GDPR Compliance

Last updated: June 2026

SuiteGrowth is a data processor that handles patient personal data on behalf of UK dental practices. This page explains how we meet our obligations under UK GDPR and the Data Protection Act 2018, and answers the questions practices and their Information Governance leads most commonly raise.

Do you need UK servers to be GDPR compliant?

No. This is a common misconception. UK GDPR does not require personal data to be stored on UK or EU servers. What the law requires is that any restricted (international) transfer is covered by an appropriate safeguard: adequacy regulations (which cover the EEA), the ICO's International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) used together with the ICO's UK Addendum. References to SCCs on this page should be read as SCCs with the UK Addendum.

SuiteGrowth's primary database is hosted by Supabase in an EU AWS region; the resulting UK-to-EEA transfer is covered by the UK's adequacy regulations. Where a component of our infrastructure runs in the US, transfers are governed by SCCs and by our Data Processing Agreement with that provider.

What type of data does SuiteGrowth process?

The data SuiteGrowth processes falls into two categories:

  • Standard personal data: patient first name, mobile number, appointment date and treatment type, WhatsApp message content, and the sentiment classification we derive from it. The practice, as controller, relies on legitimate interests for this processing (see "Lawful basis for processing" below); our DPA records that basis.
  • Special category health data (Article 9): where a practice's patient management system supplies medical alert or allergy information, that data flows through our AI system so that generated responses are clinically appropriate. It is processed strictly in transit: it is not stored beyond the processing window, not used for model training, and not shared with any party other than the AI processor, which operates under a Data Processing Agreement with zero retention configured.

How is AI processing governed?

SuiteGrowth uses Claude (by Anthropic) for AI sentiment scoring and response generation. Patient message content, including any medical context provided by the practice management system, is sent to Anthropic's API for processing.

We have taken the following steps to ensure this is compliant:

  • Zero data retention: our Anthropic account is configured with a zero-day data retention policy, so patient data is not stored on Anthropic's servers beyond the immediate API request.
  • Model training disabled: user feedback and model training on our data are disabled. Patient conversations are never used to train or improve AI models.
  • Data Processing Agreement: Anthropic provides a DPA covering UK-to-US transfers under Standard Contractual Clauses (with the UK Addendum).

Sub-processors and international transfers

All sub-processors used by SuiteGrowth are listed in our Data Processing Agreement. For sub-processors based outside the UK or EU, transfers are made under Standard Contractual Clauses. Each sub-processor operates under a Data Processing Agreement consistent with UK GDPR requirements.

Sub-processor     Purpose                                         Location    Transfer mechanism
Supabase          Database and authentication                     EU (AWS)    UK adequacy regulations (EEA)
Vercel            Application hosting and serverless functions    EU / US     SCCs / DPA
Anthropic         AI sentiment analysis and response generation   US          SCCs / DPA; zero retention configured
Meta (WhatsApp)   WhatsApp message delivery                       US / EU     SCCs / DPA
360dialog         WhatsApp Business API access                    EU          UK adequacy regulations (EEA)
Resend            Email notifications to practice staff           US          SCCs / DPA
Sentry            Error monitoring                                US          SCCs / DPA

Lawful basis for processing

Patient data is processed under the following lawful bases:

  • Legitimate interests (Article 6(1)(f)) — post-appointment follow-up communication serves the legitimate interests of the dental practice in delivering good patient care and managing their reputation, balanced against patient privacy interests.
  • Contract (Article 6(1)(b)) — processing client (practice) data to deliver the contracted service.
  • Special category data (Article 9(2)(h)): where medical alert or allergy information is processed, this falls under the provision of health or social care services by a health professional or under their responsibility, relying on the "health or social care purposes" condition in Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018. The practice, as controller, is responsible for confirming that this condition applies to its use of the service.

Patient rights

Patients have full UK GDPR rights including access, rectification, erasure, restriction, and objection. The dental practice (as data controller) is responsible for handling patient rights requests. SuiteGrowth will assist practices in fulfilling requests within 5 working days of instruction.

Patients can opt out of further automated messages at any time by replying STOP. This is processed automatically and immediately — no further messages are sent once an opt-out is recorded.

Security measures

  • All data encrypted in transit (TLS) and at rest
  • Row-level security in the database — each practice can only access its own patient data
  • No shared access tokens or API keys across practices
  • Access to production systems limited to authorised personnel only
  • Error monitoring and alerting via Sentry
  • Notification to the practice (as controller) without undue delay after we become aware of a personal data breach affecting patient data, as Article 33(2) requires of a processor, so that the practice can meet its own 72-hour deadline for reporting to the ICO
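The row-level security bullet above is the control that keeps one practice's patients invisible to another practice's staff. The following is an added, illustrative Postgres/Supabase schema and policy, written for this page and not taken from SuiteGrowth's codebase; the table and column names (practices, practice_members, patients, practice_id) are assumptions. It shows the deny-by-default policy shape, why RLS is forced even for the table owner, and how to verify the policy by impersonating a logged-in user in a transaction.

```sql
-- Illustrative schema (assumed names, not SuiteGrowth's actual tables).
-- Assumes Supabase's auth schema, so auth.uid() returns the caller's JWT "sub".
create table practices (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which staff logins (auth.users.id) belong to which practice.
create table practice_members (
  user_id     uuid not null,
  practice_id uuid not null references practices(id),
  primary key (user_id, practice_id)
);

create table patients (
  id          uuid primary key default gen_random_uuid(),
  practice_id uuid not null references practices(id),
  first_name  text not null,
  mobile      text not null
);

-- Enable RLS and force it: with FORCE, even the table owner is subject to
-- the policies, so a misconfigured server-side connection cannot read
-- across practices by accident. With no matching policy, RLS denies by default.
alter table patients enable row level security;
alter table patients force row level security;

-- One policy for select/insert/update/delete: a row is visible (USING) and
-- may be written (WITH CHECK) only if its practice_id is one the caller is a
-- member of. Anonymous callers are not in the "authenticated" role and get no rows.
create policy patients_by_practice on patients
  for all
  to authenticated
  using (
    practice_id in (
      select practice_id from practice_members where user_id = auth.uid()
    )
  )
  with check (
    practice_id in (
      select practice_id from practice_members where user_id = auth.uid()
    )
  );

-- Verification, run inside a transaction in the SQL editor so nothing persists.
-- Constructed UUIDs for two practices and one staff user of practice A.
insert into practices (id, name) values
  ('11111111-1111-1111-1111-111111111111', 'Practice A'),
  ('22222222-2222-2222-2222-222222222222', 'Practice B');
insert into practice_members (user_id, practice_id) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111');
insert into patients (practice_id, first_name, mobile) values
  ('11111111-1111-1111-1111-111111111111', 'Alice', '+447700900001'),
  ('22222222-2222-2222-2222-222222222222', 'Bob',   '+447700900002');

begin;
  -- Impersonate the practice A staff login the way PostgREST does.
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "role": "authenticated"}';
  select first_name from patients;        -- expected: Alice only
  -- Cross-practice write is rejected by WITH CHECK:
  -- insert into patients (practice_id, first_name, mobile)
  --   values ('22222222-2222-2222-2222-222222222222', 'Carol', '+447700900003');
rollback;
```

Two caveats a reviewer would check alongside the policy. First, Supabase's service_role key bypasses RLS entirely, so any serverless function (for example on Vercel) that uses it must scope queries to the practice itself; the policy above protects only connections that carry a user JWT. Second, `auth.uid()` returns NULL when the claim is missing, and `practice_id in (select ... where user_id = NULL)` matches nothing, which is the deny-by-default behaviour you want, but it is worth running the impersonation test above after every schema change rather than assuming it.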

Practice obligations

The dental practice is the data controller for patient data. Before using SuiteGrowth, practices are responsible for:

  • Ensuring they have a lawful basis to share patient contact details with SuiteGrowth
  • Informing patients that they may receive automated WhatsApp follow-up messages after appointments
  • Listing SuiteGrowth as a data processor in their own privacy documentation and data processing register
  • Handling any patient data subject access requests or erasure requests within the statutory timeframe (one month from receipt under Article 12(3), extendable by up to two further months for complex or numerous requests)

Our Data Processing Agreement sets out these obligations in full and forms part of the agreement between SuiteGrowth and every practice using the platform.

ICO registration

SuiteGrowth is registered with the Information Commissioner's Office (ICO) as a data processor. Registration details are available on request.

Questions and data requests

For any GDPR-related questions, data subject requests, or to request a copy of our sub-processor list or security documentation, contact us at hello@suitegrowth.co.uk.