Privacy Policy

(Draft for Legal Review – Prepared for Body Abroad)

Last Updated: October 22, 2025
Provider: Body Abroad (“Body Abroad”, “we”, “us”, “our”, or the “Company”)
Contact: info@bodyabroad.com / +1 (917) 947-0140
Website: bodyabroad.com

## Plain Language Summary of This Privacy Policy

To promote transparency and accessibility in accordance with EU data protection requirements (e.g., under the General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 and the Unfair Contract Terms Directive 93/13/EEC) and U.S. state privacy laws (e.g., the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)), we provide this simplified overview of key elements. This summary is not a substitute for the full Privacy Policy below—please review it thoroughly. If any aspect is unclear, contact us prior to using our Services.

- **What We Do**: We collect and process personal data (including sensitive health-related information) solely to facilitate non-medical coordination for aesthetic and beauty tourism, such as connecting you with international clinics for procedures like hair transplants or cosmetic enhancements. We do not provide medical services or advice.
- **Data We Collect**: Personal identifiers (e.g., name, email), health details (e.g., medical history for coordination), device info, and usage data. We collect this when you inquire, book, or browse our site.
- **How We Use It**: For service delivery (e.g., clinic referrals), communications, analytics, and legal compliance. Legal bases under GDPR include consent, contract performance, and legitimate interests.
- **Sharing**: With clinics (e.g., in Turkey or Colombia), service providers (e.g., payment processors), and as required by law. No sales of data under CCPA.
- **International Transfers**: Data may go to non-EEA countries; we use safeguards like Standard Contractual Clauses (SCCs).
- **Your Rights**: Under GDPR: access, rectification, erasure, etc. Under CCPA: know, delete, opt-out of sharing, correct, limit sensitive data use. No discrimination for exercising rights.
- **Security**: We use encryption and controls, but no system is infallible.
- **Retention**: As long as needed (e.g., 7 years for records), then deleted.
- **Cookies**: For functionality and analytics; manage via browser.
- **Changes**: Updated for legal or operational reasons—check regularly.
- **Contact**: info@bodyabroad.com / +1 (917) 947-0140. For GDPR: Our Data Protection Officer (DPO). For CCPA: Submit verified requests.

This Policy applies globally but respects your local laws if more protective.

## Preamble and Scope

This Privacy Policy (“Policy”) outlines how Body Abroad, an independent non-medical coordination and facilitation entity specializing in administrative support for medical tourism within the aesthetic and beauty sector (including, but not limited to, referrals for procedures such as hair transplants, cosmetic enhancements, and related logistical arrangements), collects, uses, discloses, stores, protects, and otherwise processes (“Processes”) your Personal Data and Sensitive Personal Data when you access, browse, or interact with our website at bodyabroad.com, digital platforms, mobile applications, email communications, telephonic services, or any ancillary features (collectively, the “Services” or “Platform”).

Body Abroad operates exclusively as a non-medical intermediary, enabling connections between you (“Data Subject”, “User”, “you”, or “your”) and independent third-party clinics (“Clinics”) for informational and logistical purposes only. We do not provide medical advice, diagnoses, treatments, or clinical services. All references to health or aesthetic matters are illustrative and derived from third-party sources, without endorsement or guarantee.

This Policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Austrian Data Protection Act, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws worldwide. It incorporates principles of data minimization, transparency, and accountability. If you are a resident of the European Economic Area (EEA), United Kingdom, Switzerland, California, or other jurisdictions with similar laws, additional rights and protections apply as detailed herein.

By accessing or using the Services, you acknowledge that you have read, understood, and consent to this Policy, including the Processing of your Personal Data as described. If you disagree, do not use the Services. This Policy supplements our Terms and Conditions and is incorporated therein by reference. In case of conflict, this Policy prevails regarding data protection matters.

We reserve the right to amend this Policy for objective reasons, such as legal changes, security enhancements, or technological developments. Amendments are effective upon posting, with notice via email or Platform alert where feasible. Continued use constitutes acceptance.

## Definitions

For clarity, the following terms have these meanings:

- “Personal Data”: Any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) or CCPA §1798.140(o), including identifiers, health information, and inferences.
- “Sensitive Personal Data”: Special categories under GDPR Article 9 (e.g., health data) or sensitive under CCPA §1798.121 (e.g., health, precise geolocation).
- “Processing”: Any operation on Personal Data, automated or not, as per GDPR Article 4(2).
- “Controller”: Body Abroad, determining Processing purposes and means.
- “Processor”: Third parties Processing on our behalf.
- “Data Subject”: You, the individual whose Personal Data we Process.
- “Sale”/“Sharing”: Under CCPA, disclosing for monetary value or cross-context behavioral advertising—we do neither.

## 1. Information We Collect

We collect Personal Data only as necessary for the Services, adhering to data minimization.

1.1. **Data You Provide Voluntarily**:

   - Identifiers: Name, email, phone, address, date of birth, nationality.
   - Health and Sensitive Data: Medical history summaries, allergies, procedure preferences (e.g., for hair transplants), body measurements—for coordination only, with explicit consent under GDPR Article 9(2)(a).
   - Financial Data: Payment details (processed via third-party gateways; we store minimal info).
   - Travel Data: Passport details, itineraries, visa info—for logistical referrals.
   - Other: Inquiries, feedback, preferences.

   Collected via forms, emails, calls, or registrations.

1.2. **Data Collected Automatically**:

   - Device/IP Data: IP address, browser type, OS, device ID.
   - Usage Data: Pages viewed, time spent, clicks, referral sources.
   - Location Data: Inferred from IP (not precise geolocation).
   - Cookies/Trackers: See Section 5.

   Via server logs, analytics tools (e.g., Google Analytics, pseudonymized).

1.3. **Data from Third Parties**:

   - From Clinics: Confirmation of bookings or health summaries (with your consent).
   - From Partners: Travel confirmations.
   - Public Sources: For verification.

We do not collect data from children under 16 without verifiable parental consent (GDPR Article 8; COPPA).

## 2. How We Use Your Personal Data

We Process Personal Data solely for specified, explicit purposes, with lawful bases under GDPR Article 6 and explicit consent for Sensitive Data under Article 9.

2.1. **Purposes and Bases**:

   - Service Delivery (Contract Performance, GDPR Art. 6(1)(b)): Coordinate clinic referrals, schedule appointments, relay non-medical info.
   - Communications (Consent/Legitimate Interests, GDPR Art. 6(1)(a)/(f)): Send updates, confirmations, newsletters about aesthetic tourism.
   - Analytics/Improvement (Legitimate Interests, GDPR Art. 6(1)(f)): Analyze usage to enhance Platform (anonymized where possible).
   - Marketing (Consent, GDPR Art. 6(1)(a)): Personalized offers on beauty procedures (opt-out anytime).
   - Compliance/Legal (Legal Obligation, GDPR Art. 6(1)(c)): Respond to authorities, audits.
   - Security/Fraud (Legitimate Interests, GDPR Art. 6(1)(f)): Detect threats, protect data.
   - Under CCPA: Business purposes (e.g., servicing, auditing, research); no secondary uses without notice.

We conduct Data Protection Impact Assessments (DPIAs) for high-risk Processing (e.g., health data).

No automated decision-making or profiling with legal effects (GDPR Article 22).

## 3. Sharing and Disclosure of Personal Data

We share Personal Data only as necessary, with safeguards.

3.1. **Recipients**:

   - Processors: IT providers (e.g., hosting, analytics)—bound by DPAs (GDPR Article 28).
   - Clinics: Health/personal data for referrals (e.g., to Turkey/Colombia clinics)—with your consent, under SCCs for non-EEA transfers.
   - Partners: Travel agencies, payment processors—limited data.
   - Authorities: For legal compliance (e.g., subpoenas).
   - In Mergers: To successors, with notice.

3.2. **No Sale/Sharing under CCPA**: We do not “sell” or “share” Personal Data for monetary value or advertising. Disclosures are for business purposes only.

3.3. **International Transfers**: To non-EEA countries (e.g., Clinics in Turkey, Colombia), we use SCCs (GDPR Article 46), TIAs post-Schrems II, or adequacy decisions. For CCPA, notice and opt-out apply.

## 4. Data Security

We implement technical/organizational measures (GDPR Article 32; CCPA §1798.150):

- Encryption (TLS for transmission; at-rest for health data).
- Access Controls: Role-based, audits.
- Pseudonymization: For analytics.
- Breach Response: Notify authorities/users per GDPR (72 hours) and CCPA.
- Vendors: Audited for security.

Despite measures, no system is impenetrable; we disclaim absolute security.

## 5. Cookies and Tracking Technologies

We use cookies for functionality, analytics, marketing (see Cookie Policy at bodyabroad.com/cookies).

- Essential: Session management.
- Performance: Google Analytics (IP anonymized).
- Targeting: For personalized ads (consent-based).

Manage via browser or our consent banner (GDPR-compliant). Honor DNT/GPC signals under CCPA.

## 6. Data Retention

Retention is minimized (GDPR Article 5(1)(e)):

- Service Data: 7 years post-interaction (legal/tax reasons).
- Health Data: Until coordination complete + 2 years (safety).
- Marketing: Until consent withdrawn.
- Deletion: Secure erasure; backups purged within 30 days.

## 7. Your Rights

Exercise via info@bodyabroad.com (free, monthly limit if excessive).

7.1. **GDPR Rights (Articles 15-22)**:

   - Access: Copy of data.
   - Rectification: Correct inaccuracies.
   - Erasure: “Right to be forgotten” (if no legal basis).
   - Restriction/Objection: Limit Processing.
   - Portability: Machine-readable format.
   - Withdraw Consent: Anytime, without affecting prior lawfulness.
   - No Automated Decisions: Not applicable.

Response: 1 month (extendable).

7.2. **CCPA/CPRA Rights (§1798.100 et seq.)**:

   - Know: Categories/sources/purposes of data collected/disclosed.
   - Delete: Erase (exceptions e.g., legal).
   - Correct: Inaccuracies.
   - Opt-Out: Of sale/sharing (none, but future-proof).
   - Limit Sensitive Data: Health data use restricted to Services.
   - Non-Discrimination: No penalties.

Verified requests (ID proof); response: 45 days (extendable 45). Authorized agents accepted.

Lodge complaints: EU supervisory authority (e.g., Austrian DSB); CCPA: California AG.

## 8. Children's Privacy

No collection from under-16s without consent (GDPR); under-13s per COPPA. Delete if discovered.

## 9. Do Not Track and Opt-Out Mechanisms

Honor DNT/GPC/UOOM signals as opt-outs (CCPA). No behavioral ads without consent.

## 10. Changes to This Policy

Amended for legal/security reasons; notified via email/Platform. Continued use = acceptance.

## 11. Contact Us

For inquiries/rights:

Body Abroad
info@bodyabroad.com
+1 (917) 947-0140

## Disclaimer Summary

Body Abroad Processes Personal Data solely for non-medical aesthetic tourism coordination. We prioritize GDPR/CCPA compliance but disclaim perfection. Consult professionals for advice. Your use implies consent; withdraw anytime.