Privacy Policy and GDPR
Ostatnia aktualizacja / Last updated: April 2026
Data Controller
The data controller is:
ASF Seyahat Acentesi Sağlık Turizmi Ltd. Şti.
Etiler Mah. Evliya Çelebi Cad. No:23/106 Muratpaşa/Antalya, Turkey
MERSIS: 0086175554900001 | VN: 0861755549 | VD: Antalya Kurumlar
E-mail: contact@drneptune.com
1. Scope and Overview
This Privacy Policy describes how Dr. Neptune (“we”, “us”, “our”) collects, uses, stores, and discloses personal data when you interact with our services — including our website, CRM system, and communications sent via WhatsApp Business, SMS, and email.
We act as the Data Controller under the General Data Protection Regulation (GDPR – Regulation EU 2016/679).
2. What Data Do We Collect?
a) Data you provide voluntarily:
- Full name and surname
- Email address
- Phone number
- Inquiry or message content
- Medical preferences and travel requirements
b) Contract data:
- Billing address and invoice details
- Travel organization data
c) Communication data:
- Content of messages exchanged via WhatsApp Business, SMS, and email
- Attachments and media sent through these channels
d) Technical data:
- IP address, browser type, device information (for security and service continuity only)
e) Push notification subscription data:
- Browser endpoint identifiers and cryptographic keys (used solely to deliver in-app notifications; never shared with advertising platforms)
f) Analytics and marketing data (only with your consent):
- Pages visited, traffic sources, time on site, and user behaviour events (Google Analytics via Google Tag Manager)
- Website events and conversion data passed to Meta (Meta Pixel) for measuring ad effectiveness and building audiences
- Third-party advertising identifiers and cookies set by the above tools
3. Purposes and Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Responding to inquiries and preparing offers | Art. 6(1)(b) — pre-contractual steps |
| Sending offers via WhatsApp, SMS, and email | Art. 6(1)(b) or Art. 6(1)(a) — consent |
| Conclusion and performance of the contract | Art. 6(1)(b) — contract performance |
| Customer service and after-care | Art. 6(1)(b) & Art. 6(1)(f) — legitimate interests |
| Legal and tax compliance | Art. 6(1)(c) — legal obligation |
| Marketing communications (opt-in only) | Art. 6(1)(a) — explicit consent |
| Website traffic analysis and user behaviour (Google Analytics) | Art. 6(1)(a) — explicit consent |
| Advertising measurement and remarketing (Meta Pixel) | Art. 6(1)(a) — explicit consent |
| Security, anti-fraud, audit logging | Art. 6(1)(f) — legitimate interests |
4. WhatsApp Business Communication
We use the WhatsApp Business Platform (provided by Meta Platforms Ireland Ltd.) to send and receive messages. By submitting your phone number and indicating consent to WhatsApp contact, you agree that we may reach you on that platform.
Message content and metadata (including delivery status) may be processed by Meta in accordance with Meta’s own privacy policy, available at: https://www.whatsapp.com/legal/privacy-policy
You may opt out of WhatsApp communications at any time by:
- Replying STOP to any WhatsApp message from us
- Sending an email to contact@drneptune.com
- Blocking our number in the WhatsApp application
Opt-out requests are honoured within 24 hours. Records of opt-out are retained for audit purposes.
5. Sub-processors and Data Recipients
Data may be shared only with entities strictly necessary for service delivery:
Infrastructure and Hosting
| Sub-processor | Country | Role | Data Transferred | Basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | VPS hosting — database, app server, queues, chat | All CRM data (PII, messages, leads) | DPA signed |
| Cloudflare, Inc. (R2) | EU (Jurisdictional Restriction: eu) | Object storage — files, PDFs, media | Uploaded files and offer PDFs | Data stored exclusively within EEA — no transfer to USA |
Communication
| Sub-processor | Country | Role | Data Transferred | Basis |
|---|---|---|---|---|
| Meta Platforms Ireland Ltd. | Ireland (EEA) | WhatsApp Cloud API — send/receive messages | Phone numbers, message text, templates, media | Meta DPA + SCCs |
| Twilio Inc. | USA | SMS gateway — fallback offer delivery | Phone number (E.164), SMS body (name + link) | SCCs + EU-U.S. DPF |
| Webh.email / SMTP | EU | Transactional email — offers, confirmations | Email address, name, offer PDF | Contractual |
Analytics and Marketing (only with consent)
| Sub-processor | Country | Role | Data Transferred | Basis |
|---|---|---|---|---|
| Google Ireland Limited (Google Tag Manager + Analytics) | Ireland (EEA) | Tag management and website traffic analysis | Anonymised IP, page behaviour, traffic source, events | Art. 6(1)(a) — consent; Google DPA; SCCs for transfers to Google LLC (USA) |
| Meta Platforms Ireland Ltd. (Meta Pixel) | Ireland (EEA) | Conversion measurement and ad remarketing | Page events, IP, cookie identifiers, conversion data | Art. 6(1)(a) — consent; Meta DPA + SCCs |
Other
| Sub-processor | Country | Role | Data Transferred | Basis |
|---|---|---|---|---|
| Gotenberg (self-hosted) | Hetzner DE | PDF generation — offer documents | Offer data in HTML/PDF | Same infra, no transfer |
| Google FCM / Mozilla / Apple APNs | USA/EU | Browser push notifications | Encrypted payload: notification text + URL | Standard browser APIs |
| Medical partners (clinics, hotels, carriers) | Various | Organization of medical travel | Only data necessary for service delivery | Contractual confidentiality obligations |
| Legal and accounting professionals | EU/Turkey | Legal and tax compliance | Only data required by law | Legal obligation |
Analytics and marketing tools (Google Analytics, Meta Pixel) are only activated after the user provides explicit consent via the cookie banner. No personal data is sold to data brokers.
6. International Data Transfers
Where sub-processors are located outside the EEA, data transfers are governed by:
- Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
- EU-U.S. Data Privacy Framework (DPF) — where applicable
This applies in particular to:
- Twilio Inc. (USA) — SMS gateway
- Google LLC (USA) — Google Analytics data may be transferred to Google servers in the USA (basis: SCCs + EU-U.S. DPF; IP anonymised before transfer)
- Meta Platforms, Inc. (USA) — Meta Pixel data may be transferred to Meta servers in the USA (basis: SCCs + EU-U.S. DPF)
Cloudflare R2 is configured with a Jurisdictional Restriction (eu), which guarantees data is stored exclusively within the EEA with no transfer to the USA.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Inquiry data (no contract formed) | 12 months from last contact |
| Contract and billing data | 5 years from contract completion |
| WhatsApp and SMS message logs | 12 months (longer if required by law or ongoing dispute) |
| Technical and security logs | 90 days |
| Consent records | Until withdrawal + 3 years for audit |
After the retention period, data is securely deleted or anonymised.
8. Cookies and Tracking
Our website uses cookies in the following categories:
| Category | Examples | Consent required | Retention |
|---|---|---|---|
| Essential | Session cookie, CSRF protection, language preference | No (legitimate interest) | Session or up to 1 year |
| Analytics | Google Analytics (via Google Tag Manager) — traffic analysis, source tracking, user behaviour | Yes — consent required | Up to 2 years |
| Marketing | Meta Pixel — conversion tracking, remarketing, Facebook/Instagram audience building | Yes — consent required | Up to 90 days (pixel session) / up to 180 days (conversions) |
Google Tag Manager acts as a container that manages when third-party scripts are loaded — GTM itself does not set marketing cookies, but loads other vendors’ scripts only after your consent is given.
You may withdraw or change your cookie preferences at any time by clicking the “Cookie settings” link at the bottom of any page, or by contacting us at contact@drneptune.com.
A full list of cookies is available in our separate Cookie Policy.
9. Your Rights under GDPR
| Right | GDPR Article | How to exercise |
|---|---|---|
| Access — obtain a copy of your data | Art. 15 | Email: contact@drneptune.com |
| Rectification — correct inaccurate data | Art. 16 | Email: contact@drneptune.com |
| Erasure (Right to be Forgotten) | Art. 17 | Email: contact@drneptune.com |
| Restriction of processing | Art. 18 | Email: contact@drneptune.com |
| Data portability | Art. 20 | Email: contact@drneptune.com |
| Object to processing | Art. 21 | Email: contact@drneptune.com |
| Withdraw consent | Art. 7(3) | Reply STOP (WhatsApp) or email |
| Lodge a complaint with supervisory authority | Art. 77 | UODO (Poland) or your local DPA |
We will respond to all data subject requests within 30 days as required by GDPR Art. 12(3).
Supervisory authorities:
- Poland: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl
- Ireland (Meta/WhatsApp lead SA): Data Protection Commission, dataprotection.ie
10. Children’s Data
Our services are not directed at individuals under 16 years of age. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or a prominent notice on our website. The “Last updated” date at the top of this document reflects the current version.
12. Contact
For all data protection queries, please contact us at:
Email: contact@drneptune.com
Company: ASF Seyahat Acentesi Sağlık Turizmi Ltd. Şti.
Address: Etiler Mah. Evliya Çelebi Cad. No:23/106 Muratpaşa/Antalya, Turkey