Privacy Policy
Last Updated: April 21, 2026
1. Introduction
Cliara Technologies Ltd ("we," "our," or "Cliara") operates the Cliara platform at cliara.co.uk, a dental practice directory and booking service.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.
Our Details:
- Company Name: Cliara Technologies Ltd
- Company Number: 17148521
- Registered Address: 6 Pagett Close, Hucknall, NG15 7US, United Kingdom
- Contact Email: hello@cliara.co.uk
- Data Protection Contact: Nethmin Seneviratne (Director)
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
2.1 Patient Information
When you book an appointment through Cliara, we collect:
- Contact Details: Full name, email address, mobile phone number
- Booking Information: Appointment date, time, selected practice, appointment status
- Review Content: If you leave a review, we collect your rating (1-5 stars) and written feedback
- Technical Information: IP address, browser type, device information (for fraud prevention and analytics)
We do NOT collect:
- Medical or dental history
- NHS number
- Payment card details (we do not process patient payments)
2.2 Practice Information
When a dental practice registers on Cliara, we collect:
- Business Details: Practice name, registered address, phone number, email address, website, GDC registration numbers
- Operational Information: Opening hours, services offered, treatment pricing, photographs of premises
- Account Information: Login credentials (securely hashed), subscription tier, billing information
- Payment Details: Stripe account information for subscription billing (card details stored by Stripe, not by us)
2.3 Automatically Collected Information
We automatically collect:
- Usage Data: Pages viewed, features used, time spent on site
- Device Information: Browser type, operating system, screen resolution
- Location Data: Approximate location based on IP address (for showing nearby practices)
3. How We Use Your Information
We process personal data only when we have a legal basis to do so under UK GDPR Article 6:
3.1 Contract Performance
We process data to fulfill our service to you:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing appointment bookings | Name, email, phone, appointment details | Contract |
| Sending booking confirmations | Email, phone (via Resend and Twilio) | Contract |
| Managing user accounts | Email, name, password | Contract |
| Providing customer support | All account information | Contract |
| Storing booking history | Appointment records, practice details | Contract + Legal Obligation (financial records) |
3.2 Legitimate Interests
We process data for our business operations:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Sending review requests post-appointment | Email, phone | Legitimate Interest (quality feedback) |
| Displaying reviews publicly | Review text, rating, reviewer first name | Legitimate Interest (transparency) |
| Marketing to dental practices (B2B) | Practice contact details | Legitimate Interest (business development) |
| Analytics and platform improvement | Usage data, anonymized metrics | Legitimate Interest (service improvement) |
| Fraud prevention and security | IP address, device info, booking patterns | Legitimate Interest (protecting users) |
Your Rights: You can object to processing based on legitimate interests at any time by contacting us.
3.3 Consent
We process data with your consent for:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Marketing emails to patients | Email address | Consent (opt-in checkbox at registration) |
| Analytics cookies | Browsing behavior | Consent (cookie banner) |
Your Rights: You can withdraw consent at any time by unsubscribing from emails or changing cookie preferences.
3.4 Legal Obligations
We retain certain data to comply with UK law:
- Financial Records: Booking transactions, subscription payments (7 years for HMRC)
- Data Breach Notifications: If required by ICO, we may process personal data to notify affected individuals
4. How We Share Your Information
4.1 Sharing with Dental Practices
When you book an appointment, we share your contact details with the practice:
- Name, email, phone number, appointment date/time
- This is necessary to complete your booking (contract performance)
- Important: The practice becomes an independent data controller for this information. They must handle it in accordance with UK GDPR. We require practices to use patient data only for fulfilling appointments, not for marketing.
4.2 Third-Party Service Providers
We use trusted service providers who process data on our behalf:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting | All user data | EU (London, UK — eu-west-2 region) |
| Stripe | Payment processing (practice subscriptions only) | Practice billing information | EU/UK |
| Resend | Transactional emails | Email addresses, names | EU |
| Twilio | SMS notifications | Phone numbers | EU |
| Cloudflare R2 | Image storage | Practice photos, logos | EU |
| Google Maps API | Location services | Practice addresses | Google data centers (Standard Contractual Clauses in place) |
| Google Analytics 4 | Website analytics | Anonymized usage data | Google data centers (with consent only) |
| Vercel | Website hosting | Server logs (IP addresses) | EU/UK |
All third-party providers are contractually required to protect your data and use it only for the specified purposes. We use Standard Contractual Clauses (SCCs) where data is transferred outside the UK/EU.
4.3 Legal Requirements
We may disclose your information if required by law:
- To comply with court orders, legal processes, or regulatory investigations
- To protect our rights, property, or safety, or that of our users
- To enforce our Terms & Conditions
We will never sell your personal data to third parties.
5. Data Retention
We retain personal data only as long as necessary:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active patient accounts | Until you delete your account | Ongoing service provision |
| Inactive patient accounts | 2 years of inactivity | After 2 years, we send a deletion warning. Account deleted 30 days later if no response. |
| Booking history | 7 years from booking date | Legal requirement (HMRC financial record-keeping) |
| Reviews | Indefinitely (or until you request deletion) | Public content that other users rely on. If you delete your account, your name is anonymized to "Anonymous" but the review text remains. |
| Active practice accounts | Until subscription is cancelled + 30 days | Ongoing service provision + grace period for reactivation |
| Cancelled practice accounts | 30 days after cancellation | Grace period for reactivation, then deleted |
| Payment records | 7 years | Legal requirement (HMRC) |
| Analytics data (Google Analytics 4) | 14 months | GA4 default auto-deletion |
| Server logs (Vercel) | 30 days | Vercel default retention |
Note on Booking History: Even after account deletion, booking records are retained for 7 years (HMRC requirement for financial records). However, your personal contact details (name, email, phone) are redacted — replaced with "[REDACTED]" — so the booking history is no longer personally identifiable.
6. Your Data Protection Rights
Under UK GDPR, you have the following rights:
6.1 Right of Access
Request a copy of all personal data we hold about you.
How to exercise: Email hello@cliara.co.uk or use the "Download My Data" button in your account settings (provides instant JSON export).
6.2 Right to Rectification
Correct inaccurate or incomplete personal data.
How to exercise: Update your details in account settings, or email hello@cliara.co.uk.
6.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data.
How to exercise: Use the "Delete My Account" button in account settings, or email hello@cliara.co.uk.
Important: Some data is retained for legal reasons (e.g., booking history for HMRC), but your contact details are redacted. Reviews are anonymized.
6.4 Right to Restrict Processing
Request that we temporarily stop processing your data (e.g., while disputing accuracy).
How to exercise: Email hello@cliara.co.uk.
6.5 Right to Data Portability
Receive your data in a machine-readable format (JSON) to transfer to another service.
How to exercise: Use the "Download My Data" button in account settings.
6.6 Right to Object
Object to processing based on legitimate interests or for direct marketing.
How to exercise:
- Marketing emails: Click "Unsubscribe" in any email, or email hello@cliara.co.uk
- Legitimate interest processing: Email hello@cliara.co.uk explaining your objection
6.7 Right to Withdraw Consent
Where processing is based on consent (e.g., marketing emails, analytics cookies), you can withdraw consent at any time.
How to exercise:
- Marketing: Unsubscribe from emails
- Cookies: Change your cookie preferences or clear cookies in your browser
6.8 Right to Complain
If you believe we've mishandled your data, you can complain to the UK's data protection authority:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
7. Data Security
We take security seriously and implement appropriate measures to protect your data:
- Encryption: All data transmitted between your device and our servers is encrypted using TLS (HTTPS)
- Access Controls: Strict role-based access — only authorized personnel can access personal data
- Secure Storage: Passwords are hashed using industry-standard algorithms (bcrypt)
- Regular Backups: Database backups stored securely with encryption
- Third-Party Audits: Our hosting providers (Supabase, Vercel) undergo regular security audits and hold industry certifications (ISO 27001, SOC 2)
Data Breach Notification: If we experience a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours, as required by law.
8. Age Restrictions
You must be at least 16 years old to use Cliara. If you are under 16, a parent or guardian must book appointments on your behalf using their own contact details.
If you are under 18, please ensure you have permission from a parent or guardian before booking an appointment.
We do not knowingly collect personal data from children under 16. If we discover we have inadvertently collected such data, we will delete it promptly.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to improve your experience on our website.
9.1 What Are Cookies?
Cookies are small text files stored on your device by your web browser. They help us remember your preferences, keep you logged in, and analyze how you use our site.
9.2 Types of Cookies We Use
Essential Cookies (No Consent Required)
These cookies are necessary for the website to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
| sb-access-token | Keeps you logged in (Supabase authentication) | Session |
| sb-refresh-token | Refreshes your login session | 30 days |
Analytics Cookies (Consent Required)
These cookies help us understand how you use our site:
| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishes unique visitors | 2 years | Google Analytics 4 |
| _ga_* | Maintains session state | 2 years | Google Analytics 4 |
We only set analytics cookies if you click "Accept All" in our cookie banner. If you click "Reject All," analytics cookies are not set and Google Analytics does not track you.
9.3 Managing Cookies
Cookie Consent Banner: When you first visit Cliara, you'll see a banner asking for your cookie preferences. Your choice is stored for 1 year.
Change Your Mind: You can change your cookie preferences at any time by:
- Clearing cookies in your browser settings (this resets your choice and the banner will appear again)
- Emailing hello@cliara.co.uk to request we manually reset your consent
Browser Controls: You can also disable cookies entirely in your browser settings. However, this may affect website functionality (e.g., you won't stay logged in).
9.4 Do Not Track
Some browsers support a "Do Not Track" (DNT) signal. We respect DNT signals — if DNT is enabled, we do not load Google Analytics even if you previously accepted cookies.
9.5 Third-Party Cookies
We do not use third-party advertising cookies or tracking pixels (e.g., Facebook Pixel, Google Ads Remarketing).
The only third-party cookies on our site are:
- Google Analytics (if you consent)
- Stripe (on payment pages only, for fraud prevention — Stripe's own cookie policy applies)
10. International Data Transfers
Your data is primarily stored in the UK and EU:
- Supabase: London, UK (eu-west-2 region) — UK GDPR applies directly
- Vercel: EU regions for European users
Some service providers may process data outside the UK/EU:
- Google Analytics, Google Maps API: Data may be processed in Google's global data centers, including the USA
- Stripe: Data may be processed in the USA and EU
Where data is transferred outside the UK/EU, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contracts requiring recipients to protect data to EU standards
- Adequacy Decisions: Where the UK/EU has determined a country provides adequate data protection
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
How We Notify You:
- We will update the "Last Updated" date at the top of this page
- For significant changes, we may email registered users
Your Continued Use: By continuing to use Cliara after changes are posted, you accept the updated Privacy Policy.
We recommend reviewing this page periodically to stay informed.
12. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Email: hello@cliara.co.uk
Mail:
Cliara Technologies Ltd
6 Pagett Close
Hucknall
NG15 7US
United Kingdom
Data Protection Contact: Nethmin Seneviratne (Director)
Response Time: We aim to respond to all data protection requests within 30 days (as required by UK GDPR).
13. Definitions
- Personal Data: Any information relating to an identified or identifiable person (e.g., name, email, phone number)
- Data Controller: The entity that determines how and why personal data is processed (Cliara is the controller for most data; practices become controllers when they receive patient contact details)
- Data Processor: An entity that processes data on behalf of a controller (e.g., Supabase processes data on our behalf)
- Processing: Any operation performed on personal data (collection, storage, use, deletion, etc.)
- UK GDPR: The UK General Data Protection Regulation, the UK's data protection law post-Brexit
- ICO: Information Commissioner's Office, the UK's independent data protection authority
End of Privacy Policy
For Terms & Conditions, see: