Privacy Policy
This policy explains what personal data SmileSync collects, why we collect it, how we use and protect it, and the rights you have under UK data protection law.
1. Who we are
SmileSync Ltd ("SmileSync", "we", "us", or "our") operates the SmileSync platform available at smilesync.dental and app.smilesync.dental. We are registered in England and Wales.
For the purposes of UK GDPR and the Data Protection Act 2018, SmileSync Ltd is the data controller for personal data collected through our website and platform. For personal data processed on behalf of dental practices using our software, we act as a data processor.
If you have any questions about this policy or how we handle your data, contact our privacy team at privacy@smilesync.dental.
2. What data we collect
We collect the following categories of personal data:
From dental professionals and practices:
- Name, email address, and professional details provided during registration
- Practice name, address, and contact information
- Payment and billing information (processed via our payment provider; we do not store card details)
- Usage data, including log data, feature usage, and session information
- Communications with our support team

From patients (processed on behalf of dental practices):
- Clinical notes, treatment plans, consent records, and dental records entered by the treating practice
- Before/after photographs and clinical imagery uploaded by the practice
- Patient contact details used for appointment reminders and portal access
- Portal activity and engagement data

From website visitors:
- IP address, browser type, referring URLs, and pages visited
- Cookie and tracking data (see Section 8)
3. How we use your data
We use personal data for the following purposes and on the following legal bases:
- To provide and operate the SmileSync platform (*Contract performance*). Delivering the features and services you or your practice have subscribed to, including clinical documentation, patient communication, and practice management tools.
- To process payments and manage your subscription (*Contract performance*). Billing, invoicing, and subscription management in connection with your chosen plan.
- To communicate with you about your account (*Contract performance / Legitimate interests*). Account notifications, support responses, product updates, and security alerts.
- To improve our product (*Legitimate interests*). Analysing aggregated, anonymised usage patterns to understand how our platform is used and where we can improve it. We do not use identifiable patient data for this purpose.
- To comply with legal obligations (*Legal obligation*). Retaining records as required by applicable law, responding to lawful requests from regulators or law enforcement, and fulfilling our obligations under the Data Protection Act 2018.
- To send marketing communications (*Consent*). If you have opted in, we may send you information about new features, events, or offers. You can withdraw consent at any time by clicking "unsubscribe" in any email or contacting privacy@smilesync.dental.
4. How we share your data
We do not sell personal data. We share data only in the following circumstances:
- Service providers and sub-processors: We engage trusted third-party providers to operate our platform, including cloud hosting, payment processing, analytics, and customer support tooling. All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards.
- Dental practices: Patient data entered or generated through a practice's SmileSync account is accessible to authorised users of that practice. We process this data as a data processor on behalf of the practice as controller.
- Legal and regulatory: We may disclose data where required by law, court order, or regulatory authority, including the Information Commissioner's Office (ICO).
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.
5. Data storage and security
All data is stored on servers located within the United Kingdom and European Economic Area. We do not transfer personal data outside the UK/EEA without appropriate safeguards in place.
We implement appropriate technical and organisational security measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
- Staff training on data protection obligations
No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@smilesync.dental.
6. Data retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.
- Account data: retained for the duration of your subscription plus 7 years following termination, in line with standard accounting and legal requirements
- Clinical data (patient records): retained in accordance with NHS and GDC guidance, which generally requires dental records to be kept for a minimum of 10 years (or until the patient's 25th birthday if longer)
- Marketing data: retained until you withdraw consent or request deletion
- Support communications: retained for 3 years following resolution
When data is no longer required, it is securely deleted or anonymised.
7. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: ask us to correct inaccurate or incomplete data
- Right to erasure: ask us to delete your data where there is no lawful reason to retain it
- Right to restrict processing: ask us to pause processing of your data in certain circumstances
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making: we do not make solely automated decisions that produce legal or similarly significant effects
To exercise any of these rights, email privacy@smilesync.dental. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use cookies and similar technologies to operate and improve our website and platform.
- Strictly necessary cookies: required for the platform to function; no consent needed
- Performance cookies: help us understand how visitors interact with our website (analytics); require consent
- Functional cookies: remember your preferences and settings; require consent
- Marketing cookies: used to deliver relevant content; require consent
You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings. Note that disabling certain cookies may affect platform functionality.
9. Children
Our platform and website are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@smilesync.dental and we will delete it promptly.
Patient portal access for minors is managed by the treating dental practice in accordance with their own data protection policies and applicable guidance from the GDC and CQC.
10. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, the law, or our services. We will notify active users of material changes by email or via in-platform notice. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of SmileSync after a policy update constitutes acceptance of the revised terms.
11. Contact us
If you have questions, concerns, or requests relating to this privacy policy or the way we handle your data, please contact:
Privacy Team, SmileSync Ltd
- Email: privacy@smilesync.dental
- Post: 21 Wellfield Court, Willen, Milton Keynes, MK15 9HL, United Kingdom

For complaints you may also contact the Information Commissioner's Office:
- Website: ico.org.uk
- Telephone: 0303 123 1113
Contact our privacy team directly — we aim to respond within 2 business days.
privacy@smilesync.dental