Privacy Policy

Introduction
Data protection has a particularly high priority for Smylor (hereinafter: "we", "us"). We consider it our primary responsibility to maintain the confidentiality of the personal data you provide to us and to protect it from unauthorized access. Therefore, we use the utmost care and state-of-the-art security standards to ensure maximum protection of your personal data.
With the information presented below, we provide you with an overview of the processing of your personal data that arises in connection with the use of our website, accessible via https://smylor.com/ (hereinafter "web").
We also want to inform you about your rights under data protection laws. We always process your personal data in accordance with the General Data Protection Regulation (hereinafter "GDPR"), the Telecommunications and Telemedia Data Protection Act (hereinafter "TTDSG") and all applicable country-specific data protection regulations.

1 Responsibility
The responsible controller in the context of GDPR is:
Smylor Limited
Address: 24 Rowan Park, Lismonaghan, Letterkenny, Co. Donegal, Ireland F92 N7D1
E-mail: privacy@smylor.com
Website: https://smylor.com/

2 Data Protection Officer
You can reach our data protection officer as follows:
Name: Nikita Serkevich
Email: privacy@smylor.com

You can contact our data protection officer directly with all questions and suggestions regarding data protection and the exercise of your rights.

3 Definition
This privacy policy is based on the terms of the GDPR. For your convenience, we would like to explain some important terms in this context:
• Personal Data: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

• Data subject: The data subject is any identified or identifiable natural person whose personal data is processed by the controller.

• Processing: Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Recipient: A recipient is a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not a third party. However, authorities that may receive personal data in the context of a specific investigative task under Union or Member State law are not considered recipients.

• Third Party: a third party is a natural or legal person, public authority, agency, or other body other than the Data Subject, the Controller, the Processor, and the persons authorized to process the Personal Data under the direct responsibility of the Controller or the Processor.

• Consent: Consent is any expression of will in the form of a declaration or other unambiguous affirmative action made voluntarily by the data subject for the specific case in an informed manner and in an unambiguous manner, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

4 Origin of the personal data
We may obtain personal information in the following ways:

4.1 Information provided by you
You have the possibility to provide information about yourself on the platform.

4.2 Automatically collected and generated data
When you use our website, we collect personal data about you.

5 Scope, purpose, storage period and, if applicable, recipients and third country transfer of the respective processing of personal data

5.1 General information
In the following, we will give you an overview of which personal data we process. For this purpose, we explain to what extent and for what purposes. In addition, we indicate - if available - which third-party providers we use to receive your data. Finally, we inform you whether a third country transfer takes place in the respective processing by the third-party provider.
The provision of your personal data is always voluntary. However, it may be that the respective functionality only works with your information.
We will not disclose your personal data to third parties without your consent, unless this is permitted by law (e.g. because it is necessary for the performance of the contract).

5.2 Data transfers to third countries
If we transfer personal data to a third country for processing, we ensure compliance with Art. 44 et seq. GDPR. That means that before any transfer of personal data to third parties in a country outside the European Union ("EU") or the European Economic Area ("EEA"), we check whether an adequate level of protection is ensured.
An adequate level of protection can be ensured, among other things, by the fact that an adequacy decision of the EU Commission is available, that we have concluded standard data protection clauses with the recipient and have taken further additional measures, or that the third-country transfer is permitted under other guarantees regulated in Art. 46 et seq. GDPR. Where the data transfer is based on Art 46, 47 or 49 (1) GDPR, you may obtain from us a copy of the safeguards for the existence of an adequate level of data protection in relation to the data transfer or an indication of the availability of a copy of the safeguards. Copies of these guarantees can be requested from us.

5.3 Data deletion
The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data has ceased to apply or they are not required for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. That means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

5.4 Security measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with the legal requirements, considering the state of the art, the implementation costs and the nature, scope, circumstances, and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.
The measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as access to, input of, disclosure of, assurance of availability of, and segregation of data relating to you. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data compromise.
Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software, and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings. Further information can be found here: Data Security & Safety | Smylor-Dental Treatment Marketplaces.

5.5 Transfer of personal data
During our processing of personal data, it may happen that the data is transferred to other bodies, companies, legally independent organizational units, or persons or that it is disclosed to you. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a web app. In such cases, we comply with the legal requirements and conclude corresponding contracts or agreements with the recipients of the data that serve to protect your data.

6 The processing of your personal data

6.1.1 Provision of the Website
When you visit our website, data is automatically processed that your browser transmits to our server. This general data and information is stored in the server's log files (in so-called "server log files"). The following can be collected:
• Browser type and version
• Operating system used
• Referrer URL (previously visited website)
• Host name of the accessing computer
• Date and time of the server request
• IP address
As a hosting provider we use TelemaxX Telekommunikation GmbH, whose servers are located in Germany for our German and other EU country purposes.
We also use Datasource AG, Bösch 69, CH-6331 Hünenberg in Switzerland for our Swiss country purposes.

6.1.2 Purpose of the processing
When using this general data and information, we do not draw any conclusions about you. The purposes pursued by us include in particular:
• the guarantee of a smooth connection set-up of the website,
• the clarification of acts of abuse or fraud,
• problem analysis in the network, and
• the evaluation of system security and stability.

6.1.3 Legal basis
The legal basis for data processing is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.

6.1.4 Storage period
The log files are stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further retention is required for evidentiary purposes will be retained until the matter has been finally clarified.

6.1.5 Recipients of personal data
We use the following service providers: Smylor Data Sub-Processors

6.2 Registration in the web app/ Creation of a user account

6.2.1 Scope of processing
To use our web app, you must first register. Therefore, we process the following personal data:
• IP address (anonymized)
• Username (freely selectable)
• E-mail address

6.2.2 Purpose of processing
The purpose of the processing is to perform authentication and manage your user account.

6.2.3 Legal basis
The legal basis for the data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
When using the single sign-on procedure with a third-party service, the legal basis is your consent within the meaning of Art. 6 (1) (a) GDPR.

6.2.4 Storage period
We delete your personal data that we collect in connection with the registration of the web app as soon as it is no longer required to achieve the purpose for which it was collected. This is the case at the latest when you have deleted your account and one year has passed.

6.2.5 Recipients of personal data
We use the following recipients: Smylor Data Sub-Processors

6.3 Use of the platform

6.3.1 Scope of processing
We can provide you with the benefits of our platform if certain required personal data is collected. This includes the following personal data:
• IP address (anonymized)
• Date and time of the retrieval and the amount of data transferred and the message whether the data exchange was complete.
• Time zone
• Web app crash information
• Browser type and operating system

6.3.2 Purpose of processing
The purposes we pursue include, in particular:
• Technical operation of the website
• Ensuring smooth connection establishment of the web app,
• Investigation of acts of abuse or fraud,
• Problem analyses in the network, as well as
• the evaluation of system security and stability.

6.3.3 Legal basis
The legal basis for data processing is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.

6.3.4 Storage period
We delete your personal data that we collect in connection with use as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case at the latest when you have deleted your account and one year has passed.

6.3.5 Recipients of personal data
We use the following providers: Smylor Data Sub-Processors

6.4 Cookies use
6.4.1 Scope of processing
We use cookies on our web site (smylor.com) and for logged in Smylor members on our dental treatment marketplace platform sites. Anonymous users of our platform sites are cookie free unless otherwise notified.
Cookies are small text files that are stored on the device memory of your mobile device and assigned to the web app you are using. Cookies cannot execute programs or transmit viruses to your mobile device and therefore cannot cause any damage. They serve to make our web app more user-friendly and effective overall, i.e., more pleasant for you. Cookies can contain data that make it possible to recognize the end device used. In some cases, however, cookies only contain information about certain settings that are not personally identifiable. However, cookies cannot directly identify a user.
From a legal point of view, a distinction must be made between essential and non-essential cookies.

6.4.2 Essential cookies
We use essential cookies. These are cookies that are technically necessary to provide all functions of our web app. The legal basis for the data processing is our legitimate interest according to Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.

6.4.3 Non essential cookies
We also use non-essential cookies (e.g., analysis and marketing cookies). These are cookies that are not technically necessary. We use them to understand your behavior on our web app and to improve our offer. The legal basis for the data processing is your consent pursuant to Art. 6 (1) (a) GDPR. The cookies are only set after you have given your consent via our cookie banner.

6.4.4 Storage period
Regarding the storage period, the following types of cookies must be distinguished:
-Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after you close the web app.
-Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when you visit our web app again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage period of cookies (e.g., in the context of obtaining consent), it can be assumed that cookies are permanent, and the storage period can be up to two years.

6.4.5 Google Analytics

6.4.5.1 Scope of processing
The web app uses functions of the web analytics service Google Analytics. Through Google Analytics, we process the following personal data, among others:
• Request time
• IP address
• Online identifiers (including cookie identifiers)
• Device identifiers
• Technical characteristics of users (e.g., browser type and version, device type, operating system).
• Measurement of usage behavior (e.g., views of individual pages / content, views of content from different areas, session duration / dwell time, bounce rate).
• Use of individual functionalities of the web app
• Referral URL (the previously visited page)

6.4.5.2 Purpose of processing
With the help of Google Analytics, we analyze your user behavior in order to make decisions regarding product and marketing optimization based on the results.

6.4.5.3 Legal basis
The legal basis for the use of Google Analytics is your voluntary and revocable consent pursuant to Art. 6 (1) (a) GDPR.
You can consent to the processing of your data by Google Analytics using our Consent Manager, prevent the collection of your data, or revoke consent once given. To revoke, simply call up the cookie settings in the web app again.

6.4.5.4 Storage period
Personal data will be anonymized by Google 26 months after your last activity unless there is a legal obligation to retain it.

6.4.5.5 Recipients of personal data
Your data will be passed on to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to the extent necessary. Google | Privacy Policy

6.4.6 Book an appointment

6.4.6.1 Scope of processing
You have the possibility to book an appointment via our service. Therefore, we process the following personal data:
• First and last name (if stated by you)
• Gender
• Date of Birth
• Telephone Number
• E-Mail address
• Date and time of the request
• Treatment
• Practitioner Name
• Communication content

6.4.6.2 Purpose of processing
We process your data to enable the booking of an appointment with your dentist.

6.4.6.3 Legal basis
If your request is based on pre-contractual measures or an existing contract with us, the legal basis is the performance of the contract and the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.
If your request is made independently of pre-contractual measures or existing contracts with us, our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR constitute the legal basis. We have an overriding legitimate interest in providing users of our application with a possibility by which they can contact us.

6.4.6.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which they were collected. In the context of contact inquiries, this is generally the case when the circumstances indicate that the specific matter has been conclusively processed.

6.4.6.5 Recipients of personal data
To enable your booking, the respective dentist, you made an appointment with, receives your personal data as stated above, to fix the appointment.
Please find the recipients here: Smylor Data Sub-Processors

6.4.7 Support and contact options

6.4.7.1 Scope of processing
You have the possibility to contact us via e-mail (privacy@smylor.com).
In the context of contacting, you and answering your inquiry, we process the following personal data:
• First and last name (if stated by you)
• E-Mail address
• Date and time of the request
• Communication content

6.4.7.2 Purpose of processing
We process your data to respond to your inquiry and other matters arising from it.

6.4.7.3 Legal basis
If your request is based on pre-contractual measures or an existing contract with us, the legal basis is the performance of the contract and the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.
If your request is made independently of pre-contractual measures or existing contracts with us, our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR constitute the legal basis. We have an overriding legitimate interest in providing users of our application with a possibility by which they can contact us.

6.4.7.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. In the context of contact inquiries, this is generally the case when the circumstances indicate that the specific matter has been conclusively processed.

6.4.7.5 Recipients of personal data
Please find the recipients here: Smylor Data Sub-Processors

6.4.8 Chatbot

6.4.8.1 Scope of processing
You have the possibility to converse with us or a Smylor registered dentist via a chatbot on our website(s).
In the context of supporting the chat conversation between you and us, or a Smylor registered dentist, we may process the following personal data:
• First and last name (if stated by you)
• Date of Birth
• E-Mail address
• Date and time of the request
• IP address (anonymized)
• Communication content (including potential personal dental health information, which we will request additional permission to process)

6.4.8.2 Purpose of processing
We process your data to respond to your inquiry and other matters arising from it. Additionally, if you consent to, we can use your provided data to create a profile automatically.

6.4.8.3 Legal basis
If your request is based on pre-contractual measures or an existing contract with us, the legal basis is the performance of the contract and the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.
If your request is made independently of pre-contractual measures or existing contracts with us, our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR constitute the legal basis. We have an overriding legitimate interest in providing users of our application with a possibility by which they can contact us.
If you have not logged in as a Smylor user, but at the end of the conversation you consent to register, our legal basis is Art. 6 (1) a GDPR.

6.4.8.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. In the context of chat conversations, this is generally the case when the circumstances indicate that the specific matter has been conclusively processed.
At the end of a conversation, if you have not logged in or agreed to register with Smylor, any conversations will be treated as anonymous and will be deleted within 7 days.

6.4.8.5 Recipients of personal data
Please find the recipients here: Smylor Data Sub-Processors

6.4.9 Dentist Practice Registration

6.4.9.1 Scope of processing
You have the possibility to contact us via e-mail (privacy@smylor.com).
In the context of you registering with us we process the following personal data:
• First and last name (if stated by you)
• E-Mail address
• Date and time of the request
• Communication content

6.4.9.2 Purpose of processing
We process your public domain email address to identify you as a legitimate dental practice as part of the registration process. This public domain email address will be used for two factor authentication as part of validating the registration process

6.4.9.3 Legal basis
If your request is based on pre-contractual measures or an existing contract with us, the legal basis is the performance of the contract and the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.
If your request is made independently of pre-contractual measures or existing contracts with us, our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR constitute the legal basis. We have an overriding legitimate interest in providing users of our application with a possibility by which they can contact us.

6.4.9.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. In the context of contact inquiries, this is generally the case when the circumstances indicate that the specific matter has been conclusively processed.

6.4.9.5 Recipients of personal data
Please find the recipients here: Smylor Data Sub-Processors

7 Your rights
In this section, we inform you about the rights you have regarding the processing of your data. The exact scope of the right mentioned in each case can be found in the corresponding article of the General Data Protection Regulation (GDPR). Data subject inquiries should generally be addressed to us or our data protection officer via e-mail to privacy@smylor.com.

7.1 Right to confirmation
You have the right to request confirmation from us as to whether personal data concerning you is being processed.

7.2 Information (Art. 15 GDPR)
You have the right to receive information from us at any time free of charge about the personal data stored about you, as well as a copy of this data in accordance with the statutory provisions.

7.3 Rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, considering the purposes of the processing.

7.4 Erasure (Art. 17 GDPR)
You have the right to demand that personal data concerning you be deleted without delay if one of the reasons provided for by law applies and insofar as the processing or storage is not necessary.

7.5 Restriction of processing (Art. 18 GDPR)
You have the right to request that we restrict processing if one of the legal requirements is met.

7.6 Data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, common, and machine-readable format. Furthermore, you have the right to transfer this data to another controller without hindrance by us, to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR. Art. 6 (1) (b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
In addition, when exercising your right to data portability pursuant to Article 20 (1) GDPR, you have the right to have the personal data transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.

7.7 Objection (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your situation, to the processing of personal data concerning you which is carried out on the basis of data processing in the public interest pursuant to Art. 6 (1) (e) GDPR or on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.

7.8 Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time with effect for the future.

7.9 Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection.

8 Up-to-datedness and changes of the privacy policy
This privacy notice is currently valid and has the following status: June 2023.