Who is responsible
DBX ONE is operated by Dillon, the founder of the service. For privacy or data-handling questions, email [email protected].
Privacy notice
This page explains what information DBX ONE collects, why it is used, how long it is kept, and who to contact about privacy or data-handling questions.
Last updated: 6 July 2026
DBX ONE is operated by Dillon, the founder of the service. For privacy or data-handling questions, email [email protected].
DBX ONE turns supplier and consumables invoices into clearer spend reports for practices and clinics.
DBX ONE is intended for supplier invoices, supplier emails and related business contact information. It is not designed for clinical records.
This notice applies to people who visit the DBX ONE website, contact DBX ONE, apply for a report, send supplier invoice files or receive communications about a DBX ONE submission.
For website enquiries, contact details, application details and direct communications, DBX ONE is responsible for how that information is used.
For invoice files submitted by a practice or clinic so that DBX ONE can prepare a requested report, the organisation normally decides what is submitted and why. In that situation, DBX ONE handles the invoice files on the organisation’s instructions and the Data Processing Agreement explains the processor terms in more detail.
DBX ONE does not need patient records, clinical documents, prescriptions, referrals, test results or patient-identifiable information. Supplier invoices can also contain unnecessary information, so practices are encouraged to remove or redact information that is not needed for the report, such as bank details, account numbers, staff names, handwritten notes or unrelated attachments where practical.
For business enquiries, applications and report communications, DBX ONE generally relies on legitimate interests in responding to requests, operating the service and keeping appropriate business records. Where a report is requested or discussed as a service, processing may also be necessary to take steps before entering into a contract or to perform a contract.
Where DBX ONE processes invoice files on behalf of a practice or clinic, the submitting organisation is normally responsible for identifying its own lawful basis for the information it chooses to send. DBX ONE handles the files for the requested report and under the DPA terms.
Customer invoice data is not used to train shared or general AI models and is not reused for other clients. Any AI-assisted review is used to support the requested DBX ONE report only.
DBX ONE may use service providers for hosting, file storage, email delivery, security, AI-assisted processing or operational tools. The current sub-processor position is set out on the Confidentiality page and in the DPA. Sub-processors must be used only for the service and with appropriate confidentiality and security protections.
DBX ONE aims to keep hosting and storage in UK/EU-aligned environments where practical. Some technology providers may process limited information outside the UK or EEA. Where this happens, DBX ONE expects appropriate safeguards to be in place through the relevant provider terms, data processing terms or transfer mechanisms.
Invoice files submitted for a free report are intended to be deleted within 30 days after report delivery unless a different period is agreed in writing or retention is required to resolve a query, security issue, legal issue or payment/service dispute.
Contact messages, application records and report correspondence may be kept for a reasonable period so DBX ONE can respond to enquiries, keep a record of what was requested, manage follow-up questions and maintain basic business records.
Deletion or return of invoice files can be requested by emailing [email protected].
DBX ONE is designed to limit access to submitted files and use technical and organisational safeguards such as access controls, encrypted connections, protected cloud storage and retention limits. More detail is provided on the Confidentiality page.
Depending on the situation and lawful basis, individuals may have rights to request access, correction, deletion, restriction, portability or objection to the use of their personal information. Requests can be sent to [email protected].
Right to object: where DBX ONE relies on legitimate interests, individuals can object to that processing. DBX ONE will consider the request and stop the processing unless there is a compelling reason to continue or another lawful basis applies.
Please contact DBX ONE first at [email protected] so the issue can be reviewed. Individuals also have the right to complain to the Information Commissioner’s Office, the UK data protection regulator.
Before submitting invoice files, practices may wish to run the service past their DPO, IG lead, finance/procurement lead, practice partners or Caldicott Guardian equivalent where relevant, and record the processing in their own records if personal data is involved.
This notice may be updated as DBX ONE develops, for example if new storage, email, analytics or AI suppliers are added. The latest version will be published on this page.
For more detail, review the Confidentiality page and the Data Processing Agreement.