// LEGAL

Privacy Policy

Last updated: 1 July 2026

This policy explains how OriFlows ("OriFlows", "we", "us") collects, uses, and protects personal data when you visit this website, book an audit call, or use the automation services we provide to dental practices. We are committed to handling data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

OriFlows is an automation services provider for UK private dental practices, operated by Mohammed Mostafijur. For any privacy-related question, contact us via the details on our website.

2. What data we collect

Depending on how you interact with us, we may collect:

3. How we use your data

We do not sell or rent personal data to third parties, and we do not use it for purposes beyond what's described here.

4. Legal basis for processing

We process personal data under the following legal bases: consent (e.g. when you submit the audit booking form), contract (to deliver services you've engaged us for), and legitimate interest (e.g. responding to enquiries).

5. Where your data is stored

GoHighLevel (GHL) Booking form submissions and practice automation data are processed and stored using GoHighLevel, our core automation platform. GoHighLevel's infrastructure is hosted on AWS and Google Cloud Platform in the United States, and GoHighLevel is certified under the UK-U.S. Data Privacy Framework for international transfers.

We also use Formspree (form submission handling) and Cal.com (call scheduling) for the website's audit booking flow. Each of these providers processes data only as needed to deliver that specific function.

6. Practice clients and patient data

Where a dental practice engages OriFlows to run patient-facing automations, the practice is the data controller and OriFlows acts as a data processor, processing patient data only on the practice's documented instructions. Full terms governing this relationship are set out in our Data Processing Agreement (DPA), provided to clients on signup.

7. Data retention

We retain personal data only as long as necessary for the purposes described above, or as required by law. Practice client data is retained for the duration of the service agreement and deleted or returned at termination, as set out in the DPA.

8. Your rights

Under UK GDPR, you have the right to:

To exercise any of these rights, contact us directly. If you are a patient of a practice using our services, you can also contact that practice, as they are the data controller for your information.

9. Cookies

This website uses minimal cookies/local scripts required for core functionality (e.g. the booking calendar embed). We do not currently use third-party advertising or tracking cookies.

10. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will reflect the most recent revision.

11. Contact

For any questions about this policy or how your data is handled, please get in touch via the contact details on our homepage.