Privacy Policy

Last updated: 10/06/2026

This Privacy Policy explains how DSY Management Services Ltd, trading as ReviewLab ("ReviewLab", "we", "us", "our"), collects, uses, and protects personal data. We are committed to protecting your privacy and handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Company details

Registered company name: DSY Management Services Ltd

Trading name: ReviewLab

Company number: 16925422

Registered address: [REGISTERED ADDRESS]

ICO registration number: [ICO REGISTRATION NUMBER]

Contact for data protection queries: [EMAIL ADDRESS]


1. About this policy and our two roles

It is important to understand the two different capacities in which we handle personal data, because your rights and the right point of contact depend on which applies.

a) Where we act as a "controller" (this policy applies in full). We are the data controller for personal data relating to: visitors to our website; businesses and individuals we contact as prospective clients; and our actual clients and their staff. This means we decide how and why that data is used, and the sections below explain how we do so.

b) Where we act as a "processor" on behalf of our clients. When we deliver our review-management services, we handle limited personal data belonging to our clients' own customers (for example, a clinic's customers who are invited to leave a review). In that context, our client is the data controller and we are only the data processor, acting strictly on the client's documented instructions under a written Data Processing Agreement.

If you are a customer or patient of one of our clients and you have questions about how your data is used, or you wish to exercise your data protection rights, please contact that business directly, as they control your data. We will assist them in responding to any request. Section 10 explains this relationship in more detail.


2. The personal data we collect (as controller)

Website visitors

Technical data: IP address, browser type, device information, operating system.

Usage data: pages visited, time on site, referral source, and similar analytics information.

Cookie data: see our Cookie Policy / Section 6 below.

Enquiries and contact forms

Identity and contact data: name, email address, phone number, business name, and any information you choose to include in a message to us.

Prospective clients (outreach)

Business contact details: business name, contact name, business email, business phone number, website, and publicly available business information, used to introduce our services.

Clients

Identity, contact, and account data: name, business name, role, email, phone.

Billing data: billing contact details and payment information (payment card details are handled by our payment processor, not stored by us).

Correspondence and service records.

We do not intentionally collect special category data (such as data concerning health) about our website visitors, prospective clients, or clients through this website. Please do not include sensitive personal information in messages sent to us.


3. How we collect your data

Directly from you — when you complete a form, email us, book a call, or become a client.

From your use of our website — automatically, via cookies and analytics tools.

From publicly available sources — for prospective-client outreach, such as business directories, business websites, and public business listings.


4. Why we use your data and our lawful bases

We only use personal data where the law allows us to. The lawful bases we rely on are:

Purpose: Lawful basis

Responding to your enquiries: Legitimate interests; steps to enter a contract

Providing and managing our services to clients: Performance of a contract

B2B marketing and outreach to prospective business clients: Legitimate interests (promoting our services to relevant businesses)

Sending marketing emails/SMS where required: Consent, or the PECR "soft opt-in" for existing customers

Website analytics and improvement: Consent (via cookie controls) and/or legitimate interests

Billing, accounting, and record-keeping: Legal obligation; performance of a contract

Maintaining security and preventing fraud: Legitimate interests; legal obligation

Where we rely on legitimate interests, we have considered the impact on your rights and have concluded that our use of the data is proportionate and would not unduly affect you. You may object to this — see Section 8.


5. Marketing communications

Where we send you electronic marketing (email or SMS), we do so in line with PECR. You can opt out at any time using the unsubscribe link in any email, by replying STOP to an SMS, or by contacting us at [EMAIL ADDRESS]. We will action opt-out requests promptly. Opting out of marketing does not affect any service-related communications necessary to provide a service you have requested.


6. Cookies and analytics

Our website uses cookies and similar technologies to function and to help us understand how the site is used. Non-essential cookies (including analytics and any marketing/tracking cookies) are only set with your consent, which you can give or withdraw through our cookie banner or browser settings. Essential cookies necessary for the site to operate do not require consent.

[If you use Google Analytics, a Meta Pixel, or similar, name them here and link to a separate Cookie Policy listing each cookie, its purpose, and duration.]


7. Who we share your data with (sub-processors and third parties)

We do not sell your personal data. We share it only with trusted service providers who help us run our business, and only as necessary. These include:

Customer relationship and messaging platform — we use HighLevel (GoHighLevel / LeadConnector) to manage contacts, communications, automations, and review-request campaigns. This may involve sub-providers for SMS, calls, and email (for example, Twilio and Mailgun) and cloud hosting (for example, Google Cloud and Amazon Web Services).

Website hosting and analytics providers.

Payment processor — for billing (card details are handled directly by the processor).

Professional advisors — such as our accountant and legal advisors, where necessary.

Authorities or regulators — where we are legally required to disclose data.

Each provider is bound by contractual obligations to keep data secure and to use it only for the purposes we specify. A current list of our key sub-processors is available on request.


8. International data transfers

Some of our service providers, including our customer relationship and messaging platform (HighLevel) and its underlying hosting and messaging providers, are based in or store data in the United States. This means some personal data may be transferred to and processed outside the UK.

Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place as required by UK data protection law. This includes reliance on the UK Extension to the EU–US Data Privacy Framework where the provider is certified, and/or the use of the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses, together with appropriate additional safeguards. You can request more information about the safeguards in place by contacting us.


9. Your rights

Under UK data protection law, you have the right to:

Access the personal data we hold about you.

Rectification of inaccurate or incomplete data.

Erasure of your data in certain circumstances.

Restriction of processing in certain circumstances.

Object to processing based on legitimate interests, and to direct marketing at any time.

Data portability in certain circumstances.

Withdraw consent at any time, where we rely on consent.

To exercise any of these rights, contact us at [EMAIL ADDRESS]. We will respond within one month. There is normally no charge.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk, or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first.


10. Our role as a data processor for client services

This section explains how we handle personal data belonging to our clients' customers when delivering our services. In this context, our client (for example, a clinic) is the data controller, and we act only as their processor.

We process only on the client's instructions, under a written Data Processing Agreement that meets the requirements of Article 28 UK GDPR.

We practise strict data minimisation. To deliver review-request services, we only process limited data such as a customer's first name, contact details (email and/or mobile number), and confirmation that they attended an appointment. We do not collect, request, or process any clinical, treatment, diagnosis, or health-condition information, and our intake is designed so that such information is not provided to us.

The lawful basis for contacting customers rests with our client. Our clients confirm to us that their customers have been informed their contact details may be used for feedback requests and have been given the ability to opt out, in line with UK GDPR and PECR.

Review-request messages are sent in the name of, and on behalf of, our client, and include an opt-out in every message.

Security and transfers. We apply appropriate technical and organisational security measures, and where this data is processed via providers outside the UK, the safeguards described in Section 8 apply.

Data subject requests. If you are a customer of one of our clients, please contact that business to exercise your rights. If you contact us, we will refer you to the relevant controller and assist them in responding.


11. Data retention

We keep personal data only for as long as necessary for the purposes set out in this policy, or as required to meet legal, accounting, or reporting obligations. When we no longer need data, we securely delete or anonymise it. Personal data we process on behalf of clients is deleted or returned at the end of the relevant engagement, in line with our Data Processing Agreement with that client.


12. Data security

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include access controls, encryption in transit and at rest where provided by our platforms, restricted access on a need-to-know basis, and separation of client data. No system can be guaranteed completely secure, but we take reasonable steps to protect your information and to notify you and the relevant authorities of any breach where we are legally required to do so.


13. Children's data

Our website and services are directed at businesses and are not intended for children. We do not knowingly collect personal data relating to children through our website.


14. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top shows when it was last revised. Material changes will be notified where appropriate.


15. Contact us

For any questions about this policy or how we handle personal data, contact:

DSY Management Services Ltd (trading as ReviewLab)

[REGISTERED ADDRESS]

Email: [EMAIL ADDRESS]