Revitalise Dental Centre

Privacy Policy

SmileBooth by HYPERMIND · TAX ID: EL802834643 · Greece
Effective: May 14, 2026 · Last updated: May 14, 2026


1. Who We Are

SmileBooth is a product developed and operated by HYPERMIND (Greek Tax ID: EL802834643), a technology and digital product studio based in Greece ("we", "us", "our"). SmileBooth provides AI-powered smile visualization tools for dental clinics, accessible at smilebooth.ai (the marketing site) and app.smilebooth.ai (the clinic dashboard and patient-facing application) (collectively, the "Service").

HYPERMIND acts as the data controller in respect of personal data processed through the Service. Where dental clinics use SmileBooth to process data about their patients, the clinic may act as an independent controller or joint controller; we address this relationship in Section 7.


2. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to smilebooth.ai (the marketing and informational website).
  • Dental clinic staff and administrators using app.smilebooth.ai (the SmileBooth dashboard).
  • Dental patients who interact with the SmileBooth smile visualization experience, whether via a tablet in the clinic, a QR code link, or any embedded integration.

It does not apply to the Hypermind corporate website at hypermind.io, which is governed by Hypermind's own privacy policy.


3. Data We Collect

3.1 Clinic Accounts (app.smilebooth.ai)

Category | Examples | Source
Account identifiers | Name, email address, role | Provided by clinic during signup
Authentication data | Hashed passwords, session tokens | Generated on account creation
Clinic details | Clinic name, address, subscription tier | Provided by clinic
Usage data | Login times, features accessed, session duration | Automatically collected
Technical data | IP address, browser type, device identifiers | Automatically collected

3.2 Patient Smile Visualization

Category | Details | Source
Facial photographs | Selfie images captured or uploaded by the patient for AI visualization | Provided by the patient
AI-generated images | The "after" smile visualizations produced by our AI engine | Generated by the Service
Session metadata | Timestamp, clinic association, procedure type selected | Automatically collected
Contact details (optional) | Name, email, or phone if patient opts in to receive their visualization or book a consultation | Provided by the patient

3.3 Marketing Site (smilebooth.ai)

When you visit smilebooth.ai or submit a demo request, we collect contact information (name, email, clinic name), inquiry content, and standard web analytics data (pages visited, referral source, approximate location derived from IP).


4. How We Use Your Data

4.1 Providing and Improving the Service

  • Generating photorealistic smile visualizations using our AI model.
  • Operating clinic dashboards, authentication, and account management.
  • Delivering patient visualization results to the patient's screen or, with consent, to the patient's email or phone.
  • Diagnosing technical issues and improving AI model quality.

4.2 Business Operations

  • Processing demo requests and responding to sales inquiries.
  • Managing clinic subscriptions and billing.
  • Sending transactional communications (account confirmations, product updates).

4.3 AI Model Development

Important: We do not use patient facial photographs or AI-generated smile images to train or fine-tune our AI models without explicit, freely given, separate, and informed consent from both the clinic and, where applicable, the patient. Aggregated and anonymized technical performance metrics (rendering speed, accuracy scores) may be used internally for model improvement.

4.4 Analytics & Marketing

We use aggregated, anonymized usage data to understand how the Service is used and to communicate with prospective clinic customers. We do not engage in targeted advertising using patient data.


5. Legal Basis for Processing (GDPR)

As an entity established in Greece, we process personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679).

Processing Activity | Legal Basis
Providing smile visualization to patients | Legitimate interests of the clinic (Art. 6(1)(f)) or patient consent (Art. 6(1)(a))
Clinic account management and contract fulfillment | Performance of contract (Art. 6(1)(b))
Responding to demo requests and sales inquiries | Legitimate interests (Art. 6(1)(f))
Sending marketing communications | Consent (Art. 6(1)(a)) or legitimate interests, subject to opt-out
Processing facial images (special category data) | Explicit consent (Art. 9(2)(a))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c))

6. Biometric & Health-Adjacent Data

Facial photographs and AI-generated smile images may constitute biometric data or health-related data under the GDPR — classified as "special category" personal data requiring heightened protection.

We treat all patient facial images as special category data. This means:

  • We process them only for the specific purpose of generating a smile visualization during the session.
  • Images are not retained beyond the session unless the clinic or patient explicitly elects to save the result.
  • Where images are saved, they are stored with encryption at rest.
  • Images are never sold, licensed, shared with third-party advertisers, or used to build facial recognition datasets.
  • Clinics are responsible for obtaining appropriate patient consent before initiating a visualization session, and must inform patients that their image will be processed by AI software operated by HYPERMIND.

7. Data Sharing & Third Parties

7.1 Clinic Partners

Dental clinics that use SmileBooth have access to data generated within their account, including saved visualizations and lead capture data submitted by their patients. Clinics are independent data controllers for the purposes of their own patient records.

7.2 Service Providers (Processors)

We share data with carefully selected third-party processors who assist us in delivering the Service. All processors are bound by data processing agreements and may only use data on our instructions.

Category | Purpose
Cloud infrastructure | Hosting, storage, and compute for the application and AI model
AI model providers | Processing facial images to generate smile visualizations
Email / communications | Sending transactional and optional marketing emails
Analytics | Aggregated, anonymized usage analytics
Payment processing | Handling clinic subscription billing

7.3 Legal Disclosures

We may disclose personal data where required by applicable law, court order, or regulatory authority, or to protect the rights and safety of users or the public.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.


8. International Data Transfers

Our primary infrastructure is located within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.


9. Data Retention

Data Type | Retention Period
Patient facial photographs (session-only) | Deleted automatically at end of session unless saved
Saved smile visualizations | Duration of clinic's active subscription + 30 days after termination
Patient contact details (opt-in lead capture) | Until deleted by clinic, or 2 years from capture, whichever is sooner
Clinic account data | Duration of active account + 90 days after closure
Web analytics data | 26 months (aggregated / anonymized)
Financial / billing records | 7 years (Greek tax law obligations)

10. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data, subject to legal obligations.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: At any time where processing is consent-based, without affecting prior processing.
  • Lodge a complaint: With the Hellenic Data Protection Authority (HDPA) at www.dpa.gr, or your local supervisory authority.

To exercise any right, contact us at privacy@hypermind.io. We will respond within 30 days.

Note: Patients who have undergone a smile visualization at a clinic may need to contact their dental clinic to exercise certain rights, as the clinic is the controller of their consultation records.


11. Cookies & Tracking

  • Strictly necessary cookies: Required for authentication, session management, and security. Cannot be disabled.
  • Functional cookies: Remember your preferences (e.g. language, clinic settings).
  • Analytics cookies: Help us understand usage patterns using aggregated data. You may opt out via our cookie consent banner.

The patient-facing smile visualization experience (accessed via QR code or tablet) is designed to be minimal-cookie and does not use advertising or third-party tracking cookies.


12. Children's Privacy

The SmileBooth Service is directed at dental clinics and their adult patients. We do not knowingly process facial images of children under the age of 16 without verified parental or guardian consent. Clinics are responsible for ensuring appropriate consent is obtained before allowing a minor to use the smile visualization feature.


13. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or alteration, including:

  • Encryption of data in transit (TLS) and at rest (AES-256).
  • Role-based access controls restricting data access to authorized personnel only.
  • Regular security assessments and penetration testing.
  • Secure deletion of patient images at end of session.

In the event of a data breach likely to result in risk to your rights, we will notify relevant supervisory authorities within 72 hours and affected individuals without undue delay, as required by GDPR.


14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, notify clinic administrators by email. Continued use of the Service after the effective date constitutes acceptance of the revised policy.


15. Contact

HYPERMIND — Data Controller
Tax ID: EL802834643 · Greece
Email: privacy@hypermind.io
Website: hypermind.io