Privacy Policy
This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. We process data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (Data Controller)
Refyn Health Ltd, registered in England & Wales (company no. 15472301), is the data controller for the personal data described in this policy. Contact: privacy@refyn.health.
2. What we collect
We collect three categories of data:
2.1 Account & identity
- Name, email, phone / WhatsApp number, age
- Country of residence, time zone
- Authentication tokens (we don't store passwords — login is via magic link)
2.2 Health-related information
- Procedure(s) of interest, budget, timing, country preferences
- Free-text comments you provide in the quiz or in messages (medical history, prior procedures, revision context, allergies, medications, accessibility needs)
- Photos you upload (e.g. pre-procedure assessment photos for the clinic)
- Consultation notes and clinic communications stored on your dashboard
2.3 Operational data
- Booking history, deposit transactions, itinerary details
- Standard server logs (IP address, browser, timestamps)
- Cookie data (session, preferences — see section 7)
Health information is treated as special category data under UK GDPR. We rely on your explicit consent (Article 9(2)(a)) to process this data for the purpose of arranging your medical travel. You can withdraw consent at any time (see section 8).
3. How we use your data
- To match you with clinics — our matching engine uses procedure, budget, country preference and timing to surface 3 best-fit clinics
- To facilitate your treatment — sharing what's clinically necessary with the clinic you choose, scheduling consultations, organising travel, taking the deposit
- To send service emails — magic-link sign-in, booking confirmations, aftercare follow-ups, dispute resolution
- To improve our service — anonymous, aggregate analytics on what procedures are most-requested, which clinics convert best, common drop-off points in the quiz
- To meet our legal obligations — anti-fraud, anti-money-laundering, tax, regulatory enquiries
Our legal bases under UK GDPR are: explicit consent (special category data), contract performance (delivering the service you signed up for), legitimate interests (improving the platform, fraud prevention), and legal obligations.
4. Who we share it with
4.1 The clinic you choose
Once you click Proceed on a matched clinic, we share with that clinic the information they need to assess and prepare your care: name, email, phone, age, procedure(s) of interest, comments, and any photos you've uploaded. This is shared solely with the clinic you select — never with the others in your match list.
Each clinic is an independent data controller for the data they receive. Their use of your data is governed by their own privacy policy and the data protection laws of the country where they operate. If you have data-protection concerns about a specific clinic, contact them directly.
4.2 Travel suppliers
Where you book travel through Refyn (flights, hotel, transfers), we share your name and trip details with the relevant supplier. We use reputable third-party booking systems and don't retain payment card data on our servers (see section 4.3).
4.3 Service providers
We use the following processors (each bound by data-processing agreements):
- Neon — Postgres database (encrypted at rest, EU region)
- Vercel — application hosting (EU edge)
- Cloudinary — encrypted photo storage
- Resend — transactional email delivery
- Stripe — deposit processing (PCI-DSS Level 1; Refyn does not handle card data)
4.4 We do NOT share your data with:
- Advertising networks or marketing list buyers — ever
- Other clinics (only the one you chose to engage)
- Anyone outside the parties listed above unless required by law
5. International transfers
Because medical tourism inherently involves clinics outside the UK, your data will be transferred to the country of the clinic you select (Turkey, Spain, Poland, Greece, India, Thailand, South Korea, UAE, etc.). Where the country is not covered by a UK adequacy decision, we rely on the clinic's contractual commitment to handle your data in line with UK GDPR-equivalent standards (Standard Contractual Clauses or equivalent safeguards).
You should review the data-handling commitments of the specific clinic you select before confirming a booking. If you have concerns, raise them with us — we will not introduce you to a clinic that does not meet our minimum standards.
6. How long we keep your data
- Active patients: for as long as your account is active
- After a completed booking: 7 years (statutory medical-records retention)
- If you don't book: we delete inactive enquiries after 24 months
- Server logs & analytics: 90 days then anonymised
- Marketing email lists: until you unsubscribe
7. Cookies
We use the minimum cookies needed to run the platform:
- Essential cookies — session, authentication, CSRF protection. These cannot be disabled.
- Analytics cookies — first-party only, no advertising. We use a privacy-first analytics provider that does not require an opt-in cookie banner under PECR.
We don't set advertising or third-party tracking cookies. If we add any in future, we will update this policy and request consent at that time.
8. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectify — correct inaccurate or incomplete data
- Erase — request deletion (subject to legal retention obligations)
- Restrict — pause processing while a dispute is resolved
- Object — object to processing based on legitimate interests
- Portability — receive your data in a machine-readable format
- Withdraw consent — at any time, for any consent-based processing
- Complain — to the Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data
To exercise any of these rights, email privacy@refyn.health. We'll respond within 30 days.
9. Security
We use industry-standard practices: encrypted database connections, encrypted file storage, access-controlled admin tools, hashed authentication tokens, audit logs of sensitive operations, and regular security reviews. Despite this, no internet service is 100% secure; if you suspect a breach affecting your data, contact us immediately.
10. Children's data
Our service is not for individuals under 18. We do not knowingly process data of minors. If you believe a minor has submitted data through our platform, contact us and we'll delete it.
11. Changes to this policy
We may update this policy. Material changes will be notified by email to active patients. The version that applies to your data is the version in force on the date the data was collected, unless a more permissive update is published.
12. Contact
Refyn Health Ltd · Company No. 15472301 · privacy@refyn.health