Privacy Policy

1. Who We Are

ClinicIVF Istanbul ("we", "us", "our") is a fertility clinic operating at Suadiye Mah. Plaj Yolu Sk. 14/3, Kadıköy, Istanbul 34740, Turkey.

We are the data controller for personal data collected through this website and our clinical services. This policy explains how we handle your personal data in compliance with:

• EU General Data Protection Regulation (GDPR 2016/679)
• UK GDPR and Data Protection Act 2018
• California Consumer Privacy Act (CCPA) / CPRA
• Brazilian Lei Geral de Proteção de Dados (LGPD)
• Turkish Personal Data Protection Law (KVKK No. 6698)
• Canadian PIPEDA
• Australian Privacy Act 1988

2. Personal Data We Collect

⚕️ We never collect health data passively. All medical information is voluntarily submitted by you for the purpose of requesting a fertility consultation.

3. Legal Basis for Processing

• Consent (Art. 6(1)(a) GDPR): Analytics cookies, marketing communications (if opted in).
• Legitimate Interest (Art. 6(1)(f) GDPR): Responding to enquiries, website security, fraud prevention.
• Performance of contract (Art. 6(1)(b) GDPR): Providing fertility consultation and treatment services.
• Legal obligation (Art. 6(1)(c) GDPR): Compliance with Turkish healthcare regulations.
• Special category health data (Art. 9(2)(a) GDPR): Explicit consent when you submit medical information for consultation purposes.

4. How We Use Your Data

• Responding to consultation requests within 24 hours
• Providing personalised fertility treatment information and planning
• Coordinating your treatment journey, travel, and appointments
• Sending appointment confirmations and medical instructions
• Improving our website and services (analytics, with consent)
• Complying with Turkish medical record-keeping requirements
• We do NOT use your data for advertising, profiling, or automated decision-making.

5. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in these limited circumstances:

• Clinical team: Dr. Sağıroğlu and authorised clinical staff for treatment purposes.
• Google Analytics: Anonymised, aggregated technical data (only with your consent). Google LLC participates in the EU-U.S. Data Privacy Framework.
• Legal requirement: If required by Turkish law, court order, or regulatory authority.
• Emergency: Where necessary to protect your vital interests or those of another person.

6. Data Retention

• Consultation enquiries (no treatment): 2 years from last contact.
• Medical records (treated patients): Minimum 5 years per Turkish healthcare law (Regulation on Patient Rights).
• Analytics data: 14 months (Google Analytics default, reduced from 26 months).
• Cookie consent record: 1 year.
• Website server logs: 90 days.

7. Your Rights

Regardless of your location, you have the following rights:

To exercise any of these rights, email: privacy@clinicivf.com. We will respond within 30 days (GDPR standard). No fee is charged.

8. Data Security

We protect your data using:

• TLS/HTTPS encryption for all data in transit
• Bcrypt hashing for stored passwords
• Access controls — medical data accessible only to authorised clinical staff
• Regular security updates to website software
• No storage of payment card data (payments processed externally)

In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

9. International Data Transfers

Your data is primarily processed in Turkey. Where we use Google Analytics, data may be transferred to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework. No other international transfers occur.

If you are in the EU/UK, transfers to Turkey are based on Standard Contractual Clauses (SCCs) or adequacy assessments where applicable.

10. Contact & Complaints

EU/UK residents may also contact their national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.