PRIVACY POLICY

Effective Date: April 01, 2026 | Version: 1.0

At The Smile Co. Dental, we believe your personal information deserves the same care and trust you place in us when you walk through our doors. This Privacy Policy explains, in plain and simple language, what information we collect, why we collect it, how we use it, and the rights you have over your own data.

This policy applies to all visitors and patients who interact with us through our website (www.thesmilecodental.com), our appointment booking forms, or through any off-platform communication channels such as WhatsApp or email.

This Privacy Policy has been prepared in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 (hereinafter referred to as "the Act") and other applicable Indian laws, including the Information Technology Act, 2000.

1. Key Definitions

To help you understand this policy, here is what we mean by some key terms:

Important Terms

Personal Data — Any information that can identify you as an individual, such as your name, phone number, or email address.

Sensitive Personal Data — Information of a sensitive nature such as your health records, prescriptions, dental history, or clinical notes.

Data Principal — You, the patient or website visitor whose personal data is being processed.

Data Fiduciary — The Smile Co. Dental, which determines the purpose and means of processing your personal data.

Processing — Any operation performed on your personal data, including collection, storage, use, sharing, or deletion.

Consent — Your free, specific, informed, unconditional, and unambiguous agreement to provide your personal data for a stated purpose.

Grievance Officer — The designated person at our clinic who handles your data-related complaints and concerns.

2. What Personal Data We Collect

We believe in collecting only what is truly necessary. We follow the principle of data minimisation — meaning we do not ask for information we do not need.

2.1 Data Collected on Our Website

When you interact with us through our website, we collect only the following:

• Full Name — to address you correctly and identify your appointment.

• Email Address — to send appointment confirmations and follow-up communications.

• Phone Number — to contact you regarding your appointment and provide clinical support.

We do not collect any other information beyond what is listed above through our website forms, except where you choose to provide any other information voluntarily.

2.2 Data You Share Via WhatsApp or Email (Off-Platform)

As a dental healthcare provider, patients sometimes voluntarily share additional health-related information with us outside our website — typically via WhatsApp or email. This may include:

• Dental X-rays, photographs, or clinical reports

• Prescriptions or medical history documents

• Descriptions of symptoms, pain levels, or ongoing health conditions

• Referral letters, prescriptions from other healthcare professionals

Important Note on Health Data

Health-related information is considered Sensitive Personal Data and is handled with a higher level of care, discretion, and security. It is used solely for the purpose of providing you with the appropriate dental treatment and clinical care.

2.3 Automatically Collected Technical Data

When you browse our website, certain technical data may be automatically collected through cookies or third-party tools. This may include your browser type, device type, pages visited, and approximate geographic location. We use this solely to improve the performance and user experience of our website.

3. Why We Collect Your Data — Purpose Limitation

We will never use your data for purposes beyond those listed here. Your information is collected strictly for the following reasons:

• Booking, confirming, rescheduling, or cancelling dental appointments. Appointment Scheduling:

• Sending reminders, post-treatment follow-up messages, or clinical advice. Clinical Communication:

• Understanding your dental health to provide accurate diagnosis and treatment. Providing Dental Services:

• Maintaining clinical records as required under Indian laws. Legal and Regulatory Compliance:

• Understanding how visitors use our website to make it more helpful and accessible. Website Improvement:

We will not use your personal data for automated decision-making that has a significant effect on you, nor will we use it for targeted advertising beyond the scope described in Section 6 of this policy.

4. Consent — Your Agreement & How to Withdraw It

Under the Digital Personal Data Protection Act, 2023, your consent must be Free, Specific, Informed, Unconditional, and Unambiguous. We are committed to upholding each of these principles.

4.1 How We Obtain Your Consent

By submitting the forms on this website, you are giving us your explicit, informed consent to process your data for the purposes described above.

Consent through off-platform channels (such as WhatsApp) is implied when you voluntarily initiate contact with our clinic and share information for the purpose of receiving dental care.

4.2 How to Withdraw Your Consent

You have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing carried out before the withdrawal. To withdraw your consent:

• Send an email to hello(at)thesmilecodental(dot)com with the subject line: "Withdraw Consent — [Your Name]"

• Clearly state the data and/or the purpose for which you are withdrawing consent.

• Our team will process your request within 30 (thirty) days of receipt.

Please note: Withdrawal of consent for clinical data may affect our ability to provide you with continuity of dental care. We will inform you of any such implications before processing your withdrawal.

5. Your Rights as a Data Principal

The DPDP Act, 2023 grants you — as a Data Principal — the following rights with respect to your personal data held by us:

5.1 Right to Access Information

You have the right to request a summary of the personal data we hold about you and the purposes for which it is being processed. We will respond to your request within a reasonable timeframe.

5.2 Right to Correction and Updation

If any personal data we hold about you is inaccurate, incomplete, or outdated, you have the right to request correction or updation. We will act on such requests promptly.

5.3 Right to Erasure

You have the right to request the deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw your consent. Note that we may be required to retain certain clinical data under applicable Indian healthcare laws even after a deletion request.

5.4 Right to Grievance Redressal

If you believe your data rights have been violated, you have the right to raise a grievance with our designated Grievance Officer (see Section 9). If you are not satisfied with the outcome, you may escalate the matter to the Data Protection Board of India as and when it becomes operational.

5.5 Right to Nominate

You may nominate another individual who shall exercise your data rights on your behalf in the event of your death or incapacity, in accordance with the DPDP Act, 2023.

To exercise any of the rights listed above, please contact our Grievance Officer at hello(at)thesmilecodental(dot)com. We will acknowledge your request within 72 hours and resolve it within 30 days.

6. Third-Party Integrations & Data Sharing

Our website integrates with the following third-party platforms to improve our services, marketing reach, and online visibility. We are transparent about how each of these may interact with your data.

6.1 Facebook & Instagram (Meta Platforms)

Our website includes links to our Facebook and Instagram pages, and we may use Meta Pixel for marketing analytics. Meta may collect information about your browsing behaviour on our website to show you more relevant advertisements across its platforms. This is governed by Meta's own Privacy Policy (available at www.facebook.com/privacy/policy/).

You can opt out of Meta's interest-based advertising through your Facebook/Instagram account settings or via the Digital Advertising Alliance's opt-out tool.

6.2 Google Maps

Our website embeds Google Maps to display our clinic's location and to help patients navigate to us. When you interact with the Google Maps feature, Google may collect location data and usage data in accordance with Google's Privacy Policy (available at policies.google.com/privacy). We do not receive any identifiable information from Google Maps.

6.3 Google Analytics (if applicable)

We may use Google Analytics to understand how visitors interact with our website. This tool collects anonymised data such as page views, session duration, and traffic sources. No personally identifiable information is shared with Google through this integration.

6.4 No Sale of Your Data

Our Commitment

We do not sell, rent, trade, or commercially transfer your personal data to any third party for their independent marketing or commercial use. Period.

6.5 Disclosure Required by Law

We may disclose your personal data to government authorities, law enforcement agencies, or regulatory bodies if we are legally required to do so under applicable Indian law. We will notify you of such disclosure where legally permissible.

7. Data Security — Our Obligations as Data Fiduciary

As the Data Fiduciary responsible for your personal data, we take our security obligations seriously. We have implemented reasonable and appropriate technical and organisational measures to protect your data from unauthorised access, loss, misuse, alteration, or disclosure.

7.1 Security Measures We Follow

• Access control: Only authorised clinic staff can access your personal data.

• Secure communication: Our website uses SSL/HTTPS encryption to protect data transmitted online.

• Health data handling: Sensitive health records shared via WhatsApp or email are stored securely and accessed only by treating clinical staff.

• Staff training: Our team is trained to handle patient data with confidentiality and discretion.

• Device security: Devices used to store patient data are password-protected and kept secure.

7.2 Personal Data Breach

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant data protection authority as required by the DPDP Act, 2023. We will communicate the nature of the breach, the data affected, and the steps we have taken to contain and remediate it.

8. How Long We Retain Your Data

We retain your personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by applicable law — whichever is longer.

After the applicable retention period, personal data will be securely deleted or anonymised so that it can no longer identify you.

9. Cookies & Tracking Technologies

Our website may use cookies — small data files stored on your device — to improve your browsing experience, remember your preferences, and support analytics and marketing integrations (Facebook Pixel, Google Analytics).

You may choose to disable cookies through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of parts of our website. We recommend reviewing your browser's help guide for instructions on managing cookies.

10. Data of Minors

We are mindful that dental care includes patients of all ages, including children. We do not knowingly collect personal data from individuals below the age of 18 years without the explicit consent of their parent or legal guardian.

If a parent or guardian submits information on behalf of a minor for the purpose of booking a dental appointment, they confirm by doing so that they are the lawful custodian of the minor and consent to the processing of the minor's relevant health data strictly for clinical purposes.

11. Grievance Redressal — Contact Our Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer to address any concerns, complaints, or requests related to your personal data.

Designated Grievance Officer

Name: Dr. Puja Saha, BDS

Role: Clinic Lead & Data Fiduciary Representative

Email: hello(at)thesmilecodental(dot)com

Address: 40/1, Dum Dum Park, North Kolkata, West Bengal

Hours of Availability: Tuesday–Saturday (Morning & Evening) | Sunday (Morning) | Monday (Evening)

Please submit your grievance in writing (via email) with the subject line: "Data Grievance — [Your Name]". We will acknowledge receipt within 72 (seventy-two) hours and endeavour to resolve the matter within 30 (thirty) days of receipt.

If you are not satisfied with our resolution, you have the right to approach the Data Protection Board of India (once constituted and operational) under the DPDP Act, 2023.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Effective Date" at the top of this document.

We encourage you to review this policy periodically. Continued use of our website or services after any changes constitutes your acceptance of the updated policy. Where required by law, we will seek fresh consent.

13. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of India, including but not limited to:

• The Digital Personal Data Protection (DPDP) Act, 2023

• The Information Technology Act, 2000, and its Rules

• Any other applicable legislation enacted by the Government of India or the State of West Bengal

Any disputes arising under this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Kolkata, West Bengal.