Privacy — Speed to Lead

Scope

This section covers Speed to Lead, the missed-call SMS workflow Async Digital provides to dental clinics. The workflow runs like this: you call the clinic, the call is not answered, the clinic's phone system forwards the call event to a service we operate, and one short text message goes back to your phone with a link to book a callback through the clinic's online booking page.

It does not cover any other product or surface; for those, see the privacy hub.

Who is responsible for your data

The dental clinic you tried to call is the controller of your data under UK GDPR. They decide that they want to text callers back when they miss a call, and they instruct us to run the workflow that does it.

Async Digital Ltd is the processor. We act on the clinic's documented instructions under a Data Processing Agreement (Article 28 UK GDPR). We do not use your phone number for our own purposes, do not sell it, do not share it with anyone outside the sub-processors listed below, and do not combine it with any data from any other source.

If you want to exercise your rights, you should contact the clinic in the first instance. If you contact us instead, we will tell you which clinic asked us to send the SMS (if you can identify the call), forward your request to them within two working days, and not act on it ourselves — that is what processors are required to do.

What we hold about you

For each missed call routed through Speed to Lead:

Your phone number, as delivered by your phone carrier's caller-ID signalling. We do not type it in or look it up.
Call-event metadata from Twilio — the timestamp of the call, its duration (if any), the forwarding reason, and Twilio's internal call identifier.
The text message we sent you — a fixed template chosen by the clinic at onboarding. Your phone number appears on the delivery envelope; the body of the message contains only the clinic's name and the booking link.

We do not hold your name, your email address, your reason for calling, anything you may have left in voicemail (we do not retrieve voicemail), or any data from the clinic's patient records.

If you tap the booking link and complete a booking, the booking page is run by Cal.com under the clinic's own account — whatever you enter there (name, email, chosen slot) is held by the clinic and Cal.com directly, not by us.

Lawful basis

The clinic's lawful basis under UK GDPR Article 6 is legitimate interests — specifically the clinic's interest in responding to a caller who tried to reach them and could not. The processing is a single templated SMS containing a booking link; the impact on the caller is low; the caller initiated the contact and so a service-responsive reply is within reasonable expectation. Each clinic that uses Speed to Lead is required to complete a Legitimate Interests Assessment before going live, using a template Async Digital provides at onboarding. You can request a summary of the relevant assessment by contacting the clinic, or by emailing the contact below and we will route the request.

The text message is not marketing. It does not promote any product, it does not ask you to buy anything, and it does not invite you to a campaign. Sending service-responsive SMS to a caller who tried to reach the clinic is permitted under the Privacy and Electronic Communications Regulations (PECR); the same SMS is not permitted as an unsolicited marketing message, and the workflow is configured to refuse anything beyond the agreed template. The SMS is sent only between 08:00 and 21:00 local UK time.

We do not rely on consent (Article 6(1)(a)) for this processing, because you did not give affirmative consent to an SMS follow-up before you placed the call. We do not rely on contract (Article 6(1)(b)) at the point of the missed call, because at that moment you are not yet a party to any contract with the clinic.

AI processing

No artificial-intelligence model is involved in this workflow. The text message is a fixed template chosen by the clinic; nothing about you, your call, or your number is fed into any large language model or AI service to write, score, or sequence the message. If we ever change that, this section and the “Last updated” date below will reflect it before the change goes live, and the clinic will be notified ahead of time so they can decide whether to continue.

How long we keep it

n8n execution log (the system that runs the workflow) — 14 days, the default on the plan we use; we do not extend it.
Twilio call-event metadata and SMS delivery records — held by Twilio under Twilio's standard policy, typically around 13 months. The clinic can request a shorter window directly from Twilio where Twilio's policy allows it.
Cal.com booking record, if you book — held by Cal.com and the clinic, under the retention the clinic configures for its booking page. We do not copy that record into our systems.

We do not maintain a long-term database of caller phone numbers. After 14 days, your phone number is gone from our execution log; what remains in Twilio is held on the clinic's behalf, not ours.

Sub-processors

Speed to Lead relies on three sub-processors, each engaged under a written agreement and under the clinic's onward instructions:

Twilio Ireland Limited (with Twilio Inc. for some US-routed billing and support) — receives the missed-call event and delivers the SMS. Primary processing is in the EU (Ireland); some operational routing reaches the United States. Transfer basis: UK adequacy for EEA processing; the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for any US-handled metadata.
n8n GmbH (n8n Cloud) — runs the workflow that decides what SMS to send. Processing is in Germany (Frankfurt). Transfer basis: UK adequacy.
Cal.com, Inc. — runs the booking page the SMS link points to. Region (EU or US) is confirmed at the clinic's onboarding and recorded on file. Transfer basis: UK adequacy where EU-hosted; UK IDTA or UK Addendum to EU SCCs where US-hosted.

If we add or change a sub-processor, the clinic gets at least 30 days' notice and can object within 14 days. If the change is material we will also update this section and the “Last updated” date below before it goes live.

International transfers

The workflow is run from the United Kingdom and the data is held in the United Kingdom or the European Economic Area, with the exceptions noted under Sub-processors above (some Twilio routing and, depending on configuration, Cal.com hosting may involve the United States). Where data reaches the United States, the transfer is covered by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. We review these mechanisms at least annually.

How to stop, opt out, or escalate to a human

You have three routes:

Reply STOP to the SMS. Twilio's standard reply-to-stop handling will block any further SMS to your number for the clinic that triggered it. You do not need to give a reason.
Reply HUMAN to the SMS (or any free-text reply). The reply is reviewed by Async Digital and forwarded to the clinic for a personal response. We aim to acknowledge replies during UK business hours quickly, and within the next business day outside those hours. We do not attempt to answer clinical questions automatically; for clinical advice please call the practice on its published number, or in an emergency contact NHS 111 or 999.
Email the contact below. Mention the clinic name (or the time of the call, or your phone number) so we can find the right record and either remove your number from the workflow or pass your message on.

If you ask us to remove your number from the workflow, we forward your request to the clinic within two working days and provide whatever technical assistance the clinic needs (for example, deleting the number from the workflow execution log) within five working days for straightforward cases.

Who we are

The processor is:

Async Digital Ltd
167–169 Great Portland Street, London W1W 5PF, United Kingdom
Registered in England & Wales, company number 16950485
Contact: privacy@async-digital.com

The controller is the dental clinic you were trying to reach. Their contact details are on their website, on the SMS you received, and on the booking page the SMS links to.

Your rights

Under the UK GDPR you have the right to:

ask what personal data is held about you (right of access);
ask for data that is wrong or incomplete to be corrected (right to rectification);
ask for data to be deleted (right to erasure), where there is no overriding legal reason to keep it;
ask for processing to be restricted (right to restriction);
object to processing (right to object) — for Speed to Lead, the practical route is to reply STOP, which honours the objection at the network level;
ask for a copy of data you provided in a portable format (right to data portability), where applicable.

The workflow does not carry out any automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 UK GDPR. The text message is informational; it does not approve, deny, or rank anything.

Because the clinic is the controller, your rights are exercised against the clinic, with us providing the technical assistance the clinic needs to honour them. We respond to clinic requests for technical help within five working days for straightforward cases.

If you are not satisfied with how a request has been handled, you can complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint or on 0303 123 1113. We would appreciate the chance to address any concern first.

Changes we would have to flag

If we introduce AI into the workflow, change the channel (for example to email or postal mail), add a sub-processor, change the retention windows above, or extend the workflow into a vertical where children or vulnerable adults are routinely the primary callers, we will update this section and the register below before the change ships.

Register of updates

Last updated: 2026-04-29

2026-04-29 — Section published.