Privacy Policy
Last updated: May 15, 2026
This Privacy Policy explains how B2A Consulting - FZCO, a free-zone company registered in Dubai, United Arab Emirates (Trade Licence No. 41962), trading as “TrustClinic” (“TrustClinic”, “we”, “us”), collects, uses, and shares personal information about visitors, prospective patients, and surgeons who use trustclinic.co (the “Platform”). It applies primarily to United States residents and also describes the rights of UAE residents under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”).
Data controller: B2A Consulting - FZCO is the controller of personal information collected through the Platform. Our registered address is DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates.
1. Information We Collect
We collect the following categories of personal information:
- Information you provide directly — name, email, phone number, city, procedure of interest, treatment timeline, budget, and any free-text message you submit when contacting a surgeon. Surgeons also provide professional credentials, biography, photos, and clinic information.
- Account information — surgeons creating an account provide an email, password (stored hashed), and may add a profile photo, bio, and subscription details.
- Payment information — handled by Stripe. We never store full card numbers. We receive only the last four digits, card brand, and billing ZIP for display.
- Reviews & photos — patient reviews, before-and-after photos, and any content you upload to a profile.
- Automatic data — IP address (truncated), device type, browser, pages viewed, referring URL, and approximate location (city-level). Collected via PostHog in a cookieless configuration.
HIPAA note: TrustClinic is a marketplace, not a covered healthcare provider, and information you submit through the Platform is not Protected Health Information (PHI) under HIPAA. Do not share clinical details, diagnoses, or treatment records through the Platform. If a surgeon needs that information, share it directly with their office through their HIPAA-compliant intake.
2. How We Use Information
- To match prospective patients with surgeons and deliver leads to those surgeons.
- To operate, maintain, and improve the Platform.
- To process surgeon subscriptions and send billing receipts.
- To send transactional emails (account confirmations, lead notifications, review responses).
- To send marketing emails (only with your consent; you can unsubscribe at any time).
- To measure aggregate Platform usage and product performance via PostHog.
- To detect, prevent, and address fraud, abuse, or security incidents.
- To comply with legal obligations and enforce our Terms.
5. Data Retention
We retain personal information only as long as needed for the purposes described in this policy, to comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:
- Lead form submissions: retained for 3 years from submission.
- Account information: retained while your account is active and for 90 days after deletion.
- Payment records: retained for 7 years to meet tax and accounting obligations.
- Anonymized analytics events: retained indefinitely.
6. Security
We use industry-standard safeguards including TLS encryption in transit, encrypted storage at rest, row-level security on our database, hashed passwords, and least-privilege access controls for staff. No system is completely secure; we cannot guarantee absolute security but we work to protect your data and notify you of any material breach as required by law.
7. Your Privacy Rights (California & Other U.S. States)
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, or another state with a comprehensive privacy law, you may have the following rights:
- Right to know what personal information we have collected about you.
- Right to access a copy of that information in a portable format.
- Right to correct inaccurate information.
- Right to delete personal information, subject to exceptions.
- Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. (We do not sell or share for this purpose.)
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, email privacy@trustclinic.co from the email associated with your account. We will verify your request and respond within 45 days. You may also designate an authorized agent to submit requests on your behalf.
Shine the Light (California): California residents may request a list of the categories of personal information disclosed to third parties for their direct marketing purposes in the prior calendar year. We do not currently disclose information for third-party direct marketing.
8. Your Rights Under UAE PDPL
If you are resident in the United Arab Emirates, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) grants you the following rights regarding personal data we hold about you:
- Right to be informed of the processing of your personal data.
- Right to request access, correction, or deletion of your personal data.
- Right to restrict or object to certain processing activities.
- Right to data portability where technically feasible.
- Right to withdraw consent at any time for processing that is based on consent.
- Right to lodge a complaint with the UAE Data Office.
To exercise any of these rights, email privacy@trustclinic.co. We respond within 30 calendar days as required by the PDPL.
International transfers: Because the Platform is hosted on infrastructure operated by our service providers (Supabase, Netlify, Stripe, Resend, PostHog), your personal data may be transferred to and stored in jurisdictions outside the UAE, including the United States and the European Union. We rely on standard contractual safeguards with these providers to protect your data in line with PDPL requirements.
9. Children's Privacy
The Platform is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided information to us, contact privacy@trustclinic.co and we will delete it.
10. Do Not Track
We do not currently respond to browser Do Not Track signals because no industry standard has been adopted. You can control tracking through your browser settings and our cookie preferences.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or post a prominent notice on the Platform before the changes take effect.
12. Contact Us
For privacy questions or to exercise your rights, contact:
B2A Consulting - FZCO (trading as TrustClinic)
Attn: Privacy
DSO-IFZA, IFZA Properties
Dubai Silicon Oasis, Dubai, United Arab Emirates
privacy@trustclinic.co