TKC Health Services – Privacy & Cookie Policy (EN)
Version: v1.1
Effective date: 30 October 2025
Controller (legal name): Tekce Health Tourism, operating as TKC Health Services(“TKC”, “we”, “us”)
Contact (privacy): info@tkchealth.com
Registered address: Kazım Dirik Neighborhood, 284th Street, No: 2, Apartment: 409, Folkart Time, Bornova/İzmir, Türkiye
This Policy explains how TKC collects, uses, shares, and protects personal data across all TKC websites, landing pages, portals, chat widgets (including WhatsApp Business), online forms, social-media pages and advertising platforms (the “Online Services”) and during our medical-tourism coordination services (the “Services”). Where applicable, this Policy is interpreted to comply with EU GDPR, UK GDPR and Türkiye’s Law on the Protection of Personal Data No. 6698 (KVKK). If multiple laws apply, we apply the protection that is most favourable to you in your jurisdiction.
- TKC is a medical tourism intermediary/organiser. We do not provide medical treatment and are not a healthcare provider. Medical services are delivered by independent physicians, clinics and hospitals (“Service Providers”).
- TKC acts as a data controller for coordination, customer service, marketing and legal compliance. Service Providers act as independent controllers for the medical care they provide. In limited cases, TKC may act as a processor (e.g., hosting tools) under a Service Provider’s instructions.
Anyone who interacts with TKC: enquirers, patients, companions/emergency contacts, website/app users, and marketing recipients.
Depending on your interaction with us, we may collect:
- Identification & contact: name, surname, date of birth, nationality, preferred language, phone/WhatsApp number, email, postal address, communication preferences.
- Travel & identity: flight details, itinerary, and where necessary to arrange logistics or fulfil legal checks passport/ID details.
- Medical & pre-assessment (special-category): medical history, medications, allergies, prior surgeries, lifestyle information (e.g., smoking), lab/test results provided to us, treatment preferences and contraindications.
- Images & media: consultation photos/videos you share; before/after images only with your explicit consent for follow-up and/or marketing.
- Transaction & contract: quotes, package selection, deposit and payment records, invoices, insurance details (travel/medical), refund/complaint records.
- Communications: emails, WhatsApp messages, web-chat transcripts, call notes, feedback and complaint submissions.
- Technical & usage: IP address, device identifiers, browser/OS, pages viewed, session IDs, approximate location and similar telemetry collected via cookies, SDKs and pixels (see Section 8).
If you provide a companion’s or emergency contact’s details, you confirm you have informed them of this Policy.
- Directly from you via our Online Services or during coordination.
- From Service Providers where needed to arrange/confirm treatment or aftercare.
- From travel/logistics vendors (airlines, hotels, transfers, insurance) where you authorise coordination.
- From analytics/advertising partners when you consent to cookies/pixels (see Section 8).
- From public sources that you make available (e.g., social handles you share).
5) Why we process data & legal bases
We process personal data only where a lawful basis exists. For health data, we rely primarily on your explicit consent.
- Responding to enquiries & pre-assessment: providing quotes, assessing suitability, scheduling. Legal bases: contract necessity; legitimate interests; explicit consent for health data.
- Arranging & managing your package: liaising with Service Providers; booking accommodation, transfers; travel insurance. Bases: contract necessity; explicit consent for health data; vital interests in emergencies.
- Payments & accounting: deposits/balances, invoicing, tax. Bases: contract necessity; legal obligation.
- Customer support & aftercare: follow-ups, reminders, handling queries. Bases:contract necessity; legitimate interests.
- Safety, security & fraud prevention: identity checks; preventing abuse or spam. Bases: legitimate interests and/or legal obligation.
- Marketing communications: newsletters/offers similar to your enquiry. Bases:consent; or, where permitted for existing customers, legitimate interests (opt-out anytime).
- Analytics & advertising/remarketing: traffic measurement, personalised ads. Basis:consent for non-essential cookies/pixels.
- Legal claims & compliance: complaints, disputes, regulatory requests. Bases:legitimate interests and/or legal obligation; for health data, legal-claims condition may apply.
- Before/after images for marketing: Basis: explicit, written consent (withdrawable at any time).
Withdrawing consent: Where we rely on consent (e.g., health data, cookies, marketing, before/after media), you can withdraw it at any time by emailing info@tkchealth.com. This does not affect processing carried out before withdrawal.
We share data only as needed and under confidentiality/data-protection commitments:
- Service Providers: independent clinics/hospitals/surgeons for consultation, treatment and aftercare.
- Travel & accommodation partners: airlines, hotels, transfer companies (when you authorise coordination).
- Insurance partners: travel/medical insurance included in your package.
- Labs/diagnostics: engaged by Service Providers.
- Payment processors & banks; fraud-prevention services.
- IT/CRM, communications & analytics vendors: hosting/CDN, CRM, email/SMS/WhatsApp tools, call/chat systems, analytics/ad platforms.
- Professional advisors & authorities: auditors, lawyers, regulators, courts (where required by law or to establish/defend legal claims).
We do not sell personal data.
7) International transfers (UK/EU safeguards)
We operate in Türkiye and work with partners/vendors that may be located outside the UK/EEA. Where personal data is transferred internationally, we implement lawful mechanisms and extra safeguards, including:
- EU Standard Contractual Clauses (SCCs) and, where the UK regime applies, the UK International Data Transfer Addendum (IDTA);
- Use of services in countries with an adequacy decision, where available;
- Encryption in transit and at rest, strict access controls (least-privilege/MFA), logging, vendor due diligence and data-processing agreements;
- Transfer impact assessments for higher-risk destinations.
You may request a description of relevant safeguards at info@tkchealth.com (commercial terms may be redacted).
8) Cookies, pixels & similar technologies
We use cookies and similar technologies to:
- Make the site work (strictly necessary),
- Remember your choices (functionality),
- Measure performance (analytics),
- Deliver and measure ads (advertising/remarketing).
We request your consent for non-essential cookies/pixels. You can manage preferences anytime via the Cookie Settings link in our site footer. Until consent is given, non-essential tags are blocked.
Examples of tools we use: Google Analytics/Ads/Tag Manager, Meta Pixel, TikTok Pixel, Microsoft Ads/Clarity, Hotjar.
Do Not Track: Due to industry variability, our sites do not currently respond to browser DNT signals.
9) How long we keep data (retention)
We keep personal data only as long as necessary for the purposes in this Policy and to meet legal, accounting and reporting requirements. Typical periods are:
- Enquiry records (no booking): up to 24 months from last interaction.
- Patient coordination files (including health data): up to 10 years from last activity or as required by law.
- Contracts, invoices and tax records: 10 years (or the statutory period).
- Communications and complaints: up to 6 years from closure.
- Marketing preferences and consent logs: for the duration of your subscription plus 24 months.
- Cookie identifiers and analytics events: per tool defaults or up to 13 months, where required.
When these periods lapse, we delete the data or irreversibly anonymise it.
We implement appropriate technical and organisational measures to protect personal data, including encryption (in transit/at rest where feasible), access controls with least-privilege and MFA for admin accounts, vendor due diligence and DPAs, staff confidentiality and training, secure development and logging, and incident-response procedures. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify you and the relevant authority in line with applicable law.
Our Services are not directed to individuals under 18. We do not knowingly collect data from children under 18 without guardian involvement. If you believe a child has provided data, contact us and we will delete it.
12) Your data-protection rights
Depending on where you live, you may have the right to access, rectify, erase, restrict or object to processing of your personal data; to data portability; to withdraw consent at any time (where processing is based on consent); to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects; and to lodge a complaint with a supervisory authority.
How to exercise your rights: email info@tkchealth.com. We may request information to verify your identity and help locate your data.
Supervisory authorities:
- United Kingdom: Information Commissioner’s Office (ICO)
- Türkiye: Kişisel Verileri Koruma Kurumu (KVKK)
We will guide you on contacting the appropriate authority upon request.
13) Marketing & before/after images
- We send electronic marketing only with your consent or, where permitted, to existing customers about similar Services. You can opt out at any time via links in our messages or by emailing info@tkchealth.com.
- Before/after images: We only use identifiable images for marketing with your explicit, written consent. Consent can be withdrawn at any time; TKC will cease future use and, where feasible, remove content from our channels (note that third-party caching beyond our control may persist for a period).
14) Profiling & automated decisions
We may use analytics and advertising tools to profile interests (e.g., likely treatment category) to tailor content and ads. We do not make decisions with legal or similarly significant effects based solely on automated processing.
Our Online Services may link to third-party sites. Those sites have their own privacy terms; we are not responsible for their practices. Please review their policies before providing data.
We may update this Policy from time to time. Material changes will be highlighted on our sites and, where appropriate, communicated by email. The version and effective date appear at the top.
Email: info@tkchealth.com
Postal: TKC Health Services – Kazım Dirik Neighborhood, 284th Street, No: 2, Apartment: 409, Folkart Time, Bornova/İzmir, Türkiye
Appendix – Implementation Notes & Compliance Checklist
This appendix summarises the key compliance tweaks implemented within the policy and where they sit. It is provided for clarity and internal audits.
- Check 13 (Marketing & before/after images) – Electronic marketing complies with UK PECR and Türkiye’s Law No. 6563 and the Commercial Electronic Messages Regulation; always-available opt-out is stated.
- Check 12 (Your data-protection rights) – KVKK Article 11 rights explicitly listed (learn whether processed, request info/correction/deletion, notification to third parties, objection, compensation).
- Check 8 (Cookies, pixels & similar technologies) – In the EEA/UK we implement Google Consent Mode (v2) so ad/analytics tags respect consent choices.
- Check 4 (How we obtain data) – WhatsApp Business clarification: encrypted, subject to Meta’s terms, not a formal medical record system.
- Check 2 (Who this applies to) – Where applicable, Türkiye VERBIS obligations are fulfilled.
- Check 6 & 13 – Reaffirmed we do not sell personal data; before/after images used only with explicit, written consent; withdrawal stops future use with best-effort removals.
- Check 7 (International transfers) – Confirmed EU SCCs and UK IDTA, plus technical safeguards (encryption/MFA, vendor DPAs) and transfer impact assessments for higher-risk destinations.
