Smile Stories Privacy Policy

Last Updated: 21/07/2025

1. Our Legal Basis for Processing Your Personal Data

Under the UK General Data Protection Regulation (UK GDPR), we must have a valid reason to use your personal information. At Smile Stories, we collect and process your data based on the following legal grounds:

1. To Fulfil a Contract:
   We need your personal information to provide the dental services you have requested—this includes booking appointments, providing treatments, managing your care, and communicating with you about your care.
2. With Your Consent:
   We aim to always ask for your consent before sending you marketing communications, such as newsletters, special offers, or Smile Club updates. We will only send you marketing emails or text messages where you have provided explicit consent, or where we rely on the “soft opt-in” for existing patients. You can withdraw your consent or opt out at any time by contacting us.
3. To Comply with Legal Obligations:
   We are required by law to retain certain records, such as your dental treatment history and financial information, for specified periods to meet regulatory, tax, and legal requirements.
4. For Our Legitimate Interests:
   We may use your data to:

• Send appointment reminders or follow-up messages
• Improve the services we offer, including analysing website traffic or requesting feedback
• Handle and investigate complaints or insurance claims
  We carefully balance this use with your privacy rights.

5. With Your Explicit Consent for Testimonials or Marketing Materials:
   If you agree, we may use before-and-after images or testimonials for our website, social media, or marketing. We will never use such images without your explicit written consent, and you can withdraw this consent at any time.
6. Sensitive Health Data:
   Some of the information we collect and process may include sensitive personal data about your health, such as details of your dental condition, treatment history, medical background, and photographs. We process this information because it is necessary for the provision of healthcare and to comply with our legal obligations.
7. Data Retention:
   We retain your personal data, including health records, in line with legal and regulatory requirements. Dental and medical records are typically retained for at least 11 years or until the patient reaches the age of 25, whichever is longer.
8. Children’s Data:
   Where we process the personal data of children under the age of 18, we require the consent of a parent or guardian to provide treatment and to process their data.
9. Referrals to Other Healthcare Providers:
   From time to time, we may need to refer patients to other dental practices, healthcare providers, or hospitals to ensure they receive appropriate care. When this is necessary, we will share only the information required for the referral and will do so in line with our confidentiality obligations and data protection laws. We do this because it is necessary for the provision of healthcare services and in your vital interests.

2. Communication Methods

At Smile Stories, we use WhatsApp to communicate with patients for appointment confirmations, reminders, general enquiries, and, where appropriate, to share treatment updates, images or post-treatment advice.

Messages sent to us via WhatsApp are securely managed using a third-party platform (respond.io) that allows our team to respond efficiently and in line with our data protection responsibilities. This system does not affect how you use WhatsApp, but it ensures that your messages are handled securely and consistently on our side.

Please note that WhatsApp is a third-party messaging service with its own privacy and security practices, which we do not control. While it uses end-to-end encryption, it is not specifically designed for sharing sensitive medical information.

By contacting us through WhatsApp, you are providing implied consent for us to respond via this platform, including in cases where medical or sensitive information may be shared as part of your enquiry or treatment communication. We use WhatsApp primarily to handle enquiries, manage appointments, and provide relevant updates related to your care.

We also use WhatsApp internally between team members, where necessary, to coordinate patient care, appointment logistics and treatment discussions. All staff are trained in confidentiality and data protection, and any information shared in this way is used appropriately for clinical or administrative purposes.

In addition to WhatsApp, we may contact you by email, SMS (text message), telephone or through our website contact forms. These methods are used to ensure convenience, continuity of care and timely responses to your needs.

If you would prefer not to use WhatsApp for any communication, including messages involving medical or sensitive information, you can inform us at any time by emailing management@smilestories.co, and we will use an alternative contact method such as email or telephone.

Your communication preferences are important to us, and we will do our best to respect your choice.

3. International Data Transfers

At Smile Stories, we use a number of trusted third-party services to help us deliver, manage, and improve our services. Some of these services may process personal data outside the United Kingdom (UK) and the European Economic Area (EEA), including in the United States and other countries.

These services include, but are not limited to:

• Google Analytics, Google Ads, YouTube, Facebook Pixel, TikTok Pixel
• MailerLite (email marketing)
• Unbounce (landing pages)
• Acuity Scheduling (online bookings)
• Stripe (payment processing)
• Dropbox (cloud storage)
• Hotjar (website analytics)
• Chatbot (website chat widget)
• Facebook Messenger, Instagram DMs, TikTok DMs (only used when you contact us through those platforms first)

We also work with clinical tools such as:

• Dentally (patient management system)
• Romexis by Planmeca (x-ray storage)
• Dental Monitoring (for remote treatment monitoring)

Whenever your personal data is processed outside the UK or EEA, we take reasonable steps to select service providers that follow strong data protection standards. These providers may be based in countries recognised for having adequate data protection laws or may use legal agreements that aim to safeguard your information to UK standards.

If you would like more details about where your data is stored or how it is safeguarded, you can contact us at management@smilestories.co.

4. How We Keep Your Information Safe

At Smile Stories, we take the security of your personal information seriously and have measures in place to help protect your data from being accidentally lost, accessed without permission, altered, or shared inappropriately.

These measures include:

• Using secure systems and software that require strong passwords and, where possible, two-factor authentication.
• Ensuring that all of our team members are trained on confidentiality, privacy, and data protection.
• Storing any physical (paper-based) records securely, such as in locked cabinets, although we aim to keep most records digital wherever possible.
• Using reputable cloud-based systems for managing patient information, which we select based on their security features and compliance with data protection standards.
• Keeping our computers protected with antivirus software, firewalls, and regular security updates.

While all members of our team have access to patient information in order to carry out their roles, we work hard to ensure that all data is handled sensitively, confidentially, and in line with legal and ethical standards.

Please be aware that while we do everything reasonably possible to protect your information, no system can ever be 100% secure. We cannot guarantee the absolute security of information transmitted online, such as through email, messaging apps, or web forms, so we advise caution when sharing sensitive information through these channels.

5. Cookies and Consent

Our website uses cookies and similar tracking technologies to help us understand how visitors use our site, improve your browsing experience, and provide relevant advertising.

What are Cookies?

Cookies are small text files stored on your device when you visit a website. Some cookies are essential for the website to function properly, while others help us improve our website or deliver more relevant content and advertising.

What Cookies We Use:

We use cookies for the following purposes:

• Essential cookies: Necessary for site functionality, such as online booking tools and our chatbot.
• Analytics cookies: To understand how visitors use our site (Google Analytics, Hotjar).
• Advertising and tracking cookies: To show relevant ads and measure marketing effectiveness (Facebook Pixel, TikTok Pixel, Google Ads).

Your Choices and Consent:

When you visit our website, you will see a cookie banner that allows you to:

• Accept All Cookies
• Reject Non-Essential Cookies
• Customise Your Preferences

You can change or withdraw your consent at any time by clicking on the Cookie Preferences button at the bottom of our website or by adjusting your browser settings.

6. Your Privacy Rights and How to Contact Us

If you have any questions about this privacy policy, how we handle your personal data, or if you would like to exercise any of your data protection rights (such as accessing your data, correcting it, withdrawing consent, requesting deletion of your data, or restricting how we use your data), you can contact our Practice Manager:

Practice Manager
Smile Stories
Email: management@smilestories.co

We will do our best to respond to your request as promptly as possible and always within the timeframes required by law.

If you are not satisfied with how we handle your personal data or feel we have not resolved your concern, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection.

ICO Contact Details:
Website: www.ico.org.uk
Helpline: 0303 123 1113

7. Data Breach Notification

While we do everything reasonably possible to keep your personal information secure, if we ever experience a personal data breach that puts your privacy at risk, we will take it seriously.

If required by law, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
• Inform any individuals directly affected without undue delay, where there is a risk to their rights or freedoms.

If you become aware of any security incident involving your data in connection with Smile Stories, please contact our Practice Manager immediately at management@smilestories.co.

Thank you for trusting Smile Stories with your personal information.

Smile Stories Complaints Policy

Please follow this link for our complaints policy.