Privacy Policy

Last updated June 26, 2026.

This Privacy Policy explains how MedSpa Compass (“we”, “us”, “our”) collects, uses and protects personal information when you visit https://medspacompass.com. MedSpa Compass is an independent directory of med spas and aesthetic clinics. We are not affiliated with, do not own and do not endorse the businesses listed on the site.

1. Who we are

The data controller responsible for your personal information is:

Wojciech Skrzek WebMoose

ul. Zapolskiej 22/12, 43-100 Tychy, Poland

Tax ID (NIP): 6462926700

Privacy contact: hello@medspacompass.com

We have not appointed a Data Protection Officer. Please direct all privacy questions to the email address above.

2. Information we collect

2.1 Information you provide

  • Contact form: your name, email address and the content of your message.
  • Listing submission or claim: the business name and details, and your name, role and contact details when you add or claim a clinic.
  • Newsletter (optional): your email address, if you choose to subscribe.

2.2 Information collected automatically

  • Server logs: IP address, browser/user-agent, request time and URL path, kept for security and diagnostics (via Cloudflare).
  • Cookies: see section 8.
  • Analytics (only with your consent, if enabled): anonymized usage statistics such as pages viewed and approximate location.

2.3 Business directory data

The clinic names, addresses, phone numbers, websites, opening hours, ratings and review counts shown in our directory are compiled from publicly available sources — including Google Business Profile data (through our data provider, DataForSEO) and the businesses’ own websites. This is business contact information about the listed clinics, not personal data about you as a visitor. Business owners can claim, correct or request removal of a listing (see section 5).

3. How we use your information & legal bases

Under the EU/UK General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Responding to your inquiries — legitimate interest, or steps taken at your request (Art. 6(1)(b)/(f)).
  • Publishing and managing listings — legitimate interest in operating a business directory, or performance of a contract where you submit/claim a listing (Art. 6(1)(b)/(f)).
  • Security and abuse prevention — legitimate interest (Art. 6(1)(f)).
  • Newsletter and analytics — your consent (Art. 6(1)(a)), which you can withdraw at any time.

4. Sharing and service providers

We do not sell your personal information. We share data only with providers who help us run the service:

  • Cloudflare, Inc. (USA) — hosting, content delivery (CDN), web application firewall, and the D1 database and R2 storage.
  • Resend, Inc. (USA) — delivery of transactional emails (it processes only the message content and recipient address).
  • Analytics provider (only if analytics is enabled and you consent) — aggregated, anonymized usage statistics.

International transfers: these providers may process data in the United States. Transfers outside the European Economic Area are covered by the EU Standard Contractual Clauses and appropriate safeguards.

5. Business listings and public data

If you own or represent a clinic listed on MedSpa Compass and want to claim, correct or remove your listing, email hello@medspacompass.com. After we verify your connection to the business, we will update or remove the listing promptly.

6. Your rights

If you are in the EEA or UK, you have the right to access, rectify, erase, restrict or port your data, to object to processing based on legitimate interest, and to withdraw consent at any time.

If you are a California resident, you have the right to know what personal information we collect, to request deletion or correction, and to opt out of the sale or sharing of personal information. We do not sell or share personal information, and we will not discriminate against you for exercising your rights. To manage analytics, use Your Privacy Choices in the site footer; we also honor Global Privacy Control (GPC) browser signals automatically.

To exercise any of these rights, email hello@medspacompass.com. We respond within 30 days.

7. Data retention

  • Contact messages — up to 12 months after our last correspondence.
  • Listing submissions — while the listing is published, plus a reasonable period afterwards for record-keeping.
  • Server logs — about 30 days (Cloudflare).
  • Newsletter — until you unsubscribe.

8. Cookies

MedSpa Compass uses cookies and Google Analytics 4 (with IP anonymization) to measure how the site is used.

  • Essential (always active): session and your saved privacy choice. The site does not work properly without them.
  • Analytics (Google Analytics): aggregated, anonymized usage statistics, enabled by default. We do not use advertising cookies.

To opt out of analytics, do any of the following: open Your Privacy Choices (in the site footer or the cookie notice) and turn analytics off; enable Global Privacy Control (GPC) in your browser (we honor it automatically); or install Google's Analytics opt-out browser add-on. We use Google Consent Mode v2 to apply your choice.

9. Security

We use technical and organizational measures to protect data, including HTTPS/TLS encryption, restricted administrative access, a web application firewall, and Standard Contractual Clauses for transfers outside the EEA. No method of transmission over the internet is completely secure, but we work to protect your information.

10. Children

MedSpa Compass is intended for adults and is not directed to children under 16. We do not knowingly collect personal information from children.

11. Complaints

If you believe we have mishandled your personal information, please contact us first at hello@medspacompass.com. You may also contact a regulator:

  • United States: your state Attorney General or consumer-protection office. California residents may contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov).
  • EEA / UK: your local data protection authority.

12. Changes to this policy

We may update this Privacy Policy from time to time. The version date at the top of this page will always reflect the latest revision, and we will communicate material changes where required.