Privacy Policy

Last updated: 7 March 2026

1. Who we are

SightSync is a product of New Vantage Co Ltd, a company registered in England and Wales. Our registered office is in London, United Kingdom.

Contact us at care@newvantageco.com or call 020 3435 6769.

SightSync is an AI-powered patient recall platform used by UK optical practices to contact their existing patients about overdue eye examinations. In data protection terms, the optical practice is the data controller for their patient data, and New Vantage Co Ltd is a data processor acting on their instructions.

2. Data we process

2a. Practice (customer) data

When a practice signs up we collect:

  • Practice name, address, NHS registration number
  • Account holder name and work email address
  • Billing information (handled by Stripe — we do not store card numbers)
  • Practice Management System (PMS) API credentials (encrypted at rest)
  • Google Calendar OAuth tokens (if the practice connects Google Calendar)

2b. Patient data (processed on behalf of practices)

Patient data is uploaded by the practice from their PMS. We process:

  • Full name, phone number, and (if provided) email address
  • Date of last eye examination
  • Clinical risk flags (e.g. diabetic, glaucoma suspect, myopia child) — as provided by the practice
  • Opt-out status and opt-out timestamp

We also generate and store:

  • AI call recordings and transcripts
  • Call outcome logs (booked, no answer, voicemail, declined, opted out)
  • WhatsApp and email fallback delivery status
  • Appointment booking records and confirmation call outcomes

2c. Patient opt-out portal data

If a patient visits their personal opt-out link, we record:

  • That the opt-out was exercised (timestamp)
  • No other personal data is collected from this page

3. Legal basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Legitimate interests — AI recall calls are made to existing patients of the practice with whom the practice has an ongoing clinical relationship. Eye health monitoring is a legitimate clinical reason to contact patients. Patients can opt out at any time.
  • Contract — for processing practice (customer) account data to provide the SightSync service.
  • Legal obligation — for compliance audit logs required under GOC and CQC frameworks.

Automated calls and PECR: All AI calls comply with the Privacy and Electronic Communications Regulations (PECR). Every call opens with a clear disclosure that it is automated. Patients can press 0 during any call to opt out immediately and permanently.

4. Our data processors

We use the following third-party services to provide SightSync. Each is bound by a data processing agreement:

Processor             | Purpose                                        | Location
Database provider     | Patient data, call logs, audit trail           | EU (Frankfurt)
Hosting provider      | Web application and API hosting                | EU region
AI voice provider     | AI voice call delivery and transcription       | USA (SCCs in place)
Telephony & messaging | SMS and WhatsApp delivery                      | USA (SCCs in place)
Email provider        | Transactional email delivery                   | EU / USA (SCCs in place)
Payment processor     | Subscription billing                           | USA (SCCs in place)
Job queue             | Campaign processing (no patient data at rest)  | EU

SCCs = Standard Contractual Clauses approved by the UK ICO for international transfers.

5. Data retention

  • Patient data and call logs — retained for the duration of the practice's active subscription, plus 90 days after cancellation to allow for data export. Then permanently deleted.
  • Call recordings and transcripts — retained for 12 months from the date of the call, then automatically purged.
  • Opt-out records — retained indefinitely so that opted-out patients are never contacted again, even if a new campaign is launched.
  • Billing records — retained for 7 years as required by UK tax law.

6. Patient rights

Patients whose data is processed through SightSync have the following rights under UK GDPR. To exercise them, patients should contact the optical practice directly, as the practice is the data controller.

  • Right to opt out — press 0 during any call, reply STOP to any SMS or WhatsApp message, or visit the personal opt-out link in any message. Takes effect immediately and permanently.
  • Right of access — contact your optical practice to request a copy of data held about you.
  • Right to erasure — contact your optical practice to request deletion of your data.
  • Right to object — you may object to receiving automated recall calls. Press 0 during any call.

If you are a patient with a concern specifically about SightSync (not your optical practice), contact us at care@newvantageco.com.

7. Practice rights

As a practice (data controller) using SightSync, you have the right to:

  • Export all patient data and call logs from your dashboard at any time
  • Request deletion of all data by cancelling your subscription and emailing us
  • Request a copy of our Data Processing Agreement (DPA)
  • Receive notification of any data breach affecting your patients within 72 hours

8. Security

We protect your data through:

  • Row-level security (RLS) in our database — practices can only access their own data
  • TLS 1.3 encryption in transit for all data
  • AES-256 encryption at rest in Supabase
  • PMS API credentials encrypted with application-level encryption before storage
  • No practice can access another practice's patient records

9. ICO registration

New Vantage Co Ltd is in the process of registering with the Information Commissioner's Office (ICO) as a data processor. We will update this page with our registration number once complete. Until then, we operate under the practice's ICO registration as a data processor acting on their instructions.

If you have a complaint about how we handle data, you have the right to lodge a complaint with the ICO at ico.org.uk.

10. Changes to this policy

We will notify practices by email at least 14 days before making any material changes to this policy. The “last updated” date at the top of this page will always reflect the current version.

New Vantage Co Ltd · London, United Kingdom · care@newvantageco.com