Privacy policy.
At Novairu (a trading name of Growinty Ltd) we take the protection of your personal data seriously. This policy explains what data we collect, why we use it, how long we keep it and what rights you have.
1 · Data controller
Growinty Ltd
Company Number 16696497.
5 Brayford Square, London, England E1 0SG, United Kingdom.
Contact for data-subject requests: ana.boville@novairu.com.
Growinty Ltd acts as the data controller for personal data collected directly through this website (forms, email). When a dental practice or clinic subscribes to the Novairu service, Growinty Ltd acts as a data processor for the patient data processed on behalf of that practice, governed by a Data Processing Agreement (DPA) signed between both parties.
2 · What data we collect
Through the demo request form
- Identification: full name.
- Contact: email, phone/WhatsApp number.
- Business details: practice name, business type, approximate patient volume, practice management software, main commercial need.
- Metadata: submission date and source.
Through email or direct channels
- Any information you voluntarily share when contacting us.
As a data processor (if your practice is a customer)
When your practice has subscribed to the service, we process patient data limited to what is strictly necessary to operate: name, phone, treatment of interest, appointment history and outstanding invoice status. We do not process sensitive clinical data. The legal basis and specific terms are set out in the DPA signed with your practice, which remains the data controller with respect to its patients.
3 · Purpose and legal basis
| Purpose | Legal basis |
|---|---|
| Respond to your demo or commercial enquiry. | Legitimate interest (B2B professional contact) and steps prior to entering into a contract. |
| Send information about our services, case studies or product updates. | Legitimate interest in a B2B context. You can object at any time. |
| Provide the contracted service and support. | Performance of the contract with your practice. |
| Meet legal obligations (tax, accounting). | Compliance with legal obligations. |
4 · How long we keep data
- Unconverted leads: up to 24 months from the last useful contact.
- Active customers: for the duration of the contract.
- Legal obligations: the periods legally required (up to 6 years for commercial and tax records).
- Patient data (as processor): as agreed with the practice, with immediate deletion at contract end unless a legal obligation applies.
5 · Recipients and sub-processors
We share data only with providers strictly necessary to deliver the service, under data processing agreements and with safeguards equivalent to those required by UK GDPR and EU GDPR:
| Provider | Purpose | Processing location |
|---|---|---|
| Cloudflare, Inc. | Web hosting and CDN. | EU / global (with SCCs) |
| Railway Corp. | Backend infrastructure and database. | EU (Frankfurt) |
| Zoho Corporation | Corporate email. | EU |
| Anthropic PBC | AI engine (Claude) used to process conversations. | USA (SCCs + DPF) |
| Meta Platforms, Inc. | WhatsApp Business Cloud API for message exchange. | USA (SCCs + DPF) |
| Stripe Payments Europe, Ltd. | Subscription billing and payments. | Ireland / USA (SCCs + DPF) |
| FormSubmit / internal backend (interim) | Delivering form submissions to us. | EU / global (SCCs) |
| Brevo SAS (when activated) | Email marketing and commercial communications. | EU (France) |
| Google LLC (when Analytics is activated) | Anonymised web analytics. | USA (SCCs + DPF) |
We may also disclose data to public authorities, courts and tribunals when legally required.
6 · International transfers
Some of the providers above process data outside the United Kingdom and European Economic Area, principally in the United States. These transfers rely on:
- Standard Contractual Clauses approved by the European Commission (and UK Addendum where applicable).
- Data Privacy Framework (DPF) where the provider is certified.
- Additional technical measures (encryption in transit and at rest).
7 · Your rights
You may exercise the following rights at any time:
- Access — find out what personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — ask us to delete your data when no longer needed.
- Objection — to processing based on legitimate interest.
- Restriction of processing — in the specific circumstances set by UK GDPR.
- Portability — receive your data in a structured format.
- No solely automated decisions — we do not make decisions with legal effects about you based only on automated processing.
To exercise these rights, email ana.boville@novairu.com stating which right you wish to exercise and, if required, attaching a copy of a proof of identity.
If you believe your rights have not been properly handled, you may lodge a complaint with the Information Commissioner's Office (ico.org.uk) in the UK or with the Agencia Española de Protección de Datos (aepd.es) if you are in Spain.
8 · Information security
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure: encryption in transit (TLS) and at rest, least-privilege access controls, encrypted backups, activity logging and periodic audits of our providers.
9 · Children
This website and its services are aimed exclusively at professional adults. We do not knowingly collect data from children under 13. If you think we have done so, please contact us and we will delete the data immediately.
10 · Changes to this policy
We may update this policy to reflect regulatory or service changes. We will publish the updated version on this page with the "Last updated" date visible at the top. If changes materially affect your rights, we will notify you by email or with a prominent notice on the site.