UK GDPR · Data Protection Act 2018

Privacy notice

This notice explains what personal data Dental Bench collects, why we collect it, how long we keep it, and what rights you have over it. It applies to anyone who uses dentalbench.co.uk, signs up to our mailing list, or places an order with us.

Last updated 16 May 2026 · Version 1.0

1. Who we are

The data controller for any personal data collected through dentalbench.co.uk is:

Toolsmith Ltd (trading as Dental Bench)

39 Heather Road, Small Heath, Birmingham B10 9TE, United Kingdom

Companies House registration 16520777 (registered in England and Wales)

VAT registration GB497504454

UK ICO Data Protection registration ZC147961 — verify on the ICO public register

Email info@toolsmithltd.co.uk · Phone +44 20 8059 4504

We have not formally appointed a Data Protection Officer because we are not required to under UK GDPR Article 37. For any data-protection question, please use the email or phone above and your enquiry will reach a director.

2. What personal data we collect

We only collect what we need for the specific purpose stated. The table below lists every category we collect.

What	When	Why
Email address	You submit our mailing-list / "notify me at launch" form, or you create a customer account.	To tell you when we launch, to send the one-off launch-week discount code you signed up for, to operate your customer account, and to send transactional emails relating to your orders.
Name, billing & delivery address, phone number	You place an order or create a customer account.	To process your order, deliver your goods, take payment, and meet legal record-keeping duties (e.g. VAT records).
Payment-card details	You enter card details at checkout.	To take payment for your order. We do not store or see your full card number — payment is handled by Shopify Payments (or Stripe / PayPal where applicable), which is PCI-DSS compliant. We only retain the last 4 digits, card brand, and an expiry month for fraud-screening and customer-service.
Order history	You place an order.	Customer service, returns processing, statutory record-keeping (HMRC requires VAT records for 6 years).
Trade-account information (practice name, dental council registration number, role, evidence of bona-fide trade status)	You apply for a trade account as a dental practice, lab, school, or hospital.	To verify you are a bona-fide healthcare professional or institution, to apply appropriate trade pricing, to comply with our duty as a medical-device importer under UK MDR 2002.
IP address & device information	Automatically when you visit the site.	Security, fraud prevention, site analytics, accessibility (e.g. serving the right language). See Cookies below.
Cookies & similar technologies	When you visit the site.	See Cookies below.
Correspondence (emails, contact-form messages, support tickets)	When you contact us.	To answer your enquiry and improve our service.

We do not collect "special category" personal data (Article 9 — health, race, religion, political opinions, genetic data, biometrics, sexual orientation) and do not knowingly process data about children under 13. If you believe we have inadvertently collected such data, contact us and we will erase it without delay.

3. Lawful basis for processing

Under UK GDPR Article 6, we rely on the following lawful bases:

Consent (Article 6(1)(a)): For the mailing-list / "notify me at launch" sign-up, and any subsequent marketing emails. You can withdraw consent at any time using the unsubscribe link in any marketing email, by emailing us, or by adjusting preferences in your account.
Performance of a contract (Article 6(1)(b)): For processing your orders, taking payment, delivering goods, providing customer service, processing returns.
Legal obligation (Article 6(1)(c)): For record-keeping required by HMRC (VAT records — 6 years), Companies Act, and post-market surveillance duties under UK MDR 2002 as the UK importer of CE-marked medical devices.
Legitimate interests (Article 6(1)(f)): For site security and fraud prevention, internal analytics to improve our service, and limited post-purchase emails about similar products you might find useful (the "soft opt-in" under PECR Reg 22(3)). You can object at any time using the same channels as for marketing consent.

4. How long we keep your data

Data	Retention period
Mailing-list email (no orders placed)	Until you unsubscribe, or 24 months of inactivity (no opens, no clicks), whichever is sooner.
Customer account & order history	For the life of your account, plus 6 years after your last order (HMRC VAT record-keeping requirement).
Payment-card metadata (last 4 digits, brand, expiry)	2 years from the transaction, then automatically deleted.
Trade-account application records	For the life of the trade account, plus 7 years after closure (UK MDR 2002 post-market surveillance retention).
Support correspondence	3 years from last contact.
Server logs & IP addresses	90 days, then anonymised.

After the retention period ends, we either delete the data or fully anonymise it so it can no longer identify you.

5. Who we share your data with

We share personal data with the following categories of recipient, only as needed for the purposes listed:

Recipient	Purpose	Where based
Shopify Inc. — e-commerce platform	Hosting the storefront, taking and processing your orders, storing customer accounts	Canada / Ireland (UK adequacy in place)
Shopify Payments / Stripe / PayPal	Payment processing	UK / Ireland / United States (transfers governed by UK IDTA — see below)
Klaviyo Inc. — email marketing platform	Sending mailing-list emails, order-related emails	United States (transfers governed by UK IDTA — see below)
Delivery couriers (Royal Mail, DPD, FedEx, etc.)	Delivering your orders	United Kingdom
HMRC	VAT and corporation-tax record-keeping	United Kingdom
MHRA (where reportable)	Adverse-event reporting for medical devices per UK MDR 2002 reg. 44	United Kingdom
PIK PAK Industries & IBC Sweden	Post-market surveillance reports for medical devices (your name, contact details, and complaint details may be shared if your complaint relates to a device safety issue)	Pakistan / Sweden
Our professional advisers (accountants, solicitors, auditors)	Only where strictly necessary for legal or financial advice	United Kingdom

We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing purposes.

6. International transfers

Some of our service providers are based outside the UK. When personal data is transferred outside the UK, we rely on one of the following legal mechanisms:

UK adequacy decision — for transfers to the European Economic Area, Canada, and other adequate countries.
UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses — for transfers to the United States and other non-adequate jurisdictions.
EU-US Data Privacy Framework — where the US recipient is certified under the framework.

If you want a copy of the relevant transfer mechanism for a specific recipient, email info@toolsmithltd.co.uk.

7. Cookies & similar technologies

A cookie is a small text file stored by your browser when you visit a website. We (and our service providers) use cookies for the following purposes:

Type	What it does	Consent required?
Strictly necessary (Shopify session, cart, checkout, security)	Lets the site work — without these you cannot place an order or log in.	No (exempt under PECR Reg 6(4)(a))
Functional (language preference, currency)	Remembers your preferences.	Yes, but minimal impact — treated as essential alongside session.
Analytics (Shopify Analytics, Google Analytics if enabled)	Tells us which pages are viewed, how visitors arrive at the site, what's working and what's not. Anonymised / aggregated.	Yes — we ask for consent before setting these.
Marketing (Klaviyo, Meta Pixel, Google Ads if enabled)	Lets us measure how marketing campaigns perform and show you relevant ads on other sites.	Yes — we ask for consent before setting these.

When the full storefront launches we will display a cookie banner at first visit. You can change your cookie preferences at any time via the Cookie settings link in our site footer. During the current pre-launch coming-soon phase, the site uses only strictly-necessary cookies (Shopify session, security) plus mailing-list-form storage if you submit the signup form.

8. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

Right of access (Article 15): You can ask for a copy of the personal data we hold about you.
Right to rectification (Article 16): You can ask us to correct inaccurate or incomplete data.
Right to erasure / "right to be forgotten" (Article 17): You can ask us to delete your personal data in certain circumstances. We cannot delete records we are required by law to retain (e.g. HMRC VAT records, UK MDR post-market surveillance records), but we can confirm what those legal retention requirements are.
Right to restriction of processing (Article 18): You can ask us to limit processing in certain circumstances.
Right to data portability (Article 20): You can ask for a copy of your data in a structured, machine-readable format.
Right to object (Article 21): You can object to processing based on legitimate interests, and to direct marketing at any time. We will stop direct marketing immediately on request.
Right to withdraw consent (Article 7(3)): Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Rights relating to automated decision-making (Article 22): We do not make decisions about you based solely on automated processing.

To exercise any right, email info@toolsmithltd.co.uk with the subject line Data subject rights request. We respond within 1 month (extendable by 2 further months for complex requests, per Article 12(3)). There is no fee for a reasonable request.

9. Complaints to the ICO

If you are not satisfied with how we have handled your personal data, you have the right to complain to the UK Information Commissioner's Office:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Phone 0303 123 1113 · Website ico.org.uk

We would appreciate the chance to address your concerns first — please contact us before escalating where you can.

10. Changes to this notice

We may update this notice from time to time to reflect changes in the law, our practices, or our services. The "Last updated" date and version number at the top of this page will always show when the most recent change was made. Significant changes will be flagged on the homepage and / or by email to subscribers.

Previous versions of this notice are kept on file and are available on request.

Your cart is empty