Privacy Policy

Effective June 8, 2020

Welcome!

This Privacy Policy (“Policy”) describes how we collect, process, and share your Personal Data. We also describe Users’ rights and choices with respect to how we process your Personal Data and other important information. Please read this Policy carefully.

Who We Are

This is the Policy of Bid Doc Inc. (“SmileSnap,” “us,” “our,” or “we”), a Colorado corporation with offices at 3740 Dacoro Ln. #200, Castle Rock, CO 80109. You can contact us at [email protected].

Scope of this Policy

This Privacy Policy applies to our “Service” which includes our website at smilesnap.com and other sites that link to/post this Privacy Policy, (including any subdomains or mobile versions, the “Corporate Site(s)”) and our SmileSnap patient and clinic interface and SaaS platform (the “Platform”).

This Policy is incorporated into the Terms of Use governing your use of our Service. Any capitalized terms not defined in this Privacy Policy will have the definitions provided in our Terms of Use.

Disclaimer: Once an image, file, or any other information or data is downloaded, or is otherwise retrieved or saved outside the SmileSnap portal, it no longer enjoys the protections of the SmileSnap Portal. SmileSnap therefore shall neither be held responsible nor liable in relationship to such data once it exists outside the SmileSnap Portal

Your use of our Service indicates your acknowledgement of the practices described in this Policy.

Our Clients and other Third Parties

SmileSnap provides an interface for patients (our “Users”) to submit images of their dental, oral health, and other conditions to prospective providers of dentistry, orthodontic, and other oral care services (our “Clients”). Through our Service, our Clients and their authorized users (“Client Users”) can access these Users’ images and data in order to create and provide Users with quotes for treatment, communicate with Users, and perform other relationship management or related services.

This Policy only addresses how SmileSnap processes Personal Data. This Policy does not apply to our Clients, or describe how our Clients process Personal Data, including the Personal Data we collect on their behalf. Our Clients may process your Personal Data (including while using our Service) in ways that are not described in, or that are different from, the practices described in this Policy.

This Policy also does not apply to information processed by other third parties, for example, when you visit a third-party website or interact with third-party services. Please review any third party’s privacy policy before disclosing information to them.

Processing of Personal Data

Types of Personal Data we Process

We may process the following categories of data that relate to identified or identifiable individuals (“Personal Data”) (note, specific Personal Data elements listed in each category are only examples and may change):

Identity Data: Personal Data relating to an individual’s identity or representing that individual, such as your name, ID/driver’s license number, gender, date of birth, photo/avatar, username, persistent user identifiers/ID numbers, and biographical information.

Contact Data: Identity Data used to contact an individual, e.g. email address(es), physical address(es), phone number(s), or usernames/handles for online services.

Commercial Data Personal Data relating to your use of the Service, including your transactions/purchases, e.g. credit usage, contact frequency, pricing, and other similar information.

Device/Network Data: Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, identifiers from cookies, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies.

Health/Image Data: Personal Data contained in images and related metadata that show oral health, dental, or other medical conditions, and which may include sensitive health data.

Inference Data: Personal Data inferred about personal characteristics and preferences, such as demographics, interests, behavioral patterns, psychological trends, predispositions, or behavior.

Special Category Data: Personal Data revealing racial, national, or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health information, or information relating to sex life or sexual orientation.

User Content: Personal Data included in content provided by users of the Service in a free-form or unstructured format, such as in a “contact us” box, free text field, in a presentation, file, or document, or in messages.

Sources of Personal Data

We collect Personal Data from various sources based on the context in which the Personal Data will be processed:

You: We collect Personal Data from you directly, for example, when you input information into an online form, sign up for a waiting list, register, or contact us directly.

Your Devices: We may collect certain Personal Data automatically from your devices. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use our Service, access our Sites, or when you open our marketing communications.

Service Providers: We receive Personal Data from third parties with whom we have a relationship in connection with a relevant transaction, or who collect information on our behalf.

Data we create or infer: We (or third parties operating on our behalf) create and infer Personal Data (such as Inference Data) based on our observations or analysis of other Personal Data we process, and we may correlate this data with other data we process about you.

Clients: We collect data from Clients when they authorize us to collect data on their behalf or when they input information about you into our Service, e.g. in connection with a bid or quote.

How We Process Personal Data: Platform

When you use the Platform., we generally process your Personal Data in connection with the following activities and purposes, as well as for the general processing purposes described below.

User Account Registration

We generally process Identity Data, Device/Network Data, and Contact Data when Users or Client Users register and create an account on our Service. We primarily use this data as necessary to create, maintain, and provide Client Users with information about their account. We may also use Contact Data to correspond with Users or Client Users with informational messages regarding the Service, or in connection with other requests from those Users/Client Users.

Use of the Platform

We generally process Identity Data, Contact Data, Commercial Data, User Content and Device/Network Data when Users or Client Users access and use our Platform. We use this data as necessary to authenticate Users, deliver messages and notifications to Users or Client Users, and as otherwise necessary to provide our Service, operate the Platform, and carry out the processes and transactions the User, Client or, Client Users request. We may also collect and associate Personal Data with additional data relating to the volume and nature of Client Users’ use of our Service and process this data as necessary to determine billing or usage levels.

User Submissions & Quoting

When Users submit images and patient information to a Client for a quote for treatment services, or where a Client User interacts with a User’s file or record they receive, we generally process Identity Data, Health/Image Data, Contact Data, Device/Network Data, User Content, and Inference Data and we may share that data with the Client. This Personal Data may contain or reveal Special Category Data.

This data is processed primarily on behalf of our Clients as necessary to deliver the images to client, create a patient file and related quote, enable communications between the Client and User or about a User’s quote or other requests, and otherwise provide the Service and fulfill the requests of Users and Clients (e.g. quoting, patient communications, documentation, etc.) We may also use this data to create User account profiles so that you may submit information to other prospective providers without resubmitting your data. Note, certain additional information may be added to a submission you make to a prospective provider by its Authorized Users. This information may not be reflected in your User profile.

How we Process Personal Data: Corporate Site

When you use the Corporate Site, we generally process your Personal Data in connection with the following activities and purposes, as well as for the business purposes of processing described below.

Communications

You may contact us through our Corporate Site, or sign up for certain communications from us. In each case, we generally collect Contact Data, and any Identity Data or User Content that you provide in the registration form. This information is primarily used to respond to your request, but where you consent, or if relevant to your request and permitted by law, we may send you marketing communications as described further below.

Cookies and Similar Technologies

When you use our Service, you may interact with cookies and similar technologies that we operate on or allow access to our Service. We, and certain third parties, may automatically collect and process Device/Network Data and Inference Data when you interact with these cookies and similar technologies. In cases where these cookies and similar technologies are controlled by third parties, we may receive this data from third parties to the extent allowed by the applicable service provider or partner. Please note, some of these technologies can be used by third parties to identify you across platforms, devices, websites, and services. The privacy policies of third parties may apply to these third-party technologies and their own use of any Personal Data they collect.

Subject to Users’ rights and choices, we use this data as follows:

• for “essential” or “functional” purposes, such as to enable various features of the Service such as remembering passwords, or staying logged in during your session;
• for “analytics” purposes, consistent with our legitimate interests in how the Service is used or performs, how users engage with and navigate through the Service, what other sites users visit before visiting our Service, how often they visit our Service, and other similar information; and
• on our Corporate Site, for “retargeting” or similar advertising purposes, so that you can see advertisements from us on other websites. These technologies and the data they collect, may be used by advertisers to deliver ads that are more relevant to you based on content you have viewed, including content on our Corporate Site. These tracking technologies may also help prevent you from seeing the same advertisements too many times, and help us understand whether you have interacted with or viewed ads we’ve delivered to you. This collection and ad targeting may take place both on our Corporate Site, as well as on third-party websites that participate in the ad network (e.g. any advertisements delivered by that ad network on a third-party website).

Business Purposes of Processing

We process Personal Data for numerous purposes in connection with our business; for example, we process your Personal Data:

• To enable communications between Users and our Clients
• To fulfill our contractual obligations to you
• To provide, improve, and secure our products and services
• For customer service and workforce training/development
• To comply with the law, and in the public interest
• Please see below for more information regarding the purposes for which we process your Personal Data.

Service Provision and Contractual Obligations

We process any Personal Data as is necessary to provide our Service, authenticate users and their rights to access the Service or User data, and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request.

Personalization & Bids/Quoting

We process certain Personal Data as necessary in connection with our legitimate business interest in personalizing our Service, including analyzing Personal Data to identify potential suggested connections between patients and providers. For example, aspects of the Service may be customized to you so that it displays your name and relevant information regarding providers that may interest you. We may also customize content to reflect your display preferences, to show you features or data relevant to you, or other similar functionality.

Internal Processes and Service Improvement

We may use any Personal Data we process through our Service as necessary in connection with our improvement of the design of our Service, understanding how our Service is used or functions, for customer service purposes, in connection with the creation and analysis of logs and metadata relating to Service use, and for ensuring the security and stability of the Service. Additionally, we may use Personal Data to understand what parts of our Service are most relevant to users, how users interact with various aspects of our Service, how our Service performs or fails to perform, etc., or we may analyze use of the Service to determine if there are specific activities that might indicate an information security risk to the Service or our Users.

Aggregate Analytics

We use Personal Data (excluding Special Category Data) we process through our Service to create aggregate analytics relating to trends in how our Service is used and performs, to understand which aspects of our Service are most relevant to Users, and to create other reports regarding the use of our Service that we or our Clients may request from time to time. The resulting aggregate data will not contain information from which an individual may be individually identified. This processing is subject to Users’ rights and choices applicable to processing performed in accordance with our legitimate business interests.

Marketing Communications

We use Personal Data (excluding Special Category Data) as necessary to provide marketing communications. You may opt-in to these communications, or consistent with our legitimate business interests, we may send you marketing and promotional communications if you communicate with us about our Service, register for an account, or where otherwise permitted by law. We may also process Device/Network Data and Contact Data when you interact with our communications in connection with our interest in understanding communication response and open rates.This processing is subject to Users’ rights and choices applicable to processing performed in accordance with our legitimate business interests.

Compliance, Health, Safety & Public Interest

Note that we may, without your consent or further notice to you, and to the extent required or permitted by law, process any Personal Data for purposes determined to be in the public interest, where required by law, or as necessary in connection with the establishment or defense of our legal rights. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals, to establish claims for violations of applicable contracts, for authorized medical or public health purposes, or as otherwise in the public interest or required by a public authority. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Other Processing of Personal Data

If we process Personal Data in connection with our Service in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Users’ rights and choices) unless otherwise stated when you provide it.

Data Sharing

Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally share Personal Data with the following categories of recipients:

Clients: We process data on behalf of Clients and may share your Personal Data with Clients to the extent such information was provided to us for processing on the Client’s behalf or if you direct us to share that information with the Client. For example, any Identity Data, Contact Data, Device/Network Data, Health/Image or other Personal Data provided by a Client User or processed on the Client’s behalf may be shared with Clients, including when you submit a request for a quote.

Business Purposes: In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other lawful business interests, we may share Personal Data with service providers or subprocessors who provide certain services or process data on our behalf. For example, we may disclose information as part of our own internal operations, with vendors such as cloud-hosting providers, CRM providers, code management platforms, payment processors, IT security vendors, and other utilities or functions.

Affiliates: We may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies, for example, in order to streamline certain business operations, develop products and services that better meet the interests and needs of our customers, or to improve the quality and delivery of our Service.

Successors: Your Personal Data may be shared if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Lawful Recipients: In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, in the vital interests of us or any person, or in such other circumstances as may be required or permitted by law. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

Users’ rights and choices

Users’ Rights

Applicable law may grant you rights in your Personal Data. These rights vary based on your location, state/country of residence, and may be limited by or subject to our exemptions for certain laws, or other individuals’ rights.

Note: SmileSnap is primarily a processor of its Clients’ Personal Data. We may notify Clients of your rights requests; however, we may be unable to directly fulfill rights requests regarding Personal Data unless we are the controller of that information or have the necessary rights of access. SmileSnap may not have access to or control over all or some Personal Data controlled by Clients. Please contact the Client directly for data rights requests regarding Client-controlled information, and we will assist the Client as necessary to complete your request.

To the extent you have rights in Personal Data we control, you may submit requests to exercise rights you have by contacting us at [email protected]. All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you log in to your account or verify that you have access to your account or the email on file in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

For information regarding your California Privacy Rights (if you are a California resident), please see below. You may also have additional rights under other laws, including the Health Insurance Portability and Accountability Act of 1996 (as amended “HIPAA”).

Users’ Choices

It is possible for you to use portions of our Service without providing any Personal Data, but you may not be able to access certain features or view certain content. To the extent required under applicable law, and subject to our rights under applicable law, you may have the following choices regarding the Personal Data we process. Note: SmileSnap processes Personal Data primarily on behalf of its Clients. Some choices may be available only to certain Clients and Client Users, and your choices may be limited based on a Clients’ specifications and requirements.

Consent: If you consent to processing, you may withdraw your consent at any time, to the extent required by law.

Direct Marketing: You have the choice to opt-out of or withdraw your consent to processing related to direct marketing communications. You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You may exercise your choices via the links in our communications or by contacting us re: direct marketing using the information below. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

Cookies & Similar Tech: If you do not want information collected using cookies and similar technologies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu, or any menus we may make available to you. You must opt out of third-party services directly via the third party. For example, to learn more about or opt-out of Google’s analytics services, visit Google Analytics Terms of Use, the Google Privacy Policy, or Google Analytics Opt-out. Please note, currently our Service does not respond to your browser’s do-not-track request.

Other Processing: You may have the right under applicable law to object to our processing of your Personal Data that we undertake without your consent in connection with our legitimate business interests. You may contact us re: data rights requests as described above. Note that we may not be required to cease, or limit processing based solely on that objection, and we may continue processing cases where our interests in processing are balanced against individuals’ privacy interests.

Information Security

We implement and maintain reasonable security measures to safeguard the Personal Data we process. However, we sometimes share Personal Data with, or process data on behalf of third parties, as noted above. We require our service providers to follow certain security practices, in particular those that have access to Health/Image Data. However, we do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.

Data Retention

We retain Personal Data for the periods stated above, or if none, for so long as it remains relevant to its purpose or for so long as is required by law (if longer). As we process Personal Data on behalf of Clients, we may retain information for the periods requested by the Client or delete information upon the Client’s request. We will review retention periods periodically, and if appropriate, we may de-identify or anonymize data held for longer periods.

Minors

Our Service is intended for use by Clients and Client Users and is neither directed at nor intended for direct use by individuals under the age of 16. Do not access or use the Service if you are not of the age of majority in your jurisdiction.

International Transfers

We operate and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. may not provide the same legal protections of Personal Data as your home country. If you are a resident of the European Union, your Personal Data may be transferred to the U.S. pursuant to the E.U.-U.S. Privacy Shield Framework, the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law.

Your California Privacy Rights

Under the California Consumer Privacy Act (“CCPA”) and other California laws, California residents may have the following rights, subject to your submission of an appropriately verified request (see below for verification requirements):

Privacy Rights

Right to Know

You may have the right to request any of following, for the 12 month period preceding your request: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties to whom we have sold your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Right to Delete

You may have the right to have us delete (or deidentify) certain Personal Data that we hold about you, subject to exceptions under applicable law.

Right to Non-Discrimination

You may have the right to not to receive discriminatory treatment as a result of your exercise of any rights conferred by the CCPA.

Direct Marketing

You may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes (if any) during the preceding calendar year.

Opt-Out of Sale

At this time, we do not sell Personal Data. If we engage in sales of Personal Data in the future (as defined by applicable law), you may direct us to stop selling or disclosing Personal Data to third parties for commercial purposes.

Submission of Rights Requests

You may submit requests, via at [email protected]. See below for information regarding information that you must submit to verify your identity.

Verification of Rights Requests

All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you provide the email address we have on file for you (and verify that you can access that email account) and we may request additional information such as an address, phone number, or other data we have on file, in order to verify your identity. Depending on the sensitivity of the Personal Data you request and what type of request you submit, we may request additional information from you. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

Supplemental Data Processing Disclosures

Categories of Personal Data Disclosed for Business Purposes

For purposes of the CCPA, we may disclose to Service Providers for “business purposes” the following categories of Personal Data: Identity Data, Contact Data, Device/Network Data, Inference Data, User Content, and to the extent permitted by law, Health/Image Data, and Special Category Data.

Data Sale

For purposes of the CCPA, we do not “sell” your Personal Data.

Right to Know