Privacy Policy
Effective Date: 06/01/2025
Last Updated: 10/17/2025
Smile Keeper ("we," "us," "our," or "Smile Keeper") respects your privacy and is committed to protecting the personal information and Protected Health Information (PHI) that you entrust to us through the Smile Keeper App platform (the "Service").
1. INFORMATION WE COLLECT
1.1 Information You Provide
- Account Information: Name, email address, phone number, practice name
- Credentials: Username and password (stored encrypted)
- Verification Information: Phone number for two-factor authentication
1.2 Information (PHI)
As a Business Associate under HIPAA, we process:
- Names
- Dates of birth
- Appointment information
- Photos and documents uploaded to records
- Folder and file organization data
1.3 Automatically Collected Information
- Usage Data: Features accessed, actions performed, timestamps
- Device Information: Browser type, operating system, device identifiers
- Log Data: IP addresses, access times, pages viewed
- Security Logs: Login attempts, authentication events, access patterns
2. HOW WE USE INFORMATION
2.1 To Provide Services
- Enable access to records and practice management features
- Facilitate synchronization with practice management systems
- Process and store uploaded photos and documents
- Provide user authentication and security features
2.2 For Security and Compliance
- Monitor for unauthorized access attempts
- Maintain audit trails as required by HIPAA
- Investigate security incidents
- Prevent fraud and abuse
2.3 For Communication
- Send service-related notifications
- Provide customer support
- Notify about changes to our policies
- Send security alerts
2.4 For Improvement
- Analyze usage patterns to improve features
- Troubleshoot technical issues
- Develop new functionalities
3. HOW WE SHARE INFORMATION
3.1 We DO NOT Sell Your Information
We never sell, rent, or trade your personal information or PHI.
3.2 Service Providers (Subcontractors)
We may share information with vendors who help us provide the Service:
- Infrastructure and hosting providers
- Practice management system integrators
- Authentication service providers
- Google Drive (when you explicitly connect this service for file storage)
All subcontractors sign agreements to protect PHI.
3.3 Legal Requirements
We may disclose information when required by:
- Law, regulation, or legal process
- Government authorities with proper authorization
- Court orders or subpoenas
- HIPAA-permitted disclosures
3.4 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your information may be transferred with appropriate protections.
3.5 With Your Consent
We may share information for purposes you specifically authorize.
4. DATA SECURITY
4.1 Technical Safeguards
- Encryption: Industry-standard encryption at rest and in transit
- Authentication: Multi-factor authentication required
- Access Controls: Role-based permissions
- Session Management: Automatic timeout after inactivity
- Third-Party Storage: When you use Google Drive integration, files are subject to Google's security measures and policies
4.2 Administrative Safeguards
- Regular security assessments
- Employee training on data protection
- Incident response procedures
- Business Associate Agreements with all vendors
4.3 Physical Safeguards
- Secure data centers
- Backup systems
- Disaster recovery procedures
4.4 SMS Communications and A2P 10DLC Compliance
This privacy policy complies with A2P 10DLC requirements.
- We use SMS only for two-factor authentication and service notifications
- We do not share mobile phone numbers with third parties for marketing purposes
- We do not share opt-in consent data with third parties
- All SMS communications require your consent
- You may opt-out of non-essential SMS at any time by replying STOP
- Message and data rates may apply
- We maintain records of consent as required by telecommunications regulations
5. YOUR RIGHTS AND CHOICES
5.1 Under HIPAA
For PHI, you have the right to:
- Access your health information
- Request corrections to your records
- Receive an accounting of disclosures
- Request restrictions on certain uses
- File a complaint with HHS
5.2 Account Information
You can:
- Update your profile information
- Change your password
- Enable/disable features
- Request account deletion
- Disconnect Google Drive integration
- Manage Google permissions through your Google account
5.3 Communications
You can opt out of non-essential communications but cannot opt out of service-related or security notifications.
6. THIRD-PARTY SERVICES
6.1 Practice Management Systems
We integrate with third-party practice management systems. These integrations are governed by separate agreements and their own privacy policies.
6.2 Cloud Storage Services
- Dental practices may connect their own cloud storage accounts
- We are not responsible for the privacy practices of these services
- You should review the privacy policies of any connected services
- We do not access or control data once transferred to external storage
6.3 Google Drive
- Optional integration requiring explicit authorization
- We don't store your Google credentials
- Files transferred to Google Drive are governed by Google's terms and privacy policy
- You retain full control through your Google account
7. GOOGLE SERVICES INTEGRATION
When you choose to connect Google Drive to the Service, we access Google services solely to store photos and documents in your designated Google Drive account. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.
We access only the minimum Google Drive permissions necessary to:
- Create folders for organization
- Upload files you select
- Manage files within designated folders
You may disconnect Google Drive at any time through your account settings. Files previously stored in Google Drive remain there after disconnection.
8. DATA RETENTION
8.1 Active Accounts
We retain your information while your account is active and as needed to provide services. Google Drive files follow Google's retention policies, not ours.
8.2 After Termination
- PHI is retained or destroyed per HIPAA requirements and your instructions
- Some information may be retained for legal compliance
- Audit logs are retained for the period required by law
8.3 De-identified Data
We may retain de-identified, aggregated data for analytics and improvement purposes.
9. CHILDREN'S PRIVACY
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.
10. CALIFORNIA PRIVACY RIGHTS
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what information we collect
- Right to delete personal information
- Right to opt-out of sale (we do not sell information)
- Right to non-discrimination
To exercise these rights, contact us at info@smilekeeper.app.
11. INTERNATIONAL DATA TRANSFERS
If you access the Service from outside the United States, your information may be transferred to and processed in the United States.
12. BREACH NOTIFICATION
In the event of a breach involving PHI, we will:
- Notify affected parties as required by HIPAA
- Cooperate with your practice's breach response
- Take steps to mitigate harm
- Document the incident and response
13. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance.
14. HOW TO CONTACT US
For privacy-related questions or to exercise your rights, contact:
Privacy Officer
3208 Ortega Ave, Lafayette, CA 94549
Email: info@smilekeeper.app
15. COOKIE POLICY
15.1 Essential Cookies
We use essential cookies for:
- User authentication
- Security features
- Session management
15.2 Analytics Cookies
With your consent, we may use analytics cookies to understand usage patterns.
15.3 Managing Cookies
You can control cookies through your browser settings, but disabling essential cookies may impact Service functionality.
16. LEGAL BASIS FOR PROCESSING
We process your information based on:
- Consent: When you agree to specific processing
- Contract: To provide the services you've requested
- Legal Obligation: To comply with HIPAA and other laws
- Legitimate Interests: For security, fraud prevention, and service improvement
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.
This website is not part of any of the practice management software mentioned above or their parent companies. Additionally, this site is not endorsed by any of the above-mentioned integration companies in any way.