Legal
Privacy Policy
Effective 8 May 2025
1. Who we are
SmileProof (“we”, “us”, “our”) operates the dental review platform at smileproof.co.uk. We are the data controller for personal information collected through this platform.
You can contact us about privacy matters at hello@smileproof.co.uk.
This policy explains what personal data we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data we collect and why
We collect personal data in the following contexts:
Reviewers
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Send a verification link to confirm you visited the practice | Legitimate interests (review integrity) |
| Display name or initials | Shown publicly alongside your review | Consent (you choose what to enter) |
| Review content and ratings | Published on the practice profile | Consent |
| Treatment date and price | Aggregated for price transparency data; not shown individually | Consent |
| Follow-up preference | Send a 3-month outcome check-in if you opt in | Consent |
Practice owners
| Data | Purpose | Legal basis |
|---|---|---|
| Email address and name | Create and manage your practice account | Contract |
| Practice information | Displayed on your public profile | Contract |
| Subscription and billing data | Process payments via Stripe | Contract |
| Login activity | Account security and fraud prevention | Legitimate interests |
All visitors
| Data | Purpose | Legal basis |
|---|---|---|
| IP address and browser data | Security, abuse prevention, and anonymous analytics | Legitimate interests |
| Page view events | Show practice owners how many times their profile was viewed | Legitimate interests |
| Approximate location (if you grant permission) | Show nearby dental practices in search results | Consent |
3. Cookies
SmileProof uses cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication and security. These cannot be disabled.
- Analytics cookies — anonymised usage data to help us understand how the platform is used. You can opt out via your browser settings.
We do not use advertising or tracking cookies, and we do not sell or share your data with advertising networks.
4. How we share your data
We share personal data only where necessary:
- Supabase — our database and authentication provider, hosted in the EU. Data is processed under a Data Processing Agreement.
- Resend — used to send transactional emails (verification links, review invites). Only your email address and the content of the email are shared.
- Stripe — processes payments for practice subscriptions. We do not store card details; Stripe handles all payment data under their own privacy policy.
- Anthropic— review text may be sent to Anthropic's API to generate anonymised AI summaries. No personally identifiable information is included in these requests. Summaries are cached in our database; raw review text is not stored by Anthropic under our API agreement.
- Legal obligations — we may disclose data to law enforcement or regulators where required by law.
We do not sell your personal data to any third party.
5. How long we keep your data
- Reviews — retained indefinitely while the practice is listed, as they form the public record. You may request removal (see section 6).
- Account data — retained for as long as your account is active, then deleted within 90 days of account closure.
- Email addresses (reviewers) — retained for 24 months to allow follow-up check-ins if opted in, then deleted.
- Page view events — aggregated after 12 months; raw event data is deleted.
- Server logs — retained for up to 30 days for security purposes.
6. Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (“right to be forgotten”). Note that removing a review may not be possible where it forms part of a verified public record, but we will consider each request.
- Restriction — ask us to limit how we process your data while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email hello@smileproof.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data security
We use industry-standard measures to protect your personal data, including encrypted connections (TLS), row-level security on our database, and access controls that limit which team members can view personal information. No transmission over the internet is completely secure — if you believe your data has been compromised, please contact us immediately.
8. Children
SmileProof is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has submitted data to us, please contact us and we will delete it promptly.
9. International transfers
Our primary infrastructure is located within the UK and EU. Where data is transferred outside the UK (for example, to Anthropic's US-based API), we ensure appropriate safeguards are in place, including standard contractual clauses approved by the ICO.
10. Changes to this policy
We may update this policy periodically. Material changes will be flagged by updating the effective date at the top of this page. We encourage you to review this policy from time to time. Continued use of SmileProof after changes are posted constitutes acceptance of the revised policy.
11. Contact
For any privacy questions or to exercise your rights, contact us at hello@smileproof.co.uk.