Privacy Policy

    Last updated: April 2026

    1. Who We Are

    GlobMedTrust ("we," "us," or "our") is a medical tourism consultancy that connects individuals with accredited clinics and surgeons in Turkey. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. It is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.

    2. Legal Basis for Processing (GDPR)

    Under the GDPR, we process personal data on the following legal bases:

    • Consent — When you provide explicit consent, such as agreeing to receive marketing communications or accepting non-essential cookies
    • Contractual necessity — When processing is necessary to fulfil a service you have requested (e.g., coordinating your treatment journey)
    • Legitimate interest — When processing is necessary for our legitimate business interests, provided these do not override your rights (e.g., improving our services, fraud prevention)
    • Legal obligation — When processing is required to comply with applicable laws

    3. Information We Collect

    We may collect information you provide directly, including:

    • Full name, email address, phone number, and country of residence
    • Medical history and treatment preferences shared during consultations
    • Photographs or documents you upload for assessment purposes
    • Communications between you and our coordinators

    We also collect certain information automatically:

    • Device type, browser, IP address, and operating system
    • Pages visited, time spent, and referring URLs
    • Cookies and similar tracking technologies (only with your consent for non-essential cookies)

    4. How We Use Your Information

    • To respond to your enquiries and facilitate consultations
    • To match you with appropriate clinics and surgeons
    • To coordinate travel, accommodation, and treatment logistics
    • To send you relevant updates about your treatment journey
    • To improve our website, services, and customer experience (with consent where required)
    • To comply with legal obligations

    5. Sharing Your Information

    We do not sell your personal data. Under CCPA/CPRA, we confirm that we have not sold or shared personal information of consumers for cross-context behavioural advertising in the preceding 12 months. We may share relevant information with partner clinics and surgeons in Turkey solely to facilitate your treatment. We may also share data with service providers who assist us in operating our website and business (e.g., email platforms, analytics providers), and when required by law.

    6. International Data Transfers

    Your data may be transferred to and processed in Turkey and other countries where our service providers operate. When transferring data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognised mechanisms to protect your data.

    7. Medical Data (Special Category Data)

    Medical information constitutes "special category data" under the GDPR. We process this data only with your explicit consent (Article 9(2)(a) GDPR). We only share medical details with the specific clinic or surgeon involved in your consultation. We do not use medical data for marketing purposes. You may withdraw consent for processing of medical data at any time.

    7A. Photographs & Visual Content Consent

    We may collect photographs from you in two distinct contexts, each governed by separate consent:

    • Medical assessment photographs — Photos you submit during the consultation process are used solely for clinical evaluation by your treating surgeon. These are processed under explicit consent (Article 9(2)(a) GDPR) and are shared only with the specific clinic involved in your care. They are never used for marketing without separate consent.
    • Marketing & case study photographs — If we wish to use before-and-after photographs, testimonials, or case studies featuring your likeness for promotional purposes (website, social media, or printed materials), we will request your separate, explicit written consent. You may decline without any impact on your treatment or services. You may withdraw marketing consent at any time, after which we will cease using your images in new materials within 30 days, though removal from previously distributed materials may not always be possible.

    All photographs are stored securely and are subject to the same data protection standards described in this policy. You have the right to request deletion of your photographs at any time.

    8. Cookies & Tracking Technologies

    In compliance with the EU ePrivacy Directive and GDPR, we request your consent before placing non-essential cookies on your device. Our cookie categories are:

    • Essential cookies — Required for basic website functionality. Always active.
    • Analytics cookies — Help us understand how visitors use our site. Require your consent.
    • Marketing cookies — Used to deliver relevant advertisements. Require your consent.

    You can manage your cookie preferences at any time via the cookie banner or your browser settings. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. For a detailed list of all cookies we use, including their providers, purposes, and expiry times, please see our Cookie Policy.

    9. Data Security

    We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

    9A. Data Breach Notification

    In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 GDPR). For US consumers, we will comply with applicable state data breach notification laws, which generally require notification within 30–90 days depending on the jurisdiction.

    10. Data Retention

    We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law. Medical consultation data is retained for a maximum of 3 years after your last interaction, unless a longer retention period is required by law. You may request deletion of your data at any time.

    10A. Automated Decision-Making

    GlobMedTrust does not use automated decision-making or profiling (as defined in Article 22 of the GDPR) that produces legal effects concerning you or similarly significantly affects you. All decisions regarding your treatment eligibility, package recommendations, and service coordination are made by our human team in consultation with medical professionals. If we introduce any automated decision-making in the future, we will update this policy and obtain your explicit consent where required.

    11. Your Rights Under the GDPR

    If you are located in the EEA, UK, or Switzerland, you have the right to:

    • Access — Request a copy of the personal data we hold about you
    • Rectification — Request correction of inaccurate or incomplete data
    • Erasure — Request deletion of your data ("right to be forgotten")
    • Restriction — Request restriction of processing in certain circumstances
    • Data portability — Receive your data in a structured, machine-readable format
    • Object — Object to processing based on legitimate interests or direct marketing
    • Withdraw consent — Withdraw consent at any time without affecting prior processing
    • Lodge a complaint — File a complaint with your local data protection authority

    UK Residents

    Following the UK's departure from the EU, your data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your rights under UK GDPR mirror those listed above. Complaints may be directed to the Information Commissioner's Office (ICO) at ico.org.uk. When transferring data from the UK, we rely on International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses with the UK Addendum, as appropriate.

    12. Your Rights Under CCPA / CPRA

    If you are a California resident, you have additional rights:

    • Right to know — Request disclosure of what personal information we collect, use, and share
    • Right to delete — Request deletion of your personal information
    • Right to correct — Request correction of inaccurate personal information
    • Right to opt out — Opt out of the sale or sharing of personal information (we do not sell personal data)
    • Right to limit use of sensitive data — Limit the use and disclosure of sensitive personal information
    • Right to non-discrimination — We will not discriminate against you for exercising your privacy rights

    To exercise any CCPA/CPRA rights, contact us at Globmedtrust@gmail.com. We will respond within 45 days as required by law.

    13. Children's Privacy

    Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected data from a minor, we will delete it promptly.

    14. Third-Party Service Providers

    To deliver our services, we integrate with the following third-party providers. Each provider operates under its own privacy policy and data processing practices:

    14.1 PayPal (Payment Processing)

    We use PayPal, Inc. to process consultation fee payments. When you complete a payment through PayPal on our website, PayPal collects and processes your financial data (e.g., payment card details, billing address, transaction history) directly. GlobMedTrust does not store your payment card information — this data is processed entirely by PayPal under its own Privacy Statement.

    • Data shared with PayPal: Transaction amount, currency, order description
    • Data PayPal collects directly: Payment method details, billing address, device information, IP address
    • Data we receive from PayPal: Transaction ID, payment status (approved/declined), payer email address
    • Legal basis: Contractual necessity (processing payment for a service you requested)
    • Data transfers: PayPal may transfer data to the United States and other countries. PayPal complies with applicable data protection frameworks including EU-US Data Privacy Framework

    14.2 Google Analytics (Website Analytics)

    We use Google Analytics 4, provided by Google LLC, to understand how visitors interact with our website. Google Analytics collects data such as pages visited, session duration, referral source, device type, and approximate geographic location. This data is aggregated and anonymised where possible. Google Analytics operates under Google's Privacy Policy.

    • Data collected: Page views, session duration, bounce rate, traffic sources, device/browser information, approximate location (country/city level)
    • Legal basis: Legitimate interest (improving website content and user experience) and/or consent where required
    • Data transfers: Google may transfer data to the United States. Google participates in the EU-US Data Privacy Framework
    • Opt-out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on

    14.3 PostHog (Product Analytics)

    We use PostHog, provided by PostHog Inc., to analyse user behaviour on our website, including page views, clicks, and navigation patterns. PostHog is configured to use EU-based servers (eu.posthog.com) to minimise cross-border data transfers. PostHog operates under its Privacy Policy.

    • Data collected: Page views, clicks, session recordings (if enabled), device/browser information, approximate location
    • Person profiles: Set to "identified_only" — anonymous visitors are not individually profiled
    • Legal basis: Legitimate interest (understanding user behaviour to improve our services) and/or consent where required
    • Data hosting: EU region (eu.i.posthog.com)

    14.4 Calendly (Appointment Scheduling)

    We use Calendly, LLC to enable you to book consultation appointments. The Calendly scheduling widget is embedded on our website. When you select a date and time, Calendly collects your information directly under its own Privacy Notice.

    • Data Calendly collects directly: Name, email address, time zone, any information you enter in booking form fields, IP address, browser/device information
    • Data we receive from Calendly: Booking confirmation (name, email, scheduled date/time)
    • Legal basis: Contractual necessity (scheduling a consultation you have requested and paid for)
    • Data transfers: Calendly is based in the United States. Data is transferred under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework
    • Cookies: The Calendly embed may set its own cookies for functionality and analytics purposes. These are governed by Calendly's cookie policy

    14.5 WhatsApp (Communication)

    We offer WhatsApp (operated by Meta Platforms, Inc.) as a communication channel. When you contact us via WhatsApp, your messages and contact information are processed by Meta under its Privacy Policy. We only use WhatsApp for direct communication you initiate and do not share your WhatsApp data with other third parties.

    15. Third-Party Links

    Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review their privacy policies before providing any personal information.

    16. Changes to This Policy

    We may update this Privacy Policy from time to time. Any material changes will be communicated via a prominent notice on our website. We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.

    17. Contact Us & Data Protection

    If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at Globmedtrust@gmail.com or call +995 598 880 058.

    GlobMedTrust has not appointed a formal Data Protection Officer (DPO) at this time, as we do not meet the thresholds requiring mandatory DPO appointment under Article 37 of the GDPR. However, all data protection enquiries are handled with the same level of diligence and can be directed to the email address above. If our data processing activities change in scope, we will appoint a DPO and update this policy accordingly.

    If you are located in the EU/EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. UK residents may contact the Information Commissioner's Office (ICO). US residents may contact the Federal Trade Commission (FTC) or their state Attorney General.

    18. Do Not Sell or Share My Personal Information

    As required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), we provide this explicit notice: GlobMedTrust does not sell your personal information, and we do not share your personal information for cross-context behavioural advertising purposes. We have not sold or shared personal information in the preceding 12 months. If this practice changes in the future, we will provide a clear "Do Not Sell or Share My Personal Information" mechanism on our website and update this policy prior to any such activity. To submit a request or enquiry regarding your CCPA rights, contact us at Globmedtrust@gmail.com.