IDENTITY AND CONTACT OF DATA CONTROLLER
Data Controller: Grinbliss
Status: Validation phase project
Website: www.grinbliss.com
Support: support@grinbliss.com
IMPORTANT: Grinbliss is currently operating in a validation phase and is not yet registered as a legal entity in the United States, Mexico, or any other jurisdiction.
OUR COMMITMENT TO YOUR PRIVACY
Grinbliss respects your privacy and is committed to protecting personal data in compliance with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).
This Privacy Policy explains what data we collect, how we use it, who we share it with, and how to exercise your rights.
PERSONAL DATA WE COLLECT
We collect different types of data depending on how you use our platform:
1. PATIENT USER DATA (Registration for Reviews and Ratings)
To leave reviews and ratings, patients must create an account. We collect:
REQUIRED ACCOUNT INFORMATION:
• Full name
• Email address
• Profile photo (optional but recommended)
• Password (encrypted – we don’t store plain text passwords)
OPTIONAL PROFILE INFORMATION:
• Location (city/state – for community context)
• Bio or description (optional)
AUTOMATICALLY COLLECTED:
• IP address (for fraud prevention)
• Device information (browser type, operating system)
• Account creation date
• Last login date
REVIEW AND RATING DATA:
• Star rating (1-5 stars)
• Written review text (if provided)
• Date of review submission
• Clinic being reviewed
• Photos uploaded with review (optional)
2. DENTAL CLINIC DATA (Registration and Verification)
INITIAL REGISTRATION (Required to Apply):
• Clinic name
• Contact person name
• Email address
• Password (encrypted)
PROFILE INFORMATION (Completed During Verification):
Basic Clinic Information:
• Complete clinic name (legal and trade name)
• Physical address
• Phone numbers, WhatsApp Business
• Email addresses
• Website URL and social media profiles
• Google Maps location
• Business hours
• Years in operation
• Services offered
• Prices/price ranges
• Languages spoken
Professional Data:
• Full names of all dentists working at clinic
• Professional licenses (Mexican cédulas profesionales – numbers and scanned documents)
• Specialty certifications (ADM, CNCD, ICOI, etc.)
• Professional association memberships
• International accreditations (JCI, GHA, TEMOS, Qmentum – if applicable)
• Years of experience
• Educational background
Regulatory Documentation:
• COFEPRIS Operating Notice (Aviso de Funcionamiento)
• COFEPRIS Sanitary Officer Notice (Responsable Sanitario)
• Municipal Operating License
• Civil Protection Ruling
• Land Use License (if applicable)
• Tax Registration (RFC)
• Professional Liability Insurance policy (current)
• RPBI hazardous waste management contract
• Waste collection manifests
• X-Ray Equipment License (if applicable)
• Privacy Policy document
Facility and Safety Data:
• Photographs of facilities (reception, treatment rooms, sterilization areas)
• Photographs of equipment and technology
• Autoclave sterilization logs
• Biological sterilization test results (spore tests)
• Sterilization protocols (documented)
• Sanitization certificates
• Equipment maintenance contracts
• Guarantee/warranty policies
• Clinical records system documentation
Patient Statistics (Optional):
• Number of international patients served
• Patient testimonials (if clinic provides them)
3. WEBSITE VISITOR DATA (All Users)
TECHNICAL DATA (Automatically Collected):
• IP address
• Approximate geographic location (country, city)
• Browser type and version
• Operating system
• Device type (desktop, mobile, tablet)
• Pages visited and duration
• Referral source (how you found us)
• Date and time of visit
• Search queries used on site
COOKIES AND TRACKING:
• Session cookies (required for logged-in functionality)
• Authentication cookies (for registered users)
• Preference cookies (language, settings)
• Analytics cookies (Google Search Console – basic metrics)
4. CONTACT INQUIRIES
When you contact us via email or contact form:
• Name
• Email address
• Message or inquiry content
• Date of contact
• IP address (automatic)
PURPOSES OF DATA PROCESSING
PRIMARY PURPOSES (Necessary for Service):
FOR PATIENT USERS:
• Create and maintain user account
• Enable review and rating functionality
• Display your name and photo with reviews (publicly)
• Prevent fraud and fake reviews
• Authenticate login sessions
• Communicate regarding account or platform updates
• Moderate reviews for compliance with terms
• Respond to support requests
FOR DENTAL CLINICS:
• Create and maintain clinic account
• Verify compliance with published verification standards through two-level verification:
– Administrative verification by Grinbliss team (licenses, regulatory compliance, documentation)
– Professional peer review by Grinbliss Council Dental Advisors (clinical standards, professional protocols)
• Publish verified clinic profiles in public directory
• Conduct periodic re-verification to maintain verified status
• Communicate regarding verification status and requirements
• Process applications for Founding 10 Program (validation phase)
• Facilitate professional peer review by Council Dental Advisors
• Improve verification methodology
• Display clinic information to patients
FOR ALL VISITORS:
• Operate and maintain website functionality
• Display verified clinic profiles publicly
• Enable search and filtering of clinics
• Provide analytics for site improvement
• Prevent fraud and abuse
• Improve user experience
• Ensure platform security
SECONDARY PURPOSES (Optional, Require Consent):
• Send newsletters or platform updates (clinics and registered patients – opt-in)
• Marketing communications about new features
• Market research and business development
• Dental tourism trend analysis
• Featured clinic opportunities (clinics only)
You can object to processing of your data for secondary purposes at any time by:
• Email: support@grinbliss.com with subject “Opt-Out Secondary Purposes”
• Account settings (for registered users)
• Unsubscribe link in emails
SENSITIVE DATA
Some data we collect qualifies as SENSITIVE PERSONAL DATA under applicable privacy laws:
FROM CLINICS:
• Professional licenses (personal data of healthcare professionals)
• Photographs of dentists and clinical staff
• Medical/dental service information
• Health and safety documentation
Processing of sensitive data requires explicit consent. By providing this information for verification purposes, clinics grant consent for Grinbliss to process it according to the purposes described in this Policy.
FROM PATIENTS:
• Profile photos (biometric data in some jurisdictions)
• Reviews that may contain health information (patients should NOT include personal health details in public reviews)
DATA SHARING AND TRANSFERS
WE DO NOT SELL or RENT personal data to third parties.
We may share data with:
SERVICE PROVIDERS:
• Web hosting and storage services (secure servers)
• Authentication and security services
• Email services (for communications)
• Web analytics tools (Google Search Console – basic metrics only)
• Technical infrastructure providers
• Payment processors (when implemented)
These providers are contractually obligated to protect data and use it only for specified services.
PUBLIC DISPLAY:
PATIENT USERS:
• Your name and profile photo appear publicly with your reviews
• Your written reviews are displayed publicly
• Star ratings you submit are displayed publicly
• Your location (if provided) may be shown with reviews (city/state level only)
• Your email is NOT displayed publicly
DENTAL CLINICS:
• Clinic profile information is published in the directory (this is the essential service)
• Credentials, services, contact information, badges/verification status displayed publicly
• Facility and equipment photographs displayed publicly
• Average star ratings and patient reviews displayed publicly
• Complete regulatory documents (COFEPRIS permits, licenses, RPBI contracts) are NOT published – only verification status
COUNCIL DENTAL ADVISORS:
• Clinic documentation shared with assigned advisors for verification purposes only
• Advisors are bound by confidentiality obligations
• Advisors do NOT receive patient user data
LEGAL REQUIREMENTS:
• Government authorities when required by law, court order, or legal process
• To protect Grinbliss’s legal rights
• To prevent fraud or illegal activity
• To protect user safety
CORPORATE TRANSFERS:
• In case of merger, acquisition, or asset sale, data may be transferred to acquiring entity
• Users will be notified of any change in data controller
DATA RETENTION
PATIENT USER ACCOUNTS:
• Active accounts: Data retained while account is active
• Inactive accounts: After 24 months of inactivity, we may delete the account (with 30-day notice)
• Account deletion: Upon user request or account closure, data deleted within 90 days
• Reviews: Remain publicly visible after account deletion (anonymized – name changed to “Former User”)
• Exception: Legal obligations may require longer retention
DENTAL CLINIC ACCOUNTS:
• Active verified clinics: Data retained while clinic maintains active verified profile
• After deletion or termination: Retained 90 days for backup, then permanently deleted
• Exception: Legal obligations may require longer retention
• Reviews of deleted clinics: Remain visible with clinic name but profile unavailable
WEBSITE VISITOR DATA:
• Analytics data: Aggregated and anonymized, retained for business intelligence
• Individual session data: 12-24 months
• IP addresses for fraud prevention: 12 months
COMMUNICATIONS:
• Email correspondence and support inquiries: Up to 3 years for operational records
• Contact form submissions: 12 months
YOUR RIGHTS
Depending on your jurisdiction, you may have the following rights regarding personal data:
ACCESS:
• Request confirmation of whether we process your data
• Obtain a copy of your data
RECTIFICATION:
• Request correction of inaccurate or incomplete data
• Update your profile information directly in account settings
DELETION:
• Request deletion of your account and data
• Note: Public reviews may be anonymized rather than deleted
RESTRICTION:
• Request limitation of processing under certain circumstances
OBJECTION:
• Object to processing of your data for specific purposes
• Opt out of marketing communications
PORTABILITY:
• Request transfer of your data to another service (where technically feasible)
• Download your data in common format
WITHDRAW CONSENT:
• Withdraw previously given consent for data processing
• Note: May affect ability to use certain features
TO EXERCISE THESE RIGHTS:
1. Email: support@grinbliss.com
2. Subject: “Privacy Rights Request”
3. Include:
– Full name
– Email address associated with account
– Clear description of right you wish to exercise
– Proof of identity (copy of official ID if requesting sensitive data)
– For clinics: Clinic name and specific data to access/rectify/delete
RESPONSE TIME: 30 days from receipt of verified request
LIMITATIONS:
Certain rights may be limited by:
• Legal or regulatory retention obligations
• Legitimate interests of Grinbliss or third parties
• Ongoing legal proceedings
• Fraud prevention or security requirements
• Public interest (e.g., keeping reviews visible for community benefit)
ACCOUNT DELETION
PATIENT USERS:
To delete your account:
• Log in to your account
• Go to Settings > Delete Account
• Or email: support@grinbliss.com
What happens:
• Your account is deactivated immediately
• Personal data deleted within 90 days
• Public reviews remain but are anonymized (“Former User”)
• You can request full review deletion if preferred
DENTAL CLINICS:
To delete your account:
• Contact: support@grinbliss.com
• Verification required
What happens:
• Clinic profile removed from public directory
• Account data deleted within 90 days
• Reviews of your clinic remain visible but profile unavailable
• Exception: Founding 10 clinics with lifetime agreements (special terms apply)
COOKIES AND TRACKING TECHNOLOGIES
Grinbliss uses cookies and similar technologies. See our detailed Cookie Policy for complete information.
COOKIES WE USE:
ESSENTIAL COOKIES (Required):
• Session management for logged-in users
• Authentication tokens
• Security features
• Load balancing
FUNCTIONALITY COOKIES:
• Language preference
• Display settings
• “Remember me” functionality
ANALYTICS COOKIES:
• Google Search Console (basic site metrics only)
• Aggregate traffic data
• No personally identifiable individual tracking
You can control cookies through browser settings. Blocking essential cookies may prevent you from using account features.
SECURITY MEASURES
We implement reasonable technical, physical, and administrative security measures:
TECHNICAL SECURITY:
• SSL/TLS encrypted connection (HTTPS) for all data transmission
• Password encryption (bcrypt or similar – never stored in plain text)
• Secure storage with reputable hosting providers
• Regular security updates and patches
• Access controls through authentication mechanisms
• Regular secure backups
• Firewall protection
• Intrusion detection
ADMINISTRATIVE SECURITY:
• Limited data access to authorized personnel only
• Background checks for team members with data access
• Data protection training for team members
• Internal information handling policies
• Regular security audits
• Incident response plan
ACCOUNT SECURITY:
• Strong password requirements
• Email verification for new accounts
• Two-factor authentication (when implemented)
• Session timeout after inactivity
• Suspicious activity monitoring
IMPORTANT: No method of Internet transmission or electronic storage is 100% secure. While we implement reasonable security measures, we cannot guarantee absolute security. You are responsible for protecting your password and account credentials.
INTERNATIONAL DATA TRANSFERS
During the validation phase, data may be processed on servers located in the United States, Mexico, or other jurisdictions. By using our services, you consent to the international transfer of your data.
We take reasonable steps to ensure adequate protection regardless of processing location.
Upon formal registration of Grinbliss as a legal entity, we will specify processing locations and applicable protection measures.
FOR EU USERS:
Data transfers outside the EU are subject to appropriate safeguards under GDPR. We will implement Standard Contractual Clauses or rely on adequacy decisions as appropriate.
CHILDREN’S PRIVACY
Grinbliss is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors.
If we discover we have inadvertently collected data from a minor, we will delete it immediately.
Parents or guardians who believe we have collected data from a minor should contact us immediately at support@grinbliss.com.
THIRD-PARTY LINKS
Our site contains links to dental clinic websites, social media profiles, and other external resources.
We are NOT responsible for privacy practices of third-party sites. This Privacy Policy applies only to Grinbliss.
We recommend reviewing privacy policies of external sites before providing personal information.
Clinic websites linked from our directory are independently operated and have their own privacy policies.
CALIFORNIA RESIDENTS (CCPA)
California residents have specific rights under the California Consumer Privacy Act:
RIGHT TO KNOW:
• What personal information is collected
• Categories of sources
• Purposes for collection
• Whether information is sold or disclosed
• Categories of third parties receiving information
RIGHT TO DELETE:
• Request deletion of personal information
• Exceptions apply for legal, security, or operational reasons
RIGHT TO OPT-OUT:
• We DO NOT SELL personal information
• You can opt out of marketing communications
RIGHT TO NON-DISCRIMINATION:
• We will not discriminate for exercising CCPA rights
To exercise CCPA rights: support@grinbliss.com with subject “California Privacy Request”
CATEGORIES OF PERSONAL INFORMATION WE COLLECT:
• Identifiers (names, email addresses, IP addresses)
• Commercial information (services offered, reviews, ratings)
• Internet activity (browsing behavior, pages visited)
• Geolocation data (approximate location)
• Professional information (licenses, certifications – clinics only)
• Visual information (photos – profile pictures, facility photos)
SOURCES OF INFORMATION:
• Directly from you (registration, profile creation)
• Automatically (cookies, analytics)
• From third parties (verification documents from Mexican authorities)
EUROPEAN UNION USERS (GDPR)
For users in the European Union:
LEGAL BASIS FOR PROCESSING:
• Consent: For optional features and marketing
• Contract: For providing services you’ve requested
• Legal obligations: For compliance with laws
• Legitimate interests: For fraud prevention, security, platform improvement
DATA CONTROLLER:
During the validation phase, the project founders act as data controllers. Upon registration, the formal entity will be designated.
EU REPRESENTATIVE:
Will be designated upon formal registration if required by GDPR.
DATA PROTECTION AUTHORITY:
EU users have the right to lodge complaints with their local data protection authority.
DATA PROTECTION OFFICER:
Will be designated if required by GDPR upon formal registration or when processing thresholds are met.
MEXICAN USERS (LFPDPPP)
For users in Mexico:
RESPONSIBLE PARTY (Responsable): Grinbliss (validation phase project)
ARCO RIGHTS: Access, Rectification, Cancellation, Opposition
• Exercise rights by contacting: support@grinbliss.com
• Response time: 20 business days
DATA TRANSFERS:
We are transparent about data transfers and obtain consent when required.
SENSITIVE DATA:
Explicit consent obtained for processing sensitive data (professional licenses, health-related information, photos).
REVOCATION OF CONSENT:
You may revoke consent at any time, subject to legal or contractual limitations.
CHANGES TO THIS PRIVACY POLICY
Grinbliss reserves the right to modify this Privacy Policy at any time.
Changes will be posted on this page with a visible “Last Updated” date.
MATERIAL CHANGES will be communicated through:
• Prominent notice on website
• Email to registered users (patients and clinics)
• In-app notification (when applicable)
During the validation phase, modifications may occur more frequently as we refine data handling practices.
Continued use of the site after changes constitutes acceptance of the modified Privacy Policy. If you disagree with changes, you should delete your account and stop using the service.
CONTACT US
Questions, concerns, or requests regarding this Privacy Policy or data practices:
General Support: support@grinbliss.com
Website: www.grinbliss.com
Response Time: We aim to respond within 7-10 business days for general inquiries, 30 days for formal privacy rights requests.
CONSENT AND ACKNOWLEDGMENT
By using www.grinbliss.com, creating an account, or providing information to Grinbliss, you:
✓ Acknowledge having read and understood this Privacy Policy
✓ Consent to the processing of your personal data as described
✓ Understand Grinbliss’s validation phase status
✓ Accept international data transfers necessary for service operation
✓ Understand your data will be displayed publicly in certain contexts (reviews, clinic profiles)
FOR REGISTERED USERS:
By creating an account (patient or clinic), you expressly consent to:
• Processing of your registration data
• Public display of certain information (name with reviews, clinic profiles)
• Communication from Grinbliss regarding your account
FOR CLINICS:
By submitting information for verification, you expressly consent to:
• Processing of sensitive data (professional licenses, health documentation)
• Public profile display including credentials and verification status
• Sharing documentation with Council Dental Advisors for verification purposes
• Display of patient reviews and ratings on your profile
© 2026 Grinbliss. All rights reserved.