This Privacy Notice describes the manner in which personal data is collected through this website and the associated services we provide, together with how such data is processed, used, and disclosed in accordance with the United Kingdom General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and other applicable laws of the United Kingdom. The website at https://caspersmile.uk/, together with our products, services, the Caspersmile Tracker application, mobile applications, online platforms, partner clinic referrals, and any other software, including all related content, technology, and tools, are collectively referred to in this Privacy Notice as the “Site.” CASPERSMILE LTD, a company registered in England and Wales with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX, together with its affiliates, subsidiaries, and related entities (referred to herein as “Caspersmile,” the “Company,” “we,” “us,” or “our”), and the suppliers engaged on its behalf, may obtain or otherwise come into possession of the categories of personal data described below as a consequence of your access to, or interaction with, the Site (collectively, the “Collected Information”). For the purposes of UK data protection law, the Company acts as the data controller in respect of the Collected Information, save where otherwise expressly stated. The provisions of this Privacy Notice apply to every visitor and user of the Site located in the United Kingdom.

Where, in the course of providing our products and services, we process information that constitutes data concerning your health within the meaning of Article 9 of the UK GDPR — including your dental assessment responses, photographs of your teeth or smile, at-home impression kit results, and any clinical information generated in connection with the provision of clear aligner treatment — such processing is undertaken in accordance with the safeguards set out in this Privacy Notice and is subject to the professional duty of confidence owed by any registered dental practitioner involved in your treatment. Where you attend a Caspersmile partner clinic for a 3D dental scan or other in-clinic service, the relevant clinic acts as a separate, independent data controller in respect of the clinical records it creates during your appointment, and that clinic will provide you with its own privacy notice at that time.

This Privacy Notice further describes the rights and choices afforded to you under UK data protection law in connection with your personal data, the manner in which any modifications to this Privacy Notice will be communicated, and the channels through which you may submit inquiries or concerns relating to any matter addressed herein.

This Privacy Notice is incorporated by reference into, and forms an integral part of, our Terms of Use, any end user licence agreement applicable to our mobile applications (including the Caspersmile Tracker App), and any other agreement that references this Privacy Notice or otherwise governs access to or use of the Site (collectively, our “Terms”).

By accessing, browsing, or otherwise making use of the Site, or by accepting or entering into our Terms, you acknowledge—on your own behalf and on behalf of any organisation or company you represent (collectively referred to as “you”)—that you have read and understood this Privacy Notice. Where the lawful basis for any particular processing activity is your consent, you provide such consent freely and may withdraw it at any time as further described below. Should you not agree with any aspect of this Privacy Notice, you must refrain from accessing or otherwise using the Site.

Table of Contents

Changes to this Privacy Notice

Information We Collect and How We Use It

Lawful Bases for Processing

Other Information Collected

International Transfers of Personal Data

Retention of Personal Data

Automated Decision-Making

Your Rights Under UK Data Protection Law

Exercise Your Rights

Accuracy & Information Security

Children’s Privacy

Third-Party Websites and Site

Contact Us & Data Protection Queries

Changes to this Privacy Notice

The Company reserves the right, in its sole discretion, to revise, amend, or otherwise update this Privacy Notice at any time. Any such revisions shall take effect immediately upon publication of the updated Privacy Notice on the Site, and your continued access to or use of the Site following the posting of such revisions shall constitute your acknowledgement of the modified terms. Where the lawful basis for processing is consent, your continued use of the Site does not, by itself, constitute fresh consent, and any further consent required by law will be sought separately. In the event of any material modifications, we will provide reasonably prominent notice on the Site or, where appropriate, communicate the changes by alternative means, including by electronic mail.

Information We Collect and How We Use and Disclose It

The categories of personal data that we collect may generally be characterised as falling within one of the two groupings described below.

Personal data acquired through your engagement with the Site, including without limitation behavioural or activity data, information processed by the servers that operate the Site (such as IP addresses and device-related details), data captured by analytics and advertising platforms, information generated when you authenticate or share content via social media services, treatment-progress data submitted through the Caspersmile Tracker App, and data obtained through cookies and similar technologies (subject to the consent requirements imposed by PECR).

Personal data that you affirmatively and voluntarily provide to us, such as your contact details, account information, dental assessment responses, treatment preferences, photographs of your teeth, at-home impression kit results, and any other identifying information you elect to submit.

Collection. We will collect any and all personal data that you elect to provide to us through, by means of, or in connection with the Site. The principal categories of such personal data, together with examples and the purposes for which each may be processed, are set forth in the table below.

Examples and Subcategories Purposes (defined below)

Identifiers. Your given name and surname, email address, postal address, telephone number, and date of birth, together with any usernames, login credentials (including, without limitation, passwords), and social media account identifiers and login details. Such information may be processed for the following purposes: Site Operation; Communication with You. Provision of Clear Aligner Treatment. Personalisation; Advertising; Analytics. Promotional Communications. Disclosing Collected Information. Evaluation and Improvement. Quality Assurance. De-Identified and Aggregated Data. Lawful Processes; Protection of Company. Business Transactions.

Demographic Information. Your age, gender, and other demographic characteristics where you elect to provide them. Such information may be processed for the following purposes: Personalisation; Advertising; Analytics. Evaluation and Improvement. De-Identified and Aggregated Data.

Dental Assessment Data. Your responses to our online dental assessment, including information about your dental concerns, treatment preferences, previous orthodontic treatment, photographs of your teeth or smile, and any related information you submit to enable us to assess your eligibility for clear aligner treatment. Such information may be processed for the following purposes: Provision of Clear Aligner Treatment. Site Operation; Communication with You. Evaluation and Improvement. Quality Assurance. De-Identified and Aggregated Data.

Internet or Other Electronic Network Activity. Web browser type and version, IP addresses, MAC addresses, server log files, login data, cookies, pixels, beacons, additional unique online identifiers, and details concerning your device and online conduct (including search terms, dates and times of access, websites visited, duration of any visit, and other usage indicators). Information of this nature may, in certain circumstances, constitute personal data under UK data protection law. Such information may be processed for the following purposes: Personalisation; Advertising; Analytics. Promotional Communications. Evaluation and Improvement. Quality Assurance. De-Identified and Aggregated Data. Lawful Processes; Protection of Company.

Commercial Information. The volume and nature of orders placed (including clear aligners, retainers, night guards, mouth guards, and other products), the Site or products requested or purchased, payment plan selected (including Klarna, Shop Pay, or Partial.ly instalment arrangements), and information related to delivery and shipping within the United Kingdom. Such information may be processed for the following purposes: Provision of Clear Aligner Treatment. Site Operation; Communication with You. Promotional Communications. Evaluation and Improvement. Business Transactions.

Geolocation Information. Approximate geographic location derived from your IP address, used in particular to determine your proximity to partner clinics within the United Kingdom. Such information may be processed for the following purposes: Provision of Clear Aligner Treatment. Personalisation; Advertising; Analytics. Evaluation and Improvement.

Contact Forms and Requests for Information or Support. The Identifiers you supply, particulars about the products or services in which you have expressed interest, the entity (if any) that you represent, and the subject matter of your inquiry. Such information may be processed for the following purposes: Site Operation; Communication with You. Promotional Communications. Evaluation and Improvement. Quality Assurance.

Chat, Video Consultations, and Messaging. The Identifiers you supply, together with any text, content, audio, video, or other information that you input or transmit via chat, free video impression-guidance sessions, customer service telephone calls, and messaging functionalities (where such functionalities are made available to you). Such information may be processed for the following purposes: Site Operation; Communication with You. Provision of Clear Aligner Treatment. Quality Assurance. Evaluation and Improvement. Lawful Processes; Protection of Company.

Tracker App Data. Where you use the Caspersmile Tracker App for remote monitoring of your treatment progress, the photographs, videos, treatment-stage data, device identifiers, and related information you submit through the app. Such information may be processed for the following purposes: Provision of Clear Aligner Treatment. Site Operation; Communication with You. Evaluation and Improvement. Quality Assurance.

Inferences. Conclusions, including but not limited to those concerning preferences, conduct, characteristics (such as age and gender), suitability for particular treatment plans, and other comparable indicators, that may be derived from the categories of personal data identified above. Such information may be processed for the following purposes: Personalisation; Advertising; Analytics. Provision of Clear Aligner Treatment. Promotional Communications. Evaluation and Improvement.

Purposes We Process Your Information For.

Beyond the uses and disclosures referenced above, the Company and its suppliers may further process and disclose Collected Information in the manner set forth below. The Company will not use, sell, lease, or otherwise disclose Collected Information except as expressly described in this Privacy Notice or as otherwise required or permitted by applicable law. Each of the processing purposes described in this section corresponds to one or more lawful bases under Article 6 (and, where applicable, Article 9) of the UK GDPR, as further explained in the section entitled “Lawful Bases for Processing” below.

Site Operation; Communication with You. We will use and disclose your personal data and other Collected Information for the purpose for which such information was originally obtained, including, by way of illustration, the processing of and communication regarding your interactions with the Site (such as orders placed and account-related activity), the handling of requests for information, the management of any User-Generated Content you provide, the administration of your account (where applicable), the conduct of the Company’s business operations, the provision of customer support to users of the Site, and the delivery of communications you have specifically requested. The lawful bases for such processing are typically the performance of a contract to which you are a party (Article 6(1)(b)) and our legitimate interests in operating the Site (Article 6(1)(f)).

Provision of Clear Aligner Treatment. We process your personal data, dental assessment responses, photographs, and at-home impression kit results in order to assess your eligibility for clear aligner treatment, prepare a 3D smile preview, design and manufacture your custom aligners, arrange shipping to your address within the United Kingdom, refer you to partner clinics for 3D dental scans where appropriate, and otherwise to provide the products and services you have requested. Where such processing involves data concerning health within the meaning of Article 9 of the UK GDPR, the lawful basis for processing is your explicit consent (Article 9(2)(a)) or, where applicable, the necessity for the provision of health or social care or treatment in accordance with section 11 of and Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018.

Personalisation; Advertising; Analytics. We may process your personal data in order to customise the content and communications presented or delivered to you, to provide tailored guidance and assistance, and otherwise to personalise your overall experience while accessing or using the Site. In addition, we may share your personal data with our third-party service providers to analyse how the Site is used and to support its continued enhancement (each as further described in the “Analytics” section below). Furthermore, we, or our third-party service providers acting on our behalf, may use such information to direct advertisements for our products and services to you and to display those advertisements on other websites. The deployment of cookies and similar tracking technologies for these purposes is undertaken on the basis of your prior consent in accordance with PECR, which consent you may withdraw at any time via our cookie preference centre. Where personal data is processed for personalisation or analytics independently of cookie deployment, we rely on our legitimate interests (Article 6(1)(f)) or, where required, your consent (Article 6(1)(a)).

Promotional Communications. Subject to applicable law and consistent with your stated preferences, the Company may use Collected Information to deliver promotional communications regarding the Company and its products and services, including offers, sales, and information about new aligner plans, retainers, night guards, and accessories. In accordance with PECR, we will obtain your prior opt-in consent before sending direct marketing by electronic means (including email , SMS  and calls), save in those limited circumstances in which the “soft opt-in” exception applies—that is, where you are an existing customer who provided contact details during the course of a sale (or negotiations for a sale) of similar products or services, and you were given a clear opportunity to refuse marketing both at the time of collection and in each subsequent communication. Such communications may be customised in accordance with your preferences, including by reference to inferences drawn from your visits to the Site or your engagement with the links contained in our emails. You should be aware that pixel tags, cookies, and similar tracking technologies may be embedded in such emails to register your interactions and to determine when emails are opened, subject to the consent requirements imposed by PECR. You may withdraw your consent to receive promotional communications at any time, free of charge, by following the unsubscribe instructions provided in any such email, by replying “STOP” to any SMS message, or by contacting us through the means set forth under “Contact Us” below. With particular regard to text messaging, where you affirmatively opt in to receive SMS or MMS messages on the Site, the Company may transmit text messages to the telephone number you supply in connection with your use of the Site. Consent to receive text messages is not a precondition to the purchase of any goods or services or to the conduct of any other business with us. Standard message and data charges levied by your mobile network operator may apply. Your opt-in status to a Company SMS marketing campaign will not be shared with any third party for purposes unrelated to the operation of that campaign, save that such status may still be disclosed for the purpose of fraud prevention. Even where you withdraw consent to receive promotional communications, you may continue to receive administrative communications from us related to your treatment, your order, or your use of the Site, where the lawful basis for such communications is the performance of a contract or our legitimate interests.

Disclosing Collected Information.

a. To our Affiliates, Subsidiaries, and Related Entities: Depending upon the manner in which you utilise the Site and the information you supply to us or request from us, we may share your name, contact details, and other associated Collected Information with our affiliated entities that offer products or services that, in our reasonable judgment, may be of interest to you. Where required by UK GDPR or PECR, we will obtain your prior consent before any such disclosure for marketing purposes. Any such affiliated entity may communicate with you directly regarding the relevant products and services, subject to the prior receipt of your consent where required. You retain the right to opt out of receiving communications from any such affiliate in accordance with that affiliate’s own policies, and you may also opt out of receiving communications from us by contacting us through the means identified under “Contact Us” below.

b. To Partner Clinics and Dental Professionals: Where you elect to visit a Caspersmile partner clinic for a 3D scan, or where your treatment otherwise requires the involvement of a registered dental practitioner, we will share with that clinic or practitioner such of your personal data, dental assessment responses, and clinical information as is necessary to enable them to provide the relevant services to you. Such clinics and practitioners act as independent data controllers for their own clinical use of your data and are subject to professional duties of confidence in addition to UK data protection law.

c. To Our Third-Party Suppliers and Service Providers: We may disclose Collected Information to the suppliers, vendors, and service providers engaged by us or by our affiliates, to the extent necessary to enable us to make the Site, products, and services available to you, and otherwise to permit the use and sharing of Collected Information consistent with this Privacy Notice and applicable law. Such third parties act as our processors (within the meaning of Article 4(8) of the UK GDPR) and process personal data only on our documented instructions and under written contracts that satisfy the requirements of Article 28 of the UK GDPR. Such third parties include, by way of illustration and without limitation, our website management and hosting providers, marketing and advertising partners and service providers, customer support contractors, entities engaged to handle the processing and delivery of mailings and shipping, cloud storage providers, web analytics providers, payment processors (including Klarna, Shop Pay, and Partial.ly), aligner manufacturers and laboratories, courier and delivery partners, and electronic mail and SMS delivery vendors.

Evaluation and Improvement. We may use and disclose Collected Information for the purpose of analysing, developing, and refining the content, materials, products, and services we provide; informing our marketing and communication strategies; obtaining a better understanding of user demographics and preferences; assessing the effectiveness of the Site; and evaluating user requirements in order to tailor the content and overall user experience accordingly. Additionally, we may use such information to better understand—on both an aggregated and individualised basis—how users access and engage with the Site, including by monitoring, evaluating, and analysing the popularity of particular Site features and pages, conducting troubleshooting, generating statistical data (for example, to identify the geographic distribution of Site visitors), reviewing frequently asked questions, and pursuing other related statistical objectives. The lawful basis for such processing is our legitimate interests (Article 6(1)(f)) in maintaining and improving the Site.

Quality Assurance. In furtherance of quality assurance, the continual improvement of the customer experience, the detection and prevention of fraud, and the support of our customer service personnel (including representatives operating in our call centre and our free 1-on-1 video impression-guidance sessions), we employ tools that monitor and record certain user-experience information, including, without limitation, audio recordings of customer service telephone calls, video recordings of consultations, and any related information arising from those interactions. Where calls or video sessions are recorded, we will provide a clear notice prior to recording in accordance with applicable law. The lawful basis for such processing is our legitimate interests (Article 6(1)(f)) in ensuring service quality and preventing fraud.

De-Identified and Aggregated Data. We may anonymise or aggregate personal data and User-Generated Content, and aggregate other Collected Information, and use and disclose such anonymised or aggregated data in furtherance of our business purposes, in each instance to the extent permitted by applicable law. Where data has been effectively anonymised such that an individual is no longer identifiable, that data falls outside the scope of UK data protection law. To the extent we generate anonymised or aggregated information, we will adopt reasonable measures intended to maintain such information in anonymised or aggregated form, and we will not undertake to re-identify such data, except for the limited purpose of confirming the effectiveness of our anonymisation and aggregation processes.

Lawful Processes; Protection of Company. We may use and disclose Collected Information in compliance with, and in response to, requests from regulatory authorities (including the Information Commissioner’s Office and the Care Quality Commission where applicable), courts of competent jurisdiction, valid law enforcement inquiries, governmental agency demands, emergency response services, and other appropriate third parties, in furtherance of legal, protective, security, and safety objectives. We may further use and share Collected Information with third parties where we determine that such use or disclosure is necessary or appropriate to safeguard our rights or those of others, including for the purpose of enforcing our agreements, policies, and terms; commencing or defending legal proceedings; protecting our operations and assets; or pursuing remedies or otherwise mitigating damages we may sustain. The lawful bases for such processing are compliance with a legal obligation (Article 6(1)(c)) and our legitimate interests (Article 6(1)(f)).

Business Transactions. Should the Company experience a change in control, acquisition, merger, reorganisation, sale of assets (whether in whole or in part), or any analogous transaction, we may transfer, sell, share, or otherwise disclose Collected Information to the resulting owner or successor entity. Collected Information may likewise be disclosed in connection with the evaluation and negotiation of any such transaction, subject to appropriate confidentiality safeguards. Any such successor, owner, or other recipient will be bound by the provisions of this Privacy Notice as applied to the information disclosed, or will provide a level of protection no less stringent than that set out herein. The lawful basis for such processing is our legitimate interests (Article 6(1)(f)) in conducting business transactions.

With Your Consent. Subject to your consent (Article 6(1)(a)), we may use and disclose your personal data and other Collected Information in additional manners not specifically described in this Privacy Notice. Where consent is the lawful basis for processing, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Disclosures to Third Parties.

Consistent with, and in furtherance of, the purposes for which we collect your personal data as described in this Privacy Notice, we disclose certain categories of personal data to specified third parties for legitimate business purposes. All such disclosures are subject to written agreements that satisfy the requirements of UK data protection law.

Payment. All payments tendered in connection with the Site must be made directly through the Site by means of a credit card, debit card, or such alternative payment methods (for instance, Klarna, Shop Pay, Partial.ly, Apple Pay, Google Pay, or PayPal) as may be made available from time to time. Where alternative payment methods are offered, please be advised that those facilities are operated by independent third parties, and the use of such methods is governed by the privacy policy of the relevant third party. This Privacy Notice does not extend to such third party’s collection or use of your personal data, and you are encouraged to consult that third party’s privacy policy directly. With respect to credit and debit card payments, all card information is transmitted directly to our third-party payment processor in accordance with the Payment Card Industry Data Security Standard (PCI DSS), and the Company does not directly access, handle, or retain your credit or debit card data. To complete a payment via the Site, you may be required to provide your name, email address, telephone number, and the card number, expiration date, and security code, together with any further information necessary to verify the transaction. Our payment processor will use such payment-related information consistent with its own privacy policy.

User-Generated Content. You bear sole responsibility for any data, information, images, communications, documents, and other content that you input, submit, create, post, upload, transmit, or otherwise furnish through or by means of the Site, including by submitting feedback, participating in forums or discussion boards, uploading or providing photographs of your teeth or smile, posting product reviews or testimonials, commenting on blog posts, or completing a user account or profile. The term “User-Generated Content” refers to all data, feedback, information, images, communications, documents, and other content that is entered into, submitted on, posted to, uploaded to, transmitted through, streamed via, created on, displayed on, or otherwise made available through the Site by you or on your behalf. All User-Generated Content is provided at your own risk. We cannot guarantee that User-Generated Content you supply will not be viewed by individuals not authorised to receive it. We may make User-Generated Content available, including on a publicly accessible basis, to other users of the Site or to the general public, in our sole discretion and as appropriate. You are reminded that any personal data of third parties that you submit must be supplied in compliance with UK data protection law, and you confirm that you have a lawful basis for submitting such information.

Job Applications. If you submit to us, or via the Site, a CV, employment application, or any related materials, we may process such information to evaluate your professional qualifications and to consider or otherwise respond to your inquiry or application. The lawful basis for such processing is the taking of steps at your request prior to entering into a contract (Article 6(1)(b)) and our legitimate interests (Article 6(1)(f)) in recruiting suitable staff. We will retain such information for no longer than is necessary for those purposes, in accordance with our recruitment retention schedule.

Lawful Bases for Processing

In accordance with Article 5(1)(a) and Article 6 of the UK GDPR, we will only process your personal data where we have a lawful basis for doing so. The lawful bases on which we rely depend on the specific processing activity and are summarised below.

Consent (Article 6(1)(a)): Where you have given clear and affirmative consent for us to process your personal data for one or more specific purposes—for example, to receive direct marketing by email ,Calls and  SMS, to deploy non-essential cookies on your device, or to share your data with partner clinics for clinical purposes. You may withdraw your consent at any time, free of charge, as described elsewhere in this Privacy Notice.

Performance of a Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party (for example, to supply the clear aligners or other products you have ordered) or in order to take steps at your request prior to entering into such a contract (for example, to assess your eligibility for treatment).

Legal Obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject under the laws of the United Kingdom—for example, in connection with tax, accounting, consumer protection, product safety, or anti-money-laundering requirements.

Vital Interests (Article 6(1)(d)): In exceptional circumstances, where processing is necessary to protect the vital interests of you or another natural person—for example, in a medical emergency.

Legitimate Interests (Article 6(1)(f)): Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests include operating, maintaining, and improving the Site; preventing fraud and ensuring network and information security; conducting direct marketing to existing customers (subject to PECR); defending legal claims; and conducting business transactions. Where we rely on legitimate interests, we have conducted (or will conduct) a balancing test to ensure that our interests are not overridden by your rights, and you have the right to object to such processing as described under “Your Rights Under UK Data Protection Law” below.

Special Category Data (Article 9 of the UK GDPR): To the extent that we process data concerning your health (including dental assessment responses, photographs of your teeth, and at-home impression kit results) in connection with the provision of clear aligner treatment, we do so on the basis of your explicit consent (Article 9(2)(a)) or, where applicable, the necessity for the provision of health or social care or treatment by or under the responsibility of a health professional (Article 9(2)(h), read together with section 11 of and Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018).

Other Information Collected

As you navigate the Site, certain information may be passively collected by means of various technologies. The categories of information so collected, and the methods used in connection with such collection, are described below. The deployment of such technologies on your device is subject, where required, to the consent requirements imposed by PECR.

User Activity. We obtain information regarding the manner in which the Site is used, including, without limitation, the features that you access, the links upon which you click, the search terms you employ, transactional data generated through the Site, the manner in which you interact with other users, performance metrics, and other indicators of usage. We further collect data automatically transmitted by your browser whenever you visit the Site (referred to as “Log Data”). Such Log Data may include, among other items, your computer’s Internet Protocol (“IP”) address, browser type and version, the pages of our website that you visit, the date and time of your visit, the duration of your visit to those pages, and other comparable statistics.

IP Addresses and Related Data. The servers used to operate and deliver the Site may collect information concerning you and the equipment, software, and means of communication you employ to access the Internet and the Site, including the IP addresses assigned to the computers and other devices from which you access the Internet, the identity of your Internet service provider (ISP), device identification numbers and unique identifiers, your media access control (MAC) address, your operating system, the screen resolution of your device, the type of web browser you employ, the pages of the Site you access, the websites accessed by you immediately before and after visiting the Site, the duration of your time on the Site, applicable date and time stamps, clickstream data, your approximate geographic location, performance statistics, and usage data. The Company may use such information for the administration of the Site and its servers, the generation of statistical data, the monitoring and analysis of Site traffic and usage trends, the detection and prevention of fraud, the investigation of complaints and policy violations, and the enhancement of the Site overall.

Analytics. The Site employs third-party analytics tools (such as Google Analytics) to collect and process information regarding your interaction with the Site, including the dates and times of your visits, the URLs of websites visited prior to your access to the Site and the times of those visits, and the IP addresses assigned to the devices from which you access the Internet. Our analytics providers may set and read cookies in order to collect such data, subject to your prior consent under PECR. Where you decline analytics cookies through our cookie preference centre, those cookies will not be deployed on your device. For additional information regarding Google’s handling of such data, you are encouraged to review Google’s Privacy Notice. You may also install the Google Analytics Opt-out Browser Add-on for each browser you use.

Advertising Networks, Personalised Advertising, Remarketing, and Retargeting. From time to time, the Site may participate in or otherwise utilise advertising networks and related advertising services administered by third-party advertising servers, advertising agencies, technology vendors, and research organisations, including, by way of illustration, Google Ads and the advertising services made available by Meta (sometimes referred to as the Meta “tracking pixel”). These services collect information regarding your visits to, and your interactions with, the Site and other websites, and use such information to target advertisements for goods and services and to display those advertisements on other websites. Where such services involve the deployment of cookies, pixel tags, or similar technologies on your device, we will obtain your prior consent in accordance with PECR before any such deployment, save for cookies that are strictly necessary for the provision of a service explicitly requested by you. You may withdraw your consent at any time through our cookie preference centre.

Social Media. The Site may incorporate widgets, tools, or applications provided by social media platforms (including Facebook, Instagram, TikTok, and others), and may otherwise permit interaction, integration, or content sharing with third-party social media platforms and the entities operating them. In order to facilitate such communications and features, we may be required to deploy cookies, plug-ins, and application programming interfaces supplied by those platforms, subject (where required) to your prior consent under PECR. By electing to use any third-party social media platform, or by sharing content or communications with any social media platform, you authorise us to share information with the relevant social media platform. We do not control the policies or terms of any such third-party platform, and we therefore disclaim responsibility for the use or disclosure of your information or content by such platforms, the use of which is at your sole risk. We encourage you to review the privacy policy of any social media platform that you access in connection with the Site.

Cookies and Tracking Technologies. The Site uses cookies and similar tracking technologies in order to monitor your use of the Site, with a view toward facilitating and enhancing the user experience and for the additional purposes described below. A cookie is a small data element stored on your device’s hard drive by your web browser. In accordance with PECR (in particular regulation 6) and the UK GDPR, the deployment of cookies on your device that are not strictly necessary for the provision of a service explicitly requested by you is undertaken only with your prior, informed, and specific consent. You can manage your cookie preferences through our cookie consent banner and cookie preference centre at any time. The categories of cookies typically deployed on the Site are as follows:

Strictly Necessary Cookies. These cookies are required for the proper operation of the Site. By way of illustration, such cookies are utilised to identify irregular website behaviour, to prevent fraudulent activity, to maintain the security of your session, to support the operation of our shopping basket and checkout, and to record your cookie consent preferences. These cookies are exempt from the consent requirements imposed by PECR; without them, certain features and services that you have requested cannot be provided.

Functional Cookies. Subject to your prior consent, these cookies enable us to provide enhanced functionality when you access or use the Site, including by recalling choices you have made (for instance, your preferences or settings), recognising any responses you have already provided, identifying features previously used by you, and enabling social media components.

Performance / Analytical Cookies. Subject to your prior consent, these cookies are used to assess the performance of the Site, including in connection with our analytics practices, in order to assist us in understanding how visitors engage with the Site (for instance, identifying which pages are most frequently accessed).

Advertising / Targeted Cookies. Subject to your prior consent, these cookies record your visits to the Site, the pages you access, and the links upon which you have clicked. They aggregate information regarding your browsing behaviour and identify the websites you have visited. The Company and its third-party advertising platforms or networks may use such information to render the Site and its content more relevant to your interests (a practice sometimes referred to as “behavioural” or “targeted” advertising). These cookies are also used to limit the frequency with which a particular advertisement is displayed to you and to assess the effectiveness of advertising campaigns.

The majority of web browsers accept cookies by default. Browsers also generally permit users to manage cookies through the browser’s settings. You may disable or limit cookies; however, doing so may impair your use and enjoyment of the Site. Modifying your cookie preferences in one browser will not necessarily apply to other browsers, and you may need to adjust your preferences each time you obtain a new device, install a new browser, upgrade an existing browser, or otherwise modify or delete a browser’s cookie file.

Do-Not-Track and Global Privacy Control Signals. Given the consent-based framework for cookie deployment described above, our practices in respect of “Do Not Track” signals are addressed through the cookie consent banner presented to you when you first access the Site. We honour the choices you make through that banner and through our cookie preference centre. We monitor industry developments concerning the Global Privacy Control (GPC) and similar opt-out preference signals, and where required to do so under applicable law, we will treat such signals as a valid expression of your preferences. For further information about browsers and extensions that support the GPC signal, please visit https://globalprivacycontrol.org/.

Embedded Content. The Site may incorporate content—including data feeds, scripts embedded within the Site’s code, and visible content such as videos—provided by third parties. In some instances, those third parties may collect data regarding your interactions with such content. The Site may, by way of example, employ YouTube to make video content available to you. By accessing any portion of the Site where videos are available, viewing an embedded video, or otherwise engaging with content delivered through YouTube, you signify your acceptance of YouTube’s terms and conditions. YouTube collects, and otherwise has access to, usage data (such as which videos you accessed and viewed) through videos embedded within the Site, as more particularly described in YouTube’s Privacy Notice.

Information that We Obtain from Third-Party Sources. We may obtain information regarding users of the Site from a variety of third-party sources—including offline and online sources such as marketing companies, analytics consultants, publicly available social media profiles, affiliate review and comparison websites, and other publicly available channels—and we may consolidate such information with Collected Information. The integration of such third-party data is undertaken in compliance with the principles of the UK GDPR, including the principles of lawfulness, fairness, and transparency, and, where required, we will provide you with information about the source of such data in accordance with Article 14 of the UK GDPR.

International Transfers of Personal Data

The Company is established in the United Kingdom. Some of our service providers, affiliates, and processors are located in countries outside the United Kingdom (referred to as "third countries"). Whenever we transfer your personal data to a third country, we take appropriate steps to ensure that your personal data continues to receive a level of protection essentially equivalent to that provided under United Kingdom data protection law. These steps include entering into approved data transfer agreements with the recipients of your personal data, assessing the risks of the transfer, and applying appropriate technical and organisational safeguards, with additional safeguards for any data concerning your health.

Retention of Personal Data

We will retain your personal data for such period as is required to fulfil the purposes outlined in this Privacy Notice and our Terms, except where a longer period of retention is required or otherwise permitted by applicable law (for example, on account of tax, accounting, regulatory, clinical record-keeping, product safety, or other legal obligations applicable in the United Kingdom).

In determining appropriate retention periods, we have regard to the nature, sensitivity, and quantity of the personal data, the purposes for which it is processed, the potential risk of harm from unauthorised use or disclosure, and the applicable legal, regulatory, accounting, or reporting requirements. Different categories of personal data are retained for different periods. By way of illustration, customer account and transactional records are retained for the duration of your relationship with us and for such further period as is necessary to comply with our legal and statutory obligations; clinical and dental records are retained in accordance with applicable professional and regulatory guidance; marketing consent records are retained for as long as you remain subscribed and for such further period as is necessary to demonstrate compliance with applicable law; and call recordings and similar quality assurance data are retained only for as long as is necessary for the purpose for which they were created.

Where we no longer have any legitimate business need to process your personal data, we will either delete or anonymise it. Where deletion or anonymisation is not feasible (for example, where personal data has been preserved within back-up archives), we will securely store the personal data and isolate it from any further processing pending the time at which deletion becomes feasible. A summary of the retention periods applied to particular categories of personal data may be made available upon request through the channels identified under "Contact Us"

Automated Decision-Making

Save as may otherwise be expressly described in this Privacy Notice, you will not be subjected to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the UK GDPR. Where we do engage in any such automated decision-making (for example, in the context of automated initial eligibility screening based on your dental assessment responses), we will do so only on a basis permitted by Article 22(2) of the UK GDPR, will provide you with meaningful information about the logic involved and the significance and envisaged consequences of such processing, and will afford you the right to obtain human intervention by a qualified member of our clinical or customer support team, to express your point of view, and to contest the decision.

Your Rights Under UK Data Protection Law

The purpose of this section of the Privacy Notice is to inform you of the rights afforded to you under the UK GDPR and the Data Protection Act 2018 in respect of your personal data. These rights are exercisable subject to the conditions, exemptions, and limitations set out in those laws.

Right to be Informed: the right to be provided with clear, transparent, and easily understandable information about the manner in which we process your personal data, as set out in this Privacy Notice.

Right of Access: the right, under Article 15 of the UK GDPR, to obtain confirmation as to whether we are processing your personal data and, where we are, the right to obtain a copy of the personal data we hold about you, together with prescribed information regarding the processing.

Right to Rectification: the right, under Article 16 of the UK GDPR, to require us to rectify any inaccurate personal data concerning you, and to have incomplete personal data completed.

Right to Erasure (the “Right to be Forgotten”): the right, under Article 17 of the UK GDPR and subject to the conditions set out therein, to request the deletion of personal data we hold about you.

Right to Restriction of Processing: the right, under Article 18 of the UK GDPR, to request that we restrict the processing of your personal data in certain circumstances, including where the accuracy of the data is contested or where you have objected to processing pending verification of our overriding legitimate grounds.

Right to Data Portability: the right, under Article 20 of the UK GDPR and where the conditions of that Article are met, to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller or, where technically feasible, to require us to do so.

Right to Object: the right, under Article 21 of the UK GDPR, to object at any time to processing of your personal data carried out on the basis of our legitimate interests (Article 6(1)(f)) or for the performance of a task carried out in the public interest, including any associated profiling. You also have an absolute right to object at any time to the processing of your personal data for direct marketing purposes, including profiling for that purpose.

Right to Withdraw Consent: where the lawful basis for our processing of your personal data is your consent, the right to withdraw that consent at any time, free of charge. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

Rights in Relation to Automated Decision-Making and Profiling: the rights set out in the “Automated Decision-Making” section above.

Right to Lodge a Complaint: the right to lodge a complaint with the Information Commissioner’s Office (ICO), being the United Kingdom’s supervisory authority for data protection matters. The ICO may be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; telephone 0303 123 1113; or via the ICO website at www.ico.org.uk. We would, however, ask that you contact us first so that we may have an opportunity to address your concerns.

To exercise any of the foregoing rights, please refer to the “Exercise Your Rights” section of this Privacy Notice below. The exercise of these rights is generally free of charge; however, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee or refuse to act on the request, in each case in accordance with Article 12(5) of the UK GDPR.

Exercise Your Rights

Where this Privacy Notice or applicable law affords you rights in connection with your personal data and Collected Information, you may submit a request to us by:

Emailing: support@caspersmile.uk

Telephoning: +44 20 4634 2811

Writing to: CASPERSMILE LTD, 128 City Road, London, United Kingdom, EC1V 2NX

Only you, or a person whom you have authorised in writing to act on your behalf, may submit a request relating to your personal data. Where a third party submits a request on your behalf, we reserve the right to verify that party’s authority to do so, including by requiring written authorisation signed by you. Without limitation of the foregoing, your request must:

provide information sufficient to permit us to reasonably verify that you are the individual to whom the personal data relates, or that you are an authorised representative of such individual;

describe your request with sufficient specificity to allow us to properly understand, evaluate, and respond to it; and

identify the right or rights under the UK GDPR or other applicable law that you are seeking to exercise.

We are unable to respond to your request, or to provide you with personal data, where we cannot verify your identity or your authority to make the request. Submission of a request does not require you to create an account with us. We will use any personal data provided in connection with such a request solely to verify the identity or authority of the requesting party.

We will respond to your request without undue delay, and in any event within one (1) month of receipt, in accordance with Article 12(3) of the UK GDPR. That period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests, and we will inform you of any such extension within one (1) month of receipt of your request, together with the reasons for the delay. Should we decline your request, we will inform you of the reasons for our decision and of your right to lodge a complaint with the Information Commissioner’s Office and to seek a judicial remedy.

Accuracy & Information Security

Personal data that you provide to us should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete, and current. You are encouraged to inform us promptly of any changes to your personal data so that our records may be updated accordingly.

In accordance with Article 32 of the UK GDPR, we have implemented appropriate technical and organisational measures designed to ensure a level of security appropriate to the risks presented by our processing, including measures intended to protect against unauthorised access to, unauthorised disclosure of, loss, theft, misuse, or alteration of personal data under our control. Such measures include, where appropriate, encryption of personal data in transit and at rest, pseudonymisation, access controls and authentication, the regular testing and evaluation of the effectiveness of our security measures, business continuity and disaster recovery arrangements, and staff training on data protection. The Company nevertheless does not, and cannot, guarantee that unauthorised access, unauthorised disclosure, loss, theft, misuse, or alteration of personal data will not occur. We do not publish all of our security measures online, as doing so could undermine the effectiveness of those measures. The storage and transmission of information can never be entirely secure.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner’s Office without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with Article 34 of the UK GDPR. Should you become aware of any breach of the Site’s security or of this Privacy Notice, please promptly notify us at support@caspersmile.uk.

Children’s Privacy

The Site is not directed at children under the age of eighteen (18), and individuals under the age of eighteen (18) are not permitted to use the Site without the involvement of a parent or legal guardian. Parents and legal guardians are nonetheless welcome to provide information on behalf of children under the age of eighteen (18).

Where we offer our products and services in connection with a minor (for example, where a teen discount is requested or where a parent orders aligners on behalf of a child aged twelve (12) or older), the parent or legal guardian must place the order, supervise the treatment, and provide any necessary consent. The Site is not intended for direct use by children under the age of eighteen (18). In accordance with the UK GDPR and section 9 of the Data Protection Act 2018, where we offer information society services directly to a child and rely upon consent as the lawful basis for processing, such processing is lawful only where the child is at least thirteen (13) years of age. Where the child is under thirteen (13), processing is lawful only where consent is given or authorised by the holder of parental responsibility.

We do not knowingly collect personal data directly from children under the age of eighteen (18) without verified parental or guardian consent. If you are under the age of eighteen (18), please request that your parent or guardian access and use the Site on your behalf, and refrain from using the Site or providing any information through the Site or any of its features—including your name, address, telephone number, email address, or any screen name or username you may employ. Should we learn that we have collected or otherwise received personal data directly from a child without the requisite parental or guardian consent, we will promptly delete that information. If you believe we may have inadvertently received any information from a child contrary to the foregoing, please contact us at support@caspersmile.uk. We have regard to the Information Commissioner’s Age Appropriate Design Code (the Children’s Code) when designing our services in any context where they may be accessed by children.

Third-Party Websites and Site

The Site may contain links to, or be linked from, websites, applications, or services that are not maintained or controlled by the Company (including affiliate review and comparison websites, partner clinic websites, payment provider websites, and social media platforms). The Company is not responsible for the privacy policies or practices of any third parties or for any third-party websites, applications, or services. This Privacy Notice does not extend to any third-party website, application, or service, or to any personal data that you may furnish to any third party. We encourage you to review the privacy policy of each website, application, and service that you visit or otherwise use.

Contact Us & Data Protection Queries

If you have any questions or concerns regarding this Privacy Notice or the manner in which we process your personal data, or if you wish to exercise any of your rights under UK data protection law, please contact us using the details below.

CASPERSMILE LTD

Registered office: 128 City Road, London, United Kingdom, EC1V 2NX

Email: support@caspersmile.uk

Telephone: +44 20 4634 2811

You also have the right at any time to lodge a complaint with the Information Commissioner’s Office, the United Kingdom’s supervisory authority for data protection matters:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.org.uk

We would, however, appreciate the opportunity to address any concerns you may have before you approach the Information Commissioner’s Office, and we encourage you to contact us in the first instance.