Smile Stories Privacy Policy

Last Updated: 15/02/2026

Smile Stories Limited (Company No. 10977086), registered address 330 Wimborne Road, Bournemouth, BH9 2HH, is the data controller for the purposes of UK data protection law.

1. Our Legal Basis for Processing Your Personal Data

Under the UK General Data Protection Regulation (UK GDPR), we must have a valid reason to use your personal information. At Smile Stories, we collect and process your data based on the following legal grounds:

1. To Fulfil a Contract:
   We need your personal information to provide the dental services you have requested—this includes booking appointments, providing treatments, managing your care, and communicating with you about your care.
2. With Your Consent:
   We aim to always ask for your consent before sending you marketing communications, such as newsletters, special offers, or Smile Club updates. We will only send you marketing emails or text messages where you have provided explicit consent, or where we rely on the “soft opt-in” for existing patients. You can withdraw your consent or opt out at any time by contacting us.
3. To Comply with Legal Obligations:
   We are required by law to retain certain records, such as your dental treatment history and financial information, for specified periods to meet regulatory, tax, and legal requirements.
4. For Our Legitimate Interests:
   We may use your data to:

• Send appointment reminders or follow-up messages
• Improve the services we offer, including analysing website traffic or requesting feedback
• Handle and investigate complaints or insurance claims
  We carefully balance this use with your privacy rights.

5. With Your Explicit Consent for Testimonials or Marketing Materials:
   If you agree, we may use before-and-after images or testimonials for our website, social media, or marketing. We will never use such images without your explicit written consent, and you can withdraw this consent at any time.
6. Sensitive Health Data:
   Some of the information we collect and process may include sensitive personal data about your health, such as details of your dental condition, treatment history, medical background, and photographs. We process this information because it is necessary for the provision of healthcare and medical diagnosis, and to comply with our professional and legal obligations.
7. Data Retention:
   We retain your personal data, including health records, in line with legal and regulatory requirements.
   Dental and medical records are typically retained for at least 11 years or until the patient reaches the age of 25, whichever is longer.
   Analytics cookies: up to 12 months
   Marketing data: until consent is withdrawn
   Inquiry form submissions: 3 years
   CCTV footage is typically retained for 30 days unless required for investigation, insurance, safeguarding or legal purposes, in which case it may be retained for longer.
8. Children’s Data:
   Where we process the personal data of children under the age of 18, we require the consent of a parent or guardian to provide treatment and to process their data.
9. Referrals to Other Healthcare Providers:
   From time to time, we may need to refer patients to other dental practices, healthcare providers, or hospitals to ensure they receive appropriate care. When this is necessary, we will share only the information required for the referral and will do so in line with our confidentiality obligations and data protection laws. We do this because it is necessary for the provision of healthcare services and in your vital interests.
10. CCTV Monitoring
    We operate CCTV within certain areas of our premises for the purposes of security, crime prevention, safeguarding patients and staff, and protecting property. We rely on our legitimate interests to operate CCTV systems in a proportionate and responsible manner. CCTV footage is only accessed where necessary and is not used for monitoring staff performance unless required as part of a formal investigation.
11. Automated Decision-Making:
    We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

2. Communication Methods

At Smile Stories, we use WhatsApp to communicate with patients for appointment confirmations, reminders, general enquiries and, where appropriate, to share treatment updates, images or post-treatment advice.

Messages sent to us via WhatsApp are securely managed using a third-party platform (respond.io), which allows our team to respond efficiently and in line with our data protection responsibilities. This system does not change how you use WhatsApp, but it helps ensure that messages are handled securely, consistently and appropriately on our side.

Please note that WhatsApp is a third-party messaging service with its own privacy and security practices, which we do not control. While WhatsApp uses end-to-end encryption, it is not specifically designed for the transmission of sensitive medical information.

By choosing to contact us through WhatsApp, you acknowledge and agree that we may respond to you via this platform. This may include discussion of appointment details, aspects of your treatment, or the sharing of relevant images or updates where appropriate to your care. If you would prefer not to receive treatment-related communication via WhatsApp, you may let us know at any time and we will use an alternative contact method such as email or telephone.

We use WhatsApp primarily to manage enquiries, coordinate appointments and provide relevant updates relating to your care. Where sensitive or complex clinical information is involved, we may recommend discussing this via telephone, secure email or in person.

We may also use WhatsApp internally between authorised team members, where necessary, to coordinate patient care, appointment logistics and treatment discussions. All staff are trained in confidentiality and data protection, and any information shared in this way is used strictly for clinical or administrative purposes. Access to patient information is limited to those who require it for their role.

In addition to WhatsApp, we may contact you by email, SMS (text message), telephone or through our website contact forms. These methods are used to ensure convenience, continuity of care and timely responses to your needs.

If you would prefer not to use WhatsApp for any communication, including messages involving medical or sensitive information, you can inform us at any time by emailing management@smilestories.co, and we will update your communication preferences accordingly.

Your communication preferences are important to us, and we will always do our best to respect your choice.

3. International Data Transfers

At Smile Stories, we use a number of trusted third-party services to help us deliver, manage, and improve our services. Some of these services may process personal data outside the United Kingdom (UK) and the European Economic Area (EEA), including in the United States and other countries.

These services include, but are not limited to:

• Google Analytics, Google Ads, YouTube, Facebook Pixel, TikTok Pixel
• MailerLite (email marketing)
• Unbounce (landing pages)
• Acuity Scheduling (online bookings)
• Stripe (payment processing)
• Dropbox (cloud storage)
• Hotjar (website analytics)
• Chatbot (website chat widget)
• Facebook Messenger, Instagram DMs, TikTok DMs (only used when you contact us through those platforms first)

We also work with clinical tools such as:

• Dentally (patient management system)
• Romexis by Planmeca (x-ray storage)
• Dental Monitoring (for remote treatment monitoring)

Whenever your personal data is processed outside the UK or EEA, we take reasonable steps to select service providers that follow strong data protection standards. Where personal data is transferred outside the UK or EEA, we rely on UK adequacy regulations or approved safeguards such as Standard Contractual Clauses to ensure your data is protected to UK standards.

If you would like more details about where your data is stored or how it is safeguarded, you can contact us at management@smilestories.co.

4. How We Keep Your Information Safe

At Smile Stories, we take the security of your personal information seriously and have measures in place to help protect your data from being accidentally lost, accessed without permission, altered, or shared inappropriately.

These measures include:

• Using secure systems and software that require strong passwords and, where possible, two-factor authentication.
• Ensuring that all of our team members are trained on confidentiality, privacy, and data protection.
• Storing any physical (paper-based) records securely, such as in locked cabinets, although we aim to keep most records digital wherever possible.
• Using reputable cloud-based systems for managing patient information, which we select based on their security features and compliance with data protection standards.
• Keeping our computers protected with antivirus software, firewalls, and regular security updates.

While all members of our team have access to patient information in order to carry out their roles, we work hard to ensure that all data is handled sensitively, confidentially, and in line with legal and ethical standards.

Please be aware that while we do everything reasonably possible to protect your information, no system can ever be 100% secure. We cannot guarantee the absolute security of information transmitted online, such as through email, messaging apps, or web forms, so we advise caution when sharing sensitive information through these channels.

5. Cookies and Consent

Our website uses cookies and similar tracking technologies to help us understand how visitors use our site, improve your browsing experience, and provide relevant advertising.

What are Cookies?

Cookies are small text files stored on your device when you visit a website. Some cookies are essential for the website to function properly, while others help us improve our website or deliver more relevant content and advertising.

What Cookies We Use:

We use cookies for the following purposes:

• Essential cookies: Necessary for site functionality, such as online booking tools and our chatbot.
• Analytics cookies: To understand how visitors use our site (Google Analytics, Hotjar).
• Advertising and tracking cookies: To show relevant ads and measure marketing effectiveness (Facebook Pixel, TikTok Pixel, Google Ads).

Your Choices and Consent:

When you visit our website, you will see a cookie banner that allows you to:

• Accept All Cookies
• Reject Non-Essential Cookies
• Customise Your Preferences

You can change or withdraw your consent at any time by clicking on the Cookie Preferences button at the bottom of our website or by adjusting your browser settings.

6. Use of External Providers to Help Follow Up on Your Enquiry

Sometimes people get in touch with us about treatment but don’t have the chance to book right away. To make sure we’re being as helpful as possible, we work with a trusted external provider who sends a small number of text messages or WhatsApp messages on our behalf to check whether you’d still like to continue your enquiry.

To do this, we share only the basic details needed for that follow-up, such as your name, phone number or email and the type of treatment you originally asked us about. This provider acts strictly under our instructions and cannot use your information for anything else.

We rely on legitimate interests for this kind of communication, as it helps us respond to enquiries you have already made and offer the support or information you initially requested. If you no longer wish to receive these messages, you can reply “STOP” at any time or contact us directly at management@smilestories.co.

Any external provider we work with must follow strong privacy and security standards, protect your information, and delete it once the service is complete.

7. Your Privacy Rights and How to Contact Us

Smile Stories Limited is registered with the UK Information Commissioner’s Office
(ICO Registration Number: ZA294263).

If you have any questions about this privacy policy, how we handle your personal data, or if you would like to exercise any of your data protection rights (such as accessing your data, correcting it, withdrawing consent, requesting deletion of your data, restricting how we use your data, or requesting data portability where applicable), you can contact our Practice Manager:

Practice Manager
Smile Stories
Email: management@smilestories.co

We will do our best to respond to your request as promptly as possible and always within the timeframes required by law.

If you are not satisfied with how we handle your personal data or feel we have not resolved your concern, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection.

ICO Contact Details:
Website: www.ico.org.uk
Helpline: 0303 123 1113

8. Data Breach Notification

While we do everything reasonably possible to keep your personal information secure, if we ever experience a personal data breach that puts your privacy at risk, we will take it seriously.

If required by law, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
• Inform any individuals directly affected without undue delay, where there is a risk to their rights or freedoms.

If you become aware of any security incident involving your data in connection with Smile Stories, please contact our Practice Manager immediately at management@smilestories.co.

Thank you for trusting Smile Stories with your personal information.

Smile Stories Complaints Policy

Please follow this link for our complaints policy.