Privacy Policy

This policy explains how Polish collects, uses, and protects personal data in connection with our social media management service for dental practices.

Last updated: April 2026  ·  Controller: Polish (getpolished.digital)

1. What personal data we collect

From website visitors

• IP address, browser/device information, and basic request data needed to serve and secure the website
• Anti-bot verification signals processed through Cloudflare Turnstile when you submit the sign-up form
• Form progress or preference data stored in your browser local storage when you start sign-up or use portal features

From enquiries and sign-ups

• Name and work email address
• Practice name and location
• Phone number (if provided)
• Information submitted in our sign-up and setup forms: growth priorities, tone preferences, services offered, website and social profile links, and related brand preferences

During active service delivery

• Social media account permissions or profile links that you provide to us
• Brand assets including logos, photography, videos, and uploaded files
• Approved content, review responses, support requests, and related communications
• Billing and subscription information processed via Stripe; we do not store full card details

We do not collect or process patient data. Dental practices are responsible for ensuring no patient data is shared with us.

Children's data

Our service is directed at dental practices and their staff, not at individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a person under 18, please contact us at hello@getpolished.digital and we will delete it promptly.

2. Legal basis for processing

Processing activity	Legal basis (UK GDPR)
Responding to enquiries	Legitimate interests (Article 6(1)(f))
Delivering the contracted service	Performance of a contract (Article 6(1)(b))
Processing payments	Performance of a contract (Article 6(1)(b))
Sending service communications (invoices, reports, updates)	Performance of a contract (Article 6(1)(b))
Fraud prevention, form security, and abuse prevention	Legitimate interests (Article 6(1)(f))
Portal authentication and session management	Performance of a contract (Article 6(1)(b))
Meeting legal and tax obligations	Legal obligation (Article 6(1)(c))

Where we rely on legitimate interests, we have carried out a balancing assessment and concluded that our interests do not override your rights. You may request details of this assessment by contacting us.

3. Cookies and local storage

Category	Purpose	Consent required
Essential cookies	Secure portal session handling and core site functionality	No
Local storage	Saving sign-up progress, client session state, and interface preferences in your browser	No, where strictly necessary for the service you request
Security technologies	Cloudflare Turnstile and related request checks used to prevent spam, abuse, and bot submissions	No, where strictly necessary for site security

We do not currently use third-party advertising or analytics cookies on this site. If we introduce non-essential cookies or tracking technologies in the future, we will update this policy and implement appropriate consent mechanisms before doing so.

If you want to remove locally stored browser data for this site, you can clear your browser storage and cookies. Our sign-up form uses Cloudflare Turnstile; you can read more about that here: Cloudflare Turnstile Privacy Addendum.

4. How we use your data

• To set up and deliver your social media management service
• To communicate about content, approvals, reporting, and support
• To send invoices and process payments
• To improve service delivery and internal processes
• To meet our legal and accounting obligations

We do not sell, rent, or trade your personal data to any third party. We do not use your personal data for direct marketing unless you have opted in, and you may withdraw that consent at any time.

5. Automated decision-making

We do not carry out any automated decision-making or profiling that produces legal effects or similarly significant effects on you. Cloudflare Turnstile performs automated bot-detection checks on form submissions, but this is limited to determining whether a submission is from a human visitor and does not profile you or make decisions about access to the service.

6. Who we share data with

To deliver the service, we use the following third-party sub-processors. Each is contractually bound to protect your data:

Sub-processor	Purpose	Location
Cloudflare	Website hosting, database infrastructure, secure sessions, and Turnstile bot protection	International / provider infrastructure
Stripe	Payment processing, subscriptions, invoices, and customer billing portal	International / provider infrastructure
Planable	Content collaboration, approvals, and scheduling	International / provider infrastructure
Cloudinary	Media storage and asset management	International / provider infrastructure
Resend	Transactional email notifications	International / provider infrastructure

We may update our sub-processors. Material changes will be communicated to active clients with at least 14 days' notice.

We may also disclose personal data where required to do so by law, regulation, court order, or governmental authority.

7. International transfers

Some sub-processors operate outside the UK. Where this occurs, we rely on appropriate transfer safeguards such as the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses, or the UK extension to the EU-US Data Privacy Framework, as applicable to the relevant provider. You may request further details of the safeguards in place by contacting us.

8. How long we keep your data

Data type	Retention period
Enquiry and contact records	2 years from last contact
Client account and service records	Duration of contract + 6 years (statutory limitation period)
Financial records (invoices, payments)	7 years (HMRC requirement)
Browser-side form progress and local preferences	Until cleared by the user or overwritten in the browser
Social media credentials / access tokens	Deleted within 30 days of contract end

After the applicable retention period, personal data is securely deleted or anonymised.

9. Your rights under UK GDPR

You have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your data where there is no legitimate reason to retain it
• Restriction — ask us to restrict processing in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — where processing is consent-based, you can withdraw at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any right, email hello@getpolished.digital. We will respond within one calendar month. In complex cases, we may extend this by a further two months, in which case we will inform you within the initial month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Security

We take reasonable technical and organisational measures to protect your personal data, including access controls, encrypted communications (TLS in transit), restricted data access on a need-to-know basis, and server-side session cookies for authenticated portal access. We regularly review our security practices and update them as appropriate.

11. Changes to this policy

We may update this policy from time to time. The date at the top reflects the most recent revision. Where changes are material, we will notify active clients directly. Continued use of the service after notification of a material change constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise your rights: hello@getpolished.digital