Open main menu

title: 'SurgeryTrips Legal Terms and Policies - Privacy Policy'

Privacy Policy
Last Updated: April 26, 2025

SurgeryTrips is committed to protecting your privacy and handling your personal data in a transparent and secure manner. This Privacy Policy explains what information we collect, how we use and share it, and your rights regarding your personal data. This Policy is in accordance with the EU General Data Protection Regulation (GDPR) and relevant Danish data protection laws. By using our Site, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Data Controller
   The data controller responsible for your personal data is Yonas Valentin Mougaard Kristensen (SurgeryTrips), located at Callisensvej 20, 1. th., 2900 Hellerup, Denmark. If you have any questions about your data or this policy, you can contact us at privacy@surgerytrips.com.

2. Personal Data We Collect
   We may collect and process the following categories of personal data:

Contact and Identity Information: When you fill out a form to request information or a consultation with a Clinic, we collect information such as your name, email address, phone number, and city/country of residence. We might also collect your language preference to ensure Clinics can communicate with you.

Medical and Inquiry Details: In the context of connecting you with Clinics, we may collect information about your health and treatment interests. For example, if you provide details about the procedure you are interested in (e.g., type of surgery or dental treatment) or relevant medical history/conditions, we will process that information to forward it to the Clinic. This may include special category data (health information) that you choose to share. We only collect such information with your explicit consent and solely to pass it to the Clinic you select, as part of your inquiry.

Account Data: If you create an account on SurgeryTrips, we collect the credentials you use (such as your email and password) and any profile information you provide (e.g., your name or avatar). Our authentication system is powered by Clerk – meaning that some account-related data (like your email and hashed password or login tokens) are processed by Clerk on our behalf to manage secure logins.

Communication Data: If you contact us directly (e.g., via email or a contact form) or communicate through the platform (for instance, messages to a Clinic via a SurgeryTrips interface), we will collect the content of your communications and any associated metadata (like timestamp or possible attachments). We may monitor or review such communications for customer support, compliance, and to assist you in your interaction with Clinics.

Newsletter or Marketing Sign-Up: If you subscribe to any newsletters or request promotional information, we will collect your email address and perhaps your name to send you updates. We use Mailchimp to manage email subscriptions and campaigns, so your email address and name will be stored in our Mailchimp account.

Usage Data and Analytics: When you use our Site, we automatically collect certain information about your device and usage of the Site:

• Technical Data: This includes your IP address, browser type and version, device type, operating system, and device identifiers.
• Usage Data: We record how you interact with our Site – e.g., the pages or profiles you view, the time spent on pages, clickstreams, and referral website information. This information may be collected via cookies and similar technologies (see our Cookie Policy). For analytics, we utilize Amplitude (a third-party analytics platform) to help us understand user behavior and improve our service. Amplitude may set cookies or use similar identifiers to track usage on our site (with your consent).

Advertising Data: If you consent to marketing cookies, Google (via Google AdSense) may collect data about your visits and interactions (such as pages visited, links clicked, and other sites you have visited) in order to serve you personalized advertisements. This can include cookie identifiers or mobile ad IDs, and it might use your IP to infer geolocation. (See Cookie Policy for more on how AdSense works on our Site.)

Cookies and Similar Technologies: We use cookies, pixels, and local storage to collect data as you navigate the site. Some cookies are essential for site functionality (e.g., to keep you logged in or remember your cookie preferences), while others are for analytics or advertising. For details on each type of cookie and what data they collect, please read our Cookie Policy below. We obtain your consent for non-essential cookies through the cookie banner when you first visit our site, in compliance with Danish and EU law.

We generally do not collect any payment information because SurgeryTrips does not charge patients (all services for patients are free). We also do not intentionally collect any national identification numbers, credit card numbers, or other financial information from users. Please do not provide such information on our Site.

Children’s Data: SurgeryTrips is not intended for use by children. We do not knowingly collect personal data from anyone under the age of 16. If you are under 16 (or a minor under the laws of your country), please do not use our Site or send us any personal data. If we learn that we have inadvertently collected personal data from a child, we will delete it. Parents or guardians who believe their child may have provided personal data to us should contact us so we can remove it.

3. How We Use Your Data (Purposes of Processing)
   We use the collected personal data for the following purposes:

Facilitating Clinic Connections: The primary purpose of our processing is to connect you with Clinics. We use the contact, identity, and medical/treatment information you provide in an inquiry form to match you with suitable Clinics and to forward your details and request to the Clinic(s) you have selected or agreed to be contacted by. For example, if you request a quote or more information about a certain procedure, we will send your name, contact info, and relevant details to the clinic in Turkey or Tunisia that offers that procedure, so they can respond to you.

Communication:

• User Support: We may use your contact information to communicate with you about your use of our service. For instance, we might send you confirmation emails when you submit an inquiry, notifications if a Clinic responds via our platform, or reminders if you have incomplete requests. We also respond to any questions or support requests you send us.
• Updates and Newsletters: If you signed up for our newsletter or asked to receive updates/promotions, we will use your email to send you the requested information. You can unsubscribe at any time, and we will not send you marketing emails unless you have opted in.
• Feedback: We might contact you to request feedback about your experience (e.g., after you have interacted with a Clinic, to ask if you have any review or if the process went well). Providing feedback is optional.

Account Management: If you have an account, we process your data to maintain your account and preferences. For example, we (via Clerk) authenticate you when you log in, and we may store your settings (such as saved clinics or preferred language) to personalize your experience.

Improving Our Services (Analytics): We use usage and analytics data to understand how our website is used and to improve its functionality and user experience. For example, analyzing which pages are most visited or where users drop off helps us optimize content and navigation. Analytics also help us debug issues and monitor the health of our platform (e.g., tracking if certain pages are causing errors). Data used for analytics is typically aggregated or pseudonymized. We use Amplitude for these purposes, which helps us collect and analyze usage patterns. We only deploy analytics cookies or similar tracking with your consent (via our cookie banner) in jurisdictions where consent is required.

Personalized Advertising: If you have consented to marketing cookies, we allow third-party advertising networks like Google AdSense to show ads on our Site. These ads may be tailored to you based on the data Google collects about your interests (including your browsing on our site and across other sites). We integrate AdSense to generate revenue which helps keep our service free for users. Important: We do not hand over your contact or identity details to advertisers; however, by enabling AdSense on our pages, Google may collect certain information from your browser as described in Cookies. You can manage your cookie preferences at any time (see Cookie Policy, Section on Cookie Consent). If you opt out of marketing cookies, ads may be non-personalized or limited.

Security and Fraud Prevention: We may process data (especially technical and usage data) to protect our platform, you, and Clinics from fraud, abuse, or security threats. This includes using certain tools or logs to detect multiple fake requests, prevent misuse of our contact forms (spam), and safeguard against cyberattacks. If necessary, we might use IP addresses or cookies to implement security measures (for example, rate-limiting requests or blocking malicious actors).

Legal Compliance: In some cases, we need to process personal data to comply with our legal obligations. For instance:

• We may keep records of communications or inquiries as required by consumer protection laws or medical advertising regulations.
• If you exercise your GDPR rights (such as requesting data deletion), we will process your request and maintain a record of our response as required by law.
• We may also process and retain data as needed to comply with obligations under Danish law, to respond to lawful requests by public authorities, or to comply with a court order.

Statistics and Research: We might aggregate and anonymize data to produce statistical insights (e.g., “X% of our users inquire about dental treatments versus cosmetic surgeries”). Such aggregated data will not identify you personally and may be used for market analysis, improving our business strategy, or sharing trends with partner Clinics (for example, letting Clinics know how many leads were generated in a given period, without personal details).

We will not use your personal data for purposes that are incompatible with the above, unless we obtain your consent or are required/permitted by law to do so.

4. Legal Bases for Processing Personal Data
   Under GDPR, we must have a valid “legal basis” to process your personal data. Depending on the specific processing activity, one or more of the following bases apply:

Consent (GDPR Art. 6(1)(a)): We rely on your consent in certain cases. For example:

• When you provide health-related information (which is special category data under GDPR) through our inquiry form, we process that information only with your explicit consent. By voluntarily providing such details and submitting a request to be connected with a Clinic, you consent to our processing of that information for the purpose of referral and to its transfer to the chosen Clinic.
• We use cookies for analytics and advertising only if you consent via the cookie banner. Similarly, if we send you marketing emails (like a newsletter), it’s based on your opt-in consent.

You have the right to withdraw your consent at any time (see Section 8 on Your Rights), which will not affect the lawfulness of processing based on consent before its withdrawal.

Performance of a Contract (GDPR Art. 6(1)(b)): When you use our service to request a Clinic connection or when you create an account, you are entering into an arrangement with us where we provide a service. We consider the processing of your basic personal data (contact info and requested service details) as necessary to perform the service you requested. For example, to fulfill your request to get information from a Clinic, we must process and forward your details to that Clinic – this is essentially a step at your request prior to potentially entering into a contract with the Clinic. Likewise, maintaining your user account and allowing you to log in is part of our service to you.

Legal Obligation (GDPR Art. 6(1)(c)): We may process certain data to comply with legal obligations. For instance, maintaining transaction records or communications might be required for compliance with consumer protection laws or to respond to legal processes. If a government authority lawfully requires us to provide information (e.g., for public health monitoring or law enforcement), we will process data as needed to comply.

Legitimate Interests (GDPR Art. 6(1)(f)): We process some data under the doctrine of legitimate interests, after carefully considering the impact on your rights and freedoms. We have legitimate interests in:

• Operating, maintaining, and improving our platform (ensuring it functions smoothly, is secure, and provides a good user experience).
• Preventing fraud and misuse of our services.
• Communicating with users about their inquiries or similar service-related issues (for example, sending a follow-up about an inquiry you made is in our interest to ensure you received the help you needed, and it does not unduly harm your privacy expectations).
• Understanding our business performance (analytics) in a way that doesn’t heavily impact user privacy (we use aggregated or pseudonymized data wherever possible).

When we rely on legitimate interests, we ensure that our interests are not overridden by your privacy rights. For example, for analytics, we do not collect more data than necessary and you can opt out of tracking. For security measures, it is in both your and our interest that we process some data to keep the service safe.

If we ever need to process personal data for a new purpose that is not covered by the above, we will inform you and, if required, obtain your consent or provide the applicable legal basis at that time.

5. How We Share and Disclose Data
   We treat your personal data with care and confidentiality. We do not sell your personal information to third-party marketers. We only share your data in the following circumstances:

With Selected Clinics (Service Purpose): The core function of SurgeryTrips is to send your inquiry to the Clinic(s) you choose. When you fill out a request form and select or agree to connect with a particular Clinic, we forward your relevant personal data to that Clinic. This typically includes your name, contact details, and the information about your desired treatment (including any health information you provided). The Clinic will use this data to contact you and discuss your inquiry. Important: Once your data is transferred to a Clinic, that Clinic becomes an independent data controller of your information. We require that Clinics handle your data securely and lawfully, but we do not control their detailed processing. For example, a Clinic in Turkey will handle your inquiry data according to their own privacy practices and the laws of their jurisdiction. (We advise you to review any privacy information the Clinic provides when you engage with them.) We will not send your personal data to any Clinic without your explicit request/consent (i.e., you choose which clinic or clinics get your data when you submit a form).

With Service Providers (Data Processors): We use trusted third-party companies to help us run our website and services. We only share data with them to the extent necessary for them to perform tasks on our behalf, and they are contractually obligated to protect it and use it only for our purposes. Our key service providers include:

• Firebase (by Google): We may use Google Firebase for our website infrastructure (such as hosting our database or files, and possibly for storing inquiry data securely). Firebase may store personal data (like form submissions or user account info) on servers. We typically choose servers located in the EU when possible. Google, as our processor, is bound by Standard Contractual Clauses and other safeguards for any transfer of personal data out of the EU.
• Clerk: Clerk manages user authentication and login sessions for our platform. If you create an account or log in, Clerk will handle your login credentials and session cookies. Clerk is a U.S.-based company but is self-certified under the EU-U.S. Data Privacy Framework and offers a Data Processing Addendum, which means they commit to GDPR principles and protecting any EU personal data.
• Mailchimp: We use Mailchimp (The Rocket Science Group LLC, based in the USA) to manage our mailing list and send newsletters or bulk emails. If you subscribe to our newsletter, your email (and name, if provided) is stored on Mailchimp’s servers. Mailchimp has committed to GDPR compliance and transfers EU data under Standard Contractual Clauses or similar safeguards. They are also certified under the EU-U.S. Data Privacy Framework (as of 2023), ensuring an adequate level of protection for EU personal data.
• SendGrid: For transactional emails (like confirmation messages or one-to-one emails triggered by your actions on the Site), we use SendGrid (owned by Twilio, Inc.). SendGrid is a service that sends out emails on our behalf. For example, when you submit a lead, we might send you an email confirmation via SendGrid, or we might forward your inquiry to a Clinic via email through SendGrid’s system. SendGrid will process your email address and message content as needed to deliver the email. Twilio/SendGrid is a U.S. company but provides Standard Contractual Clauses for EU data transfers and is committed to GDPR compliance.
• Amplitude: As mentioned, we use Amplitude for analytics. Amplitude may collect certain pseudonymous data (like cookie IDs or mobile IDs, IP address, and site usage events). We have configured Amplitude in compliance with GDPR as much as possible (e.g., IP addresses can be truncated or not stored long-term, and we avoid sending personal identifiers to Amplitude). Amplitude has servers in the EU (Amplitude has an EU data center option which we utilize to store analytics data within Europe whenever feasible) and they also comply with EU-U.S. transfer requirements (Privacy Shield framework historically, now the Data Privacy Framework, and SCCs in their Data Processing Addendum).
• Advertising Partners (Google AdSense): If you consent to advertising cookies, we allow Google AdSense to serve ads on our site. This means we load Google’s ad scripts, which may collect data from your browser for ad targeting. Google acts as a separate data controller for the data it collects for ads. We do not directly hand Google your personal details like name or email; however, through the AdSense cookies and tags, Google may collect information such as your device identifiers, browsing activity, and show you personalized ads. We have configured AdSense to comply with EU ePrivacy rules by obtaining consent before enabling personalized ads. Google, as a major ad provider, is certified under the EU-U.S. Data Privacy Framework (as of 2023) and uses Standard Contractual Clauses for data transfers as needed. (See Google’s privacy policy for details on how they process data.) If you opt out of marketing cookies, Google will either not set cookies or will serve only non-personalized ads (which might still use cookies but not for profiling).

Other Providers: We may use other tools and services for specific functions (for example, a content delivery network for faster site load, or a form builder). If those services process personal data, we will ensure they have proper GDPR-compliant contracts in place. Any significant additional processors will be listed in an updated version of this policy.

Within Our Organization: The data may be accessed by authorized personnel of SurgeryTrips (which at present is the owner/operator and any direct staff or contractors he employs). All such access is on a need-to-know basis and personnel are bound by confidentiality.

Legal and Safety Reasons: We might disclose personal information outside of our organization if required to do so by law or if such action is necessary to:

• Comply with legal obligations or respond to valid legal process (e.g., a court order, subpoena, or regulatory request).
• Protect the rights, property, or safety of SurgeryTrips, our users, or others. For example, we may share information with government authorities if you have provided information suggesting you may harm yourself or others, or if there is an investigation into fraud or a cyber incident.
• Enforce our Terms of Service or other agreements, or investigate potential violations thereof.

Business Transfers: If SurgeryTrips (or substantially all of its assets) is involved in a merger, acquisition, sale, or insolvency process, personal data we hold may be transferred to the successor or acquirer as part of that transaction. We will ensure any such transfer is subject to appropriate confidentiality and that users are notified via the website or email of any change in data controllers or use of their personal data, giving an opportunity to opt-out if applicable.

We will not share your personal information with any third parties other than those described above without informing you and obtaining your consent if required.

6. International Data Transfers
   Given the international nature of our service (connecting users in Europe with Clinics in non-EU countries), some personal data will be transferred across borders:

Transfer to Clinics Abroad: When you request to connect with a Clinic outside the European Economic Area (EEA), such as in Turkey or Tunisia, your personal data will be transferred to that country. These countries may not have been deemed by the European Commission to have an “adequate” level of data protection. For example, the laws in Turkey or Tunisia might not provide the same rights or protections as GDPR. We will only transfer your personal data to a Clinic outside the EEA with your explicit consent, which you provide when you choose to submit your personal data for that very purpose. This falls under GDPR Article 49(1)(a) – transfer with explicit consent, after being informed of the possible risks. We mitigate risks by only sharing with Clinics we believe are reputable and by conveying to them the importance of handling data carefully, but we cannot enforce GDPR on those Clinics. Once the Clinic receives your data, it is responsible for protecting it. If you do not want your data transferred outside the EEA, you should not request services from Clinics in those countries.

EU-U.S. and Other Transfers via Service Providers: Many of our service providers (Firebase/Google, Clerk, Mailchimp, SendGrid/Twilio, Amplitude, Google Ads) involve infrastructure in the United States or other countries outside the EEA. Whenever we transfer your data to a country that the EU has not found to provide adequate protection, we ensure appropriate safeguards are in place:

• We have Data Processing Agreements (DPAs) with our service providers that include the European Commission’s Standard Contractual Clauses (SCCs), which are legal contracts that require the recipient to protect your data according to EU standards.
• Some providers, such as Google, Mailchimp, and Clerk, are additionally certified under the EU-U.S. Data Privacy Framework, which confirms their adherence to certain protection principles for personal data transferred to the U.S.
• We evaluate on a case-by-case basis if supplementary measures are needed (for example, encryption at rest and in transit, minimizing data storage outside the EU, etc.).

We can provide more information on the safeguards for international transfers upon request. By using our service or submitting information to us, you acknowledge that your data may be transferred internationally as explained.

7. Data Retention
   We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to meet legal or business requirements. Retention periods will vary depending on the type of data and purpose:

Inquiry Data: If you submit an inquiry to a Clinic, we will retain a copy of that inquiry and your personal data as part of our records. This helps us track referrals and is useful in case of any follow-up or dispute. Typically, we may retain inquiry records for, at minimum, 2 years from the date of the inquiry. This period allows time for the typical cycle of a patient considering treatment (which could be many months) and also aligns with general statutes of limitation for legal claims. We may retain it longer if necessary (for example, if there is an ongoing issue or if required by law). If you want us to delete your inquiry data sooner, you can contact us (see Your Rights below) and, unless we have a specific legal reason to keep it, we will delete or anonymize it.

Account Data: For registered users, we keep your account information as long as your account is active. If you choose to delete your account or if we close it due to inactivity or other reasons, we will delete or anonymize your personal data associated with the account within a reasonable time (usually within 30 days of account deletion). We may keep some minimal data to prove that we fulfilled a deletion request or to prevent fraud (e.g., we might retain email addresses of deleted accounts in a suppression list to avoid reusing them improperly).

Newsletter Data: We retain your email on our mailing list until you unsubscribe. If you unsubscribe or the mailing list is discontinued, we will promptly remove your contact from the active list. Mailchimp may keep some metadata about our campaigns or your subscription status (subscribed/unsubscribed) as part of its auditing; we will ensure it’s only retained as needed.

Communications: If you correspond with us (customer support emails, etc.), we may retain those communications for record-keeping for up to 5 years, unless you request deletion and it’s something we can delete. Communications related to an inquiry or a complaint may be kept as long as the inquiry record or until the issue is resolved plus a reasonable period.

Analytics Data: Analytics data in Amplitude is kept for as long as we have an account with Amplitude and find it useful. We periodically review and may delete old raw data if it’s no longer needed. Typically, aggregated analytics do not identify individuals, and raw event data may be retained for a shorter period (e.g., 12-24 months) before being purged or anonymized.

Cookies: Cookie lifetimes vary. Some cookies (like session cookies) expire as soon as you close your browser. Others (like analytics or advertising cookies) may persist from a few months up to a couple of years if not deleted. See Cookie Policy for specific durations. You can clear cookies at any time to remove those stored on your browser.

Legal Retention: In certain cases, we might need to retain data for longer if required by law. For example, under Danish law, certain business records must be kept for a number of years. If there is a legal claim or investigation, we will retain relevant data throughout the duration of that process and for any subsequent time period required by law. We also retain records of consent and preferences (like proof that you agreed to these Terms or Privacy Policy, or proof of any consents given) as long as necessary to demonstrate compliance with data protection laws (typically this could be up to 5 years or more, aligning with the statute of limitations for regulatory claims).

When we no longer need personal data, we will either delete it or anonymize it (so it can no longer be associated with you). We also periodically review the data we have; if we determine we no longer need certain data and have no legal obligation to keep it, we will proactively remove it.

8. Your Rights Under GDPR
   If you are in the EU/EEA or otherwise subject to GDPR, you have certain rights regarding your personal data, which we fully respect and support. These rights include:

Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the data and information about how it’s used. This allows you to know what personal data we have about you. We will provide this in a commonly used electronic form unless you request otherwise. (For example, we can email you the information we have on file.)

Right to Rectification: If any personal data we hold about you is incorrect or incomplete, you have the right to have it corrected or updated without undue delay. For instance, if you change your phone number or notice we misspelled your name, please inform us so we can fix it.

Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances. For example, if you no longer want our services and you withdraw consent (where consent was the basis), or if you believe our processing is unlawful or no longer necessary. We will honor such requests to the extent required by law. Note that this right is not absolute – sometimes we may retain certain information if we have a compelling legitimate reason or legal obligation to keep it (for example, we might need to keep a record that you had asked us not to contact you, or retain certain transaction records for auditing). But we will always explain to you if that’s the case.

Right to Restrict Processing: You have the right to ask us to restrict (pause) the processing of your data in certain situations. For instance, if you contest the accuracy of your data, you can request we restrict processing until we verify the accuracy; or if you object to our processing based on legitimate interests, you can request restriction while we consider your objection. When processing is restricted, we will still store your data, but not use it (except perhaps to defend legal claims or for other exceptions allowed by law).

Right to Data Portability: For data that you provided to us and which we process by automated means based on your consent or in performance of a contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller (for example, to another service). Where technically feasible, you can also ask us to transfer it directly to the other service. In practical terms, this might apply to account data or inquiry data you gave us (though inquiry data often contains health info, which is sensitive; if you want it ported to another platform, we’d do so carefully and with explicit instruction).

Right to Object:

• Direct Marketing: You have the absolute right to object to your personal data being used for direct marketing purposes at any time. If you object, we will stop using your data for that purpose immediately. (This is typically as simple as unsubscribing from emails or contacting us to opt out of future marketing.)
• Legitimate Interest Processing: When we process data based on our legitimate interests (or those of a third party), you have the right to object to that processing on grounds relating to your particular situation. If you lodge such an objection, we will evaluate your request and will stop or adjust the processing unless we have compelling legitimate grounds to continue that override your interests, rights, and freedoms, or unless continuing to process is needed for legal claims.

Right not to be subject to Automated Decision-Making: SurgeryTrips does not make any decisions about you that have legal or similarly significant effects solely by automated means (without human involvement). We do not profile you in a way that produces legal effects. Therefore, this right is generally not applicable in the context of our service. If this changes, we will inform you and ensure your rights under Article 22 GDPR are respected.

Right to Withdraw Consent: If we are processing your data based on your consent, you have the right to withdraw that consent at any time. For example, you can withdraw your consent for marketing emails by unsubscribing, or withdraw consent for cookies by updating your cookie settings (see Cookie Policy). Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, and it won’t affect processing under other bases (for instance, if you withdraw consent for us to have your health info, we might still process some minimal data under contract basis to facilitate a cancellation of your inquiry). But if you withdraw consent, we will cease the processing that relied on consent.

Right to Lodge a Complaint: If you believe we have infringed your data protection rights or violated GDPR, you have the right to lodge a complaint with a supervisory authority – in particular, in the EU country where you live, where you work, or where the alleged infringement took place. For Denmark, the supervisory authority is the Datatilsynet (Danish Data Protection Agency). You can find their contact details on Datatilsynet’s website (usually: Borgergade 28, 5., 1300 København K, Denmark; phone +45 33 19 32 00; email dt@datatilsynet.dk). We would, however, appreciate the chance to address your concerns directly before you approach the DPA – so we invite you to contact us with any complaints or issues, and we will do our best to resolve them.

Exercising Your Rights: You may contact us at privacy@surgerytrips.com to make any request regarding your personal data. For security, we may need to verify your identity (for example, by confirming you have access to the email associated with your request or asking for some identifying info) before acting on your request. We will respond to your request as soon as possible, typically within one month. If your request is complex or if we have received many requests, we may extend this period by up to two further months, but we will inform you of any delay within one month and explain why. Generally, we will not charge a fee for fulfilling rights requests. However, if a request is manifestly unfounded or excessive (e.g., repetitive requests), we may either charge a reasonable fee to cover administrative costs or refuse the request (providing our reasons).

We value your rights and will handle all requests in accordance with applicable laws.

9. Data Security
   We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include:

• Encryption: We use SSL/TLS encryption on our website, which means that information you submit through web forms is encrypted in transit between your browser and our servers. Where possible, we also ensure data is encrypted at rest. For instance, if using Firebase, it inherently encrypts data on their servers. Passwords are stored in hashed form (never in plain text).
• Access Controls: Personal data is accessible only by those who need it to perform their duties. For example, our database and administrative interfaces are protected with strong passwords and two-factor authentication (2FA) where available, and access is limited to the site operator and essential personnel. Clerk manages authentication data securely to ensure user accounts are protected. Our staff and any contractors are bound by confidentiality obligations.
• Data Minimization: We strive to collect only the data we need. For example, we don’t collect national ID numbers or unnecessary details in our inquiry form. By limiting what we store, we reduce the risk exposure. We also pseudonymize data where feasible for analytics (e.g., using user IDs that don’t directly reveal your identity).
• Monitoring and Testing: We keep our software and systems up-to-date to protect against security vulnerabilities. We monitor our Site for potential threats and have firewalls and intrusion detection in place for our servers. Regular backups are performed to prevent data loss, and those backups are secured. We also rely on the robust security measures of our service providers (for example, Google’s data centers have extensive security certifications and measures).
• Employee Training: Any persons working on SurgeryTrips are educated about data protection responsibilities and are required to follow our privacy and security guidelines.

However, please be aware that no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. Users also play a role in security: remember that email communications may not be encrypted, so avoid sending sensitive information via email if possible; also, protect your account credentials and log out after use. If you have reason to believe that your interaction with us or our Site is no longer secure (for example, if you suspect your account has been compromised), please contact us immediately. In the unfortunate event of a data breach that poses a risk to your rights and freedoms, we will notify you and the appropriate authorities (like the Datatilsynet) as required by law, and we will take necessary steps to mitigate any harm.

10. Third-Party Links
    Our Site may contain links to websites or services that are not operated by SurgeryTrips (for example, a Clinic’s own website, or an article about a procedure on a third-party site). This Privacy Policy does not cover those external websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the content or privacy practices of those third-party sites. We encourage you to read the privacy policies of every site you visit. Nonetheless, we aim not to share your personal data with third-party sites unless it’s clearly part of our service (as described in Section 5).

11. Cookies and Tracking Technologies
    For details about how we use cookies and similar technologies, please see our Cookie Policy below. In summary, we use cookies to provide core site functionality (like session management) and, with consent, for analytics and advertising. You can control cookies through our consent banner and through your browser settings.

12. Changes to this Privacy Policy
    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will notify you by posting a prominent notice on our website (and/or by email if appropriate) prior to the change becoming effective. The “Last Updated” date at the top indicates when the latest changes were made. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. If you continue to use SurgeryTrips after an updated Privacy Policy has been posted, it will signify your acceptance of the updated terms, to the extent permitted by law.

13. Contact Us
    If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
    Email: privacy@surgerytrips.com
    Postal Address: SurgeryTrips – Yonas Valentin Mougaard Kristensen, Callisensvej 20, 1. th., 2900 Hellerup, Denmark.

We will be happy to assist you and respond to any inquiries.