Privacy Policy
FAB Teeth Club · Effective date: [To be inserted at launch] · Version: 0.1 (draft for solicitor review) Data controller: FAB Teeth Club Ltd (Co. No. 17167173) · ICO Reg: [FTC-ICO-NUMBER] · 5–6 Well Street, Callington, Cornwall, PL17 7AU · privacy@fabteethclub.com
This policy explains what personal data FAB Teeth Club collects, why we collect it, who we share it with, and the rights you have over it. It applies to visitors to fabteethclub.com, to members and prospective members, and to the parents and guardians who enrol child members. We've written it in plain English, because you should be able to understand how your data is used without needing a lawyer.
1. Who we are
In short: Three companies in the FAB Group handle your data, each with a defined role. FAB Teeth Club Ltd runs your membership. Your dental practice holds your clinical records. FAB Group Holdings Ltd runs the Group's AI improvement programme — only ever with your explicit consent.
| Controller | Responsible for |
|---|---|
| FAB Teeth Club Ltd ("the Club", "we") | Your membership account, payments, the app and website, the digital member experience (including Dr Fliss AI), FAB Points, and the FAB Smile Warranty |
| Your Clinic (FAB Teeth Ltd t/a Archway Dental, ICO ZB092041; or Archway Dental (Saltash) Ltd, ICO [SALTASH-ICO]) | Your clinical records and the clinical care you receive, governed by the Clinic's own privacy policy |
| FAB Group Holdings Ltd (ICO ZC158939) | The Group-level AI and product-improvement programme (section 5) — only with your explicit consent |
2. The data we collect
In short: Membership details, payment details, your interactions with the app — and, because we are a dental membership, some health data. We collect what the service needs, and nothing speculative.
- Identity and contact — name, date of birth, email, phone, postal address
- Membership and account — tier, join date, founding-member status, family bundle composition, FAB Points, login and settings
- Payment — Direct Debit mandate and collection records, processed by GoCardless; we do not hold your bank details on our own systems
- Health data — medical history you provide or confirm through the app, treatment-pathway records relevant to your benefits, compliance signals, your Clinical Intelligence Profile (CIP), and — where your tier includes it — remote monitoring data such as intraoral imagery
- Dr Fliss AI interactions — messages you exchange with the Dr Fliss AI member experience
- Website and app usage — device and analytics data as described in our Cookie Policy
- Children's data — where a parent or guardian enrols a child member (section 7)
3. Why we use your data, and our lawful bases
In short: Most of what we do is simply running your membership — the contract between us. AI model training is different: it only ever happens with your separate, explicit, opt-in consent.
| Purpose | Lawful basis (UK GDPR) | Health data condition |
|---|---|---|
| Running your membership: account, benefits, app, warranty, FAB Points | Art. 6(1)(b) — contract | — |
| Supporting your clinical care: medical history, pathways, monitoring surfaced to your clinical team | Art. 6(1)(b) — contract | Art. 9(2)(h) — health care |
| Longitudinal monitoring of your own care (your CIP) | Art. 6(1)(b) — contract | Art. 9(2)(h) — health care |
| Payments via GoCardless | Art. 6(1)(b); 6(1)(c) — legal obligation | — |
| Service messages (login links, confirmations, payment notices) | Art. 6(1)(b) — contract | — |
| Marketing communications | Art. 6(1)(a) — consent | — |
| Platform improvement and analytics (aggregated wherever possible) | Art. 6(1)(f) — legitimate interests | Not used without consent |
| AI and product improvement, including model training (section 5) | Art. 6(1)(a) — consent | Art. 9(2)(a) — explicit consent |
| Legal and regulatory compliance | Art. 6(1)(c) — legal obligation | Art. 9(2)(f)/(g) where applicable |
Where we rely on legitimate interests, we have balanced our interest against your rights, and we do not use health data on this basis. You can object at any time (section 9).
4. Service messages and marketing
In short: Service emails are part of running your membership and you will always receive them. Marketing is separate, consent-based, and easy to switch off.
- Service messages — login links, signup confirmations, payment and membership notifications. These are not marketing.
- Marketing — sent only with your consent, with an unsubscribe link in every message. Opting out never affects your membership or benefits.
- Children — we never send marketing to child members; communications about a child's membership go to the enrolling parent or guardian.
5. AI and product improvement — your choice
In short: As a founding member you can help the platform learn and improve. It is entirely your choice, made with a separate opt-in tick that is never pre-ticked, and you can change your mind at any time without losing anything.
The FAB Group is building clinically governed AI to improve preventive dental care — including earlier detection of oral disease and better between-appointment guidance. To do that well, the Group (under the control of FAB Group Holdings Ltd) trains and improves its models using data from members who have chosen to contribute.
How consent works. Consent is captured in the join flow (and in your account settings) as a separate, clearly labelled, opt-in tick — never pre-ticked, never bundled with the Terms. Because this purpose can include health data such as clinical observations and intraoral imagery, we ask for explicit consent under Article 9(2)(a) UK GDPR. Saying no changes nothing about your membership, your warranty, or your care.
Withdrawing consent. Withdraw at any time in account settings or via privacy@fabteethclub.com. Your data is flagged out of all future training runs with immediate practical effect. For data already in models trained before withdrawal, we follow current ICO guidance and keep the position under review.
What we promise about training data. It is held under the FAB Group's control and never sold or shared with third parties for their own commercial purposes. Identifiers are separated from clinical and imaging data before use, with the link held in a separate access-controlled store. Data relating to child members is not used for model training.
6. Who we share your data with
In short: Carefully chosen service providers acting on our documented instructions, your Clinic, and nobody else. We never sell your data.
| Provider | Purpose |
|---|---|
| GoCardless Ltd | Direct Debit collection (FCA-authorised, FRN 597190) |
| Supabase / Vercel | Secure hosting of the platform, database and website |
| Resend | Service emails — processed in the EU (Ireland) |
| Klaviyo | Marketing emails to members who have opted in |
| Henry Schein One Ltd (Dentally) | The Clinic's practice management system, with which the platform integrates |
| Remote monitoring providers | Scan analysis under the FAB Monitoring programme, where your tier includes it |
| AI infrastructure providers | Secure processing powering the Dr Fliss AI experience — your data is not used to train these providers' own models |
| Professional advisers and authorities | Lawyers, accountants, insurers; regulators or law enforcement where legally required |
We also share data with the other FAB Group controllers in section 1, each for their defined role. We never sell your personal data.
7. Children's data
In short: Children join through a parent or guardian, who is the contracting party. We collect the minimum we need, never market to children, and don't use children's data for AI training.
A child member (Foundation, 0–10; Momentum, 11–17) is enrolled by a parent or legal guardian, who is the contracting party and point of contact. We collect only what the child's membership and clinical care need, design child-accessible parts of the service in line with the ICO's Age Appropriate Design Code, and exclude children's data from the AI training programme. When a child member turns 18, we contact the household about transitioning to an adult membership.
8. Where your data is held, and for how long
In short: Your data lives in the UK and the EU. A small number of providers process limited data elsewhere, always under UK-approved safeguards.
The platform and its database are hosted in the United Kingdom and the European Economic Area. Some providers (for example, our marketing email provider) may process limited data outside the UK under UK adequacy regulations or the approved International Data Transfer Agreement/Addendum.
| Data type | Retention |
|---|---|
| Membership account and transaction records | Membership + 6 years |
| Health data held by the Club (CIP, monitoring, medical-history confirmations) | Membership + 11 years; children's records to age 25 (or 26 where treatment occurred at 17) |
| Clinical records held by your Clinic | Per the Clinic's policy (typically 11 years from last entry; children to 25) |
| Consent and preference records | Life of consent + 6 years |
| AI training corpus (consented data) | Until consent withdrawn or purpose ends |
| Marketing data | Until opt-out or membership end, plus suppression records |
9. Your rights
In short: You can see, correct, export, restrict, or delete your data, and object to how we use it — and you can take your Clinical Intelligence Profile with you if you leave.
You have the rights of access, rectification, erasure (subject to legal retention), restriction, portability — including your CIP, which we commit contractually, not just statutorily, to export for you or to another provider at your direction — objection (to legitimate-interests processing and to direct marketing at any time), and withdrawal of consent. Email privacy@fabteethclub.com; we respond within one calendar month, free of charge for reasonable requests.
10. How we protect your data
Encryption in transit and at rest; row-level security and role-based access on the membership database; versioned, append-only medical-history records — confirmations are added, never destructively overwritten; audited access and a significant-event log across the Group's clinical systems; documented secrets management and supplier due diligence. If a breach is likely to put your rights at risk, we will notify you and the ICO without undue delay and, where required, within 72 hours.
11. Cookies
See our Cookie Policy. Non-essential cookies are used only with your consent.
12. Complaints
Contact us first at privacy@fabteethclub.com — we will respond quickly. You also have a statutory right to complain to the Information Commissioner's Office at any time: ico.org.uk · 0303 123 1113.
13. Changes to this policy
Material changes will be notified to members in writing, and the current version will always be at fabteethclub.com/privacy with its effective date shown.