ReadyMaxer
Sign inPricing

Data Processing Addendum

Version 1.0 · Effective July 10, 2026

English · Español · Français · Português

This DPA forms part of the Terms of Service between SmileMaxer LLC (the "Processor") and the Practice (the "Controller") and applies whenever SmileMaxer processes personal data on the Practice's behalf that is subject to the GDPR, UK GDPR, Swiss FADP, or similar laws. It is automatically incorporated into the Terms for such Practices; no signature is required. Need a countersigned copy? Email legal@readymaxer.com.

1. Scope and roles

For team data the Practice enters or generates (member names, departments, rooms, devices, signals, activity logs, digital-line entries), the Practice is controller and SmileMaxer is processor. For admin accounts, billing, and website data, SmileMaxer is an independent controller under the Privacy Policy, and this DPA does not apply.

2. Details of processing

Subject matter and duration: providing ReadyMaxer for the subscription term. Nature and purpose: hosting, storing, transmitting, and displaying team-signaling data; push notifications; sign-in and pairing; the Practice's activity log. Data subjects: the Practice's staff and admins; visitors who join its digital line. Personal data: first names or display names; department and shift status; device names, models, and push tokens; signal records with timestamps and optional short notes; digital-line names. No special categories: the service prohibits entering patient or health information, and the Practice agrees not to submit any.

3. Processor obligations

SmileMaxer will: (1) process only on the Practice's documented instructions (the Terms, this DPA, and the Practice's use of the service's controls), unless required by law, informing the Practice unless the law forbids it; (2) bind authorized persons to confidentiality; (3) implement the technical and organizational measures below; (4) respect the subprocessor conditions in Section 4; (5) assist the Practice with data subject requests and, considering the information available, with security, breach-notification, and impact-assessment obligations; (6) notify the Practice without undue delay after becoming aware of a personal data breach affecting its data; (7) at the end of the service, delete the Practice's personal data within 60 days except where law requires retention; and (8) make available information reasonably necessary to demonstrate compliance and, at the Practice's cost and at most annually, allow audits (satisfiable with documentation and third-party reports).

4. Subprocessors

The Practice generally authorizes the subprocessors listed at readymaxer.com/subprocessors. We will update that page at least 15 days before adding or replacing a subprocessor; the Practice may object on reasonable data-protection grounds at legal@readymaxer.com and, failing resolution, cancel its subscription. We impose consistent data protection obligations on subprocessors and remain responsible for their performance.

5. International transfers

The service is hosted in the United States. Where a transfer mechanism is required, the parties incorporate the EU Standard Contractual Clauses (2021/914, Module Two, controller to processor), Practice as exporter, SmileMaxer as importer, with: Clause 7 included; Clause 9(a) Option 2 with 15 days' notice; Clause 11 optional language omitted; Clause 17 Option 1 (Irish law); Clause 18 (courts of Ireland). Annex I is Section 2 plus the parties' account details; Annex II is the measures below; Annex III is the subprocessors page. UK transfers: the UK International Data Transfer Addendum (B1.0) applies with tables completed by the foregoing; Swiss transfers: the Clauses as adapted per the FDPIC.

6. Liability and precedence

Each party's liability under this DPA is subject to the limitations in the Terms except where Data Protection Laws do not permit. This DPA controls over the Terms for data protection matters; the Clauses control over this DPA.

Annex II: Technical and organizational measures

All transport encrypted (HTTPS/TLS). Passwords hashed with argon2id; session, device, and QR tokens stored only as SHA-256 hashes; single-use short-expiry pairing codes. Data minimization by design: no member phone numbers or emails; notes capped at 200 characters and labeled to exclude patient information; no analytics in the signed-in service. Tenant isolation at the application layer; role-based access. Optional platform attestation on sensitive endpoints. Hosting on Google Cloud with provider physical and network security; production access limited to authorized personnel. IPs processed transiently in memory, not persisted. Automated retention enforcement: finished signals and digital-line entries purged after 90 days, activity log after 12 months, removed members anonymized after 60 days (Privacy Policy §8). Practice-facing controls: device revocation, member deactivation, data deletion, activity log.

Questions: legal@readymaxer.com · SmileMaxer LLC, 11 S Eutaw St, Apt 915, Baltimore, MD 21201, USA

← Back home

ReadyMaxer
A SmileMaxer LLC product · About · Security · How it works · Terms · Privacy · DPA · Subprocessors · Privacy choices · support@readymaxer.com · SmileMaxer.com