Confidentiality Policy

About Connexy and who this policy is for

Connexy is a technology company based in Montreal, Quebec, Canada. We provide dental clinics with a smile-preview iPad system under the brand name Connexy Miroir. Connexy does not provide dental or medical services, does not diagnose or treat patients, and does not run marketing on behalf of dental clinics. The clinic uses our tool, in its own consultation room, to help patients accept higher-value treatment they were already considering.

This policy applies to two groups of people:

• Dental clinics, their owners, and their staff who visit connexy.ca, see our advertising, book a call, sign up for the Connexy Miroir, or otherwise interact with Connexy as a prospective or current client.
• Patients of those dental clinics whose contact information and session data flows through the Connexy Miroir when their clinic uses the tool. Patient data belongs to the clinic. Connexy processes that data only on the clinic's behalf, as a service provider.

For information about dental clinic owners and staff, Connexy is the data controller. For patient information, the dental clinic is the data controller and Connexy is the data processor.

What information we collect

What we collect depends on whether you are a dental clinic owner or staff member interacting with Connexy directly, or a patient of a dental clinic whose information flows through the Miroir to that clinic.

• Contact information: full name, email, phone, clinic name, and business address collected when you book a call, fill out a form, or contact us.
• Professional information: your role at your clinic, the type of dental practice you operate, your patient volume, and the treatments you offer — collected during sales calls and onboarding.
• Communication data: records of emails, calls, and messages exchanged with our team.
• Technical and usage data: IP address, browser type, pages visited, time spent on our website, and device information collected automatically when you visit connexy.ca.
• Advertising interaction data: how you interacted with our Facebook or Instagram advertisements, including ad clicks, video views, and form submissions via Meta Lead Ads.

• Patient contact details: first name, last name, and email address entered into the Miroir at the time of the in-chair consultation.
• Consent record: the timestamp of consent, the version of the consent text shown, and a cryptographic hash of that text. This audit trail does not contain the photograph or the preview after they are deleted.
• Session data: the treatment type discussed, the patient's smile goals captured during the session, the patient's photograph, and the simulated preview generated from that photograph.
• Storage: patient information is stored in the clinic's own CRM sub-account. The clinic owns the data. Connexy accesses it only to operate the Miroir on the clinic's behalf and to verify usage against the 90-day guarantee.

How we collect your information

We collect personal information through the following channels:

• Our website: when you visit connexy.ca, we collect technical and usage data automatically through cookies and analytics.
• Facebook and Instagram advertising: when you interact with our paid advertising on Meta platforms, we receive data about your interaction. If you click an ad, you arrive on a Connexy landing page where you may submit your contact information voluntarily.
• Booking forms: when you book a discovery call through our online booking calendar, we collect your name, email, phone number, and any answers you provide to pre-booking questions.
• Sales calls and onboarding: information you share verbally or in writing during calls with our team is recorded in our CRM.
• Email and direct messages: any communication you send us.
• Patient sessions on the Miroir: when a dental clinic uses the Connexy Miroir, the patient's contact details, photograph, consent record, and session answers are collected through the Miroir interface and stored in the clinic's CRM sub-account.

Why we use your information

We use the information we collect to:

• Respond to your inquiry and schedule discovery calls when you express interest in the Connexy Miroir.
• Provide our service: set up the Connexy Miroir, configure your iPad, and manage your account.
• Send follow-up communications related to your service, including onboarding instructions, usage reports, and billing notifications.
• Verify guarantee conditions by counting Miroir sessions completed during the 90-day period.
• Support the patient communications the clinic sends. When a patient uses the Miroir, the clinic sends them an automated email containing their preview. The email is sent from the clinic's own account, not from Connexy. Connexy provides the tool; the clinic sends the message.
• Improve our services by analyzing how our website, advertising, and product are used.
• Run advertising campaigns on Facebook and Instagram targeting dental clinic owners in the United States. We may use your email to create Custom Audiences or Lookalike Audiences. You can opt out at any time.
• Fulfill legal obligations, including responding to lawful requests from authorities and keeping records required by applicable law.

Facebook and Meta advertising

Connexy runs paid advertising on Facebook and Instagram to reach dental clinic owners in the United States. Here is how data flows in the context of our advertising:

• Meta Pixel: our website may use the Meta Pixel, a tracking code that lets us measure ad effectiveness, understand actions taken on our site, and show relevant ads to people who have visited. The Pixel collects pages visited, time spent, and events such as clicking a booking button.
• Custom Audiences: we may upload hashed contact lists (emails and phone numbers of existing or prospective clients) to Meta to target advertising. The data is hashed before being transmitted; Meta cannot use it for any purpose beyond matching it to its own user base for ad delivery.
• Lookalike Audiences: Meta may use that audience data to find other users with similar characteristics and show our ads to them. No personal data is shared with those users.
• Landing pages: when you click on one of our ads, you arrive on a Connexy landing page where you may submit your contact information. Your name, email, and phone number are transmitted directly to our CRM.
• Joint controllership: for Meta Page Insights data, Connexy and Meta are joint data controllers as defined under applicable privacy law. Meta has assumed primary responsibility for compliance regarding Insights data. See Meta's Page Controller Addendum for details.

You can manage your ad preferences and opt out of interest-based advertising through your Facebook Ad Settings or the Digital Advertising Alliance opt-out tool.

Third parties we share data with

We share personal information with the following categories of third-party service providers, each of which is contractually required to handle data securely and only for the purposes we specify:

• CRM and contact management platform: stores contact information, call notes, booking data, and Miroir session data for Connexy and for each clinic's own sub-account.
• Image-processing service: receives the anonymized image URL and rendering instructions from the Miroir, generates the simulated smile preview, and returns the result. This service never receives patient names or contact information.
• Image-hosting service: temporarily stores patient photographs so the image-processing service can access them. Photographs are automatically deleted within one (1) hour by the hosting service and within twenty-four (24) hours by Connexy's own systems.
• Workflow automation service: routes data between the Miroir, the image-processing service, the image-hosting service, and the clinic's CRM sub-account.
• Meta (Facebook / Instagram): advertising platform. Receives hashed contact data for Custom Audiences and processes Pixel data. Governed by Meta's Data Processing Terms.
• Video hosting platform: hosts the videos embedded on our website. May collect viewer analytics such as watch time and engagement.
• Website analytics platform: collects anonymized usage data about visits to connexy.ca.
• Payment processors: secure third-party processors used to handle billing. We do not store payment card information on our servers.

We do not sell, rent, or trade your personal information to any third party for their own marketing or commercial purposes.

How long we keep your data

We apply a split retention schedule that minimizes how long sensitive patient data exists on our systems, and we retain other data only for as long as necessary or required by law:

• Original photograph (patient): deleted within twenty-four (24) hours of the preview being generated. The image-hosting service applies an additional one-hour auto-deletion as a defense-in-depth measure.
• Simulated preview (patient): retained for up to thirty (30) days, then automatically deleted. This window allows the dental clinic to follow up with the patient about the preview.
• Consent audit record (patient): retained indefinitely as required for legal and audit purposes. The audit record contains only the timestamp, consent version, and hash of the text shown — not the photograph or preview after they are deleted.
• Patient name and email: retained by the dental clinic in its CRM sub-account. The clinic's retention practices govern from that point forward.
• Active client data: retained for the duration of your contract with Connexy and afterwards as needed for legal, billing, and business-record purposes.
• Prospective client data: contact information from leads who did not become clients may be retained for ongoing follow-up and outreach.
• Website analytics data: anonymized data may be retained indefinitely. Non-anonymized usage data is retained for up to 26 months.
• Advertising data: Custom Audience data uploaded to Meta is managed according to Meta's retention policies. You may request removal at any time.

When personal information is no longer needed for the purposes described above, it is securely deleted or anonymized.

Your rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Deletion: request that we delete your personal information, including before any automated deletion window, subject to legal and contractual obligations.
• Withdrawal of consent: withdraw your consent for any future use of your information.
• Amendment: request correction of inaccurate or incomplete information.
• Restriction: request that we limit how your information is used.
• Accounting of disclosures: request a record of how, when, and to whom your information has been disclosed.
• Confirmation: receive confirmation of the date your information was destroyed.
• Opt out of marketing: unsubscribe from marketing emails at any time using the unsubscribe link, or by contacting us.
• Object to advertising: request removal from any Custom Audience we have uploaded to Meta.
• Data portability (GDPR): request that we provide your data in a structured, machine-readable format.
• Lodge a complaint: in Canada, you may file with the Office of the Privacy Commissioner of Canada. In California, you have rights under the CCPA including the right to know, delete, and opt out of data sales.

To exercise any of these rights regarding data Connexy holds about you, email [email protected] with your full name (and, for patients, the name of the clinic where you used the Miroir). We will respond within thirty (30) days. For requests about patient data inside a clinic's CRM sub-account, contact that clinic directly since the clinic is the data controller for that information.

Cookies and tracking

Our website uses cookies and similar tracking technologies to operate correctly and to improve your experience. Cookies are small text files stored on your device.

• Essential cookies: required for the website to function. Cannot be disabled.
• Analytics cookies: help us understand how visitors interact with our site. We use this to improve content and performance.
• Advertising cookies (Meta Pixel): allow us to measure ad performance, retarget visitors, and build Custom Audiences on Meta platforms. These cookies track behavior across websites.

You can manage or disable cookies through your browser settings. Disabling advertising cookies will not remove ads but will make them less relevant to you. Disabling essential cookies may affect the functionality of our website.

Data security and breach notification

We take reasonable and appropriate technical and organizational measures to protect your information:

• Encrypted data transmission using HTTPS / TLS 1.3 across all web properties and on the iPad-based Miroir.
• Access controls limiting who within Connexy can access personal data.
• Per-iPad credentials so that data captured at one clinic cannot be accessed by another clinic's iPad.
• Reputable third-party platforms with their own security certifications and practices.
• Regular review of our data-handling practices.

No method of transmission over the internet or electronic storage is 100% secure. If a security incident occurs that affects clinic or patient information, we will investigate, take reasonable steps to mitigate harm, and notify the affected clinic within seventy-two (72) hours of discovery. We will assist the clinic with any further patient notification it is required to perform, document the incident and the steps taken to remediate it, and report to applicable regulatory authorities where required by law (including the U.S. Department of Health and Human Services for breaches affecting five hundred (500) or more individuals).

Healthcare and biometric compliance

The Connexy Miroir captures information that, depending on jurisdiction, may be subject to U.S. healthcare and biometric-data protection laws.

When a covered dental practice uses the Connexy Miroir in a manner that involves Protected Health Information under HIPAA, Connexy acts as a Business Associate of that practice. Connexy will execute a Business Associate Agreement (BAA) with the practice upon written request to [email protected]. Under the BAA, Connexy processes Protected Health Information solely to provide the Connexy Miroir service and applies safeguards appropriate to the nature of the data.

Several U.S. states regulate the collection, storage, and use of biometric information. Out of an abundance of caution, Connexy maintains a separate Biometric Information Retention Policy that documents the retention schedule, destruction process, and patient protections applied to any information collected through the Miroir that one or more state biometric statutes might treat as biometric.

Minors

Our service, as sold and marketed to dental clinics, is intended exclusively for dental clinic owners and business professionals. We do not knowingly market to or collect direct information from anyone under the age of eighteen (18) in that context.

We do not knowingly collect personal information from children under thirteen (13). Dental clinics must obtain verifiable parental or legal-guardian consent before using the Connexy Miroir with any patient who is under eighteen (18), or refrain from using the Miroir with that patient. The on-iPad consent flow requires the patient or guardian to confirm this before any photograph is captured.

If you believe a minor has submitted information directly to Connexy outside of the dental-clinic relationship described above, please contact us at [email protected] and we will delete it promptly.

Changes to this policy

We may update this Confidentiality Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will update the "Last updated" date at the top of this page and, for significant changes, will give at least thirty (30) days' notice on this page before the change takes effect.

We encourage you to review this policy periodically. Continued use of our website or services after changes are posted constitutes your acceptance of the updated policy.

Contact us

If you have any questions, concerns, or requests regarding this Confidentiality Policy or how we handle your personal information, please reach out. We acknowledge requests within five (5) business days and provide a full response within thirty (30) days.