How we handle your information.
This policy explains what personal information Dr. Dan Kopeliovich collects when you use this website, why we collect it, how long we keep it, and the rights you have under US, Canadian, Mexican, and EU data protection law. Plain language, no legal tricks.
1 · Who is responsible (data controller)
The data controller for this website is:
- Dr. Dan Kopeliovich Clinic, Cancún, Quintana Roo, Mexico
- Privacy contact: [email protected]
For technical operations (hosting, analytics, form storage), the clinic uses Kfir Harbi Studio as a data processor under a written Data Processing Agreement.
2 · What we collect
2.1 · Information you give us directly
- Name (as entered in the form)
- Email address
- WhatsApp / phone number
- Message content (what you want to ask Dr. Dan)
2.2 · Information collected automatically
- UTM parameters (which campaign, source, medium brought you to the page)
- Referrer URL and the exact landing URL
- Browser user agent
- Analytics signals (Google Analytics 4), enabled by default; you can opt out via the cookie banner
- Advertising signals (Meta Pixel), off by default; collected only if you turn them on in the cookie banner
2.3 · What we do NOT collect
- Precise geolocation (we don't ask for location permission)
- Financial information, credit card numbers, or banking details
- Medical history beyond what you voluntarily put in the message field
- Biometric data, facial recognition, or voice prints
3 · Why we use it (lawful basis)
- To reply to you about a consultation: consent / contract preparation
- To measure campaign effectiveness: our legitimate interest in understanding which campaigns bring patients (analytics runs by default; you can opt out at any time)
- To detect spam and fraud: legitimate interest
- To comply with legal obligations in Mexico, the US, Canada, and the EU
4 · Where your data lives and how it moves
Form submissions are stored on Supabase (a PostgreSQL-as-a-service provider). If you are filling this form from the United States, Canada, or Europe, your data is transferred across borders to reach the clinic in Mexico. This transfer happens with appropriate safeguards in place (Standard Contractual Clauses for EU data, explicit consent for North American data).
Analytics data (if you opted in) is processed by Google (GA4) with IP anonymization enabled. Advertising measurement data (if you opted in) is processed by Meta Platforms Ireland Ltd under their standard terms, with Limited Data Use flags applied for California residents.
5 · How long we keep it
- Converted leads (you became a patient): 7 years, required by Mexican medical records law
- Non-converted leads (no consultation scheduled): 24 months, then auto-deleted
- Analytics data in GA4: 14 months (configurable retention, minimum available)
- Meta Pixel data: governed by Meta's retention policies, typically 180 days for attribution
6 · Your rights
6.1 · Everyone, everywhere
- Access: ask what we have on you, get a copy
- Correction: fix anything wrong
- Deletion: have everything erased (subject to medical records law exceptions)
- Objection: tell us to stop processing your data
6.2 · California residents (CCPA / CPRA)
Under California law you have the right to:
- Know what personal information we collect, use, and share
- Delete personal information (with some exceptions)
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising these rights
We do not sell your personal information. The "Do Not Sell or Share My Personal Information" link in the footer exists to let you opt out of advertising cookies (Meta Pixel), which under CCPA's broad definition may qualify as "sharing." Clicking it is equivalent to declining the "Advertising" toggle in the cookie banner.
6.3 · Mexican residents (LFPDPPP, ARCO rights)
Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares you have the rights of Access, Rectification, Cancellation, and Opposition (ARCO). The designated controller is Dr. Dan Kopeliovich. Send ARCO requests to the privacy contact above. We respond within 20 business days.
6.4 · Canadian residents (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act you have the right to access your personal information, challenge its accuracy, and know how it is used. We disclose that your data may be transferred to Mexico (for clinic operations) and the United States (for analytics infrastructure). You consent to this transfer by submitting the form.
6.5 · EU / EEA visitors
This website and clinic are directed at patients in the United States, Canada, and Mexico, not the EU/EEA, and analytics is enabled by default as permitted in those markets. If you nevertheless access the site from the EU/EEA, you may still exercise your rights of access, rectification, erasure, restriction, portability, and objection under Regulation (EU) 2016/679, and you can opt out of analytics at any time via Manage Cookies.
7 · Cookies and tracking
This website is directed at patients in the United States, Canada, and Mexico. We use essential cookies plus Google Analytics, which is enabled by default to measure site performance. Advertising cookies (Meta Pixel) stay off until you turn them on. Google Consent Mode v2 is set to analytics "granted" and advertising "denied" by default. You can opt out of analytics, or change any choice, at any time via Manage Cookies in the footer or the Do Not Sell or Share link.
The cookies used, when enabled:
- Google Analytics 4: page views, video engagement, form submissions (conversion tracking)
- Meta Pixel: ad effectiveness measurement, lookalike audience building, conversion tracking
You can change your choices at any time by clicking Manage Cookies in the footer.
8 · Security
Data is transmitted over HTTPS (TLS 1.2 or higher). The form submits to Supabase using a public anonymous key with Row Level Security policies that permit only INSERT operations. No lead data is ever readable from the public website. Dashboard access (for clinic operations) uses a separate service-role key that lives only on an operator's machine, never in the browser.
9 · Children
This website and the services described on it are intended for adults 18 years or older. We do not knowingly collect personal information from minors.
10 · Changes to this policy
We may update this policy from time to time. The "Last updated" date above will reflect any change. Material changes will be communicated via the website.
11 · Contact
Questions, requests, or complaints about this policy or how your data is handled:
- Privacy contact: [email protected]
- Clinic phone (WhatsApp): [phone-to-fill-in]
- Postal address: [clinic-address-to-fill-in], Cancún, Quintana Roo, Mexico