ToothAbroad ("we", "us") operates toothabroad.com. This policy explains what personal information we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy frameworks. Until a legal entity is formed, the data controller is the ToothAbroad operator based in Spain; privacy requests go to [email protected].
We rely on your explicit consent to process health-related details submitted with a quote request, your consent for newsletter emails and any later clinic introduction, our legitimate interest in operating a secure site for abuse prevention, and pre-contractual steps requested by you when we prepare a written quote-check brief. Dental/medical details may be special-category health data under GDPR Article 9, so we keep the first review written-first and document-free.
We share your information only with (a) the specific clinics you've asked us to contact, after your explicit consent to that introduction; (b) essential service providers (email delivery, hosting, secure file transfer, analytics) under appropriate data-processing terms; and (c) authorities where required by law. We do not sell or rent personal information, and we do not share quote-request details with clinics just because you submitted the form.
You have the right to access, correct, delete, or export your personal information, to object to processing, and to withdraw consent at any time. California residents have the additional rights provided by the CCPA/CPRA including the right to opt out of the "sharing" of personal information. Email [email protected] to exercise any of these rights; we respond within 30 days.
Quote requests are retained for up to 24 months from the last meaningful interaction unless you ask us to delete them sooner or a legal obligation requires a different period. Newsletter signups are retained until you unsubscribe or ask for deletion. Because ToothAbroad does not currently collect medical documents or image files, we do not maintain a medical-record upload archive.
ToothAbroad operates from Spain and our primary servers are located in the European Union. Patients may be in the United States and clinics we introduce you to may be located in Mexico, Costa Rica, Colombia and other countries. We only transfer your quote details to a clinic outside the EU/EEA after you ask for that specific introduction and consent to the transfer. We do not transfer X-rays, CBCT scans, mouth photos, lab reports, or other medical documents because we do not collect them; if a clinic needs those records, it should request them directly from you through its own process.
Privacy questions: [email protected]. Material changes to this policy will be announced by a notice on the site for at least 30 days before taking effect.