PreClear Health
Privacy Policy
Effective: TBD — pending legal review · Last updated: 2026-05-18
Draft — pending legal review
This document is a draft prepared by the PreClear Health clinical leadership. It will be reviewed and finalised by a licensed healthcare lawyer specialising in cross-border medical liability before any patient data is collected. The substantive commitments below describe our intended processing; the binding text is the version this banner no longer appears on.
PreClear Health (“PreClear,” “we,” “our”) provides remote pre-operative anesthesia clearance for international patients travelling for elective aesthetic surgery. This Privacy Policy explains what personal data we collect from patients, the operating clinics that engage us, and visitors to this website; the legal bases on which we rely; how we protect that data; and the rights you have over it. The text applies to all PreClear services unless a separate notice is provided at the point of collection.
1. Who we are
PreClear Health is the data controller for personal data processed in connection with our pre-operative clearance service. The legal entity, its registered address, and the appointed Data Protection Officer will be confirmed before the service opens to patients.
You can reach our clinical leadership for any privacy enquiry at the contact address at the bottom of this document. A Data Protection Officer (DPO) will be designated under Article 37 GDPR and KVKK Article 16 ahead of public launch.
2. Personal data we collect
We collect only the data we need to deliver the pre-operative clearance service and to meet the documentation duties imposed on us as a medical service provider. Categories of personal data we may collect include:
| Category | Examples | Source |
|---|---|---|
| Identifiers | Full legal name, date of birth, country of residence, contact email, contact phone | Provided by the patient during intake |
| Health data (GDPR Art. 9 special category; KVKK Art. 6 special quality) | Past medical history, current medications, allergies, surgical history, sleep-apnea screening (STOP-BANG), thrombosis screening (Caprini), open-mouth photograph for airway assessment, uploaded lab or imaging documents | Provided by the patient during intake; structured by our intake agent |
| Clinical assessment data | PreClear Score™ components, structured review form completed by our consultant anesthesiologists, the PreClear Verified™ advisory report | Generated by PreClear staff and systems |
| Buyer-side business data | Clinic name, country, contact email, contract terms | Operating clinics that engage us |
| Payment and billing data | Card-payment status, subscription identifiers from our payment processor; we never store full card numbers ourselves | Patient or operating clinic via Stripe |
| Technical and security data | Hashed IP address, hashed User-Agent string, audit-event metadata, login session timestamps | Automatically collected for security and audit |
We do not collect, request, or use personal data outside the categories listed above. We do not buy personal data from third parties and we do not enrich your record from external sources.
3. Legal bases for processing
We rely on the following legal bases under GDPR (read together with KVKK’s corresponding provisions):
- Health data is processed on the basis of your explicit consent (GDPR Article 9(2)(a); KVKK Article 6(2)). We obtain that consent as the first step of the patient intake flow and record it in our audit log. You may withdraw consent at any time — see Section 7 (“Your rights”).
- Identifier and clinical-assessment data are processed because they are necessary for the provision of preventive or occupational medicine, and the assessment of the working capacity of the patient, under the responsibility of a health professional (GDPR Article 9(2)(h)).
- Buyer-side business data, payment data, and technical data are processed on the basis of the contract you or your clinic enters with us (GDPR Article 6(1)(b); KVKK Article 5(2)(c)) and our legitimate interest in operating the service securely (GDPR Article 6(1)(f); KVKK Article 5(2)(f)).
- Audit-log entries are retained because of our legal obligation under the Turkish Remote Health Services Regulation (2022) and KVKK Article 12 (“data security” obligations).
4. How we use your data
We use personal data to operate the documented PreClear Protocol™. In practice that means:
- Structuring your intake so that our consultant anesthesiology team has the information needed to produce an advisory pre-operative opinion.
- Running deterministic risk-scoring (ASA suggestion, STOP-BANG, Caprini, PreClear Score™) on the data you submit. No clinical decision is made automatically; every opinion that leaves PreClear is signed by a human consultant.
- Translating your answers between English and the language you prefer. AI-assisted translation is used only to render the conversation; the clinical reasoning is performed by our human reviewers.
- Generating the PreClear Verified™ advisory report and sharing the report with you and the operating clinic.
- Maintaining an immutable, hash-chained audit log of every clinical action so that, under our Shared Liability Framework, the operating clinic, the patient, and PreClear Health can all rely on a verifiable record of what was assessed and when.
- Operating the service securely — detecting abuse, defending against unauthorised access, recovering from incidents.
AI providers we use for translation and document structuring operate under signed Data Processing Agreements and either do not retain prompt content or retain it only for the limited support window contractually agreed. Patient data is sent to AI providers only where it is strictly necessary for the task and is logged for data-minimisation review (see Section 8 “Sub-processors”).
6. International transfers
Our data store — the primary database, audit log, object storage, and key vault — is hosted in the European Union (Frankfurt region) by Supabase; patient health data is stored in the EU by default. Our web frontends, including the marketing site, patient intake, and the clinical dashboard, are served from Vercel Edge; sensitive operations (authentication, encryption and decryption, identity lookups) execute against our EU Supabase store rather than at the edge. Where a sub-processor (for example, an AI provider) processes data outside the EU on our behalf, we rely on the Standard Contractual Clauses adopted by the European Commission together with supplementary technical measures (pseudonymisation, application-layer AES-256-GCM encryption, audit logging) to maintain an essentially equivalent level of protection.
Operating clinics and patients located in Turkey are additionally protected by KVKK Article 9 transfer rules; transfers outside Turkey rely on explicit consent or on KVKK Board-approved transfer mechanisms as applicable.
7. Your rights
Under GDPR (Articles 15–22) and KVKK (Article 11) you have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase data that is no longer necessary or that you withdraw consent for, subject to our legal obligation to retain audit-log entries.
- Restrict processing while a request is reviewed.
- Receive a portable copy of data you provided to us.
- Object to processing based on legitimate interest.
- Withdraw consent to health-data processing at any time, without affecting the lawfulness of processing already carried out.
- Lodge a complaint with a supervisory authority — the Turkish Personal Data Protection Authority (KVKK Kurumu) and, for EU residents, the supervisory authority in your country of habitual residence.
To exercise any right contact us at the address at the bottom of this document. We will respond within thirty (30) days of receipt; complex requests may take longer and we will tell you why.
Erasure of audit-log entries is restricted: those entries are required for the regulatory technical file and for the legal defence of operating clinics, PreClear Health, and treating physicians under the Shared Liability Framework. Where we cannot erase audit entries, we will explain why and we will identify the legal basis on which we are required to retain them.
8. Sub-processors
We rely on the following sub-processors. Each one is contractually bound by a Data Processing Agreement that mirrors our own obligations under GDPR / KVKK.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Managed Postgres, authentication, object storage, vault | EU (Frankfurt) |
| Resend | Transactional email delivery | EU (Frankfurt) |
| Stripe | Payment processing for participating clinics | EU / global |
| Anthropic (or OpenAI / Azure OpenAI / Mistral, deployment-time choice) | Translation and document structuring for the intake conversation. Single provider at runtime; provider per deployment is selected to maximise EU data residency and the strongest DPA terms available. | EU / contractual zero-retention |
An up-to-date sub-processor list is maintained on our compliance page. Material changes (a new sub-processor, a region change) will be announced at least thirty (30) days before they take effect, giving operating clinics time to raise objections.
9. Retention
We retain personal data only for as long as it remains necessary for the purpose for which it was collected, subject to overriding legal obligations:
- Intake content (chat turns, uploaded photos, structured answers): retained for the duration of the case plus a period sufficient for the operating clinic and the patient to complete follow-up, then minimised. Default retention is twenty-four (24) months from delivery; longer retention is possible only under explicit patient consent or legal obligation.
- PreClear Verified™ advisory report and audit chain: retained for the period required by the Turkish Remote Health Services Regulation and KVKK record-keeping rules, expected to be ten (10) years.
- Buyer-side business data (clinic name, contact email): retained for the lifetime of the contractual relationship plus the limitation period under Turkish commercial law.
- Technical security data (hashed IP, hashed UA in audit rows): retained for the duration of the audit-chain row it appears on.
Retention windows are documented in our internal data-classification register and reviewed annually under our quality-management system (ISO 13485-aligned).
10. Security
PreClear Health applies defence-in-depth controls appropriate to special-category data:
- Transport encryption: TLS 1.2 or higher on every connection.
- Application-layer encryption: AES-256-GCM (HKDF-SHA256 key derivation) applied to selected identity fields stored in our identity schema — patient full name, date of birth, email, and phone, and clinician full name and email — and to specific PHI-capable fields elsewhere by field-specific rule, including the referral label and the encrypted metadata on biometric artifacts. This does not mean every clinical field or all free-text content is field-level encrypted: clinical free-text answers are minimised and redacted by field-specific rule. Country of residence is not encrypted, because it is needed for routing and data residency.
- Key management: production-grade key custody through a managed Key Management System (Supabase Vault) with scheduled rotation. Encryption keys never live in application memory in production.
- Access control: role-based access with capability-level authorisation, and just-in-time “break-the-glass” access logged in the audit chain. Multi-factor authentication is supported at the identity-provider level; privileged-role MFA enforcement is a launch policy and configuration item pending legal and security sign-off.
- Audit logging: hash-chained, append-only audit chain covering every clinical action; the chain head is anchored through an EU-based Qualified Trust Service Provider (RFC 3161). Anchoring runs on a weekly operational schedule — a scheduled job rather than a legally mandated frequency — and a missed run is caught up by the next.
- Vulnerability management: dependency monitoring, regular penetration testing, and a coordinated disclosure programme described in our compliance page.
No system is perfectly secure. We commit to notifying you and the relevant supervisory authority within the timelines mandated by Article 33 GDPR (72 hours) and KVKK Article 12 (“as soon as possible”) of any personal-data breach likely to result in a risk to your rights.
12. Children
PreClear Health is a service for adults considering elective aesthetic, ENT, or bariatric surgery. We do not knowingly collect personal data from individuals under eighteen (18) years of age. If you believe we hold data about a minor, please contact us so we can investigate and delete the data.
13. Changes to this policy
Material changes to this Privacy Policy will be published on this page with an updated “Effective date.” Where the change affects how we process special-category health data, we will additionally notify affected patients by email. The version-history of this document is preserved on our internal regulatory record.
Contact
PreClear Health · Clinical Leadership
founders@preclear.health
For data-protection enquiries (access / rectification / erasure / objection): privacy@preclear.health
For incident reports: security@preclear.health