Smile Keeper

Privacy Policy

Last updated: December 10, 2025

Effective Date: 06-01-2025
Last Updated: 10-17-2025

Smile Keeper ("we," "us," "our," or "Smile Keeper") respects your privacy and is committed to protecting the personal information and Protected Health Information (PHI) that you entrust to us through the Smile Keeper App platform (the "Service").

1. INFORMATION WE COLLECT

1.1 Information You Provide

- Account Information: Name, email address, phone number, practice name
- Credentials: Username and password (stored encrypted)
- Verification Information: Phone number for two-factor authentication

1.2 Information (PHI)

As a Business Associate under HIPAA, we process:
- Names
- Dates of birth
- Appointment information
- Photos and documents uploaded to records
- Folder and file organization data

1.3 Automatically Collected Information

- Usage Data: Features accessed, actions performed, timestamps
- Device Information: Browser type, operating system, device identifiers
- Log Data: IP addresses, access times, pages viewed
- Security Logs: Login attempts, authentication events, access patterns

2. HOW WE USE INFORMATION

2.1 To Provide Services

- Enable access to records and practice management features
- Facilitate synchronization with practice management systems
- Process and store uploaded photos and documents
- Provide user authentication and security features

2.2 For Security and Compliance

- Monitor for unauthorized access attempts
- Maintain audit trails as required by HIPAA
- Investigate security incidents
- Prevent fraud and abuse

2.3 For Communication

- Send service-related notifications
- Provide customer support
- Notify about changes to our policies
- Send security alerts

2.4 For Improvement

- Analyze usage patterns to improve features
- Troubleshoot technical issues
- Develop new functionalities

3. HOW WE SHARE INFORMATION

3.1 We DO NOT Sell Your Information

We never sell, rent, or trade your personal information or PHI.

3.2 Service Providers (Subcontractors)

We may share information with vendors who help us provide the Service:
- Infrastructure and hosting providers
- Practice management system integrators
- Authentication service providers
- Google Drive (when you explicitly connect this service for file storage)

All subcontractors sign agreements to protect PHI.

3.3 Legal Requirements

We may disclose information when required by:
- Law, regulation, or legal process
- Government authorities with proper authorization
- Court orders or subpoenas
- HIPAA-permitted disclosures

3.4 Business Transfers

If we are involved in a merger, acquisition, or asset sale, your information may be transferred with appropriate protections.

3.5 With Your Consent

We may share information for purposes you specifically authorize.

4. DATA SECURITY

4.1 Technical Safeguards

- Encryption: Industry-standard encryption at rest and in transit
- Authentication: Multi-factor authentication required
- Access Controls: Role-based permissions
- Session Management: Automatic timeout after inactivity
- Third-Party Storage: When you use Google Drive integration, files are subject to Google's security measures and policies

4.2 Administrative Safeguards

- Regular security assessments
- Employee training on data protection
- Incident response procedures
- Business Associate Agreements with all vendors

4.3 Physical Safeguards

- Secure data centers
- Backup systems
- Disaster recovery procedures

4.4 SMS Communications and A2P 10DLC Compliance

This privacy policy complies with A2P 10DLC requirements.
- We use SMS only for two-factor authentication and service notifications
- We do not share mobile phone numbers with third parties for marketing purposes
- We do not share opt-in consent data with third parties
- All SMS communications require your consent
- You may opt-out of non-essential SMS at any time by replying STOP
- Message and data rates may apply
- We maintain records of consent as required by telecommunications regulations

5. YOUR RIGHTS AND CHOICES

5.1 Under HIPAA

For PHI, you have the right to:
- Access your health information
- Request corrections to your records
- Receive an accounting of disclosures
- Request restrictions on certain uses
- File a complaint with HHS

5.2 Account Information

You can:
- Update your profile information
- Change your password
- Enable/disable features
- Request account deletion
- Disconnect Google Drive integration
- Manage Google permissions through your Google account

5.3 Communications

You can opt out of non-essential communications but cannot opt out of service-related or security notifications.

6. THIRD-PARTY SERVICES

6.1 Practice Management Systems

We integrate with third-party practice management systems. These integrations are governed by separate agreements and their own privacy policies.

6.2 Cloud Storage Services

- Dental practices may connect their own cloud storage accounts
- We are not responsible for the privacy practices of these services
- You should review the privacy policies of any connected services
- We do not access or control data once transferred to external storage

6.3 Google Drive

- Optional integration requiring explicit authorization
- We don't store your Google credentials
- Files transferred to Google Drive are governed by Google's terms and privacy policy
- You retain full control through your Google account

7. GOOGLE SERVICES INTEGRATION

When you choose to connect Google Drive to the Service, we access Google services solely to store photos and documents in your designated Google Drive account. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

We access only the minimum Google Drive permissions necessary to:
- Create folders for organization
- Upload files you select
- Manage files within designated folders

You may disconnect Google Drive at any time through your account settings. Files previously stored in Google Drive remain there after disconnection.

8. DATA RETENTION

8.1 Active Accounts

We retain your information while your account is active and as needed to provide services. Google Drive files follow Google's retention policies, not ours.

8.2 After Termination

- PHI is retained or destroyed per HIPAA requirements and your instructions
- Some information may be retained for legal compliance
- Audit logs are retained for the period required by law

8.3 De-identified Data

We may retain de-identified, aggregated data for analytics and improvement purposes.

9. CHILDREN'S PRIVACY

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

10. CALIFORNIA PRIVACY RIGHTS

California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what information we collect
- Right to delete personal information
- Right to opt-out of sale (we do not sell information)
- Right to non-discrimination

To exercise these rights, contact us at info@smilekeeper.app.

11. INTERNATIONAL DATA TRANSFERS

If you access the Service from outside the United States, your information may be transferred to and processed in the United States.

12. BREACH NOTIFICATION

In the event of a breach involving PHI, we will:
- Notify affected parties as required by HIPAA
- Cooperate with your practice's breach response
- Take steps to mitigate harm
- Document the incident and response

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance.

14. HOW TO CONTACT US

For privacy-related questions or to exercise your rights, contact:

Privacy Officer
Arbor Labs, Inc.
[Address]
[City, State ZIP]
Email: info@smilekeeper.app
Phone: [Phone Number]

You may also file a complaint with:

U.S. Department of Health & Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201

15. COOKIE POLICY

15.1 Essential Cookies

We use essential cookies for:
- User authentication
- Security features
- Session management

15.2 Analytics Cookies

With your consent, we may use analytics cookies to understand usage patterns.

15.3 Managing Cookies

You can control cookies through your browser settings, but disabling essential cookies may impact Service functionality.

16. LEGAL BASIS FOR PROCESSING

We process your information based on:
- Consent: When you agree to specific processing
- Contract: To provide the services you've requested
- Legal Obligation: To comply with HIPAA and other laws
- Legitimate Interests: For security, fraud prevention, and service improvement

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.

If you have any questions about our privacy policy, please contact us.