How we handle your information.

Last updated: April 2026 · Version 1.0

This policy explains what personal information Dr. Dan Kopeliovich's clinic collects when you use this website, why we collect it, how long we keep it, and the rights you have under US, Canadian, Mexican, and EU data protection law. Plain language, no legal tricks.

The short version. We only collect what you voluntarily type into the contact form (name, email, WhatsApp number, message) plus basic web analytics if you opt in. We use it to contact you about a possible consultation and to understand which campaigns bring real patients. We never sell your data. You can delete everything we have on you at any time by emailing the privacy contact below.

1 · Who is responsible (data controller)

The data controller for this website is:

Dr. Dan Kopeliovich Clinic, Cancún, Quintana Roo, Mexico
Privacy contact: dan@drkopeliovich.com

For technical operations (hosting, analytics, form storage), the clinic uses Kfir Harbi Studio as a data processor under a written Data Processing Agreement.

2 · What we collect

2.1 · Information you give us directly

Name (as entered in the form)
Email address
WhatsApp / phone number
Message content (what you want to ask Dr. Dan)

2.2 · Information collected automatically

UTM parameters (which campaign, source, medium brought you to the page)
Referrer URL and the exact landing URL
Browser user agent
Analytics signals (Google Analytics 4), only if you opt in via the cookie banner
Advertising signals (Meta Pixel), only if you opt in via the cookie banner

2.3 · What we do NOT collect

Precise geolocation (we don't ask for location permission)
Financial information, credit card numbers, or banking details
Medical history beyond what you voluntarily put in the message field
Biometric data, facial recognition, or voice prints

3 · Why we use it (lawful basis)

To reply to you about a consultation, consent / contract preparation
To measure campaign effectiveness, consent (analytics cookies opt-in)
To detect spam and fraud, legitimate interest
To comply with legal obligations in Mexico, the US, Canada, and the EU

4 · Where your data lives and how it moves

Form submissions are stored on Supabase (a PostgreSQL-as-a-service provider). If you are filling this form from the United States, Canada, or Europe, your data is transferred across borders to reach the clinic in Mexico. This transfer happens with appropriate safeguards in place (Standard Contractual Clauses for EU data, explicit consent for North American data).

Analytics data (if you opted in) is processed by Google (GA4) with IP anonymization enabled. Advertising measurement data (if you opted in) is processed by Meta Platforms Ireland Ltd under their standard terms, with Limited Data Use flags applied for California residents.

5 · How long we keep it

Converted leads (you became a patient): 7 years, required by Mexican medical records law
Non-converted leads (no consultation scheduled): 24 months, then auto-deleted
Analytics data in GA4: 14 months (configurable retention, minimum available)
Meta Pixel data: governed by Meta's retention policies, typically 180 days for attribution

6 · Your rights

6.1 · Everyone, everywhere

Access, ask what we have on you, get a copy
Correction, fix anything wrong
Deletion, have everything erased (subject to medical records law exceptions)
Objection, tell us to stop processing your data

6.2 · California residents (CCPA / CPRA)

Under California law you have the right to:

Know what personal information we collect, use, and share
Delete personal information (with some exceptions)
Correct inaccurate personal information
Opt out of the sale or sharing of personal information
Limit use of sensitive personal information
Non-discrimination for exercising these rights

We do not sell your personal information. The "Do Not Sell or Share My Personal Information" link in the footer exists to let you opt out of advertising cookies (Meta Pixel), which under CCPA's broad definition may qualify as "sharing." Clicking it is equivalent to declining the "Advertising" toggle in the cookie banner.

6.3 · Mexican residents (LFPDPPP, ARCO rights)

Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares you have the rights of Access, Rectification, Cancellation, and Opposition (ARCO). The designated controller is Dr. Dan Kopeliovich's clinic. Send ARCO requests to the privacy contact above. We respond within 20 business days.

6.4 · Canadian residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act you have the right to access your personal information, challenge its accuracy, and know how it is used. We disclose that your data may be transferred to Mexico (for clinic operations) and the United States (for analytics infrastructure). You consent to this transfer by submitting the form.

6.5 · EU / EEA residents (GDPR, Phase 2 markets)

Under Regulation (EU) 2016/679 you have the rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with your national supervisory authority. The lawful basis for processing is consent (Article 6(1)(a)) for analytics and advertising, and pre-contractual measures (Article 6(1)(b)) for replying to your consultation request.

7 · Cookies and tracking

We use a minimum of essential cookies (to store your consent choice itself). Analytics and advertising cookies are loaded only after you opt in via the banner. Google Consent Mode v2 is enabled and set to "denied" by default for all non-essential categories.

The cookies used, when enabled:

Google Analytics 4, page views, video engagement, form submissions (conversion tracking)
Meta Pixel, ad effectiveness measurement, lookalike audience building, conversion tracking

You can change your choices at any time by clicking Manage Cookies in the footer.

8 · Security

Data is transmitted over HTTPS (TLS 1.2 or higher). The form submits to Supabase using a public anonymous key with Row Level Security policies that permit only INSERT operations. No lead data is ever readable from the public website. Dashboard access (for clinic operations) uses a separate service-role key that lives only on an operator's machine, never in the browser.

9 · Children

This website and the services described on it are intended for adults 18 years or older. We do not knowingly collect personal information from minors.

10 · Changes to this policy

We may update this policy from time to time. The "Last updated" date above will reflect any change. Material changes will be communicated via the website.

11 · Contact

Questions, requests, or complaints about this policy or how your data is handled:

Privacy contact: dan@drkopeliovich.com
Clinic phone (WhatsApp): [phone-to-fill-in]
Postal address: [clinic-address-to-fill-in], Cancún, Quintana Roo, Mexico