Privacy Policy
Privacy Policy
This policy explains how personal and clinical workflow information may be handled when organizations use The Smile Longevity Lab platform. It is written as a long-form structured template and should be reviewed by qualified counsel before adoption.
Effective / last updated: May 1, 2026
Introduction
This Privacy Policy describes how The Smile Longevity Lab (“we,” “us,” or “our”) collects, uses, discloses, stores, and otherwise processes information when you access or use our websites, applications, APIs, and related services that link to this Privacy Policy (collectively, the “Services”).
The Services are designed for use by licensed clinicians, clinics, and authorized workforce members (“Professionals”) in connection with patient care workflows. Depending on how your clinic configures access, patients (“Patients”) may also access portions of the Services through invitation-based accounts.
Privacy expectations can vary materially by role (Professional versus Patient), by contractual arrangements between us and a clinic or enterprise customer (“Customer”), and by applicable law (including health privacy regimes). Where our Customer controls accounts and clinical records on behalf of a clinic, that Customer may be responsible for certain notices and rights processes as described below.
Who we are and how to contact us
The data controller for personal information processed through the Services may be The Smile Longevity Lab or the clinic / Customer organization that contracts for use of the Services, depending on context (for example, clinic-managed clinical records). Where multiple parties process personal information as independent controllers, each party’s responsibilities should be confirmed in your clinic agreements and internal privacy notices.
For privacy inquiries relating to the Services, contact us through the Contact page on this website or via the contact channels your clinic provides. If you are a Patient seeking access to medical records or corrections to clinical documentation, your clinic remains the primary point of contact for clinical record requests unless applicable law provides otherwise.
Scope
This Privacy Policy applies to personal information we process in connection with the Services. It does not apply to third-party websites, applications, or services that we do not control, even if linked from the Services.
If you access the Services as part of a clinic workforce, your employer’s policies may also apply to your use of employer-provided accounts and devices.
Key definitions
For readability, we use “personal information” to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with an identified or identifiable individual. Some jurisdictions use distinct definitions for “personal data” or “personal information,” and certain categories may receive heightened protections.
We use “health information” broadly to refer to information related to medical conditions, oral health assessments, clinical encounters, diagnostic impressions when entered by Professionals, treatment notes, and similar clinical content processed through the Services. Depending on context, some health information may be regulated as protected health information (“PHI”) under applicable health privacy laws where PHI exists and is created or maintained by a regulated covered entity or business associate.
Information we collect
We collect information in three primary ways: (1) information you or your clinic provide directly; (2) information collected automatically when you use the Services; and (3) information we receive from third parties at the direction of a Customer or as needed to operate integrations.
- Account and identity information: name, professional credentials where applicable, clinic affiliation, email address, phone number, authentication credentials (stored using secure methods), and role assignments.
- Clinical workflow content: patient demographics as entered by authorized users, visit metadata, structured assessments, scores and longitudinal outputs, attachments or uploads permitted by the Customer configuration, and clinician-entered notes.
- Communications: messages you send us for support, feedback, or legal inquiries, including metadata such as timestamps.
- Technical and usage data: IP address, device identifiers, browser type, operating system, approximate location derived from IP, pages viewed, referring URLs, diagnostics, error logs, security signals, and session telemetry needed to secure and operate the Services.
- Payment and billing information: where Customers purchase paid offerings, we may process billing contacts and transaction records; payment card processing may be handled by a payment processor.
Sources of personal information
We collect personal information directly from you when you register, sign in, submit forms, upload content, correspond with us, or otherwise interact with the Services.
We may also collect personal information from Customers (for example, clinic administrators provisioning accounts), from integration partners enabled by the Customer, from authentication providers used by the Customer, and from automated systems that generate logs during Service operation.
How we use personal information
We use personal information to provide, maintain, secure, analyze, and improve the Services; to authenticate users; to enforce access controls consistent with clinic roles; to generate outputs requested by authorized Professionals (such as reports and longitudinal scoring visualizations); to communicate operational notices; to provide customer support; to comply with law; and to protect rights, safety, and integrity of users and the Services.
Where permitted by contract and applicable law, we may use aggregated or de-identified information that cannot reasonably be used to identify an individual for analytics, research, product improvement, benchmarking, and public reporting.
- Operating core functionality: rendering dashboards, storing visit records, generating PDFs or exports configured by the Customer, and maintaining audit-relevant metadata where implemented.
- Security and abuse prevention: detecting fraud, credential stuffing, malware signals, and unauthorized access attempts.
- Compliance: responding to lawful requests, preserving records subject to legal holds, and fulfilling contractual obligations to Customers.
Legal bases (where applicable)
If you are located in the European Economic Area, Switzerland, or the United Kingdom, we rely on one or more legal bases under applicable data protection law, such as: performance of a contract; legitimate interests that are not overridden by your rights (for example, securing the Services); consent where required; compliance with legal obligations; and, where sensitive processing occurs, an applicable permissive ground under local law (which may include healthcare-related bases subject to professional secrecy rules and contractual commitments).
Because processing contexts differ (clinic-controlled clinical records versus purely operational contact details), the precise legal basis for a specific processing activity may depend on your relationship to us and your clinic’s instructions.
AI-assisted outputs and automated processing
Certain features may assist Professionals by generating draft narratives, summaries, or structured interpretations based on inputs authorized users provide. These outputs are intended as workflow assistance and do not replace independent professional judgment, examination, diagnosis where applicable, or treatment planning.
Where AI-assisted features are used, inputs necessary to generate outputs may be transmitted to model providers under contractual safeguards configured for enterprise SaaS environments. Customers should review applicable agreements, data processing terms, and clinic policies governing use of AI assistants with patient-related content.
You should not submit emergency medical information through chat-style interfaces unless your clinic explicitly configures workflows for that purpose. If you believe you are experiencing a medical emergency, call local emergency services.
Disclosures of personal information
We disclose personal information to service providers and subprocessors that assist us in hosting, infrastructure, authentication, logging, customer support, security monitoring, email delivery, payment processing, and other operational functions. These parties are permitted to use personal information only as instructed and subject to appropriate confidentiality and security obligations.
We may disclose personal information if we believe disclosure is required by law, regulation, legal process, or governmental request; to enforce our terms or investigate potential violations; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of users, the public, or us.
In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction subject to appropriate safeguards and notices required by law.
International transfers
We may process and store personal information in countries other than the country where you reside. Those countries may have data protection laws that differ from those where you live.
Where required, we implement appropriate safeguards such as standard contractual clauses or other lawful transfer mechanisms, supplemented by technical and organizational measures and risk assessments consistent with regulatory guidance.
Retention
We retain personal information for as long as necessary to provide the Services, fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may be dictated by clinic policies, regulatory requirements for clinical records, and backup cycles.
When personal information is no longer needed, we will delete or de-identify it in accordance with applicable law and contractual commitments, subject to minimum statutory retention periods.
Security
We implement administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, or alteration. Measures may include access controls, encryption in transit, monitoring, vulnerability management, least-privilege engineering practices, and workforce training.
No method of transmission or storage is completely secure. Users must protect credentials, enable multi-factor authentication where offered, and promptly report suspected unauthorized access.
Your privacy rights and choices
Depending on your location and the nature of the information, you may have rights to access, rectify, delete, restrict processing, object to processing, withdraw consent where processing is consent-based, or port certain information. You may also have rights related to automated decision-making where applicable law grants such rights and such decisions produce legal or similarly significant effects (not all product features constitute regulated automated decision-making).
If we process personal information on behalf of a Customer as a processor or service provider, we may need to direct certain requests to the Customer that controls the record. We will assist Customers as required by contract and law.
To exercise rights, contact us through the Contact page or follow instructions provided by your clinic. We may need to verify your identity before fulfilling requests and may decline requests that compromise others’ privacy, are impracticable, or are prohibited by law.
- EEA/UK/Switzerland: You may lodge a complaint with a supervisory authority.
- United States state privacy laws: Additional disclosures and rights may apply depending on residency and whether information is processed as “personal information” under those laws.
Incident response and notifications
We maintain procedures designed to detect and respond to security incidents. Where required by applicable law or contract, we will notify affected Customers and/or regulators and coordinate communications consistent with regulatory timelines and instructions from Customers responsible for end-user notices.
Children
The Services are not directed to children for independent sign-up. Where minors are patients, access and records handling should be managed by Parents/Legal guardians and authorized Professionals consistent with clinic policies and applicable law.
Third-party links and integrations
The Services may contain links to third-party websites or enable integrations configured by Customers. This Privacy Policy does not apply to those third parties. Their collection and use of information is governed by their own policies.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated policy with a revised “last updated” date and, where required by law or contract, provide additional notice (such as email notification or an in-product banner).
Your continued use of the Services after an update becomes effective constitutes acceptance of the revised policy unless applicable law requires explicit consent for certain changes.
Privacy contacts and regulatory inquiries
For general privacy questions, please use the Contact page. For formal regulatory correspondence or data protection authority inquiries, use the legal contact details provided by your contracting clinic or the designated privacy mailbox described in your enterprise agreement, if applicable.