AWS complies with the FBI's Criminal Justice Information Services (CJIS) standard. We sign CJIS security agreements with our customers, including allowing or performing any required employee background checks according to the CJIS Security Policy.
Law enforcement customers (and partners who manage CJI) are taking advantage of AWS services to improve the security and protection of CJI data, using the advanced security services and features of AWS, such as activity logging (AWS CloudTrail), encryption of data in motion and at rest (S3’s ServerSide Encryption with the option to bring your own key), comprehensive key management and protection (AWS Key Management Service and CloudHSM), and integrated permission management (IAM federated identity management, multi-factor authentication).
AWS has created a Criminal Justice Information Services (CJIS) Workbook in a security plan template format aligned to the CJIS Policy Areas. Additionally, a CJIS Whitepaper has been developed to help guide customers in their journey to cloud adoption.
In 2011, the Cloud Security Alliance (CSA) launched STAR, an initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. AWS is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). This CAIQ published by the CSA provides a way to reference and document what security controls exist in AWS’ Infrastructure as a Service offerings. The CAIQ provides 298 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.
Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.
It demonstrates the baseline controls AWS implements to mitigate the risk from common Internet-based threats, within the context of the UK Government's "10 Steps to Cyber Security". It is backed by industry, including the Federation of Small Businesses, the Confederation of British Industry and a number of insurance organizations that offer incentives for businesses holding this certification.
Cyber Essentials sets out the necessary technical controls; the related assurance framework shows how the independent assurance process works for Cyber Essentials Plus certification through an annual external assessment conducted by an accredited assessor. Due to the regional nature of the certification, the certification scope is limited to EU (Ireland) region.
The Department of Defense (DoD) Cloud Security Model (SRG) provides a formalized assessment and authorization process for cloud service providers (CSPs) to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the SRG provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. AWS currently holds provisional authorizations at Levels 2 and 4 of the SRG.
AWS is a Federal Risk and Authorization Management Program (FedRAMPsm) Compliant Cloud Service Provider. AWS has completed the testing performed by a FedRAMPsm accredited Third-Party Assessment Organization (3PAO) and has been granted two Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMPsm requirements at the Moderate impact level. All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMPsm repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment. The two FedRAMPsm Agency ATOs encompass all U.S. regions (the AWS GovCloud (US) region and the AWS US East/West regions).
For a complete list of the services that are in the accreditation boundary for the regions stated above, see the AWS Services in Scope by Compliance Program page.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18, or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.
AWS also offers a FERPA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of educational data.
The FERPA Compliance on AWS whitepaper outlines how companies can use AWS to process systems that facilitate FERPA compliance:
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners' approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP).
GxP is an acronym that refers to the regulations and guidelines applicable to life sciences organizations that make food and medical products such as drugs, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
AWS offers a GxP whitepaper, which details a comprehensive approach for using AWS for GxP systems. This whitepaper provides guidance for using AWS Products in the context of GxP and the content has been developed in conjunction with AWS pharmaceutical and medical device customers, as well as software partners, who are currently using AWS Products in their validated GxP systems.
AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information and AWS will be signing business associate agreements with such customers. AWS also offers a HIPAA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) compliance.
SmileStream has a AWS BAA may use any AWS service in this account designated as a HIPAA Account, but they may only process, store and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference page.
AWS maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the administrative, technical, and physical safeguards required under HIPAA. Using these services to store, process, and transmit PHI allows our customers and AWS to address the HIPAA requirements applicable to the AWS utility-based operating model.
The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).
Amazon Web Services has completed an independent assessment that has determined all applicable ISM controls are in place relating to the processing, storage and transmission of Unclassified (DLM) for the AWS Sydney Region.
AWS has achieved ISO 9001 certification, AWS’ ISO 9001 certification directly supports customers who develop, migrate and operate their quality-controlled IT systems in the AWS cloud. Customers can leverage AWS’ compliance reports as evidence for their own ISO 9001 programs and industry-specific quality programs, such as GxP in life sciences, ISO 13485 in medical devices, AS9100 in aerospace, and ISO/TS 16949 in automotive. AWS customers who don't have quality system requirements will still benefit from the additional assurance and transparency that an ISO 9001 certification provides.
The ISO 9001 certification covers the quality management system over a specified scope of AWS services and Regions of operations. For a complete list of services, see the AWS Services in Scope by Compliance Program.
ISO 9001:2008 is a global standard for managing the quality of products and services. The 9001 standard outlines a quality management system based on eight principles defined by the International Organization for Standardization (ISO) Technical Committee for Quality Management and Quality Assurance. They include:
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services. For a complete list of services, see the AWS Services in Scope by Compliance Program page.
ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments appropriate to ever-changing threat scenarios. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing significant information regarding our security controls and practices.
ISO 27017 is the newest code of practice released by the International Organization for Standardization (ISO). It provides implementation guidance on information security controls that specifically relate to cloud services.
AWS has achieved ISO 27017 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services. For a complete list of services, see the AWS Services in Scope by Compliance Program page.
ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set.
AWS has achieved ISO 27018 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services. For a complete list of services, see the AWS Services in Scope by Compliance Program page.
The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party to validate the proper controls are in place to support customer export compliance programs for this requirement.
The Motion Picture Association of America (MPAA) has established a set of best practices for securely storing, processing and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. AWS has demonstrated alignment with the MPAA best practices and the AWS infrastructure is compliant with all applicable MPAA infrastructure controls. While the MPAA does not offer a “certification,” media industry customers can use the AWS MPAA documentation to augment their risk assessment and evaluation of MPAA-type content on AWS.
The Multi-Tier Cloud Security (MTCS) is an operational Singapore security management Standard (SPRING SS 584:2013), based on ISO 27001/02 Information Security Management System (ISMS) standards. The certification assessment requires us to:
In June 2015 The National Institute of Standards and Technology (NIST) released guidelines 800-171, "Final Guidelines for Protecting Sensitive Government Information Held by Contractors". This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.
AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data. A detailed mapping is available in the NIST Special Publication 800-171.
AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 3.1, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the cloud.
Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with American Institute of Certified Public Accountants (AICPA): AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402). This dual-standard report is intended to meet a broad range of financial auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This report is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report.
The AWS SOC 1 control objectives are provided here. The report itself identifies the control activities that support each of these objectives and the independent auditor’s results of their testing procedures of each control.
|Objective Area||Objective Description|
|Security Organization||Controls provide reasonable assurance that information security policies have been implemented and communicated throughout the organization.|
|Employee User Access||Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis.|
|Logical Security||Controls provide reasonable assurance that policies and mechanisms are in place to appropriately restrict unauthorized internal and external access to data and customer data is appropriately segregated from other customers.|
|Secure Data Handling||Controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.|
|Physical Security and Environmental Protection||Controls provide reasonable assurance that physical access to data centers is restricted to authorized personnel and that mechanisms are in place to minimize the effect of a malfunction or physical disaster to data center facilities.|
|Change Management||Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.|
|Data Integrity, Availability and Redundancy||Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.|
|Incident Handling||Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved.|
The SOC 1 reports are designed to focus on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. As AWS’ customer base is broad, and the use of AWS services is equally as broad, the applicability of controls to customer financial statements varies by customer. Therefore, the AWS SOC 1 report is designed to cover specific key controls likely to be required during a financial audit, as well as covering a broad range of IT general controls to accommodate a wide range of usage and audit scenarios. This allows customers to leverage the AWS infrastructure to store and process critical data, including that which is integral to the financial reporting process. AWS periodically reassesses the selection of these controls to consider customer feedback and usage of this important audit report.
AWS’ commitment to the SOC 1 report is ongoing, and AWS will continue the process of periodic audits. For the current scope of the SOC 1 report, see the AWS Services in Scope by Compliance Program.
In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into AWS security and availability based on a pre-defined industry standard of leading practices and further demonstrates AWS’ commitment to protecting customer data. The SOC 2 report scope covers the same services covered in the SOC 1 report. See the SOC 1 description above for the in-scope services.
AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publically-available summary of the AWS SOC 2 report. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA’s Security Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS Infrastructure and Services. The AWS SOC 3 report includes all AWS data centers worldwide that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process to request a SOC 2 report. The SOC 3 report scope covers the same services covered in the SOC 1 report. See the SOC 1 description above for the in-scope services.
Refunds of tuitions are allowed within 30 days of enrollment or only for valid reasons or force majeure that causes the students to be unable to continue the education. When refunds are made, any discounts or incentives that are given for early payment or other incentives will be deducted before a refund is made. Refunds will not be made for tuition paid for a period exceeding 24 months or if the student had access to the educational material online.. All refunds have to be approved by the CFO in consultation with the sales team member assigned to the student. Refunds can either be made to the same credit card used to pay the tuition, a store credit at SmileStream or by check or money transfer.
Refunds of consulting fees will be made at the instructors’ discretion in case the nature of the consulting requires much less time than expected. Refunds cannot be made for case diagnosis started more than 12 months prior to the refund request. Refunds can be made for cancelled case diagnosis orders as long as they are cancelled before work is done by the instructors. Refunds initiated by instructors can only be made by store credit at SmileStream and can be used for future orders.
Orders should be inspected upon receiving and any issues or concerns must be addressed within 48 hours. Same day refunds can be made for cancelled orders within 24 hours of ordering. No refunds will be made for shipped orders unless the items shipped are inconsistent with the orders made and the differences are documented and evidenced. Back-order items will be refunded if not shipped within 6 months of ordering. Refunds can be made for orders that are changed, amended before the related items are shipped. Refunds will not include shipping costs in all situations except faulty shipments. Refunds will mainly be for store credit at SmileStream and can be used for future orders. SmileStream and partner companies have a 30-day return policy on all peripheral (Non-IP) product that is unused and in the original packaging. IP Orders (bands, brackets, archwires) are non-returnable, as they are custom-made for each patient. Health concerns prevent us from accepting returns of this product. Cleaning, retipping, and sharpening of your instruments can be performed by Precision Plier Service, 14175 Telephone Ave #D, Chino, CA 91710 Tel (909) 590-2085. If you have a problem, question or concern with any product, Contact Supplies at +1 714-973-2266+1 714-973-2266 ext 352 or, email email@example.com.
SmileStream is committed to your privacy. This privacy notice explains our collection, use, disclosure, retention, and protection of your personal information.
This privacy notice applies to any SmileStream website, application, service, or tool (collectively "Services") where this privacy notice is referenced, regardless of how you access or use them, including through mobile devices.
This privacy notice also applies to the provision of SmileStream services through any SmileStream partner's website, application, service, or tool where it is referenced and where your listings and their content are published or advertised in accordance with the terms of this privacy notice.
What is personal information?
Personal Information is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We do not consider personal information to include information that has been anonymized or aggregated so that it can no longer be used to identify a specific natural person, whether in combination with other information or otherwise.
We collect personal information from you when you use our Services.
We collect personal information from you and any devices (including mobile devices) you use when you: use our Services, register for an account with us, provide us information on a web form, update or add information to your account, participate in a community board discussion chat, or when you otherwise correspond with us.
The provision of all other personal information is voluntary, but may be necessary in order to use our Services, buying or selling information needed to conclude a transaction.
We may also collect personal information from other sources, as described below.
Personal information you give us when you use our Services or register for an account with us
Personal information we collect automatically when you use our Services or register for an account with us
Personal information we collect using cookies and similar technologies
Personal information collected from other sources
We use your personal information to provide and improve our Services, provide you with a personalized experience on our sites, contact you about your account and our Services, provide you customer service, provide you with personalized advertising and marketing, and to detect, prevent, mitigate and investigate fraudulent or illegal activities.
We use the personal information we collect from you for a range of different business purposes and according to different legal bases of processing. The following is a summary of how and according to which legal bases we use your personal information.
We use your personal information to fulfill a contract with you and provide you with our Services, to comply with our legal obligation, protect your vital interest, or as may be required for the public good. This includes:
We use your personal information to pursue our legitimate interests where your rights and freedoms do not outweigh these interests. We have implemented controls to balance our interests with your rights. This includes to:
With your consent, we may use your personal information to:
We may use technologies considered automated decision making or profiling. We will not make automated-decisions about you that would significantly affect you, unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are required by law to use such technology.
You have choices about how we use your personal information to communicate with you, to send you marketing information, how we provide you with customized and relevant advertising, and whether you want to stay signed into your account.
If you do not wish to participate in our advertising personalization programs, you can opt-out by following the directions provided within the applicable advertisement. The effect of an opt-out will be to stop personalized advertising, but it will still allow the collection of personal information as otherwise described in this privacy notice. We do not allow third parties to track or collect your personal information on our sites for their own advertising purposes, without your consent.
When you sign in to your account on our Services, we give you the option to stay signed in to your account for certain amount of time. If you are using a public or shared computer, we encourage you not to choose to stay signed in. You or any other user of the computer/browser you signed in on will be able to view and access most parts of your account and take certain specific actions during this signed in period without any further authorization. The specific actions and account activities that you or any other user of this computer/browser may take include:
If you attempt to change your password, User ID, update any other account information or attempt other account activity beyond those listed above, you may be required to enter your password.
You can typically end your signed in session by either signing out and/or clearing your cookies. If you have certain browser privacy settings enabled, simply closing your browser may also end your signed in session. If you are using a public or shared computer, you should sign out and/or clear your cookies when you are done using our Services to protect your account and your personal information.
We respect your right to access, correct, request deletion or request restriction of our usage of your personal information as required by applicable law. We also take steps to ensure that the personal information we collect is accurate and up to date.
Access, correction, and deletion of your personal information
You can see, review and change most of your personal information by signing in to your account. Please, update your personal information immediately if it changes or is inaccurate. Keep in mind, once you make a public posting, you may not be able to change or remove it.
We will honor any statutory right you might have to access, modify or erase your personal information. To request access and to find out whether any fees may apply, if permitted by applicable national laws, please contact us following the instructions in the Contact Us section below. Where you have a statutory right to request access or request the modification or erasure of your personal information, we can still withhold that access or decline to modify or erase your personal information in some cases in accordance with applicable national laws.
If you request that we stop processing some or all of your personal information or you withdraw (where applicable) your consent for our use or disclosure of your personal information for purposes set out in this privacy notice, we might not be able to provide you all of the Services and customer support offered to our users and authorized under this privacy notice.
Upon your request, we will close your account and remove your personal information from view as soon as reasonably possible, based on your account activity and in accordance with applicable national laws.
We may disclose your personal information to other members of the SmileStream, Inc. or to third parties. This disclosure may be required for us to provide you access to our Services, to comply with our legal obligations, to facilitate our marketing and advertising activities, or to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to our Services. We attempt to minimize the amount of personal information we disclose to what is directly relevant and necessary to accomplish the specified purpose. We do not sell, rent, or otherwise disclose your personal information to third parties for their marketing and advertising purposes without your consent.
We may disclose your personal information to the following parties for the following purposes:
SmileStream, Inc. who may use it to:
Service Providers and financial institutions partners as follows:
Law enforcement, legal proceedings, and as authorized by law
Change of ownership
If we are subject to a merger or acquisition with/by another company, we may share information with them in accordance with our global privacy standards. Should such an event occur, we will require that the new combined entity follow this privacy notice with respect to your personal information. If we intend to handle your personal information for any purposes not covered in this privacy notice, you will receive prior notification of the processing of your personal information for the new purposes.
We retain your personal information for as long as necessary to provide the Services you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our policies.
Our specific retention times for personal information are documented in our regional records retention schedules. How long we retain personal information can vary significantly based on context of the Services we provide and on our legal obligations. The following factors typically influence retention periods:
After it is no longer necessary for us to retain your personal information, we will dispose of it in a secure manner according to our data retention and deletion policies.
We protect your personal information using technical and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centers, and information access authorization controls. For more information about staying safe while buying and selling online, or to report an issue with your account please mail us Customer.Service@SmileStream.com or call us on +1-714-973-2266 USA Toll Free 1-800-443-3106.
We have established a set of global privacy standards for all our commitment to protect your personal information and honor our privacy obligations within SmileStream, Inc.
Learn more about who is your data controller, and is responsible for the collection, use, disclosure, retention and protection of your personal information in accordance with our global privacy standards, this privacy notice, as well as any applicable national laws.
If you reside in the United States, you are contracting with SmileStream, 135 Columbia, Suite 101 Aliso Viejo, CA 92656 and, if you use our payments services, also with SmileStream, 135 Columbia, Suite 101 Aliso Viejo, CA 92656, for such payments services.
The company you are contracting with is your data controller, and is responsible for the collection, use, disclosure, retention and protection of your personal information in accordance with our global privacy standards, this privacy notice, as well as any applicable national laws.
Your data controller may transfer data to other members as described in this privacy notice.
We may process and retain your personal information on our servers in the U.S. and elsewhere in the world where our data centers are located.
This section describes some additional privacy information related to your use of our Services that you may find important.
When you share your personal information on our sites or applications – what happens?
Other users have access to the information you share on SmileStream. For example, other users can see your purchases, items for sale, feedback, ratings, product reviews and associated comments. Other users can also see any information you chose to share in your profile.
When you use our Services, your public user ID may be displayed and available to the public and associated with all of your public SmileStream activity. Notices sent to other users about suspicious activity and notice violations on our sites may refer to your public user ID and specific items. If you associate your name with your user ID, the people to whom you have revealed your name may then be able to identify your SmileStream activities.
Your responsibilities over transactional information you receive through SmileStream
When you transact with another user, we enable you to obtain or we may provide you with the personal information of the other user (such as their name, account ID, email address, contact details, shipping and billing address) to complete the transaction. Independent from us, you are the controller of such data and we encourage you to inform the other user about your privacy practices and respect their privacy. In all cases, you must comply with the applicable privacy laws, and must give the other user a chance to remove them from your database and them a chance to review what information you have collected about them.
You may use the personal information that you have access to only for SmileStream transaction-related purposes, or for other services offered through SmileStream (such as shipping, fraud complaints, and member-to-member communications), and for purposes expressly consented by the user to whom the information relates.
Unwanted or threatening email
We do not tolerate abuse of our Services. You do not have permission to add other users to your mailing list (email or postal), call, or send him/her text messages for commercial purposes, even if this user purchased something from you, unless the user has given his/her explicit consent.
Our websites are general audience websites and not intended for children. We do not knowingly collect personal information from users deemed to be children under their respective national laws.
Third Party Privacy Practices
This privacy notice addresses only our use and handling of personal information we collect from you in connection with providing you our Services. If you disclose your information to a third party, or visit a third party website via a link from our Services, their privacy notices and practices will apply to any personal information you provide to them or they collect from you.
We cannot guarantee the privacy or security of your personal information once you provide it to a third party and we encourage you to evaluate the privacy and security policies of your trading partner before entering into a transaction and choosing to share your personal information. This is true even where the third parties to whom you disclose personal information are bidders, buyers or sellers on our site.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact us
If you have a question or a complaint about this privacy notice, our global privacy standards, or our information handling practices, you can reach the Global Privacy Office in writing at: 135 Columbia, Suite 101, Aliso Viejo, CA 92656
You can also email our Global Privacy team at Customer.Service@SmileStream.com
Your right to file complaints with a data protection supervisory authority remains unaffected.