Privacy Policy
Last updated: February 2026
1. Introduction
This Privacy Policy explains how Smylo ("we", "us", "our") collects, uses, and protects your personal information when you use our website at smylo.uk (the "Service").
Smylo is a free, independent platform that helps people in England find and compare NHS dental practices. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using Smylo, you agree to the collection and use of information as described in this policy.
2. Data Controller
The data controller responsible for your personal data is:
Smylo
Email: privacy@smylo.co.uk
Website: smylo.uk
3. What data we collect
3.1 Data you provide directly
We may collect personal data that you voluntarily provide to us:
Contact form submissions: name, email address, and message content.
Email alert subscriptions ("Notify me when a dentist accepts near me"): email address and postcode (used to match you with nearby practices).
Practice feedback ("Is this information correct?"): your response (correct / incorrect) — no personal data is collected. A hashed version of your IP address is stored for rate-limiting only; we cannot identify you from this.
Request-to-book forms (when available): name, email address, phone number (optional), visit type preference, preferred time, optional message, and GDPR consent confirmation.
Important: Request-to-book data may constitute health-related data under Article 9 of UK GDPR (special category data) as it implies you are seeking dental treatment. We process this data only with your explicit consent, which you provide by ticking the consent checkbox on the form.
3.2 Data collected automatically
When you visit Smylo, we may automatically collect:
- Usage data: pages visited, search queries (postcodes), features used, time spent on pages
- Device data: browser type, operating system, screen resolution
- Location data: approximate location derived from your IP address or postcode searches (we do not use GPS tracking)
- Cookies and similar technologies: see Section 7 below
3.3 Data we do NOT collect
- We do not collect medical or dental history
- We do not require account registration to use the Service
- We do not collect payment or financial information
- We do not knowingly collect data from children under 13
4. How we use your data
We use your personal data for the following purposes:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Responding to your contact form messages | Legitimate interest (Article 6(1)(f)) |
| Sending email alerts when practices near you start accepting patients | Consent (Article 6(1)(a)) |
| Processing request-to-book submissions and sharing your details with the selected dental practice | Explicit consent (Article 6(1)(a) and Article 9(2)(a) for health-related data) |
| Rate-limiting practice feedback submissions | Legitimate interest (Article 6(1)(f)) |
| Analysing website usage to improve the Service | Legitimate interest (Article 6(1)(f)) |
| Displaying relevant advertisements (Google AdSense) | Consent (Article 6(1)(a)) — via cookie consent |
| Preventing fraud and abuse | Legitimate interest (Article 6(1)(f)) |
We will never sell your personal data to third parties.
5. How we share your data
Dental practices: If you submit a request-to-book form, we share the information you provide (name, contact details, visit type) with the specific dental practice you selected. This is done only with your explicit consent.
Service providers: We use trusted third-party services to operate Smylo:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Website hosting | Global (US/EU) |
| Supabase | Database hosting (encrypted) | EU (Frankfurt) |
| Mapbox | Interactive maps | US |
| Resend | Email delivery | US |
| Google AdSense | Advertising (with consent) | US |
| Google Analytics | Usage analytics | US |
| Sentry | Error monitoring | US |
All third-party providers are bound by their own privacy policies and data processing agreements.
Legal requirements: We may disclose your data if required by law, court order, or regulatory authority.
6. Data retention
We retain your personal data only for as long as necessary:
| Data type | Retention period |
|---|---|
| Contact form messages | 12 months, then deleted |
| Email alert subscriptions | Until you unsubscribe |
| Request-to-book submissions | 90 days after submission, then deleted |
| Practice feedback | Indefinitely (anonymised — no personal data) |
| Website analytics | 26 months (Google Analytics default) |
| Server logs | 30 days |
7. Cookies
Smylo uses cookies and similar technologies. Here is what we use:
7.1 Strictly necessary cookies
These are required for the website to function and cannot be switched off:
- Session cookies — maintaining your browsing session (session duration)
- Cookie consent — remembering your cookie preferences (12 months)
7.2 Analytics cookies (with consent)
- Google Analytics (_ga, _gid) — understanding how visitors use Smylo (up to 2 years)
7.3 Advertising cookies (with consent)
- Google AdSense cookies — displaying relevant advertisements (varies)
You can manage your cookie preferences at any time using the cookie banner on our website, or by adjusting your browser settings.
8. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restrict processing — You can ask us to suspend the processing of your data in certain circumstances.
- Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
- Right to object — You can object to processing based on legitimate interest.
- Right to withdraw consent — Where we process data based on consent, you can withdraw it at any time. For email alerts, use the unsubscribe link in every email. For other data, contact us at privacy@smylo.co.uk.
- Right to complain — If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
To exercise any of these rights, email us at privacy@smylo.co.uk. We will respond within 30 days.
9. Data security
We take reasonable measures to protect your personal data:
- All data transmitted between your browser and Smylo is encrypted using HTTPS/TLS
- Our database is hosted on Supabase with encryption at rest and row-level security policies
- Access to personal data is restricted to authorised personnel only
- IP addresses in feedback submissions are hashed using SHA-256 (one-way encryption)
- We regularly review and update our security practices
No system is 100% secure. If you believe your data has been compromised, please contact us immediately at privacy@smylo.co.uk.
10. International data transfers
Some of our service providers (Vercel, Mapbox, Resend, Google) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions by the UK Government
11. Children's privacy
Smylo is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@smylo.co.uk and we will delete it promptly.
12. Third-party links
Smylo contains links to external websites, including NHS.uk, CQC reports, and dental practice websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal data.
13. Changes to this policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. For significant changes, we may provide additional notice (such as a banner on the website).
14. Contact us
If you have any questions about this Privacy Policy or how we handle your data:
- Email: privacy@smylo.co.uk
- Contact form: smylo.uk/contact