Privacy Policy
1. Overview
1.1 We are committed to protecting the privacy and security of your personal data. We have robust information security management systems in place and have implemented appropriate technical and organisational security measures to protect your data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
1.2 This Privacy Notice applies to personal data we process when you visit or use our website and when you use our clinical services. Further privacy policy statements and documents may apply offline and are available on request.
1.3 This site is owned and operated by 3Beam Ltd, whose registered office is at First Floor, 86 Harley Street, London, England, W1G 7HP. Company registration number: 12144164.
1.4 We are the data controller of the personal information you provide to us. We are registered as a data controller with the Information Commissioner's Office; our registration number is ZA 763469.
1.5 We have appointed a Data Contact for the business: Dr Emil Gadimali. You can contact our Data Contact at our postal address or via email at info@3beam.co.uk.
1.6 As a Data Controller, we will take all necessary steps to comply with the UK GDPR, the Data Protection Act 2018, and relevant legislation when handling any personal data you provide to us. We ensure that data is:
- Fairly, lawfully, and transparently processed
- Processed for specified, explicit, and limited purposes
- Adequate, relevant, and limited to what is necessary (data minimisation)
- Accurate, kept up to date, and corrected without delay where inaccurate
- Not kept longer than necessary for its stated purpose
- Processed in accordance with your rights
- Protected by appropriate technical and organisational security measures
- Not transferred outside the UK without adequate safeguards
1.7 This Privacy Notice also explains how we inform patients where imaging may be interpreted by an external specialist radiologist (teleradiology or remote reporting) and how consent for this is recorded and honoured.
1.8 This Online Privacy Notice is a summary of our detailed written policies held at our business premises. Contact our Data Contact for further information.
2. Our Services
3Beam Ltd provides the following healthcare services at 86 Harley Street, London, to which this Privacy Notice applies:
- Diagnostic imaging — cone beam computed tomography (CBCT), OPG (orthopantomogram), cephalometric X-ray, and cephalometric tracing services for dental and maxillofacial clinical purposes.
- DEXA scanning — dual-energy X-ray absorptiometry (DEXA/DXA) for bone density measurement and body composition analysis.
3Beam Ltd is regulated by the Care Quality Commission (CQC) and operates under the Ionising Radiation (Medical Exposure) Regulations 2017 (IR(ME)R) and the Ionising Radiations Regulations 2017 (IRR17).
3. Information We Collect and How We May Use It
3.1 During your visit to our site, we will only collect personal information that you choose to provide — for example, if you contact us with an enquiry or request further information.
3.2 If you share another person's data with us (for example, if you refer a patient on their behalf), you must have lawful authority to do so. You are responsible for ensuring the transmission of that information to us is lawful.
3.3 The types and categories of data we may collect include:
| Category | Examples |
|---|---|
| Identity data | Name, title, date of birth |
| Contact data | Address, email address, telephone number |
| Financial data | Payment details (processed by a third-party payment provider; not stored by us) |
| Transaction data | Services purchased, amounts, dates |
| Technical data | IP address, browser type and version, time zone, operating system (dependent on cookie preferences — see Section 15) |
| Usage data | How you use our website, products, and services |
| Marketing & communications data | Your preferences for receiving marketing from us |
| Special category data — health (imaging) | CBCT, OPG, and cephalometric imaging data (DICOM images and clinical reports); clinical indication and referral details. Processed under UK GDPR Article 9(2)(h) and DPA 2018 Schedule 1, Part 1. |
| Special category data — health (DEXA) | DEXA scan images, bone density measurements, T-scores, Z-scores, and body composition data; clinical indication and referral details. Processed under UK GDPR Article 9(2)(h) and DPA 2018 Schedule 1, Part 1. |
| Radiation dose records | Patient radiation dose data maintained as required under IR(ME)R 2017 and IRR17. Retained as part of your clinical record. |
4. How We Use the Information
We may use the information you provide in the following ways:
- To administer any account you have with us
- To perform our contractual obligations to you
- To respond to your queries and requests
- To communicate with you about your appointments and care
- To ensure that the content of our site is presented effectively
- To provide you with information, products, and services requested from us
- To make improvements to the services we provide
- To disclose your personal information where required by law (e.g., to assist in disputes, regulatory investigations, or to detect and prevent fraud)
- To record and/or monitor email correspondence with us
- External specialist radiology reporting: where clinically appropriate, to obtain a specialist's interpretation and clinical report. We will clearly inform you if your images are to be interpreted by an external reporting clinician, and we will provide that clinician's name and qualifications before you agree to the service. This applies to both CBCT/dental imaging and DEXA scanning (see Section 6A).
5. How We Store and Protect Your Data
5.1 We have implemented appropriate technical and organisational security measures to protect your data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
5.2 Data we receive and process is held in secure electronic devices and on secure servers with restricted access and audit logging.
5.3 Personal data may be held in encrypted third-party cloud servers (including services hosted on Amazon Web Services (AWS)). We select regions and configurations appropriate for UK data.
5.4 Further encrypted backups may be held securely in off-site locations, which are also subject to physical security controls.
5.5 We will not sell, rent, or otherwise disclose your personal information to third parties other than as described in this policy, or unless required to do so by law.
5.6 The main establishment for all of our data processing is the United Kingdom. We do not generally operate or transfer personal data outside the UK.
5.7 Due to the operation of the internet and cloud-based applications, personal data may transit countries outside the UK. We will only permit this where adequate safeguards are in place, such as an ICO-approved International Data Transfer Agreement (IDTA) or an adequacy decision.
6. Sharing Your Data
6.1 We may share your personal information with certain third parties who provide services to us or work on our behalf.
6.2 Such third parties only have access to the personal information they need to perform those services. They are bound by contractual data processing agreements and are required to keep your information secure and confidential, using it only as permitted by us.
6.3 If you have contracted with us, we will share data only to the extent necessary for performance of that contract. Otherwise we will obtain your specific consent before sharing your data.
6.4 Categories of third parties with whom we may share data:
- Partners providing logistics and external service support
- Business partners or advisers for the purposes of completing a contract with you
- Marketing agencies appointed to provide services to us
- Service providers operating this site on our behalf
- Accountants, auditors, law firms, payment processors, and IT support providers
- Advertising and analytics services, software providers
- External specialist reporting — CBCT/dental imaging: CBCT Support Limited and Dr Rebecca J Davies (Specialist in Dental and Maxillofacial Radiology, GDC registered). Depending on the engagement, these parties may act as independent controllers or as processors. We share only the minimum data necessary (identifiers, referral details, clinical indication, and imaging data).
- External specialist reporting — DEXA scanning: Medica PLC (remote DEXA reporting service). We share the minimum data necessary (identifiers, referral details, clinical indication, and scan data) to enable production of your bone density report.
- Your referring clinician, where you have been referred to us for imaging, to communicate results and reports
6A. External Reporting & Teleradiology — Transparency and Consent
This section applies to all external reporting arrangements operated by 3Beam Ltd, including CBCT/dental imaging reporting and DEXA reporting.
- We will clearly disclose when your imaging may be interpreted by an external reporting clinician who is not employed by 3Beam Ltd at this site.
- We will provide the reporting clinician's or service's name and qualifications before you agree to the service.
- This applies to both CBCT/dental imaging (CBCT Support Limited / Dr Rebecca Davies) and DEXA scanning (Medica PLC).
- Before sharing your personal information and imaging data with an external reporting clinician or service, we will obtain and record your informed consent, or confirm that your referring clinician has obtained it.
- Where you are referred by a third-party clinician, we require the referrer to confirm that you have been informed of and have consented to the external reporting arrangement.
- Article 6(1)(b) — Contract: to provide the imaging and reporting service you have requested.
- Article 6(1)(f) — Legitimate interests: to ensure patients receive timely and expert clinical interpretation. Safeguards include data minimisation, contractual controls, and transparency at the point of care.
- Article 9(2)(h) — Health care: for special category (health) data, processing necessary for medical diagnosis and the provision of health care.
- Only data strictly required to perform the clinical interpretation will be shared: identifiers, clinical question or indication, relevant history, imaging data, and any prior relevant imaging or reports.
- We retain a record confirming that you were informed about external reporting, that the reporting clinician's credentials were disclosed, and that consent was obtained or confirmed.
7. How Long We Store Your Data
7.1 We will not keep your data for longer than is necessary for the relevant purposes set out in this Privacy Notice and our compliance policies. Retention periods vary depending on the type of data and the legal or clinical requirements that apply.
7.2 Where you have purchased a service from us, we will retain your relevant personal details for the duration of the contract and for a period afterwards in order to administer the contract, provide aftercare, respond to queries or complaints, and meet our legal and accounting obligations.
7.3 For speculative enquiries (e.g., website contact forms), data will normally be retained for up to 12 months unless consent is withdrawn earlier.
7.4 Healthcare data retention: In line with the Department of Health and Social Care's Records Management Code of Practice 2021, healthcare records are normally retained as follows:
| Record type | Minimum retention period | Notes |
|---|---|---|
| Adult clinical records (general) | 8 years from last episode of care | Extended under legal hold or active complaints |
| CBCT, OPG, and cephalometric images and reports | 8 years from date of imaging | Including referral justification and communication logs |
| DEXA scan images and bone density reports | 8 years from date of imaging | Including clinical interpretation and follow-up records |
| Radiation dose records | 8 years from date of examination | Retained as required under IR(ME)R 2017 |
| Children and young people's records | Until the patient's 25th birthday (or 26th if aged 17 at end of treatment) | In line with NHS Records Management Code of Practice |
7.5 Certain categories of records — including dental, maxillofacial, and medico-legal records — may be retained for longer where required by law, professional regulators, insurers, or where clinical necessity or an active legal hold justifies it.
7.6 When data is no longer required, it will be securely deleted or anonymised so that it can no longer identify you.
8. Your Personal Data Rights
8.1 Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
8.2 To exercise any of the above rights, contact our Data Contact using the details in Section 1 or at the bottom of this page.
8.3 Where consent is the lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8.4 If we process data about you obtained from a source other than yourself, we will provide you with the required transparency information within one month of obtaining it (or prior to our first contact with you), unless an exemption applies.
8.5 You have the right to lodge a complaint with the Information Commissioner's Office at any time and to seek judicial remedy.
Telephone: 0303 123 1113 | Website: www.ico.org.uk
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
9. Lawful Bases for Data Processing
9.1 We process personal data under one or more of the following lawful bases under Article 6 of the UK GDPR:
- Consent [Art 6(1)(a)]: where you have given specific, informed, and freely given consent — for example, for marketing communications or optional recording of consultations.
- Contract [Art 6(1)(b)]: where processing is necessary to perform a contract with you, or to take steps at your request before entering into a contract.
- Legal obligation [Art 6(1)(c)]: where processing is necessary to comply with a legal obligation, including IR(ME)R record keeping, CQC regulatory requirements, and HMRC obligations.
- Vital interests [Art 6(1)(d)]: where processing is necessary to protect life in an emergency.
- Legitimate interests [Art 6(1)(f)]: where processing is necessary for our legitimate interests or those of a third party, and those interests are not overridden by your rights and freedoms. This basis is only used following a documented Legitimate Interests Assessment (LIA).
9.2 Special category (health) data: We process imaging data (CBCT, OPG, cephalometric, DEXA) and related health data under Article 9(2)(h) of the UK GDPR — processing necessary for the purposes of medical diagnosis, the provision of health care or treatment, or the management of health care systems and services, carried out under a duty of confidentiality. Where applicable, we also rely on Article 9(2)(g) with relevant Schedule 1 conditions of the Data Protection Act 2018.
9.3 Legitimate interests relied upon by 3Beam Ltd (each supported by a documented LIA) include:
- Dental and maxillofacial imaging — to provide patients and referrers with safe, efficient diagnostic services.
- DEXA scanning — to provide patients and referrers with accurate bone density assessment services.
- External specialist radiology reporting (CBCT Support Limited / Medica PLC) — to ensure patients receive timely, expert clinical interpretation, subject to data minimisation, contractual controls, and transparency at the point of care.
- Video conferencing — to facilitate efficient clinical and business communications.
10. Children's Data
10.1 Our website is not directed at children and should not be accessed by them for the purposes of purchasing services.
10.2 Our imaging services may be provided to patients of any age, including children, where clinically appropriate and referred. Children's records are handled with particular care and retained for extended periods (see Section 7.4).
10.3 We will not knowingly collect information from persons under 13 years of age without their parent's or guardian's consent.
10.4 We have considered the Age Appropriate Design Code (Children's Code) in relation to our online activity and concluded that we are not a relevant Information Society Service likely to be accessed by children.
10.5 Online services and referral portal access are restricted to qualified medical and dental professionals who are over 18 years of age. Account opening requires a GMC or GDC registration number, which acts as an effective age gate.
10.6 If a parent or guardian of a child under 13 believes their child has engaged with our website without their knowledge, please contact us immediately at info@3beam.co.uk.
11. Third-Party Websites
11.1 Our site may contain links to third-party websites. If you visit these sites you should check their own privacy policies before submitting any personal data. We cannot accept any responsibility or liability for the policies of any other website.
12. Data Access and Subject Access Requests
12.1 You have the right to request access to the personal data we hold about you. Contact our Data Contact using the details in Section 1.
12.2 Data access is free of charge. Once we have verified your identity, we will respond without undue delay and in any case within one calendar month, providing the personal data we are legally obliged to provide.
12.3 Where additional time is needed (for complex or numerous requests), we will notify you within one month and provide an explanation. An extension of up to two further months may apply.
12.4 A fee may be charged for requests that are manifestly unfounded, excessive, or repetitive in nature. We may also decline to act on such requests. In either case, we will inform you within one month.
12.5 We will send information to you electronically in a commonly used format (e.g., secure email or via our portal), or by recorded delivery for paper documents.
12.6 We may need to verify your identity before releasing any information. This protects you and prevents your data being disclosed to someone without the right to receive it.
12.7 If you believe personal data we hold is incorrect, please contact us and we will correct it as soon as practicable.
12.8 If you wish to have your personal data removed from our systems, please contact us. We will do so if we are satisfied as to your identity and there is no lawful reason to retain the data. Note: clinical records are generally subject to mandatory retention periods (see Section 7) and cannot normally be erased on request.
12.9 If you are unhappy with any response from us, you may complain to the ICO (see Section 8).
13. Business Transfer or Sale
13.1 In the event our business, or part of it, is acquired, merged, or transferred, we may need to disclose personal data we hold to the acquiring party so they can continue providing services to you.
13.2 Any pre-transaction data transfer will be limited to what is strictly necessary for evaluation purposes, subject to appropriate confidentiality obligations. The data will be destroyed by the third party if the transaction does not proceed.
13.3 You will be informed of any material change to the controller of your personal data.
14. Other Regulatory Matters
14.1 Anti-Money Laundering
We have assessed our responsibilities under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. We are not a regulated organisation registered with HMRC or the FCA, and we are not required to engage a Money Laundering Reporting Officer (MLRO). We do not accept payments in cash in excess of €10,000.
14.2 Modern Slavery
We fully support the aims of the Modern Slavery Act 2015. We are not required to publish a Modern Slavery & Human Trafficking statement under Section 54 of the Act. During recruitment we ensure adherence to all regulations, including confirmation of right to work in the UK. We maintain a zero-tolerance policy towards modern slavery and human trafficking within our organisation and supply chains.
15. Cookies and the Privacy and Electronic Communications Regulations (PECR)
15.1 Our website uses cookies and similar technologies. Cookies are small text files placed on your device to help the website function correctly and to analyse how it is used.
15.2 We use the following categories of cookies:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for the website to function (e.g., session management, security) | No — these cannot be disabled |
| Analytics / performance | Help us understand how visitors use the site (e.g., Google Analytics) | Yes — your consent is requested |
| Functional | Remember your preferences and improve your experience | Yes — your consent is requested |
| Marketing / targeting | Used to deliver relevant advertising (if applicable) | Yes — your consent is requested |
15.3 When you first visit our website, you will be asked to consent to non-essential cookies. You can withdraw your consent or change your cookie preferences at any time by clearing your browser cookies and revisiting the site, or by contacting us.
15.4 We are registered with the ICO and comply with the Privacy and Electronic Communications Regulations 2003 (PECR) in respect of all electronic marketing and cookie use.
15.5 We do not send unsolicited marketing emails or SMS messages without your prior consent, and we maintain a suppression list of individuals who have opted out.
16. Changes to This Policy
16.1 We reserve the right to update this Privacy Policy at any time to reflect changes in the law, our services, or our data processing activities.
16.2 Material changes will be notified on this page with an updated version number and review date. We encourage you to revisit this page periodically.
16.3 If you have any questions not addressed here, please contact our Data Contact.
3Beam Ltd, First Floor, 86 Harley Street, London, W1G 7HP
Email: info@3beam.co.uk
Telephone: 0207 637 8227