PreClear Health

Privacy Policy

Effective: TBD — pending legal review · Last updated: 2026-05-18

PreClear Health (“PreClear,” “we,” “our”) provides remote pre-operative anesthesia clearance for international patients travelling for elective aesthetic surgery. This Privacy Policy explains what personal data we collect from patients, the operating clinics that engage us, and visitors to this website; the legal bases on which we rely; how we protect that data; and the rights you have over it. The text applies to all PreClear services unless a separate notice is provided at the point of collection.

1. Who we are

PreClear Health is the data controller for personal data processed in connection with our pre-operative clearance service. The legal entity, its registered address, and the appointed Data Protection Officer will be confirmed before the service opens to patients.

You can reach our clinical leadership for any privacy enquiry at the contact address at the bottom of this document. A Data Protection Officer (DPO) will be designated under Article 37 GDPR and KVKK Article 16 ahead of public launch.

2. Personal data we collect

We collect only the data we need to deliver the pre-operative clearance service and to meet the documentation duties imposed on us as a medical service provider. Categories of personal data we may collect include:

CategoryExamplesSource
IdentifiersFull legal name, date of birth, country of residence, contact email, contact phoneProvided by the patient during intake
Health data (GDPR Art. 9 special category; KVKK Art. 6 special quality)Past medical history, current medications, allergies, surgical history, sleep-apnea screening (STOP-BANG), thrombosis screening (Caprini), open-mouth photograph for airway assessment, uploaded lab or imaging documentsProvided by the patient during intake; structured by our intake agent
Clinical assessment dataPreClear Score™ components, structured review form completed by our consultant anesthesiologists, the PreClear Verified™ advisory reportGenerated by PreClear staff and systems
Buyer-side business dataClinic name, country, contact email, contract termsOperating clinics that engage us
Payment and billing dataCard-payment status, subscription identifiers from our payment processor; we never store full card numbers ourselvesPatient or operating clinic via Stripe
Technical and security dataHashed IP address, hashed User-Agent string, audit-event metadata, login session timestampsAutomatically collected for security and audit

We do not collect, request, or use personal data outside the categories listed above. We do not buy personal data from third parties and we do not enrich your record from external sources.

4. How we use your data

We use personal data to operate the documented PreClear Protocol™. In practice that means:

  • Structuring your intake so that our consultant anesthesiology team has the information needed to produce an advisory pre-operative opinion.
  • Running deterministic risk-scoring (ASA suggestion, STOP-BANG, Caprini, PreClear Score™) on the data you submit. No clinical decision is made automatically; every opinion that leaves PreClear is signed by a human consultant.
  • Translating your answers between English and the language you prefer. AI-assisted translation is used only to render the conversation; the clinical reasoning is performed by our human reviewers.
  • Generating the PreClear Verified™ advisory report and sharing the report with you and the operating clinic.
  • Maintaining an immutable, hash-chained audit log of every clinical action so that, under our Shared Liability Framework, the operating clinic, the patient, and PreClear Health can all rely on a verifiable record of what was assessed and when.
  • Operating the service securely — detecting abuse, defending against unauthorised access, recovering from incidents.

AI providers we use for translation and document structuring operate under signed Data Processing Agreements and either do not retain prompt content or retain it only for the limited support window contractually agreed. Patient data is sent to AI providers only where it is strictly necessary for the task and is logged for data-minimisation review (see Section 8 “Sub-processors”).

5. Who we share your data with

We share personal data only with parties who need it to deliver our service to you or who help us meet our legal obligations. Specifically:

  • The operating clinic you have selected for your procedure receives the PreClear Verified™ advisory report and the structured supporting data the report references. The clinic uses this material to plan your anesthesia and surgical care.
  • Our consultant anesthesiologists access your clinical record through our internal dashboard for the purpose of producing the advisory opinion. Access is logged.
  • Our service providers (“sub-processors”) listed in Section 8 process limited categories of data on our instructions and under contract.
  • Regulators, supervisory authorities, and courts where we are legally compelled to disclose data — we will tell you when this happens unless prohibited from doing so by law.

We do not sell personal data and we do not share it for advertising, profiling, or any purpose unrelated to delivering pre-operative clearance.

6. International transfers

Our data store — the primary database, audit log, object storage, and key vault — is hosted in the European Union (Frankfurt region) by Supabase; patient health data is stored in the EU by default. Our web frontends, including the marketing site, patient intake, and the clinical dashboard, are served from Vercel Edge; sensitive operations (authentication, encryption and decryption, identity lookups) execute against our EU Supabase store rather than at the edge. Where a sub-processor (for example, an AI provider) processes data outside the EU on our behalf, we rely on the Standard Contractual Clauses adopted by the European Commission together with supplementary technical measures (pseudonymisation, application-layer AES-256-GCM encryption, audit logging) to maintain an essentially equivalent level of protection.

Operating clinics and patients located in Turkey are additionally protected by KVKK Article 9 transfer rules; transfers outside Turkey rely on explicit consent or on KVKK Board-approved transfer mechanisms as applicable.

7. Your rights

Under GDPR (Articles 15–22) and KVKK (Article 11) you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data that is no longer necessary or that you withdraw consent for, subject to our legal obligation to retain audit-log entries.
  • Restrict processing while a request is reviewed.
  • Receive a portable copy of data you provided to us.
  • Object to processing based on legitimate interest.
  • Withdraw consent to health-data processing at any time, without affecting the lawfulness of processing already carried out.
  • Lodge a complaint with a supervisory authority — the Turkish Personal Data Protection Authority (KVKK Kurumu) and, for EU residents, the supervisory authority in your country of habitual residence.

To exercise any right contact us at the address at the bottom of this document. We will respond within thirty (30) days of receipt; complex requests may take longer and we will tell you why.

Erasure of audit-log entries is restricted: those entries are required for the regulatory technical file and for the legal defence of operating clinics, PreClear Health, and treating physicians under the Shared Liability Framework. Where we cannot erase audit entries, we will explain why and we will identify the legal basis on which we are required to retain them.

8. Sub-processors

We rely on the following sub-processors. Each one is contractually bound by a Data Processing Agreement that mirrors our own obligations under GDPR / KVKK.

Sub-processorPurposeRegion
SupabaseManaged Postgres, authentication, object storage, vaultEU (Frankfurt)
ResendTransactional email deliveryEU (Frankfurt)
StripePayment processing for participating clinicsEU / global
Anthropic (or OpenAI / Azure OpenAI / Mistral, deployment-time choice)Translation and document structuring for the intake conversation. Single provider at runtime; provider per deployment is selected to maximise EU data residency and the strongest DPA terms available.EU / contractual zero-retention

An up-to-date sub-processor list is maintained on our compliance page. Material changes (a new sub-processor, a region change) will be announced at least thirty (30) days before they take effect, giving operating clinics time to raise objections.

9. Retention

We retain personal data only for as long as it remains necessary for the purpose for which it was collected, subject to overriding legal obligations:

  • Intake content (chat turns, uploaded photos, structured answers): retained for the duration of the case plus a period sufficient for the operating clinic and the patient to complete follow-up, then minimised. Default retention is twenty-four (24) months from delivery; longer retention is possible only under explicit patient consent or legal obligation.
  • PreClear Verified™ advisory report and audit chain: retained for the period required by the Turkish Remote Health Services Regulation and KVKK record-keeping rules, expected to be ten (10) years.
  • Buyer-side business data (clinic name, contact email): retained for the lifetime of the contractual relationship plus the limitation period under Turkish commercial law.
  • Technical security data (hashed IP, hashed UA in audit rows): retained for the duration of the audit-chain row it appears on.

Retention windows are documented in our internal data-classification register and reviewed annually under our quality-management system (ISO 13485-aligned).

10. Security

PreClear Health applies defence-in-depth controls appropriate to special-category data:

  • Transport encryption: TLS 1.2 or higher on every connection.
  • Application-layer encryption: AES-256-GCM (HKDF-SHA256 key derivation) applied to selected identity fields stored in our identity schema — patient full name, date of birth, email, and phone, and clinician full name and email — and to specific PHI-capable fields elsewhere by field-specific rule, including the referral label and the encrypted metadata on biometric artifacts. This does not mean every clinical field or all free-text content is field-level encrypted: clinical free-text answers are minimised and redacted by field-specific rule. Country of residence is not encrypted, because it is needed for routing and data residency.
  • Key management: production-grade key custody through a managed Key Management System (Supabase Vault) with scheduled rotation. Encryption keys never live in application memory in production.
  • Access control: role-based access with capability-level authorisation, and just-in-time “break-the-glass” access logged in the audit chain. Multi-factor authentication is supported at the identity-provider level; privileged-role MFA enforcement is a launch policy and configuration item pending legal and security sign-off.
  • Audit logging: hash-chained, append-only audit chain covering every clinical action; the chain head is anchored through an EU-based Qualified Trust Service Provider (RFC 3161). Anchoring runs on a weekly operational schedule — a scheduled job rather than a legally mandated frequency — and a missed run is caught up by the next.
  • Vulnerability management: dependency monitoring, regular penetration testing, and a coordinated disclosure programme described in our compliance page.

No system is perfectly secure. We commit to notifying you and the relevant supervisory authority within the timelines mandated by Article 33 GDPR (72 hours) and KVKK Article 12 (“as soon as possible”) of any personal-data breach likely to result in a risk to your rights.

11. Cookies, analytics, and tracking

This website uses only strictly necessary cookies for session and security purposes. We do not deploy advertising trackers, third-party analytics that profile users, or cross-site identifiers. Where we use product analytics on our patient-facing surfaces (intake, certificate portal), the analytics are first-party, aggregated, and never include health-data content.

12. Children

PreClear Health is a service for adults considering elective aesthetic, ENT, or bariatric surgery. We do not knowingly collect personal data from individuals under eighteen (18) years of age. If you believe we hold data about a minor, please contact us so we can investigate and delete the data.

13. Changes to this policy

Material changes to this Privacy Policy will be published on this page with an updated “Effective date.” Where the change affects how we process special-category health data, we will additionally notify affected patients by email. The version-history of this document is preserved on our internal regulatory record.

Contact

PreClear Health · Clinical Leadership

founders@preclear.health

For data-protection enquiries (access / rectification / erasure / objection): privacy@preclear.health

For incident reports: security@preclear.health

← Back to home