Privacy Policy
Last Updated: March 21, 2026
1. Introduction
Astramedica LLC ("Astramedica," "we," "us," or "our") operates the website astramedica.com (the "Platform"). We are a medical-tourism coordination company that connects prospective patients with vetted partner clinics and healthcare facilities in Turkey.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have regarding your data. By using the Platform you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.
2. Data Controller
The responsible data controller for processing carried out via this Platform is:
Astramedica LLC
1500 Cornerside Blvd Ste 400
Tysons, VA 22182
United States
Email: info@astramedica.com
Phone: +1 202 500 5004
For any questions regarding data protection or to exercise your rights, please contact us at info@astramedica.com.
3. Our Services & Role
Astramedica is a medical-tourism coordination platform. We are not a hospital, clinic, or licensed healthcare provider. We do not provide medical advice, diagnosis, or program recommendations. We facilitate introductions between you and qualified partner clinics in Turkey and assist with logistics such as travel planning, scheduling, and concierge services.
Any medical decisions, programs, or procedures are between you and the partner clinic. Partner clinics operate under their own licenses, data-protection policies, and applicable Turkish healthcare regulations.
4. Age Restriction
Our services are intended exclusively for individuals aged 18 years and older. We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, do not use this Platform, do not submit any forms, and do not interact with our AI assistant.
If we become aware that we have collected personal data from a person under 18, we will promptly delete that data and terminate the associated account or session. If you believe a minor has provided us with personal data, please contact us immediately at info@astramedica.com.
5. Protected Health Information (PHI) Disclaimer
IMPORTANT NOTICE
Do NOT submit Protected Health Information (PHI), sensitive medical records, lab results, prescription details, or other confidential health data through any form, chat, or communication channel on this Platform.
While our consultation request form and AI assistant may ask general questions about the type of procedure you are interested in, these channels are not designed, secured, or intended for the transmission of detailed medical records or PHI as defined under HIPAA or equivalent regulations.
Astramedica disclaims all liability for any PHI or sensitive medical data voluntarily submitted by users through the Platform. If detailed medical information is required for your care, our team will coordinate a secure channel with the partner clinic directly.
STEM CELL & EXOSOME PROGRAMS
Certain programs coordinated through our Platform—including but not limited to the Stem Cell Program, Exosome IV Program, and PRP & Skin Program—involve the use of stem cells, exosomes, or other biological products that are not approved by the U.S. Food and Drug Administration (FDA) for any therapeutic use. These programs are administered by independent, licensed physicians at partner clinics in Turkey. Astramedica does not provide, administer, or supervise any medical procedures. Individual results may vary.
6. Personal Data We Collect
We collect personal data that you voluntarily provide and data collected automatically when you use the Platform.
6.1 Data You Provide
- Consultation Request Form: First name, last name, email address, phone number, service of interest, and an optional free-text message. Some noindex landing pages may instead ask non-medical planning questions such as preferred timing, communication channel, contact window, timezone, and program priorities.
- AI Assistant (Chatbot): The text of your conversation, including any questions or details you choose to share. Before using the AI assistant, you must confirm that you are 18 or older and that you accept this Privacy Policy and our Terms & Conditions. Your consent acknowledgment is recorded.
- Consent Records: Records of your acceptance of this Privacy Policy, Terms & Conditions, age confirmation, health-data processing consent (VCDPA), cookie preferences, and communication consents that apply to your chosen contact channel (including SMS, WhatsApp, or phone consent where required).
- Email Communications: Any information you provide when you email us directly.
6.2 Data Collected Automatically
- Usage Analytics: Page views, referral sources, device type, browser type, operating system, country-level geolocation, and session duration (collected via Vercel Analytics and Speed Insights).
- Cookies & Browser Storage: Functional browser storage for cookie-consent preferences, and session-based chatbot identifiers and temporary chat continuity. See Section 12 for details.
- Server Logs: IP address, request timestamps, request path, and HTTP status codes retained by our hosting provider.
7. How We Use Your Data
We process your personal data for the following purposes:
- Consultation Processing: To receive, review, and respond to your consultation requests; to match you with appropriate partner clinics; and to facilitate scheduling, contact-window preferences, and logistics.
- Operations & Planning: To coordinate appointments, travel arrangements, cost estimates, and post-procedure follow-up with partner clinics on your behalf.
- AI Assistant: To power our AI-driven concierge chatbot that answers your questions and guides you through the consultation process.
- Communication: To respond to your inquiry, coordinate follow-up, and share relevant information you have requested.
- Fraud & Abuse Prevention: To detect and prevent fraudulent, abusive, or unauthorized use of the Platform, including chatbot abuse.
- Site Improvement: To analyze aggregated, anonymized usage data to improve Platform performance, user experience, and service offerings.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
8. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as by submitting a consultation form, accepting cookies, or agreeing to our chatbot terms before initiating a conversation.
- Contract Performance (Art. 6(1)(b) GDPR): Where processing is necessary to fulfill a service you have requested, such as coordinating your medical-tourism consultation.
- Legitimate Interests (Art. 6(1)(f) GDPR): Where processing is necessary for our legitimate business interests (e.g., fraud prevention, platform security, service improvement), provided these interests are not overridden by your rights and freedoms.
- Legal Obligation (Art. 6(1)(c) GDPR): Where processing is required to comply with a legal obligation to which we are subject.
You may withdraw your consent at any time by contacting us at info@astramedica.com. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
9. Disclosure & Sharing of Personal Data
We may share your personal data with the following categories of recipients:
9.1 Partner Clinics
When you submit a consultation request, your name, contact details, service interest, and message may be shared with one or more partner clinics and healthcare facilities in Turkey that offer the services you are interested in. These clinics are independent entities and process your data under their own privacy policies and applicable Turkish law.
9.2 Service Providers & Processors
We engage trusted third-party service providers who process data on our behalf, under our instructions and subject to contractual obligations of confidentiality and security. These include, but are not limited to:
| Provider | Purpose | Data Location |
|---|---|---|
| Vercel Inc. | Website hosting, analytics & performance monitoring | United States |
| Supabase Inc. | Database hosting & file storage | United States |
| AI Model Providers* | AI-powered chatbot responses | United States / varies |
| Zoho Corporation | CRM lead management and operational follow-up | United States / EU / varies |
*AI chatbot functionality is powered through API services (currently via OpenRouter) that may route requests to various large-language-model providers (e.g., OpenAI, Anthropic, Google, Meta, Xiaomi, and others). The specific model and provider may change over time to improve quality and performance. All providers are bound by their respective data-processing agreements.
**We may use limited additional business tools for scheduling, invoicing, and internal operations. These tools process data under our instructions and their respective privacy policies.
9.3 Legal & Safety Disclosures
We may disclose personal data if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect the rights, safety, or property of Astramedica, our users, or the public.
9.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify affected users before their data becomes subject to a different privacy policy.
10. AI-Powered Chatbot
Our Platform features an AI-powered assistant ("Astra AI") designed to answer general questions and guide you through the consultation process.
- Consent Required: Before you can use Astra AI, you must confirm that you are at least 18 years old and accept this Privacy Policy and our Terms & Conditions. Your consent acknowledgment, session identifier, and timestamp are stored in our database.
- Data Logged: Your conversation messages (both your inputs and the AI responses) are logged and stored for service improvement, quality assurance, fraud prevention, and potential follow-up.
- Temporary Browser Session Storage: To preserve continuity during your active visit, the chatbot may store a temporary session identifier, consent state, and recent message history in your browser's session storage. This temporary browser data is cleared when the browser tab or browser session is closed.
- Lead Extraction: If you voluntarily provide contact information (email or phone) within the chat, we may extract and store it to follow up on your inquiry.
- No Medical Advice: Astra AI does not provide medical advice, diagnosis, or program recommendations. Responses are for informational and navigation purposes only.
- PHI Prohibition: Do not share Protected Health Information, medical records, or sensitive health data through the chatbot. Astramedica disclaims liability for any such data voluntarily submitted.
- Third-Party Processing: Your chat messages are transmitted to third-party AI model providers for processing. These providers may temporarily process message content but are contractually prohibited from using your data to train their models (where such contractual provisions are available).
11. International Data Transfers
Astramedica is based in the United States. Your personal data may be transferred to, stored in, and processed in the United States and other countries where our service providers operate, including Turkey (for partner-clinic communications).
For transfers from the EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms under GDPR. By using the Platform, you acknowledge and consent to the transfer of your data to jurisdictions that may have different data-protection standards than your own.
12. Cookies & Tracking Technologies
We use a limited number of cookies and browser-storage items on the Platform:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| astramedica_cookie_consent | Local Storage | Stores your cookie preference | Persistent |
| astramedica_chat_session_id | Session Storage | Unique chatbot session identifier | Browser session |
| astramedica_chat_consent | Session Storage | Records chatbot consent (privacy + age) | Browser session |
| astramedica_chat_messages_<sessionId> | Session Storage | Temporarily preserves chat continuity during the active visit | Browser session |
| Vercel Analytics | Script / Beacon | Anonymous page-view analytics & performance monitoring | Session |
Opting Out: When you first visit the Platform, a cookie-consent banner will appear. You may accept or decline non-essential cookies. If you decline, Vercel Analytics and Speed Insights scripts will not be loaded. You can change your cookie preference at any time by clearing your browser's local storage for this site. Temporary chatbot session data is cleared automatically when your browser tab or browser session is closed.
We do not use advertising cookies, retargeting pixels, social-media tracking plugins, or any other third-party marketing trackers.
13. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period |
|---|---|
| Consultation enquiries | 7 years from submission |
| Chatbot conversations & sessions | 3 years from last activity |
| Consent records | Duration of consent + 3 years |
| CRM lead and follow-up records | 2 years (managed through business systems) |
| Analytics data | As determined by provider (Vercel); aggregated & anonymous |
| Server logs | 90 days (managed by hosting provider) |
Upon expiration of the applicable retention period, personal data is securely deleted or anonymized. If you request deletion earlier, we will comply within 30 days, subject to any legal obligations to retain certain data.
14. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- TLS/SSL encryption for all data transmitted between your browser and our servers.
- Encrypted database connections and role-based access controls.
- Regular security reviews of our service providers and infrastructure.
- Content Security Policy (CSP) headers to mitigate cross-site scripting and injection attacks.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot ensure absolute security.
15. Your Rights
15.1 Rights for All Users
Regardless of your location, you may:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Withdraw Consent: Withdraw previously given consent at any time.
To exercise any of these rights, email us at info@astramedica.com with your full name and email address associated with your inquiry. We may request additional information to verify your identity before processing your request. We will respond within 30 days.
15.2 Additional Rights for EEA/UK Residents (GDPR)
If you are located in the EEA or UK, you additionally have the right to:
- Restriction: Request restriction of processing under certain circumstances (Art. 18 GDPR).
- Data Portability: Receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
- Object: Object to processing based on legitimate interests or for direct marketing purposes (Art. 21 GDPR).
- Supervisory Authority: Lodge a complaint with your local data-protection supervisory authority (Art. 77 GDPR).
15.3 Additional Rights for Virginia Residents (VCDPA)
If you are a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act (VCDPA):
- Right to Know: Confirm whether we are processing your personal data and access that data.
- Right to Correct: Request correction of inaccuracies in your personal data.
- Right to Delete: Request deletion of personal data you have provided to us.
- Right to Data Portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to Opt Out: Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling. Astramedica does not sell personal data, engage in targeted advertising, or profile users.
- Sensitive Data: Under the VCDPA, health-related information is classified as "sensitive data." We collect health-related data (such as your medical service interest) only with your explicit opt-in consent via the health-data consent checkbox on our consultation form.
To exercise your VCDPA rights, email info@astramedica.com with the subject line "VCDPA Request." We will verify your identity and respond within 45 days. If we decline your request, you may appeal by contacting us. If you are not satisfied with the outcome of an appeal, you may file a complaint with the Virginia Attorney General.
15.4 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a CCPA/CPRA request, email info@astramedica.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
Do Not Sell or Share My Personal Information: Astramedica does not sell personal information and does not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
16. Third-Party Links
The Platform may contain links to third-party websites or services (e.g., partner-clinic websites). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data.
17. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, notify you via email or a prominent notice on the Platform. Your continued use of the Platform after any changes constitutes acceptance of the updated Privacy Policy.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Astramedica LLC
1500 Cornerside Blvd Ste 400, Tysons, VA 22182
Email: info@astramedica.com
Phone: +1 202 500 5004
