Privacy Policy

1. Who We Are

This Patient Portal ("Portal") is operated by Electivio AG, Talstrasse 88, Pfäffikon SZ 8808, Switzerland (Business Registration CHE-253.230.953). When we say "Electivio", "we" or "us" in this policy, we mean Electivio AG as the data controller.

2. What Data We Collect

We collect the following categories of personal data through the Portal:

• Identity & contact details - name, email address, phone number, country of residence, passport details (when required for travel arrangements).
• Medical information - your medical profile, health questionnaire responses, and treatment-related data submitted through the Portal.
• Photos - consultation and recovery photos uploaded to your gallery.
• Authentication data - email address and one-time passcodes (OTPs) used for sign-in. We do not store passwords.
• Emergency contact - name, phone number, and relationship of a person you designate.
• Usage data - pages visited, actions taken in the Portal, and technical logs (IP address, browser type) collected automatically.

3. Why We Process Your Data

We process your personal data for the following purposes:

• Providing your treatment - managing your consultation, treatment plan, surgery logistics, and aftercare.
• Authentication - verifying your identity when you sign in via one-time passcode.
• Communication - sending you appointment reminders, treatment updates, and responding to your enquiries.
• Medical assessment - reviewing your health information to determine eligibility and create a personalised treatment plan.
• Travel coordination - arranging transfers, hotel accommodation, and flight logistics.
• Invoicing and payments - issuing invoices and processing payments via secure payment links.
• Recovery monitoring - tracking your post-operative progress through recovery photos.
• Legal compliance - fulfilling our legal and regulatory obligations.

4. Legal Basis (GDPR)

We rely on the following legal bases under the GDPR:

• Contract - processing necessary to perform our treatment agreement with you (Art. 6(1)(b)).
• Consent - for processing special category data (health data, photos) and optional marketing use of photos (Art. 9(2)(a)).
• Legitimate interest - for Portal security, fraud prevention, and service improvement (Art. 6(1)(f)).
• Legal obligation - where required by healthcare regulations or tax law (Art. 6(1)(c)).

5. Who We Share Data With

We share your data only with parties necessary for your treatment:

• Partner clinics - your medical profile and treatment plan are shared with the clinic performing your procedure in Istanbul.
• Coordination team - your assigned coordinator accesses your Portal data to manage your treatment.
• Service providers - Zoho (CRM and invoicing), Resend (email delivery), Google (secure photo storage), and Vercel (hosting). All are bound by data processing agreements.
• Payment processors - payment data is handled by Zoho SecurePay. We do not store credit card details.
• Legal authorities - only if required by law.

6. International Transfers

Your data may be transferred to and processed in countries outside the EEA, including Turkey (clinic) and the United States (some service providers). We ensure adequate protection through Standard Contractual Clauses (SCCs) and by selecting providers certified under recognised frameworks.

7. How Long We Keep Your Data

We retain your data for the duration of your treatment relationship plus 12 months of aftercare follow-up. Medical records are retained for the period required by applicable healthcare regulations (typically 10 years). You can request deletion of non-legally-required data at any time.

8. Your Rights

Under the GDPR, you have the right to:

• Access - request a copy of the personal data we hold about you.
• Rectification - ask us to correct inaccurate data.
• Erasure - request deletion of your data (subject to legal retention requirements).
• Restriction - ask us to limit processing of your data.
• Portability - receive your data in a structured, machine-readable format.
• Objection - object to processing based on legitimate interest.
• Withdraw consent - withdraw consent at any time without affecting prior processing.

9. Photo Consent

If you give consent for marketing use of your photos, Electivio may use them for promotional and educational purposes. You can withdraw this consent at any time by contacting your coordinator. Withdrawal does not affect the lawfulness of processing before withdrawal.

10. Security

We protect your data with industry-standard measures including: encrypted connections (TLS), HTTP-only secure authentication cookies, server-side API proxying (your photos are never exposed directly), and access controls limiting data visibility to authorised personnel.

11. Contact & Complaints

For any privacy-related questions or to exercise your rights, contact us at: privacy@electivio.com or write to Electivio AG, Talstrasse 88, Pfäffikon SZ 8808, Switzerland. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.