1. Who we are
Dental Tourism CR (“DTCR”, “we”, “us”) is a website operated by Leads Agency SRL, a company organized under the laws of Costa Rica, registered with cédula jurídica 3-102-759132, with offices in San José, Costa Rica. We provide a marketplace that connects international patients (primarily from the United States and Canada) with verified dental clinics in Costa Rica. We are not a dental provider, we do not provide medical advice, and we do not process payments between patients and clinics. We do, however, charge clinics on paid subscription plans a fixed monthly fee, which is handled by our payment provider PayPal; see sections 2 and 5.
This Privacy Policy explains what personal information we collect when you use dentaltourismcr.com, how we use it, who we share it with, and the rights you have over your information. If you have any question about this policy or about your data, contact us at privacy@dentaltourismcr.com.
2. Information we collect
2.1 Information you give us directly
- Quiz answers: When you complete the homepage quiz to find a clinic match, we record your treatment of interest, budget range, origin city, travel timeline, top priority, case complexity, and whether you want concierge support. You can take the quiz without creating an account; in that case, the answers are stored in a first-party cookie on your browser only.
- Account information (patients): If you create an account, we store your full name, email address, and (for password-based signup) a one-way hashed password. If you sign in with Google, we store the name and email Google returns and an avatar URL.
- Account information (clinics): If you apply as a clinic, we store the business name, owner email, contact email, address, team member names and credentials, treatments offered, pricing ranges, certifications, photos, FAQ answers, and any other information you provide on the application form.
- Billing information (clinics): If your clinic is on a paid subscription plan, we store the plan you chose, its status, your invoice and payment history, and a reference ID for the subscription. Your card or bank details are entered on, and held by, PayPal; we never see or store your full payment instrument.
- Conversations and uploads: Messages you send to a clinic (or that a clinic sends to you) through the platform inbox are stored on our content management system. Files you upload during a conversation, such as dental records, x-rays, or proof of payment, are stored on our file hosting provider and made accessible only to the parties of that conversation.
- Reviews: If you submit a review of a clinic after treatment, we publish your first name, last initial, origin city, and review text. We do not publish your full name, email, or contact information on the public profile.
2.2 Information collected automatically
- Functional cookies: A session cookie keeps you signed in. A small first-party cookie remembers your quiz answers between pages so you don’t have to start over. A consent cookie remembers your cookie preferences. None of these requires your consent because they are strictly necessary to operate the service. A full list of cookies is available on our Cookie Policy page.
- Analytics cookies: If you consent, Google Analytics 4 collects information about how you use the site: pages visited, referring source, approximate location (country/region only, IP truncated), device type, and how long you spend on each page. Analytics is disabled by default and only activates after you click Accept in the cookie banner. You can change your preference at any time.
- Advertising cookies: If you consent, we may use advertising cookies to measure ad performance and to show you relevant ads on other websites. Advertising is disabled by default and only activates after you click Accept in the cookie banner. We do not currently set advertising cookies but may do so in the future as we scale; this policy will be updated when we do.
- Server logs: Our hosting provider records standard request logs (IP address, user agent, requested URL, response status). We do not use these logs for tracking or profiling. The IP address is also briefly held in memory by our matching API to enforce rate limits and is discarded after a few minutes; it is not written to disk or attached to your account.
2.3 Information from clinics about you
A clinic may import you into the platform if you are an existing patient of theirs. When this happens, the clinic acts as the data controller for your information and DTCR acts as their processor. The clinic is responsible for having a lawful basis to share your information with us. If you receive a message from a clinic on DTCR and you did not authorize them to import you, contact us at privacy@dentaltourismcr.com and we will help remove your record.
3. How we use your information
- Match you with clinics that fit your case and budget.
- Let you exchange messages, share documents, and receive quotes from a clinic.
- Send you transactional emails about your inquiries: when a clinic responds, when a quote arrives, when a follow-up is scheduled. These emails are operational; you cannot opt out of them while you have an active conversation, but you can delete your account to stop them entirely.
- Verify clinics, monitor response times, and remove clinics that fall below quality standards.
- Calculate the commission a clinic owes us when a patient accepts a quote.
- Bill clinics on paid subscription plans their fixed monthly fee, and keep a record of those invoices.
- Improve the product (analytics cookies, only if you consent).
- Detect and prevent abuse, fraud, and spam.
- Comply with our legal obligations.
4. Legal bases (EU/UK only)
If you are in the European Union or the United Kingdom, our legal bases under GDPR are:
- Contract: Most processing (matching, messaging, sending quotes) is necessary to provide the service you signed up for.
- Legitimate interest: Verifying clinics, preventing fraud, securing the platform, and basic anti-spam server logs.
- Consent: Analytics cookies, advertising cookies, and any other non-essential processing. You can withdraw consent at any time using the cookie preferences link in our footer.
- Legal obligation: Where we are required to keep records (for example, transaction records for tax purposes in Costa Rica).
5. Who we share your information with
We do not sell your personal information. We share it only with the following categories of recipients, and only as needed to operate the service:
- The clinic you choose to contact. When you request a match or send a message, the clinic sees your name, the contents of your messages, your quiz answers, and any files you upload to the conversation. The clinic uses that information to prepare a quote for you. The clinic acts as an independent data controller for the information they receive; their handling of your data is governed by their own privacy practices.
- Sanity (CMS). Our content management system, which stores your account information, conversations, and reviews. Sanity is a Norwegian company; data is hosted in their global infrastructure.
- Uploadthing (file storage). Files you upload (x-rays, payment receipts, treatment plans) are stored on Uploadthing’s infrastructure.
- Resend (transactional email). Sends our operational emails (lead notifications, message alerts, review requests). Resend does not send marketing email on our behalf.
- PayPal (subscription billing). If your clinic is on a paid plan, PayPal processes the recurring subscription charge and sends us the payment status (success, failure, cancellation) so we can keep your account current. PayPal handles your card or bank details directly, under its own privacy policy.
- Google (authentication and analytics). If you sign in with Google, Google handles the OAuth flow. If you consent to analytics, Google Analytics 4 receives anonymized usage data about your visit.
- Authorities, when legally required. Costa Rican courts, regulators, or law enforcement, if compelled by valid legal process. We will notify you when permitted.
- A successor company. If Leads Agency SRL is acquired or merges with another entity, your data may be transferred as part of the transaction. The successor will be bound by this policy or one no less protective.
6. International data transfers
We are based in Costa Rica. Some of our service providers (Sanity, Uploadthing, Resend, Google) operate globally and may process your data in the European Economic Area, the United States, Canada, or elsewhere. For users in the EU/UK, transfers outside the EEA are made under standard contractual clauses or equivalent safeguards. By using the service you understand that your data may be processed outside your country of residence.
7. How long we keep your data
- Active accounts: for as long as your account exists.
- Conversations and quotes: for the duration of the conversation plus a retention window for review and dispute resolution; typically 24 months after the last activity.
- Reviews: indefinitely, unless you ask us to remove them; reviews are part of the public record of clinic performance.
- Server logs and rate-limit records: a few minutes (rate limits) to a few weeks (web server logs at our hosting provider).
- After account deletion: we delete or anonymize personal information promptly. We may retain a minimal record (email hash, deletion date) to honor opt-outs and to comply with our legal obligations.
8. Your rights
Wherever you live, you can email privacy@dentaltourismcr.com to:
- Access a copy of the personal information we hold about you.
- Correct information that is inaccurate.
- Delete your account and the personal information we associate with it. (We may retain anonymized records as described above.)
- Restrict or object to specific processing.
- Withdraw consent for analytics or advertising at any time using the cookie preferences link in the footer.
- Receive your data in a portable format.
- File a complaint with your local data protection authority.
We respond to verified requests within 30 days. We may ask you to verify your identity (for example, by responding from the email address on the account) before acting on a request, to make sure we’re not handing your data to someone else.
Self-service for signed-in users. Patients with an account can download a portable copy of their data at any time from their profile page, and can permanently close their account from that same page. Clinic owners have the equivalent controls on their dashboard settings page: data export and a self-service deactivation request that hides the clinic immediately while a DTCR admin processes the request within five business days. The email address above remains valid as a fallback if you do not want to or cannot sign in.
8.1 U.S. state-specific rights
If you live in California, Virginia, Connecticut, Texas, or another U.S. state with a comprehensive privacy law, you have the rights described above plus the following clarifications:
- Right to know / right to access: You can ask for the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties we have shared it with.
- Right to delete: You can request deletion of personal information we collected from you, subject to limited exceptions.
- Right to opt out of “sale” or “sharing”: We do not sell personal information for money. Some U.S. state laws define “share” broadly enough to include cross-context advertising. To opt out of any such sharing, reject advertising cookies in our cookie banner or use the cookie preferences link in the footer. You can also send a Global Privacy Control signal from your browser; we honor it.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond providing the service.
- Right to non-discrimination: We will not deny service, change pricing, or reduce the quality of service because you exercised any privacy right.
- Authorized agents: You can authorize someone to make a request on your behalf. We will ask for proof of authorization.
In the past 12 months we have collected, for the purposes described in section 3, the categories of information described in section 2 (identifiers, customer records, internet activity, geolocation at the country level, professional information for clinic owners, and commercial information for clinic owners on paid plans). We have disclosed those categories to the recipients listed in section 5. We have not sold personal information for monetary consideration.
8.2 Costa Rica
Under Ley 8968, you have the rights of access, rectification, cancellation, and opposition (the “ARCO” rights), plus the right to revoke your consent. The Agencia de Protección de Datos de los Habitantes (PRODHAB) is the supervisory authority and can be reached at prodhab.go.cr.
8.3 Canada
Under PIPEDA (and Quebec’s Law 25 if you live in Quebec), you have the rights of access, correction, and withdrawal of consent. Quebec residents can also request that we cease use of their personal information and, in some cases, request portability. Complaints can be filed with the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information (Quebec).
9. Security
We protect your data with reasonable technical and organizational measures: HTTPS for all traffic, password hashing with bcrypt, scoped access tokens to our content store, periodic dependency security review, and least-privilege access for our team. No system is perfectly secure; if a breach affects your data we will notify you and the appropriate authorities as required by law.
10. Children
The service is not directed at children under 18. We do not knowingly collect personal information from children. If you are under 18, do not create an account or use the matching service without a parent or legal guardian. If you believe we have collected information from a child, contact us and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves. The “Last updated” date at the top reflects the most recent change. If we make material changes (for example, sharing data with new categories of recipients, or starting to sell data), we will notify you by email if we have your address on file and through a prominent banner on the site.
12. Contact
Leads Agency SRL
Cédula jurídica: 3-102-759132
San José, Costa Rica
Email: privacy@dentaltourismcr.com