Privacy Policy

How we handle your information.

Last updated: April 2026 · Version 1.0

This policy explains what personal information Dr. Dan Kopeliovich collects when you use this website, why we collect it, how long we keep it, and the rights you have under US, Canadian, Mexican, and EU data protection law. Plain language, no legal tricks.

The short version. We only collect what you voluntarily type into the contact form (name, email, WhatsApp number, message) plus basic web analytics that runs by default, which you can opt out of at any time. We use it to contact you about a possible consultation and to understand which campaigns bring real patients. We never sell your data. You can delete everything we have on you at any time by emailing the privacy contact below.

1 · Who is responsible (data controller)

The data controller for this website is:

For technical operations (hosting, analytics, form storage), the clinic uses Kfir Harbi Studio as a data processor under a written Data Processing Agreement.

2 · What we collect

2.1 · Information you give us directly

2.2 · Information collected automatically

2.3 · What we do NOT collect

3 · Why we use it (lawful basis)

4 · Where your data lives and how it moves

Form submissions are stored on Supabase (a PostgreSQL-as-a-service provider). If you are filling this form from the United States, Canada, or Europe, your data is transferred across borders to reach the clinic in Mexico. This transfer happens with appropriate safeguards in place (Standard Contractual Clauses for EU data, explicit consent for North American data).

Analytics data (if you opted in) is processed by Google (GA4) with IP anonymization enabled. Advertising measurement data (if you opted in) is processed by Meta Platforms Ireland Ltd under their standard terms, with Limited Data Use flags applied for California residents.

5 · How long we keep it

6 · Your rights

6.1 · Everyone, everywhere

6.2 · California residents (CCPA / CPRA)

Under California law you have the right to:

We do not sell your personal information. The "Do Not Sell or Share My Personal Information" link in the footer exists to let you opt out of advertising cookies (Meta Pixel), which under CCPA's broad definition may qualify as "sharing." Clicking it is equivalent to declining the "Advertising" toggle in the cookie banner.

6.3 · Mexican residents (LFPDPPP, ARCO rights)

Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares you have the rights of Access, Rectification, Cancellation, and Opposition (ARCO). The designated controller is Dr. Dan Kopeliovich. Send ARCO requests to the privacy contact above. We respond within 20 business days.

6.4 · Canadian residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act you have the right to access your personal information, challenge its accuracy, and know how it is used. We disclose that your data may be transferred to Mexico (for clinic operations) and the United States (for analytics infrastructure). You consent to this transfer by submitting the form.

6.5 · EU / EEA visitors

This website and clinic are directed at patients in the United States, Canada, and Mexico, not the EU/EEA, and analytics is enabled by default as permitted in those markets. If you nevertheless access the site from the EU/EEA, you may still exercise your rights of access, rectification, erasure, restriction, portability, and objection under Regulation (EU) 2016/679, and you can opt out of analytics at any time via Manage Cookies.

7 · Cookies and tracking

This website is directed at patients in the United States, Canada, and Mexico. We use essential cookies plus Google Analytics, which is enabled by default to measure site performance. Advertising cookies (Meta Pixel) stay off until you turn them on. Google Consent Mode v2 is set to analytics "granted" and advertising "denied" by default. You can opt out of analytics, or change any choice, at any time via Manage Cookies in the footer or the Do Not Sell or Share link.

The cookies used, when enabled:

You can change your choices at any time by clicking Manage Cookies in the footer.

8 · Security

Data is transmitted over HTTPS (TLS 1.2 or higher). The form submits to Supabase using a public anonymous key with Row Level Security policies that permit only INSERT operations. No lead data is ever readable from the public website. Dashboard access (for clinic operations) uses a separate service-role key that lives only on an operator's machine, never in the browser.

9 · Children

This website and the services described on it are intended for adults 18 years or older. We do not knowingly collect personal information from minors.

10 · Changes to this policy

We may update this policy from time to time. The "Last updated" date above will reflect any change. Material changes will be communicated via the website.

11 · Contact

Questions, requests, or complaints about this policy or how your data is handled: