01 Who we are
Morpho Health (“we”, “us”, “our”) is a patient-coordination service based in Istanbul, Türkiye. We facilitate access to independent, internationally-accredited clinical partners.
For the purposes of the UK GDPR, EU GDPR, and the Turkish Personal Data Protection Law (KVKK), Morpho Health is the data controller for personal data collected via morphoturkiye.com and through our consultation process.
Questions about this policy or your data? Email contact@morphoturkiye.com.
02 What data we collect
Information you provide
- Identification: first and last name, country of residence.
- Contact: email, phone or WhatsApp number.
- Enquiry details: treatment interest, free-text clinical context you choose to share.
- Consent preferences.
- If you proceed to treatment planning: relevant medical history, imaging (MRI, X-ray, ultrasound), relevant lab results, and other clinical documentation you or your physician shares with us.
Information collected automatically
- IP address, browser type, device type, operating system.
- Pages viewed, session duration, referring source.
- Anonymised analytics events via Google Analytics 4 (measurement ID G-XYMEY924DC).
- Advertising identifiers via Google Ads (tag AW-18101053311) where you have accepted advertising cookies.
Information we receive from partners
Where you give consent to proceed, our clinical partners may share consultation notes, eligibility assessments, and treatment reports with us for aftercare coordination purposes.
03 Why we process your data
- To respond to your enquiry and arrange a clinical consultation, treatment plan, and logistics.
- To coordinate care with partner clinicians, including sharing relevant medical records only with your explicit consent.
- To provide aftercare for the 12-week post-treatment period.
- To comply with medical record-keeping obligations under Turkish law.
- To improve our website and service through aggregated analytics.
- To send follow-up communications where you have opted in.
- To defend legal claims or respond to lawful requests from regulators or courts.
04 Legal basis for processing
- Contract / pre-contractual steps: For processing needed to respond to your enquiry and deliver the service you have requested.
- Consent: For sharing medical data with clinical partners, for marketing communications, and for non-essential cookies. You may withdraw consent at any time.
- Legitimate interests: For website analytics, service improvement, fraud prevention, and defending legal claims — where these interests are not overridden by your rights and freedoms.
- Legal obligation: For medical record retention and for responding to lawful regulatory requests.
05 Who we share data with
We share your data only when necessary, and only with:
- Treating clinical partners in Türkiye, and only the clinical data relevant to your care.
- Travel and accommodation providers — typically only your name, arrival/departure dates, and companion details if relevant — strictly to arrange your stay.
- Service providers such as our email host, website analytics provider, hosting provider, and CRM platform, each bound by a written data-processing agreement.
- Regulatory bodies or courts where required by law.
We do not sell your personal data. We do not use your data for third-party advertising beyond our own retargeting campaigns, which use Google Ads identifiers (where you accept advertising cookies).
06 International data transfers
Your data may be transferred to and processed in:
- Türkiye, for the purposes of coordinating your treatment and storing medical records in line with Turkish regulatory obligations.
- The United States, for analytics and advertising services (Google LLC).
Where we transfer data outside the UK or EEA, we rely on appropriate safeguards including the UK-US Data Bridge, EU Standard Contractual Clauses, and your explicit consent where required.
07 How long we keep your data
- Enquiry data (no plan agreed): Retained for up to 12 months, then deleted.
- Active patient records: Retained for 10 years following your last treatment, in line with Turkish medical record obligations. Then deleted or pseudonymised.
- Financial and invoicing data: Retained as required by Turkish and UK accounting obligations (typically 7–10 years).
- Analytics data: Retained for the period configured in Google Analytics 4 (currently 14 months for user-level data).
- Marketing preferences: Retained until you withdraw consent.
08 Your rights
Under UK GDPR, EU GDPR, and Turkish KVKK, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request erasure (the “right to be forgotten”), subject to legal retention obligations.
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time (this does not affect processing before withdrawal).
- Lodge a complaint with a supervisory authority — the UK Information Commissioner's Office, your local EU DPA, or the Turkish KVKK.
How to exercise your rights
Email contact@morphoturkiye.com with your request. We aim to respond within one calendar month. For requests that require identity verification, we may ask for proof of identity before disclosing personal data.
09 Cookies and analytics
We use three categories of cookies and similar technologies:
- Strictly necessary: Required for site operation — e.g. maintaining form state during submission. Cannot be disabled.
- Analytics (Google Analytics 4): Tracks aggregated, anonymised usage so we can improve the site. Measurement ID: G-XYMEY924DC.
- Advertising (Google Ads): Used for retargeting and conversion measurement. Tag ID: AW-18101053311.
You can manage cookies via your browser settings. Disabling non-essential cookies does not affect your ability to use the site or submit an enquiry.
10 Security
We protect your data using:
- Encryption in transit (TLS/HTTPS) across the site and all communications.
- Access controls, with clinical records accessible only to staff and clinicians involved in your care.
- Audit logging for sensitive data access.
- Minimum-necessary retention principles.
No system is perfectly secure. In the unlikely event of a breach affecting your rights or freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR, and notify affected individuals without undue delay.
11 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, our services, or our operations. The “Last updated” date at the top of this page reflects the date of the most recent change. Material changes affecting active patients will be communicated directly.
12 Contact
Questions, complaints, or requests about this policy or your personal data:
Email: contact@morphoturkiye.com
Subject line: Data request — [your name]
If you are based in the UK or EEA and are unhappy with our response, you have the right to complain to your local data protection authority.