1. Who We Are
BosseyAI LTD ("BosseyAI", "we", "us") provides AI-powered patient pipeline services for dental clinics, including our AI receptionist Sarah.
- Company Number: 17105662
- Registered Address: 86–90 Paul Street, London EC2A 4NE
- ICO Registration: ZC108524
- Email: hello@bosseyai.com
2. What This Policy Covers
This policy applies to:
- Website visitors — people browsing bosseyai.co.uk
- Clinic clients — dental practice owners and staff using our services
- Dental patients — patients of clinics that use BosseyAI (processed on the clinic's behalf)
If you are a dental patient, the clinic is the Data Controller of your data. BosseyAI processes it on their behalf as a Data Processor. For questions about your data, contact the clinic directly.
3. What Data We Collect
Website visitors: IP address, browser type, pages visited, referral source — used only for site analytics.
Clinic clients: Name, business name, email, phone, billing information.
Dental patients (via clinic):
- Name (where provided on a call)
- Mobile phone number
- Appointment date, time, and treatment type
- Call transcript or summary
- SMS message logs
We do not collect clinical records, diagnoses, treatment history, payment card data, or identity documents.
4. How We Use Your Data
- Answering inbound calls via Sarah AI on behalf of the clinic
- Sending appointment confirmations, reminders, and follow-ups by SMS
- Reactivating dormant patients on the clinic's behalf
- Requesting Google reviews after appointments
- Delivering and improving BosseyAI's services
We never use patient data for our own marketing, model training, or sell it to third parties.
5. Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| VAPI Inc. | AI voice call handling (Sarah) | USA |
| Twilio Inc. | SMS and WhatsApp delivery | USA / EU |
| Railway Corp. | Server infrastructure | EU West |
| Supabase Inc. | Database storage | EU West |
| n8n GmbH | Workflow automation | EU |
| OpenAI LP | AI language processing | USA |
International transfers to US-based providers are covered by Standard Contractual Clauses (SCCs) approved by the ICO.
6. Data Retention
| Data Type | Retention |
|---|---|
| Patient contact records | Duration of clinic contract + 30 days |
| Call transcripts & SMS logs | 90 days (auto-deleted) |
| Call metadata | 12 months |
| Client business data | Contract duration + 6 years |
7. Your Rights
Under UK GDPR you have the right to: access your data, correct inaccurate data, request erasure, restrict processing, data portability, and object to processing.
To exercise any right: hello@bosseyai.com — we respond within 30 days.
You can also complain to the ICO: ico.org.uk · 0303 123 1113
8. Cookies
This website uses only essential cookies required for it to function. We do not use tracking or advertising cookies without your consent. You can manage cookie preferences via your browser settings.
9. Security
We use TLS encryption for all data in transit, row-level database security, and strict access controls. In the event of a data breach we notify affected parties and the ICO within the required timeframes.
10. Changes
We may update this policy. Changes are published here with an updated date. Material changes are notified to clients by email.
11. Contact
BosseyAI LTD · hello@bosseyai.com · 86–90 Paul Street, London EC2A 4NE · ICO: ZC108524