Privacy Policy
Effective Date: 1 January 2025
Last Updated: 7 April 2026
1. Introduction
Dr Christine May and ViDe Virtual Dental Pty Ltd trading as XO Smiles (XO Smiles, we, us, or our) are committed to protecting your privacy and handling your personal and health information in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs), and all applicable laws and professional standards.
This Privacy Policy explains how we collect, hold, use, disclose, and otherwise handle personal information and health information in connection with our website at xosmiles.com.au and our in-person dental, surgical, and implant services.
This Privacy Policy should be read in conjunction with our Terms and Conditions and any consent forms provided to you.
2. Scope and Application
This Privacy Policy applies to all personal information and health information collected by XO Smiles, whether collected through:
our Website (xosmiles.com.au);
in-person consultations and treatment;
telephone, email, SMS, or other electronic communications;
online booking platforms and patient portals;
referrals from other health practitioners;
third-party service providers acting on our behalf.
As a private sector health service provider, XO Smiles is subject to the Privacy Act regardless of annual turnover, in accordance with section 6D(4)(b) of the Privacy Act. We are also subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.
3. Regulatory Framework
This Privacy Policy has been developed to comply with:
the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs);
the Privacy and Other Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth);
the Privacy and Other Legislation Amendment Bill 2024 (Cth) (to the extent in force);
the Notifiable Data Breaches scheme (Part IIIC, Privacy Act);
the Health Practitioner Regulation National Law, including the Dental Board of Australia’s Code of Conduct for registered health practitioners;
AHPRA’s Guidelines for Advertising a Regulated Health Service;
the Australian Dental Association (ADA) policies and guidelines on data privacy and information management security;
applicable Queensland health records legislation;
the Competition and Consumer Act 2010 (Cth), including the Australian Consumer Law.
4. Key Definitions
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in material form or not (as defined in section 6(1) of the Privacy Act).
Sensitive information is a subset of personal information that includes health information, genetic information, biometric information, racial or ethnic origin, and other categories defined in section 6(1) of the Privacy Act. Health information is sensitive information and is afforded a higher level of protection under the APPs.
Health information includes information or an opinion about the health, including an illness, disability, or injury, of an individual; an individual’s expressed wishes about the future provision of health services; a health service provided or to be provided to an individual; and other information collected in connection with the provision of a health service (as defined in section 6(1) of the Privacy Act).
5. Information We Collect
5.1 Personal Information
We may collect the following categories of personal information:
name, date of birth, gender, and contact details (address, telephone number, email address);
emergency contact details and next of kin;
health fund or insurance membership details;
Medicare number and other government identifiers where required;
payment and billing information;
occupation (where clinically relevant);
communication preferences.
5.2 Health Information
In the course of providing dental services, we collect health information, including:
medical and dental history, including current and past conditions, surgeries, and hospitalisations;
current medications (including prescription, over-the-counter, herbal, and complementary medicines);
allergies and adverse reactions;
clinical examination findings, diagnoses, and treatment plans;
radiographs (X-rays), clinical photographs, impressions, scans, and other diagnostic records;
laboratory and pathology results;
referral correspondence and reports from other health practitioners;
consent forms and treatment records;
lifestyle factors relevant to treatment (such as smoking, alcohol use, and diet);
post-operative and follow-up notes.
5.3 Website and Digital Information
When you visit our Website, we may automatically collect:
IP address, browser type, device type, and operating system;
pages visited, time spent on pages, and referring URLs;
cookies and similar tracking technologies (see clause 14);
information submitted through online forms, including appointment requests and enquiry forms.
6. How We Collect Information (APP 3)
We collect personal and health information by lawful and fair means. Wherever reasonably practicable, we collect information directly from you. This includes information you provide:
in person during consultations and treatment;
via patient registration and medical history forms;
by telephone, email, SMS, or through our Website;
through online booking systems and patient portals.
In some circumstances, we may collect information about you from third parties, including:
referring dental or medical practitioners;
other health service providers involved in your care;
pathology and radiology providers;
health insurance funds;
your authorised representative (such as a parent, guardian, or attorney under a power of attorney).
Where we collect personal information from a third party, we will take reasonable steps to ensure that you are aware of the information collected and the circumstances of its collection, unless doing so would be unreasonable in the circumstances.
6.1 Consent
As health information is sensitive information under the Privacy Act, we will generally obtain your consent before collecting it, unless an exception under APP 3.4 applies (for example, where collection is required by law or is necessary to lessen or prevent a serious threat to life, health, or safety).
Consent may be express (written or oral) or implied from the circumstances. By attending a consultation and providing your health information, you consent to its collection for the purposes set out in this Privacy Policy.
6.2 Unsolicited Information
If we receive personal or health information that we did not solicit and that we could not have collected under APP 3, we will assess within a reasonable period whether the information could have been collected under APP 3. If not, and the information is not contained in a Commonwealth record, we will destroy the information or ensure it is de-identified as soon as practicable (APP 4).
7. Why We Collect, Hold, Use, and Disclose Information (APP 5 and APP 6)
7.1 Primary Purposes
We collect and use your personal and health information for the primary purpose of providing you with dental health services, including:
conducting clinical assessments, diagnoses, and treatment planning;
providing dental, surgical, and implant treatment;
managing prescriptions and referrals;
communicating with you about your treatment, appointments, and follow-up care;
billing, invoicing, and processing payments and health fund claims;
managing your patient records;
fulfilling legal and regulatory obligations, including record-keeping requirements under the National Law and the Dental Board of Australia’s Code of Conduct.
7.2 Secondary Purposes
We may also use or disclose your information for secondary purposes that are directly related to the primary purpose and within your reasonable expectations, including:
internal quality assurance, clinical auditing, and practice improvement;
professional development and peer review (de-identified where practicable);
complying with mandatory reporting obligations under the National Law;
responding to complaints, legal claims, or regulatory investigations;
communicating practice updates, appointment reminders, and recall notices (you may opt out at any time).
We will not use or disclose your personal information for a secondary purpose that is not related to the primary purpose of collection unless we have your consent, or an exception under APP 6 applies.
7.3 Direct Marketing
We will not use your personal information for direct marketing purposes unless you have consented to receiving marketing communications from us, or where we have collected the information directly from you, and you would reasonably expect us to use the information for direct marketing (for example, practice newsletters). You may opt out of direct marketing at any time by contacting us or using the unsubscribe function in any electronic communication. We will process your opt-out request without charge and within a reasonable period.
8. Disclosure of Information (APP 6)
We may disclose your personal and health information to:
other dental or medical practitioners involved in your care, including specialists, hospitals, and allied health professionals, for the purposes of referral, consultation, or continuity of care;
pathology, radiology, and dental laboratory providers;
health insurance funds, for the purpose of processing claims;
Medicare Australia and the Department of Veterans’ Affairs, where applicable;
our professional advisers, including lawyers, accountants, and insurers;
our IT service providers, practice management software providers, and cloud storage providers, subject to appropriate contractual protections;
regulatory bodies, including AHPRA, the Dental Board of Australia, the Office of the Health Ombudsman (Queensland), and the Office of the Australian Information Commissioner (OAIC), where required by law;
courts, tribunals, or law enforcement agencies, where required or authorised by law or court order;
any person authorised by you in writing.
We will not sell, rent, or trade your personal or health information to any third party.
9. Cross-Border Disclosure (APP 8)
We generally store personal and health information within Australia. However, some of our IT service providers, cloud storage providers, or software platforms may store data on servers located outside Australia.
Before disclosing personal information to an overseas recipient, we will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information, in accordance with APP 8. Where we use cloud-based services with overseas data storage, we select providers that offer appropriate privacy and security protections consistent with Australian law.
If we disclose personal information overseas, we will inform you of the countries in which the recipients are likely to be located, to the extent practicable. Current overseas disclosure locations may include: EU, UK, USA, Singapore.
10. Data Quality (APP 10)
We take reasonable steps to ensure that the personal and health information we collect, use, and disclose is accurate, up to date, complete, and relevant. We rely on you to advise us of any changes to your personal or health information. Please notify us promptly if any of your details change.
11. Data Security (APP 11)
11.1 Security Measures
We take reasonable steps to protect your personal and health information from misuse, interference, loss, unauthorised access, modification, and disclosure. Security measures include:
electronic records are stored in secure, password-protected practice management systems with role-based access controls;
physical records (where applicable) are stored in locked, access-controlled areas;
data encryption in transit and at rest for electronic records;
regular software updates and security patching;
staff training on privacy obligations and information security;
contractual requirements on third-party service providers to maintain appropriate security standards;
regular review and testing of security measures.
11.2 Data Retention and Destruction
We retain clinical records for the minimum periods required by law and the Dental Board of Australia’s Code of Conduct. For adult patients, clinical records are generally retained for a minimum of seven (7) years from the date of the last entry. For patients who were children at the time of treatment, records are retained until the patient turns 25 years of age, or for seven (7) years from the date of the last entry, whichever is later.
When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and is not required to be retained by law, we will take reasonable steps to destroy it or ensure it is de-identified (APP 11.2).
12. Notifiable Data Breaches
As a health service provider, XO Smiles is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.
If we have reasonable grounds to believe that an eligible data breach has occurred (that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual), we will:
promptly assess whether the breach is an eligible data breach;
take reasonable steps to contain the breach and mitigate any resulting harm;
notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable;
notify affected individuals as soon as practicable, including a description of the breach, the types of information involved, and recommended steps for individuals to take.
We maintain a data breach response plan and conduct periodic reviews to ensure our readiness to respond to data breaches in compliance with the NDB scheme.
13. Access to and Correction of Information (APP 12 and APP 13)
13.1 Access
You have a right to request access to the personal and health information we hold about you (APP 12). To request access, please contact us in writing using the details in clause 19. We will respond to your request within 30 days.
We will provide access in the manner you request, where it is reasonable and practicable to do so. An administrative fee may apply for the preparation and provision of records.
In limited circumstances, we may refuse access to information, in whole or in part, on grounds permitted under APP 12.3. These grounds include where:
providing access would pose a serious threat to the life, health, or safety of any individual or to public health or safety;
providing access would have an unreasonable impact on the privacy of other individuals;
the request is frivolous or vexatious;
providing access would be unlawful or would prejudice legal proceedings;
denying access is required or authorised by or under an Australian law or court order.
If we refuse access, we will provide you with written reasons for the refusal and advise you of your right to complain to the OAIC.
13.2 Correction
If you believe that personal or health information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it (APP 13). We will take reasonable steps to correct the information unless we disagree that correction is required. If we refuse to correct information, we will provide you with written reasons and, at your request, associate a statement with the information noting your belief that it is inaccurate or incomplete.
Please note that under the Dental Board of Australia’s Code of Conduct and applicable record-keeping requirements, clinical records cannot be altered retrospectively; corrections are made by way of addendum.
14. Cookies and Website Analytics
Our Website may use cookies and similar technologies to enhance your browsing experience, analyse website traffic, and understand user behaviour. Cookies are small text files stored on your device when you visit a website.
We may use:
essential cookies required for the Website to function;
analytics cookies (such as Google Analytics) to collect de-identified usage data, including pages visited, time spent, and referring URLs;
functionality cookies to remember your preferences.
You can manage your cookie preferences through your browser settings. Disabling cookies may affect the functionality of certain parts of the Website.
Where our Website uses third-party analytics tools, these tools may collect and process data in accordance with their own privacy policies. We encourage you to review those policies.
15. Automated Decision-Making
To the extent that we use automated systems or artificial intelligence tools in connection with the provision of dental services (for example, AI-assisted radiographic analysis, note-taking, or diagnostic support), we will notify you of such use. Any automated analysis is used as a clinical support tool only and does not replace the professional judgement of the treating practitioner. Clinical decisions remain the responsibility of the treating dentist.
This clause is included in anticipation of the automated decision-making transparency requirements under the Privacy and Other Legislation Amendment Bill 2024 (Cth), to the extent they apply to XO Smiles.
16. Children and Young People
Where we provide dental services to children or young people under the age of 18, we will generally collect personal and health information from, and with the consent of, a parent or guardian. We recognise that as children mature, they may develop the capacity to consent to the collection and use of their own information. We assess this on a case-by-case basis in accordance with the Privacy Act and the Code of Conduct.
17. Anonymity and Pseudonymity (APP 2)
You have the option of not identifying yourself, or using a pseudonym, when dealing with us, unless it is impracticable for us to deal with you in this way. Due to the nature of dental health services, it is generally impracticable for us to provide clinical treatment without knowing your identity, as accurate identification is essential for clinical safety, record-keeping, and regulatory compliance.
You may choose to make general enquiries about our services without identifying yourself.
18. Complaints (APP 1)
If you believe that we have breached this Privacy Policy or the APPs, you are entitled to make a complaint. To lodge a privacy complaint, please contact us using the details in clause 19. We will:
acknowledge your complaint within 5 business days;
investigate the complaint and provide a response within 30 days;
take reasonable steps to remedy any breach, where identified.
If you are not satisfied with our response, you may lodge a complaint with:
the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au or 1300 363 992;
the Australian Health Practitioner Regulation Agency (AHPRA): www.ahpra.gov.au or 1300 419 495;
the Office of the Health Ombudsman (Queensland): www.oho.qld.gov.au or 133 OHO (133 646);
the Dental Board of Australia: www.dentalboard.gov.au.
19. Contact Information
If you have any questions about this Privacy Policy, wish to access or correct your information, make a complaint, or opt out of direct marketing, please contact our Privacy Officer:
ViDe Virtual Dental Pty Ltd trading as XO Smiles
Dr Christine May, Dentist
Website: www.xosmiles.com.au
Email: smile@xosmiles.com.au
Phone: 0432088920
Address:
XO Smiles @ Kawana Dental: 134a Point Cartwright Dr, Buddina, Qld, 4575
XO Smiles @ Oris Dental: 1/66 Nicklin Way, Parrearra, Qld, 4575
AHPRA Registration Number: DEN0001330639
ABN: 30641256224
20. Limitation of Liability
To the maximum extent permitted by law, and subject to obligations that cannot be excluded under the Privacy Act, the Australian Consumer Law, or any other applicable legislation:
XO Smiles and Dr Christine May exclude all liability for any loss, damage, cost, or expense (whether direct, indirect, incidental, special, consequential, or punitive) arising out of or in connection with any unauthorised access to, use of, or disclosure of your personal information, except to the extent caused by our negligence or wilful misconduct;
our total aggregate liability arising out of or in connection with any breach of this Privacy Policy or the APPs is limited, at our election, to the re-performance of the relevant service or the payment of the cost of having the relevant service re-performed;
we accept no liability for the privacy practices or security of third-party websites, platforms, or services linked to or from our Website;
we accept no liability for any loss arising from your failure to maintain the confidentiality of your own account credentials, passwords, or login details for any patient portal or online booking system.
Nothing in this Privacy Policy excludes, restricts, or modifies any right or remedy, or any guarantee, warranty, or other term or condition, implied or imposed by the Privacy Act, the Australian Consumer Law, or any other applicable legislation which cannot be lawfully excluded or limited.
21. Statutory Tort for Serious Invasion of Privacy
You should be aware that the Privacy and Other Legislation Amendment Bill 2024 (Cth) introduced a statutory tort for serious invasions of privacy, which came into force in June 2025. This provides individuals with a right to bring a civil action for serious invasions of privacy, independent of the complaint mechanisms described in clause 18. XO Smiles takes all reasonable steps to ensure that its handling of personal information does not constitute a serious invasion of privacy.
22. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. Updated versions will be published on our Website with a revised effective date. We encourage you to review this Privacy Policy periodically. Where changes are material, we will take reasonable steps to notify affected patients.
23. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of Queensland, Australia, and the Commonwealth of Australia. You irrevocably submit to the jurisdiction of the courts of Queensland and any courts of appeal therefrom.
