AestheMedLink

Effective date: 1 February 2026
Company: AestheMedLink Limited (referred to as “AestheMedLink”, “we”, “us”, “our”)
Website: www.aesthemedlink.com
Contact: info@aesthemedlink.com
Business address: 139 Quay Street, Auckland Central, 1010, Auckland, New Zealand

Privacy Policy

1. Scope and who this policy applies to

This policy applies to personal information we handle when you:

• visit our website
• contact us through phone, WhatsApp, email, forms, or social media
• request a consultation or coordination support
• use our services as a patient or as a patient representative
• interact with our partners, clinic representatives, and service providers through our platform

This policy does not cover the independent privacy practices of clinics, hospitals, doctors, airlines, hotels, payment providers, or other third parties. You should review their privacy notices separately.

2. Laws and frameworks we align with

We design our privacy and security practices to align with major privacy regimes, including:

New Zealand
• Privacy Act 2020  
• Health Information Privacy Code 2020 when health information rules apply  

Australia
• Privacy Act 1988 and Australian Privacy Principles  

Canada
• PIPEDA, including breach notification requirements  

European Union
• General Data Protection Regulation, including special category health data rules and international transfer safeguards  

United States
US privacy laws differ by state and by the type of entity. HIPAA applies only to covered entities and their business associates, and not to every business that handles health-related information.

In addition, some state laws provide consumer privacy rights, such as California’s CCPA for eligible businesses.  

Some states also protect consumer health data that may fall outside HIPAA, such as Washington’s My Health My Data Act.  

3. What personal information we collect

We collect information that you provide directly, information collected automatically from your device, and information from third parties when relevant.

3.1 Information you provide

Identity and contact details

• full name
• date of birth or age range
• email address
• phone number, WhatsApp number
• country and city of residence
• preferred language and communication preferences

Health and treatment related information (sensitive)

• photos you choose to share (for example scalp, teeth, face, or other relevant medical images)
• medical history relevant to your request
• current medications and allergies if you choose to share
• treatment goals and concerns
• clinician reports or lab results if you choose to share

Travel and coordination information

• preferred travel dates
• passport information only if needed for booking support and only if you choose to provide it
• accommodation preferences
• emergency contact details (optional)

Budget and payment related information

• budget range and package preferences
• invoices, payment confirmations, and transaction references

Please do not send full card numbers by message. Payments should be made through approved payment providers or bank transfer channels.

Communications

• messages, emails, call notes, and WhatsApp conversations
• support tickets and complaint handling records

3.2 Information collected automatically

When you use our website, we may collect:

• IP address, device type, browser type, and operating system
• pages viewed, time spent, referral source
• cookie identifiers and analytics events (subject to your cookie choices)

4. Why we use your information

We use your personal information for the following purposes:

To provide coordination services

• respond to your consultation request
• assess which clinics and options match your goals, timeline, and budget
• coordinate appointments, schedules, and communication
• support pre-procedure and post-procedure planning and follow-up coordination

To communicate and support you

• send confirmations, instructions, and updates
• answer questions and provide ongoing coordination support
• provide 24/7 coverage through our distributed team based on time zones

To ensure quality, safety, and integrity

• prevent fraud and misuse
• improve our service processes
• maintain internal records and quality assurance

For legal and compliance reasons

• meet legal obligations and respond to lawful requests
• handle complaints, disputes, and enforcement matters
• maintain security and incident response processes

For marketing (only where allowed)

• send service updates or educational content if you have opted in or where permitted by law

You can opt out at any time.

5. Legal bases for processing, including GDPR

Where the GDPR applies, we process personal data under one or more legal bases, including:

• Consent (especially for sensitive health data, where required)  
• Contract (to take steps you request before entering a service arrangement and to deliver coordination services)
• Legitimate interests (for security, fraud prevention, service improvement, and communications that are reasonably expected)
• Legal obligation (compliance, recordkeeping, and responding to lawful requests)

For special category data such as health data, we only process it when a valid condition applies, commonly explicit consent or another lawful basis permitted by applicable law.  

6. Consent and how you can withdraw it

When we rely on consent, you may withdraw it at any time by contacting us. Withdrawal does not affect lawful processing already performed. If you withdraw consent for health data that is necessary for coordination, our ability to support your request may be limited.

7. Who we share information with

We share personal information only when needed for the purposes above, and with appropriate safeguards.

7.1 Clinics and medical professionals

With your direction and as necessary for coordination, we may share relevant information with clinics and doctors for consultation, eligibility assessment, scheduling, and continuity planning. Clinics and doctors are responsible for their own medical services and their own privacy practices.

7.2 Travel and logistics providers

If you request travel support, we may share necessary details with airlines, hotels, transport providers, or travel coordinators. We share only what is needed for booking and coordination.

7.3 Service providers and processors

We may use service providers to support operations, such as:

• secure email and collaboration tools
• CRM systems and ticketing systems
• cloud hosting and storage
• analytics and cookie management tools
• telephony and messaging providers

These providers process data under contractual obligations and confidentiality requirements.

7.4 Legal and regulatory disclosures

We may disclose information if required by law, court order, or to protect rights, safety, and security.

8. International data transfers

Because we operate internationally, your information may be accessed or stored in multiple countries.

Where GDPR applies and data is transferred outside the EU or EEA, we use appropriate safeguards such as Standard Contractual Clauses and supplementary measures where needed.  

We also evaluate cross-border transfers in line with the requirements of applicable privacy laws.

9. Data retention

We keep personal information only for as long as necessary for the purposes described in this policy, including coordination support, dispute handling, and legal compliance. We apply retention limits and secure deletion practices consistent with privacy principles requiring that information not be kept longer than necessary.  

Retention periods depend on the type of data and the nature of your engagement. You may request deletion where legally permitted.

10. Security safeguards

We take security seriously, especially for health-related information. Our safeguards include administrative, technical, and physical measures such as:

• access control and role-based permissions
• secure authentication and strong password standards
• encryption in transit and where appropriate at rest
• audit logs and monitoring for unusual activity
• staff confidentiality obligations and training
• secure handling guidelines for images and medical documents
• vendor security review for key systems
• incident response procedures

No system is 100 percent secure. If a security incident occurs, we will respond promptly and follow applicable breach notification requirements.

11. Data breach notification

We maintain procedures to evaluate and respond to data breaches.

• In Canada, PIPEDA requires notification of breaches that pose a real risk of significant harm, and recordkeeping for breaches.
• In other jurisdictions, we follow applicable rules and guidance, which may include notifying affected individuals and regulators where required.

12. Your privacy rights

Your rights depend on where you live and which laws apply. We aim to honor rights requests in a consistent way across regions.

12.1 Rights commonly available

You may have the right to:

• request access to your personal information
• request correction of inaccurate information
• request deletion where legally permitted
• object to certain processing
• request restriction of processing
• request data portability where applicable
• withdraw consent where consent is the basis
• opt out of marketing communications

12.2 GDPR rights for EU and EEA individuals

Where GDPR applies, you have specific rights, including rights described in GDPR Articles 12 to 23, such as access, rectification, erasure, restriction, portability, and objection.  

You also have the right to lodge a complaint with your local supervisory authority.

12.3 New Zealand rights

Under New Zealand’s Privacy Act framework, individuals have rights to access and request correction of personal information.  

Health agencies may also be subject to Health Information Privacy Code rules for health information handling.  

12.4 Australia rights

Under Australia’s privacy framework, individuals may request access and correction consistent with the Australian Privacy Principles.  

12.5 Canada rights

Under PIPEDA, individuals have rights relating to access and correction, and organizations must provide appropriate transparency and safeguards.  

12.6 United States rights

The United States does not have a single national privacy law that applies to all businesses in the same way. Depending on your state and our legal obligations, you may have rights such as those described under the California Consumer Privacy Act if applicable, including rights to know, delete, and limit certain uses of sensitive information for eligible businesses.  

Some states also regulate consumer health data outside HIPAA, such as Washington’s My Health My Data Act.  

13. HIPAA clarification for US users

AestheMedLink is a medical coordination company. HIPAA applies to covered entities and business associates in defined circumstances.  

If we act as a business associate to a HIPAA covered entity under a written agreement, we will follow HIPAA-required safeguards for protected health information within that relationship. Otherwise, HIPAA may not apply to our services, but we still apply strict health data protection practices.

14. Cookies and tracking technologies

We use cookies and similar technologies to operate the website, enhance functionality, measure performance, and support marketing where permitted.

You can manage cookie preferences through our cookie banner and browser settings. Some cookies are necessary for core site functionality.

15. Children’s privacy

Our services are not intended for children unless coordinated through a parent or legal guardian. If we learn that we have collected personal information from a child without appropriate authorization, we will take steps to delete it where required.

16. Communications and WhatsApp

If you contact us through WhatsApp or social platforms, your messages will be processed through those providers’ systems. We recommend avoiding sending highly sensitive information through social messaging unless necessary. When sensitive information is required, we may offer more secure channels.

17. Automated decision making

We do not make decisions that produce legal or similarly significant effects solely by automated processing. Coordination decisions involve human review.

18. Third party links

Our website may contain links to third party sites. We are not responsible for their privacy practices. Please review their policies before sharing information.

19. Changes to this Privacy Policy

We may update this policy from time to time. We will post the updated version on our website with a new effective date. Material changes may also be communicated through appropriate channels.

20. Contact us and complaints

For privacy questions or requests, contact:

Business Contact: info@aesthemedlink.com

2026 AestheMedLink LTD