BERGEM·HEALTH
Free consultation

Privacy Policy

Last updated: 5 May 2026

Privacy Policy

Last updated: 5 May 2026.

This document explains what data we collect, why, to whom we transfer it and how long we keep it. No “hereby notifies” wording — only what actually happens.

If anything in the policy is unclear or you wish to exercise your rights — write to DPO Anna Moroz: anna@bergemhealth.com.

1. Who we are

BergemHealth is a medical concierge: we connect international patients with professors of JCI-accredited hospitals in Istanbul and Antalya. We are not a clinic, an agency or an insurer.

Legal entity (data controller):

BERGEM TURİZM GIDA İTH. İHR. SAN. TİC. LTD. ŞTİ.

Üçgen Mah. Abdi İpekçi Cad. No:13/101, Muratpaşa, Antalya, Türkiye

Registration number: _to be confirmed_

Phone: _to be confirmed_

Email: anna@bergemhealth.com

Data Protection Officer (DPO): Anna Moroz, anna@bergemhealth.com. This is the only channel for personal-data requests — please write here.

2. Data we collect

We collect three categories of data. Nothing else.

2.1. Contact data. Name, phone or WhatsApp, email, country of residence, preferred messenger. We receive them when you fill in a form on the site or message us on WhatsApp, Telegram or Instagram.

2.2. Medical data — special category. Diagnosis description, medical discharge summaries, lab results, scans (CT, MRI, X-ray), doctor’s reports. This is a special category of personal data under article 6 of KVKK and article 9 of GDPR. We request these data only when you wish to obtain a second opinion or selection of a professor, and only with your explicit written consent.

2.3. Technical data. IP address, browser type, operating system, source of referral (UTM tags, referrer), pages you visited on the site. These are collected by cookies and analytics services (Google Analytics 4, Meta Pixel). Details — in Cookie Policy.

3. Legal basis for processing

For each category — its own basis.

| Data category | Basis | Reference | |—|—|—| | Contact | Performance of a contract (you requested a service) | KVKK art. 5(2)(c); GDPR art. 6(1)(b) | | Medical | Explicit written consent | KVKK art. 6(2); GDPR art. 9(2)(a) | | Technical — necessary cookies | Legitimate interest (site operation) | KVKK art. 5(2)(f); GDPR art. 6(1)(f) | | Technical — analytics and marketing | Consent via cookie banner | KVKK art. 5(1); GDPR art. 6(1)(a) |

Consent can be withdrawn at any time — withdrawal does not affect the lawfulness of processing prior to withdrawal.

4. Why we need your data

Specific purposes — and nothing beyond these:

  • Selecting a professor. We review your diagnosis and select a sub-specialty specialist at one of the partner clinics.
  • Obtaining a second opinion. We pass medical documents to a JCI-hospital professor for a written conclusion (deadline — 48 hours).
  • Coordinating bookings and appointments. We set the date, book a slot at the clinic, and our coordinator accompanies you at the appointment.
  • Estimating costs. We request from the clinic a preliminary treatment plan and cost, and pass it to you.
  • Travel logistics. We help with transfer and hotel selection (at your request).
  • Communication with you. We answer questions on WhatsApp, Telegram or email.
  • Site analytics. We learn what content is useful and what is not (anonymised only).
  • Marketing. If you have given separate consent — we send curated materials about treatment in Türkiye. Without consent — we do not.

5. To whom we transfer data

We do not sell data. To anyone. Ever. Transfer occurs only to those needed for the service.

5.1. Partner clinics in Türkiye. To obtain a second opinion and book your appointment, we transfer your contact and medical data to one of the clinics:

  • İSÜ Liv Hospital Bahçeşehir (Istanbul)
  • Liv Hospital Ulus (Istanbul)
  • Liv Hospital Vadistanbul (Istanbul)
  • Memorial Antalya Hospital (Antalya)
  • Memorial Bahçelievler Hospital (Istanbul)
  • Akdeniz University Hospital (Antalya)

Transfer occurs only to the clinic where you will receive treatment, and only after your consent.

5.2. Logistics contractors. Transport companies and hotels — receive only your name and contact phone for pick-up and check-in. They do not receive medical data.

5.3. Communication platforms. WhatsApp Business (Meta Platforms Inc.), Telegram (Telegram FZ-LLC), Instagram (Meta Platforms Inc.) — store messages on their servers under their own rules. We use these services only for correspondence.

5.4. Hosting and infrastructure.

  • The site is hosted by Hostinger International Ltd. (servers in the EU).
  • The CRM system is hosted in Germany (EU).
  • Site analytics — Google Analytics 4 (Google Ireland Ltd.) and Meta Pixel (Meta Platforms Ireland Ltd.).

5.5. Government authorities. Only on a mandatory request — court, prosecutor, regulator. We will notify you if the law does not prohibit notification.

6. Where data is stored and cross-border transfers

Primary storage is in Türkiye (our CRM, paper documents, contact data). Part of the infrastructure is in the European Union (site hosting, analytics platforms, our operational CRM in Germany). Some data is physically processed on servers in the USA (Google Analytics, Meta Pixel).

This means your data may cross borders:

  • Türkiye → EU — when submitting a request on the site, when working in CRM, when using Google Analytics or Meta Pixel.
  • EU → Türkiye — when synchronising CRM with the team in Antalya.
  • EU/Türkiye → partner clinic in Türkiye — for second opinion and booking.
  • EU/Türkiye → USA — when using Google Analytics 4 and Meta Pixel (see below).

Transfer of data to the USA

Google Analytics 4 (provider — Google Ireland Ltd., physical processing partly on Google LLC servers in the USA) and Meta Pixel (Meta Platforms Ireland Ltd. / Meta Platforms Inc.) transfer anonymised technical data to servers in the USA.

The USA does not have a general adequacy decision either from the KVKK Authority or the European Commission (for transfers from the EU, the EU–US Data Privacy Framework applies, but only to companies that have self-certified).

Data transfer to the USA is performed on the following bases:

  • Your explicit consent in the cookie banner — this is the principal legal basis (KVKK art. 9, GDPR art. 49(1)(a)). Without consent, Google Analytics and Meta Pixel are not loaded and no data is transferred to the USA.
  • Standard Contractual Clauses (SCC) — modules adopted by the European Commission, executed between Google and Meta with us as the customer. This is a technical safeguard for data protection during transfer.
  • EU–US Data Privacy Framework — Google LLC and Meta Platforms Inc. are certified under this scheme to receive data from the EU.

General principle of transfer

Cross-border transfer of personal data is governed by article 9 of KVKK and chapter V of GDPR. For medical data, the basis for transfer is always your explicit written consent (KVKK art. 6(2), GDPR art. 49(1)(a)). Medical data is never transferred to the USA — it is processed only in Türkiye and the EU.

7. How long we keep data

Specific timelines, no “as needed”.

| Data type | Retention period | Why | |—|—|—| | Request without a deal (form filled, no clinic engagement) | 12 months | To resume the dialogue if you return | | Patient data after treatment is completed | 5 years | Turkish Ministry of Health requirement for medical tourism | | Marketing contacts (newsletter) | Until consent is withdrawn | Law requires processing to stop immediately upon withdrawal | | Accounting documents | 10 years | Turkish tax law | | Site logs and analytics cookies | 14 months | GA4 standard period |

After the period expires, data is deleted or anonymised. This is not a hollow phrase: the process is automated in the CRM and verified quarterly by the DPO.

8. How we protect data

Security is not a slogan but specific measures. What we do technically and organisationally:

  • Encryption in transit. The site runs over HTTPS (TLS 1.2+). Communication with the CRM — through encrypted channels.
  • Encryption at rest. Databases and backups are stored encrypted.
  • Access control. Medical data is accessible only to staff who need it for work (coordinator, translator, DPO). Access — with individual accounts and two-factor authentication.
  • Minimisation. Contractors receive only the minimum needed. Logistics partners do not get the diagnosis. The clinic does not receive UTM tags.
  • Logging. Every access to medical data is recorded — who, when, what was viewed.
  • Team training. All staff complete KVKK and GDPR training at least once a year and sign an NDA.
  • Incident response. In case of a leak we notify the regulator within 72 hours (GDPR art. 33) and affected patients without undue delay.

We do not claim the system is impenetrable — none in the world is. But we build defences at the level of industry standards and verify them regularly.

9. Automated decisions and profiling

We do not use automated systems for decisions that have significant legal or material consequences for you (in the meaning of GDPR article 22).

In practice this means:

  • A live person — the medical coordinator — selects the professor. No “diagnosis → clinic” algorithms.
  • Prices and estimates are calculated by the clinic, not by an algorithm on our side.
  • Site analytics are anonymised and are not used for individual decisions about specific patients.

If this ever changes — we will notify you in advance, explain the logic and give you the right to human intervention.

10. Your rights

You have a full set of rights under article 11 of KVKK and articles 15–22 of GDPR.

Right to information and access.

  • To know whether we process your data. We will confirm within 30 days.
  • To know exactly what data we hold and why — we will provide a structured export within 30 days.
  • To know to whom your data has been transferred — within Türkiye and beyond. We will provide a list of recipients, transfer countries and bases.

Right to rectification and erasure.

  • Correct inaccurate or incomplete data — corrected within 7 days.
  • Erase data (“right to be forgotten”) — we will delete, except for what we are obliged to keep by law (e.g. patient medical data — 5 years per Turkish Ministry of Health).
  • Require third parties to whom data was previously transferred to be informed of the rectification or erasure — we will contact partner clinics, contractors and platforms and require synchronisation.

Right to object and withdraw consent.

  • Withdraw consent — at any time without explanation. Withdrawal does not affect lawfulness of processing prior to withdrawal.
  • Object to processing based on legitimate interest or carried out by automated means — including marketing. This right is unconditional.
  • Object to the result of an automated decision (see section 9 — we do not have such decisions, but the right is reserved if this changes).

Right to data portability.

  • Receive your data in a machine-readable format (JSON or CSV) and transfer it to another controller.

Right to compensation.

  • Claim compensation for harm caused by unlawful processing of your data (KVKK art. 11(1)(g)).

Right to lodge a complaint.

  • Complain to the regulator — KVKK in Türkiye or your national data-protection authority in the EU/EEA. List in section 14.

How to exercise the right

Write to anna@bergemhealth.com with the subject “Personal data request”. Response time — 30 days. In complex cases we may extend by another 60 days, notifying you in writing of the reasons.

The service is free, except for manifestly unfounded or repetitive requests, where we may charge a reasonable fee or refuse with an explanation.

To enable us to verify your identity, please include in your request the name, contact email and phone you used when communicating with us. For medical data we may additionally request a copy of an identity document (KVKK Communiqué No. 30356 on the application procedure).

11. Cookies and analytics

The site uses cookies — necessary (for forms and session), analytical (Google Analytics 4) and marketing (Meta Pixel). Analytics and marketing are activated only after your consent in the cookie banner.

Details — in Cookie Policy. The same page contains instructions for changing your choice or disabling cookies entirely.

12. Minors

BergemHealth services are intended for adult patients (18+). We do not collect data of minors intentionally.

If a patient is a minor, we work through their legal representative (parent or guardian). All consents are given by the representative, who also transfers the medical documents.

If you believe we have inadvertently collected data of a minor without parental consent, please write to Anna Moroz; we will delete that data.

13. Changes to the policy

We may amend this policy — for example, when adding a new contractor or analytics service. For material changes we will notify you 30 days in advance:

  • with a banner on the site’s home page;
  • by email to those who have consented to marketing;
  • by individual letter to patients in active care.

The date of the latest update is in the document header. If you continue to use the site after notification, this is deemed acceptance of the new version. If you disagree, withdraw your consent and we will delete the data.

14. Regulators and where to complain

If you believe we have violated your rights, you have two levels of recourse.

First — to us. anna@bergemhealth.com, response time 10 business days. This is faster and usually resolves the matter.

If unresolved — to the regulator.

Primary regulator (Türkiye):

Türkiye Kişisel Verileri Koruma Kurumu (KVKK)

Nasuh Akar Mahallesi 1407. Sokak No: 4, 06520 Çankaya, Ankara, Türkiye

www.kvkk.gov.tr

Regulator in your country of residence (for EU/EEA residents). GDPR gives you the right to address the supervisory authority of your country of residence. Full list — at the European Data Protection Board (EDPB):

https://www.edpb.europa.eu/about-edpb/board/members_en

For example:

  • Lithuania — Valstybinė duomenų apsaugos inspekcija (VDAI)
  • Latvia — Datu valsts inspekcija (DVI)
  • Estonia — Andmekaitse Inspektsioon (AKI)
  • Germany — Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
  • Ireland — Data Protection Commission (DPC)

Related documents