Smile Stories Privacy Policy

Last Updated: 20/05/2026

Smile Stories Limited (Company No. 10977086), registered address 330 Wimborne Road, Bournemouth, BH9 2HH, is the data controller for the purposes of UK data protection law.

1. Our Legal Basis for Processing Your Personal Data

Under the UK General Data Protection Regulation (UK GDPR), we must have a valid reason to use your personal information. At Smile Stories, we collect and process personal information for the purposes of providing healthcare, responding to treatment enquiries, preparing consultations, communicating with you, and supporting your patient journey. We rely on the following legal grounds:

1. To Fulfil a Contract:
   We need your personal information to provide the dental services you have requested. This includes booking appointments, providing treatments, managing your care, preparing consultations, creating treatment plans, managing payments and communicating with you about your care.
2. With Your Consent:
   We aim to ask for your consent before sending marketing communications, such as newsletters, educational information, treatment-related updates, relevant Smile Stories services or special offers.

   We may also contact existing patients and people who have previously enquired about treatment where permitted under the “soft opt-in” rules, particularly where communications relate to services similar to those you have already expressed an interest in.

   Decisions relating to elective healthcare, cosmetic dentistry, orthodontics and dental implant treatment often take time and may involve multiple conversations over a period of months.

   You may withdraw your consent or opt out of non-essential communications at any time by using the unsubscribe option, replying STOP where available, or contacting us directly.

3. To Comply with Legal Obligations:
   We are required by law to retain certain records, such as your dental treatment history, financial information, safeguarding information and complaint or regulatory records, for specified periods to meet regulatory, tax, legal and professional requirements.
4. For Our Legitimate Interests:
   We may use your data to:
   • send appointment reminders, consultation updates and follow-up communications;
   • respond to treatment enquiries and support your enquiry journey;
   • provide information relating to treatment options, consultations or relevant services you have expressed interest in;
   • improve the services we offer, including analysing website traffic, reviewing feedback and improving patient experience;
   • handle complaints, concerns, insurance claims or disputes;
   • maintain appropriate records and continuity of care.

   Where we rely on legitimate interests, we carefully balance this use against your privacy rights and expectations.

5. With Your Explicit Consent for Testimonials or Marketing Materials:
   If you agree, we may use before-and-after images, videos, stories or testimonials for our website, social media, teaching, presentations or marketing. We will never use identifiable images, videos or testimonials for external marketing without your explicit consent, and you can withdraw this consent at any time.
6. Sensitive Health Data:
   Some of the information we collect and process may include special category personal data relating to your health, including details of your dental condition, treatment history, medical background, photographs, radiographs, scans, clinical records and information relating to your smile, teeth, mouth or treatment goals.

   This may include information provided before you formally become a patient, for example where you request a Smile Assessment, upload photographs, enquire about treatment, complete an enquiry form, or ask us to prepare a personalised Smile Report.

   We process this information because it is necessary:

   • for the provision of healthcare and treatment planning;
   • to assess suitability for potential treatment;
   • to prepare consultations and treatment recommendations;
   • to comply with our professional, ethical and legal obligations; and
   • where required, with your explicit consent.

   Some information you provide, including photographs and treatment goals, may be used to prepare personalised consultation materials or reports for discussion during your consultation, including virtual consultations.

   Smile Stories clinicians always review this information personally. We do not make treatment decisions based solely on automated processing, and Smile Stories does not upload patient or lead photographs to AI systems for assessment.

7. Data Retention:
   We retain your personal data, including health records, in line with legal, professional and regulatory requirements.

   Dental and medical records are typically retained for at least 11 years or until the patient reaches the age of 25, whichever is longer.

   Analytics cookies: up to 12 months.

   Marketing data: until consent is withdrawn or you opt out, unless we need to retain limited information to respect your preferences.

   General enquiry form submissions: up to 24 months from your most recent interaction with us.

   Smile Assessment enquiries, uploaded photographs, consultation materials and Smile Report information: generally retained for up to 24 months where treatment has not proceeded.

   Recordings and transcriptions: generally retained only for as long as reasonably necessary and typically for no longer than 24 months unless incorporated into clinical records or required for legal, regulatory or complaint handling purposes.

   CCTV footage is typically retained for 30 days unless required for investigation, insurance, safeguarding or legal purposes, in which case it may be retained for longer.

   These retention periods reflect the reality that decisions regarding cosmetic dentistry, orthodontics, implants and elective healthcare often take time and may involve follow-up conversations over an extended period. Information may be securely deleted sooner upon request where appropriate and legally permissible.

8. Children’s Data:
   Where we process the personal data of children or young people under the age of 18, we generally require the consent of a parent or legal guardian for treatment and the processing of personal data.

   Where information, photographs or enquiries are submitted on behalf of someone under the age of 18, the person submitting information confirms that they are the parent, legal guardian or otherwise authorised to do so.

9. Referrals to Other Healthcare Providers:
   From time to time, we may need to refer patients to other dental practices, healthcare providers, specialists or hospitals to ensure they receive appropriate care. When this is necessary, we will share only the information required for the referral and will do so in line with our confidentiality obligations and data protection laws. We do this because it is necessary for the provision of healthcare services and, where relevant, in your vital interests.
10. CCTV Monitoring:
    We operate CCTV within certain areas of our premises for the purposes of security, crime prevention, safeguarding patients and staff, and protecting property. We rely on our legitimate interests to operate CCTV systems in a proportionate and responsible manner. CCTV footage is only accessed where necessary and is not used for monitoring staff performance unless required as part of a formal investigation.
11. Automated Decision-Making:
    We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals. Smile Stories clinicians remain responsible for all clinical decisions and treatment recommendations.
12. Limited Use of Technology & AI-Assisted Tools:
    In limited circumstances, Smile Stories may use carefully selected technology tools to help organise, summarise, transcribe or rephrase information provided during enquiries, consultations or treatment discussions.

    These tools are used to support communication, administration, transcription, note keeping and record accuracy. They are not used to independently diagnose conditions, analyse photographs or make treatment decisions.

    Smile Stories clinicians remain responsible for all treatment discussions and recommendations. Smile Stories does not upload patient or lead photographs to AI systems for clinical assessment.

2. Communication Methods

At Smile Stories, we may use WhatsApp to communicate with existing patients and people who enquire about treatment for appointment confirmations, reminders, general enquiries, consultation coordination and, where appropriate, to share treatment updates, images, post-treatment advice or information relevant to your enquiry or care.

Messages sent to us via WhatsApp may be securely managed using a trusted third-party communication platform (respond.io), which helps our authorised team respond efficiently, consistently and in line with our confidentiality and data protection responsibilities. This system does not change how you use WhatsApp but helps ensure messages are handled appropriately and securely on our side.

Please note that WhatsApp is a third-party messaging service with its own privacy and security practices, which are outside Smile Stories’ control. While WhatsApp uses end-to-end encryption, it is not specifically designed for the routine exchange of highly sensitive medical information. Where particularly sensitive or complex clinical matters arise, we may recommend communication by telephone, secure email, virtual consultation or in person.

By choosing to contact us through WhatsApp, you acknowledge and agree that we may respond to you via this platform. This may include discussion of appointment details, aspects of your treatment, your enquiry, or the sharing of relevant images or updates where appropriate to your care or enquiry. If you would prefer not to receive treatment-related communication via WhatsApp, you may let us know at any time and we will use an alternative contact method such as email or telephone.

We use WhatsApp primarily to manage enquiries, coordinate appointments and provide relevant updates relating to your care or treatment interests. Where sensitive or complex clinical information is involved, we may recommend discussing this via telephone, secure email, virtual consultation or in person.

We may also use secure communication systems between authorised team members, where necessary, to coordinate patient care, appointment logistics, enquiries and treatment discussions. All staff are trained in confidentiality and data protection, and access to personal information is limited to those who require it to perform their role.

In addition to WhatsApp, we may contact you by email, SMS, telephone, through our website contact forms or through communication platforms used by Smile Stories. These methods are used to ensure convenience, continuity of care and timely responses to your needs.

Where you enquire about treatment or request a Smile Assessment, we may contact you by email, SMS, telephone, WhatsApp or other agreed methods to help progress your enquiry, answer questions, provide educational information, arrange consultations, share relevant updates or discuss treatment options you have expressed interest in. You may opt out of non-essential communications at any time.

If you would prefer not to use WhatsApp for any communication, including messages involving medical or sensitive information, you can inform us at any time by emailing management@smilestories.co, and we will update your communication preferences accordingly.

Your communication preferences are important to us, and we will take reasonable steps to respect your choice.

Consultation Recording, Transcription & Note Keeping

In some circumstances, Smile Stories may use audio recording, transcription and note-support tools to help improve the accuracy of records, reduce administrative burden and allow our clinicians and team members to focus more fully on the person in front of them.

During clinical appointments, treatment discussions, virtual consultations or telephone conversations, we may use carefully selected tools to assist with note keeping, transcription and record accuracy. This may include the use of secure transcription technology, AI-assisted documentation tools and communication systems.

Where appropriate, virtual consultations conducted via platforms such as Zoom may be recorded, including audio and video, to support continuity of care, consultation accuracy, treatment discussions, complaint handling, quality assurance and record keeping. We aim to be transparent where consultations are recorded and will generally notify you in advance, at the start of the consultation and/or through the platform being used.

Telephone calls with Smile Stories may also be recorded or transcribed using secure communication systems to support quality assurance, staff training, continuity, enquiry handling and accurate note keeping.

Treatment room audio recordings used to assist with clinical note keeping are generally processed temporarily and deleted after transcription or incorporation into clinical notes where appropriate.

AI-assisted tools used by Smile Stories are designed to support administration, transcription, communication and note keeping only. They are not used to analyse photographs, diagnose conditions or make treatment decisions. Smile Stories clinicians remain responsible for all clinical recommendations and treatment discussions.

Where recordings or transcriptions are retained, we generally seek to retain them only for as long as reasonably necessary for clinical, administrative, training, complaint handling or legal purposes, and typically for no longer than 24 months unless incorporated into clinical records or required for a longer lawful purpose.

3. Smile Assessments, Uploaded Photographs & Smile Reports

Where you enquire about treatment, request a Smile Assessment, complete an enquiry form, upload photographs or use our Smile Report platform, Smile Stories may process information relating to your dental concerns, treatment goals, preferences and photographs of your teeth, mouth, smile or facial appearance.

Some of this information may constitute special category personal data relating to health, even before you formally become a patient of Smile Stories.

We may use this information to:

• understand your concerns, goals and treatment priorities;
• assess suitability for potential treatment options;
• prepare personalised Smile Reports and consultation materials;
• support virtual consultations and treatment discussions;
• explain potential treatment options and likely outcomes;
• respond to your enquiry and provide relevant follow-up communication;
• maintain continuity where treatment decisions take place over an extended period of time.

Where appropriate, photographs or information you provide may be incorporated into personalised consultation materials, presentations or Smile Reports created specifically for your consultation and internal Smile Stories use.

Smile Stories does not sell, publicly share or use uploaded photographs for advertising or marketing purposes without separate explicit consent.

Uploaded photographs and enquiry information are reviewed by Smile Stories clinicians and authorised team members involved in your enquiry or care. In limited circumstances, authorised technical support providers or software developers may access systems where necessary for maintenance or troubleshooting, subject to confidentiality and appropriate safeguards.

Uploaded photographs and Smile Report image data may be stored using secure hosting infrastructure within the United Kingdom or European Economic Area (including Germany), together with appropriate technical and organisational safeguards.

Where treatment does not proceed, Smile Assessment enquiries, uploaded photographs, consultation materials and Smile Report information are generally retained for up to 24 months from your most recent interaction with Smile Stories, after which they may be securely deleted unless a lawful reason requires longer retention.

If information is submitted on behalf of someone under the age of 18, the person submitting the information confirms that they are the parent, legal guardian or otherwise authorised to do so.

4. International Data Transfers

At Smile Stories, we use a number of trusted third-party services to help us deliver, manage, and improve our services. Many of these systems are hosted within the UK or EEA. Some providers may process personal data outside the UK or EEA, including in the United States and other countries.

These services may include, but are not limited to:

• Website, analytics and advertising tools, such as Google Analytics, Google Ads, YouTube, Facebook Pixel, TikTok Pixel and Hotjar
• Email marketing and communication tools, such as MailerLite and other email, SMS or messaging platforms
• Landing page, enquiry and booking systems, such as Unbounce, Acuity Scheduling and website contact forms
• Payment processors, such as Stripe
• Cloud hosting, storage and file management systems, such as Hetzner (Germany) for secure hosting of certain Smile Report and uploaded image data, and Dropbox for consultation materials and operational file storage.
• Customer relationship management and enquiry management systems, such as GoHighLevel, Pipedrive and related workflow tools
• Messaging and communication management platforms, such as respond.io, WhatsApp, Facebook Messenger, Instagram DMs and TikTok DMs where you contact us through those channels or agree to use them
• Workflow automation and integration tools, such as Zapier and Make
• Virtual consultation platforms, such as Zoom
• Call recording, VoIP and telephone communication systems, such as JustCall
• Transcription, note-support and AI-assisted documentation tools, such as Dentally AI, Wispr and limited AI-assisted drafting tools used only for administrative, transcription, documentation or communication support, not for clinical diagnosis or image assessment
• Smile Report and consultation platforms, including our custom Smile Report platform and related technical support providers

We also work with clinical and dental practice systems such as:

• Dentally (patient management system)
• Romexis by Planmeca (x-ray storage)
• Dental Monitoring (for remote treatment monitoring where applicable)

Whenever your personal data is processed outside the UK or EEA, we take reasonable steps to select providers with appropriate privacy, confidentiality and security standards. Where required, we rely on safeguards recognised under UK data protection law, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other approved contractual safeguards.

Where third-party providers process personal data on our behalf, they are expected to act only under our instructions, use personal data only for the relevant service, and maintain appropriate confidentiality and security protections. Some providers may act as independent controllers for certain activities, for example where they operate their own platform, account, legal or security obligations.

If you would like more details about where your data is stored or how it is safeguarded, you can contact us at management@smilestories.co.

5. How We Keep Your Information Safe

At Smile Stories, we take the security and confidentiality of personal information seriously and maintain appropriate organisational, technical and physical safeguards to help protect your data from accidental loss, unauthorised access, misuse, alteration or inappropriate disclosure.

These measures include:

• Using secure systems and software protected by strong passwords, access controls and, where available, multi-factor authentication.
• Restricting access to personal information so that only authorised team members, clinicians or approved support providers who require access for their role can view relevant information.
• Using secure cloud-based systems for patient management, consultation records, communication, reporting and file storage, selected based on security, confidentiality and reliability standards.
• Providing confidentiality, privacy and data protection training to team members handling personal information.
• Using secure transcription, note-support and communication tools to help maintain accurate records and continuity of care while minimising unnecessary manual handling of sensitive information.
• Protecting company devices and systems using device passwords, encryption where appropriate, antivirus software, firewalls and regular software/security updates.
• Securely storing physical records where required, although Smile Stories seeks to maintain digital records wherever reasonably possible.
• Applying reasonable safeguards around recordings, consultation materials, uploaded photographs and Smile Reports to reduce the risk of unauthorised access.

Access to personal information is limited to authorised individuals who reasonably require it to carry out their role, whether for patient care, enquiry handling, administration, consultation preparation or operational support. Team members are expected to comply with confidentiality obligations, internal policies, professional standards and data protection requirements. We take steps to ensure that personal information is handled sensitively, confidentially and in line with legal, professional and ethical obligations.

In limited circumstances, approved software developers, technical support providers or platform partners may access systems for maintenance, troubleshooting or technical support purposes. Such access is restricted to what is reasonably necessary, subject to confidentiality obligations and monitored where appropriate.

While we take reasonable and proportionate measures to protect personal information, no method of transmission over the internet or electronic storage system can be guaranteed to be completely secure. We therefore encourage care when sharing particularly sensitive information electronically and will continue to review and improve our safeguards where appropriate.

6. Cookies and Consent

Our website uses cookies and similar tracking technologies to help us understand how visitors use our site, improve your browsing experience, and provide relevant advertising.

What are Cookies?

Cookies are small text files stored on your device when you visit a website. Some cookies are essential for the website to function properly, while others help us improve our website or deliver more relevant content and advertising.

What Cookies We Use:

We use cookies for the following purposes:

• Essential cookies: Necessary for site functionality, such as online booking tools and our chatbot.
• Analytics cookies: To understand how visitors use our site, including tools such as Google Analytics and Hotjar.
• Advertising and tracking cookies: To help us understand how visitors interact with our website, improve the relevance of our advertising, measure marketing effectiveness and support enquiry or consultation journeys, including tools such as Facebook Pixel, TikTok Pixel and Google Ads.

Your Choices and Consent:

When you visit our website, you will see a cookie banner that allows you to:

• Accept All Cookies
• Reject Non-Essential Cookies
• Customise Your Preferences

You can change or withdraw your consent at any time by clicking on the Cookie Preferences button at the bottom of our website or by adjusting your browser settings.

7. Use of External Providers to Help Follow Up on Your Enquiry

At Smile Stories, we recognise that decisions relating to cosmetic dentistry, orthodontics, dental implants and elective healthcare often take time and may involve several conversations before treatment begins.

Where you enquire about treatment, request a Smile Assessment, upload photographs, book a consultation or express interest in treatment, we may contact you to help support your enquiry journey. This may include appointment reminders, consultation invitations, educational information, answers to questions, treatment-related updates and relevant follow-up communications.

To support this process, Smile Stories may use carefully selected communication, customer relationship management and workflow systems, together with authorised team members or trusted external support providers acting under our instructions.

This communication may take place by email, SMS, telephone, WhatsApp or other methods you have used to contact us or agreed to receive communications through.

We only share information reasonably necessary for these purposes, such as your name, contact details, treatment interests, enquiry status or relevant consultation information.

Where we rely on legitimate interests or the “soft opt-in” rules to communicate with people who have previously enquired about treatment, we aim to ensure communications remain relevant, proportionate and related to services you have shown an interest in.

You may opt out of non-essential communications at any time by following unsubscribe instructions, replying STOP where available or contacting us directly at management@smilestories.co.

Any third-party provider we work with is expected to maintain appropriate privacy, confidentiality and security standards and may only use personal information for authorised purposes.

8. Your Privacy Rights and How to Contact Us

Smile Stories Limited is registered with the UK Information Commissioner’s Office (ICO Registration Number: ZA294263).

If you have any questions about this privacy policy, how we handle your personal data, or if you would like to exercise any of your data protection rights, including requesting access to your information, correcting inaccuracies, withdrawing consent, requesting deletion where legally appropriate, restricting processing, objecting to certain uses, or requesting portability where applicable, please contact our Practice Manager.

This may include information held in relation to your treatment, enquiry, Smile Assessment, Smile Report, uploaded photographs, communications, recordings or consultation information where applicable.

Practice Manager
Smile Stories
Email: management@smilestories.co

We will respond to your request as promptly as possible and within the timeframes required by law.

If you are not satisfied with how we handle your personal data or feel we have not resolved your concern, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection.

ICO Contact Details:
Website: www.ico.org.uk
Helpline: 0303 123 1113

9. Data Breach Notification

While Smile Stories takes appropriate steps to protect personal information, no organisation can entirely eliminate the risk of security incidents. If we become aware of a personal data breach that may affect your rights or freedoms, we will respond promptly and in accordance with our legal obligations.

If required by law, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
• Inform any individuals directly affected without undue delay, where there is a risk to their rights or freedoms.

If you become aware of any security incident involving your data in connection with Smile Stories, please contact our Practice Manager immediately at management@smilestories.co.

10. How We Use Technology to Support Care and Communication

Smile Stories may use carefully selected digital tools, including transcription, note-support and communication technologies, to help improve record keeping, continuity of care, administrative efficiency and the quality of patient and enquiry experiences.

This may include the use of secure transcription or AI-assisted documentation tools to help our clinicians, care coordinators and team members maintain accurate records and focus more fully on the person in front of them.

During treatment discussions, consultations, virtual appointments or telephone conversations, we may use tools that support note keeping, transcription or recording where appropriate. This may include audio recording within treatment rooms for temporary transcription purposes, recorded virtual consultations, Zoom transcriptions or telephone call recording systems.

Treatment room audio recordings used to support note keeping are generally processed temporarily and deleted after transcription or incorporation into clinical notes where appropriate.

Virtual consultations may be recorded, including audio and video, to support consultation continuity, treatment discussions, complaint handling, quality assurance, training and accurate record keeping. Smile Stories aims to be transparent where consultations are recorded and will generally notify you in advance, at the start of the consultation and/or through the platform being used.

Telephone calls may also be recorded or transcribed to help maintain accurate records, support enquiry handling, staff training, quality assurance and continuity of communication.

Where recordings or transcriptions are retained, we generally seek to retain them only for as long as reasonably necessary and typically for no longer than 24 months unless incorporated into clinical records or required for legal, regulatory or complaint handling purposes.

Smile Stories clinicians remain responsible for all clinical decisions and recommendations. Technology tools used by Smile Stories are intended to support communication, administration, documentation and record keeping and are not used to independently diagnose conditions or make treatment decisions.

Smile Stories does not upload patient or lead photographs to AI systems for clinical assessment.

Thank you for trusting Smile Stories with your personal information.

Smile Stories Complaints Policy

Please follow this link for our complaints policy.