DueSouthDental

Health Privacy & Confidentiality Statement

Version 1.2 · Effective: upon publication · Provider: Grayscale Digital, LLC (Michigan)

Plain-English summary. The short version. The full Statement follows.

  • What we are. DueSouthDental is an editorial directory and patient-decision wizard. We are a facilitation and editorial service, not a medical referral service and not a healthcare provider.
  • What we collect. Wizard preferences (procedure interest, location preference, budget range, etc.), contact info (name, email, optionally phone) when you choose to send an inquiry, and first-party operational analytics.
  • What we do NOT collect. No Protected Health Information (PHI). No retargeting pixels. No third-party advertising trackers. We do not sell your data.
  • How we use it. Wizard preferences power the deterministic filter-match. Contact info is delivered to the clinic you choose. Analytics are aggregated and de-identified.
  • Cross-border. When you submit an inquiry to a clinic, your contact info crosses the U.S.-Mexico border. After delivery, Mexican law applies to the clinic's handling.
  • Your rights. Withdraw an inquiry within 24 hours, request access, request deletion. Email [email protected].
  • State laws. MHMDA-compatible (WA), CCPA/CPRA-compatible (CA). Other state consumer-health-data laws honored where applicable.
  • 18 or older only.

1. Structural framing — load-bearing language

  1. DueSouthDental facilitates information and clinic-listing services for U.S. patients researching cross-border dental implants in Tijuana and Los Algodones, Mexico. We are an editorial directory and patient-decision wizard.
  2. We are not a healthcare provider, a medical professional, a medical advisor, or a medical referral service. We do not provide clinical care, diagnose patients, prescribe or recommend treatment.
  3. We operate a facilitation and editorial directory service, not a medical advisory service. We do not have a physician-patient relationship with you or with any other site visitor.
  4. Always seek the advice of a qualified physician or licensed dentist before selecting a treatment, a doctor, or a medical facility. The Site supplements, but does not replace, clinical consultation.

2. What we collect

2.1 Wizard preference data

When you complete the wizard, we collect your stated preferences: procedure of interest, location preference, budget band, travel readiness window, sedation preference, implant brand priority, anxiety / chairside-care preference, English fluency requirement, companion question, home city / state.

2.2 Contact information

When you choose to send an inquiry to a specific clinic, we collect: name, email address, optionally phone number / WhatsApp, and optionally a free-text message you write to the clinic.

2.3 Operational analytics (first-party only)

Page-view counts, wizard completion / filter-match / inquiry-delivery rates, aggregated session metadata (referrer, broad geography, device type). Captured via Cloudflare Web Analytics, which does not use cookies and does not fingerprint visitors. Browser Do-Not-Track signals are honored where applicable.

2.4 Inquiry delivery records

Once you send an inquiry to a clinic, we record (for billing-integrity, dispute-resolution, and audit purposes): timestamp of delivery, the specific clinic the inquiry was sent to, the wizard-response payload at the time of delivery, the rules version used to qualify the inquiry, and any subsequent confirmation events.

3. What we do NOT collect

4. How we use your data

4.1 Wizard preferences

Used to compute the deterministic filter-match showing you clinics whose published profiles match your stated preferences. Filter-match logic is deterministic, identical for every user, and never weighted by clinic payment.

4.2 Contact information

When you submit an inquiry, your contact information is delivered to the specific clinic you choose along with a summary of your wizard responses so the clinic can prepare for the consultation. We do not deliver your contact information to any clinic you did not specifically choose.

4.3 Operational analytics

Used to improve wizard performance and editorial content. Analytics are first-party, aggregated, and never used to identify individual visitors.

4.4 Inquiry delivery records

Used for billing integrity when paid billing is in effect (see Healthcare-Marketing Rider §1.1), dispute resolution between Provider and listed clinics, and security / fraud detection.

5. Sharing your data

5.1 Cross-border data transfer (U.S. → Mexico)

If you send an inquiry to a clinic, your contact information transfers to the clinic in Mexico. Once delivered, your inquiry data crosses the U.S.-Mexico border. After delivery, Mexican law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares — LFPDPPP — and applicable COFEPRIS regulations) governs the clinic's handling of your data, and the clinic's own privacy practices apply. By sending an inquiry, you consent to this cross-border transfer.

5.2 Service providers

We use a small set of operational service providers that process data on our behalf, including Cloudflare (hosting, edge compute, privacy-preserving analytics), Google Workspace (clinic communications, internal email), and a customer-relationship-management (CRM) provider. Each operational service provider processes data only as necessary to provide their service and is subject to a written data-processing agreement (or vendor terms equivalent) prohibiting unauthorized use.

5.3 Legal requirements

We may disclose your data if required by law, court order, valid government action, or to protect Provider's rights and safety. We will challenge unduly broad legal requests where appropriate. If we receive a legal request for your data, we will notify you to the extent permitted by law.

5.4 No business associate disclosures

Provider does not enter into HIPAA Business Associate Agreements with listed clinics, because Provider does not collect, store, or transmit PHI on behalf of any clinic. See Healthcare-Marketing Rider §3 for the full no-PHI / no-HIPAA-BA framing.

6. Your rights and controls

6.1 Withdraw an inquiry

You may withdraw an inquiry within twenty-four (24) hours of delivery by emailing [email protected]. We will notify the clinic that you withdrew the inquiry and request that the clinic delete your contact information. We will delete the inquiry record from our systems (subject to limited audit-log retention per §11). After 24 hours, we cannot guarantee withdrawal because the clinic may have already begun acting on your inquiry; you can ask the clinic directly.

6.2 Access your data

Email [email protected] to request a copy of the wizard responses and inquiry history Provider holds for you. We will respond within 45 days.

6.3 Correct your data

Email [email protected] to request correction of inaccurate data Provider holds for you.

6.4 Delete your data

Email [email protected] to request deletion of your data from Provider's systems. Subject to limited audit-log retention (typically 90 days). Note that we cannot retract inquiries already delivered to clinics; you can ask the clinic directly for clinic-side deletion.

6.5 Opt out of sale or sharing

Provider does not "sell" or "share" personal information for cross-context behavioral advertising, as those terms are defined under CCPA / CPRA and analogous state laws. There is therefore no separate opt-out to exercise.

6.6 Opt out of analytics

Cloudflare Web Analytics does not use cookies and does not fingerprint visitors, so most privacy regimes do not require an opt-out. Browser Do-Not-Track signals are honored where applicable.

6.7 No retaliation

Provider will not retaliate against you for exercising any privacy right described in this Statement.

7. Washington My Health My Data Act (MHMDA)

The DueSouthDental wizard intake UX includes consent prompts compatible with Washington's My Health My Data Act ("MHMDA", RCW Chapter 19.373). Wizard preferences include some "consumer health data" within MHMDA's broad definition; collection is gated by an explicit consent screen at wizard intake, and an additional explicit consent screen before any inquiry is delivered to a clinic.

Washington State residents have additional MHMDA rights: revoke consent, delete consumer health data, access a list of third parties with whom data has been shared. To exercise MHMDA rights, email [email protected].

Provider does not "sell" consumer health data within the meaning of MHMDA. Inquiry delivery to a chosen clinic is a service the user requested and authorized through the consent screen, not a sale.

8. California Consumer Privacy Act (CCPA / CPRA)

8.1 Categories of personal information collected

In the past 12 months, Provider has collected the following categories of personal information from California residents: Identifiers (name, email, phone, IP truncated for analytics); Customer records (wizard preference data linked to your inquiry); Internet activity (page views, wizard completion, filter-match events); Geolocation (broad geography, state-level, from IP — no precise GPS).

We do not collect: biometric information, sensory data, professional/employment information, education information, inferences for advertising purposes.

8.2 Sources, business purposes, and sharing

Sources: directly from you (wizard, inquiry), from your browser (page navigation, IP), from operational service providers. Business purposes: operate the directory service, deliver your inquiry to your chosen clinic, compute filter-match, generate aggregate analytics, meet billing-integrity / audit-trail obligations. Third parties: the clinic you chose, plus operational service providers under data-processing agreements (§5.2). No other third parties.

8.3 CCPA / CPRA rights

To exercise CCPA / CPRA rights, email [email protected].

9. Other state consumer-health-data laws

State consumer-health-data laws are evolving rapidly. Provider's general posture is to honor reasonable access, correction, and deletion requests from any state's residents under the email path in §6 above, regardless of whether the state has a specific consumer-health-data statute. If your state has a specific statute (Connecticut CTDPA, Colorado CPA, Virginia VCDPA, Texas TDPSA, etc.), email [email protected] and reference the statute.

10. Children

The Site is intended for adults aged 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where 16 is the age of digital consent). If we discover we have collected data from a child, we will delete it.

11. Security

Provider takes reasonable technical and organizational measures: TLS 1.2+ encryption in transit; least-privilege role-based access controls with multi-factor authentication on administrative accounts; encryption at rest; regular review against evolving threat models; documented incident response. In the event of a data incident affecting your data, Provider will notify you in accordance with applicable breach-notification law.

12. Retention

Data category | Retention | Notes
Wizard preferences (no inquiry sent) | 12 months from last interaction | Anonymized analytics may persist indefinitely
Contact information (delivered inquiry) | Active inquiry + 24 months | Subject to your withdrawal/deletion rights (§6)
Inquiry delivery records | 24 months | Billing-integrity, dispute resolution
Operational analytics (aggregated) | Indefinite | De-identified, not personally identifiable
Audit logs | 90 days | Security and operational integrity
Privacy team communications | 24 months | Compliance with response obligations

13. International users

The Site is operated from the United States. By accessing the Site from outside the United States, you consent to data processing in the United States. The Site is not specifically targeted at residents of jurisdictions with stricter data-protection regimes (e.g., the European Union, the United Kingdom).

14. Cross-border data transfer (Mexico, in detail)

When you submit an inquiry to a clinic, the following data crosses the U.S.-Mexico border: your name, email, phone / WhatsApp (if provided), free-text inquiry message (if written), summary of wizard responses, and the DueSouthDental referral identifier. Transfer occurs via TLS-encrypted email or webhook to the clinic's chosen intake endpoint, initiated by your explicit consent at inquiry submission.

After delivery, the clinic — not Provider — controls the data. The clinic's privacy practices apply. Mexican LFPDPPP and applicable COFEPRIS regulations govern. You may exercise data rights against the clinic directly; Provider can facilitate the request but is not the clinic's data processor. If a clinic violates LFPDPPP or applicable Mexican law in handling your data, Provider's role is limited to: (i) removing the clinic from the directory if violation is confirmed (per Public Vetting Criteria removal process), and (ii) facilitating your communication with the clinic's privacy contact.

15. Changes to this Statement

We may update this Statement from time to time. Material updates (changes to data collection categories, sharing practices, retention periods, your rights, structural framing in §1, cross-border transfer mechanism) will be announced with at least 30 days' notice via prominent on-site banner and email notice where applicable. Prior versions are archived at /legal/privacy/v1.0, /legal/privacy/v1.1, /legal/privacy/v1.2, etc.

16. Contact us

For privacy questions, data access requests, or to exercise rights described above:

[email protected]

17. Definitions

"Consumer health data" has the meaning given in MHMDA RCW 19.373.020(8) and analogous state statutes.

"directory service" or "Site" means the DueSouthDental patient-decision wizard, clinic directory, and related features.

"LFPDPPP" means Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares.

"MHMDA" means Washington's My Health My Data Act, RCW Chapter 19.373.

"Personal information" has the meaning given in CCPA / CPRA and analogous state statutes.

"PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103. Provider does not collect PHI.

"Provider" means Grayscale Digital, LLC, a Michigan limited liability company.

"Sale" of personal information has the meaning given in CCPA/CPRA. Provider does not sell personal information.

"Sharing" of personal information has the meaning given in CPRA. Provider does not share personal information.

Last updated: 2026-05-07.