Privacy Policy
1. Introduction
Welcome to Expadus Health ("we", "us", "our"), operated by ELENA PERVA Ltd., a company registered in Bulgaria. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website expadushealth.com, our mobile application, and related services (collectively, the "Services").
We are committed to protecting your privacy and ensuring transparency in how we handle your personal information in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Bulgarian Personal Data Protection Act, and other applicable data protection laws.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
ELENA PERVA Ltd.
Country: Bulgaria
Website: expadushealth.com
Email: privacy@expadushealth.com
For all data protection inquiries, please contact us at the email address above.
3. What Personal Data We Collect
3.1 Information You Provide Directly
| Category | Data Collected | When Collected |
|---|---|---|
| Account Registration | First name, last name, email address, phone number, password (encrypted), country, city | When you create an account |
| Company Registration | Company name, company email, company phone, in addition to personal data above | When registering as a facility/company partner |
| Contact & Inquiry Forms | First name, last name, email, phone, country, preferred contact method, medical condition category, travel period preference, message | When you submit a contact form or inquiry |
| Booking & Appointments | Guest name, email, phone, country, scheduled date/time, timezone, purpose of visit, disease/illness type, notes | When you book an appointment or consultation |
| Reviews | Review text, ratings (overall, facilities, staff, value, cleanliness, location) | When you submit a review |
| Newsletter Subscription | Email address, name (optional) | When you subscribe to our newsletter |
| Live Chat | Name, email, phone (all optional), chat messages, uploaded images | When you use our live chat feature |
| Video Consultations | Join/leave timestamps, video session duration, participation status | When you participate in a video consultation |
| Profile Updates | Avatar/profile photo, bio, language preference, notification preferences | When you update your account settings |
3.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Technical Data | IP address, browser type and version, user agent string, operating system, device type | Security, analytics, and service optimisation |
| Usage Data | Pages visited, referring URL, time spent on pages, navigation paths | Understanding how users interact with our Services |
| Cookie Data | Session identifiers, preference cookies, analytics cookies | See our Cookie Policy for full details |
| Device Data | Device model, OS version, app version, push notification tokens | Mobile app functionality and push notifications |
3.3 Sensitive / Special Category Data
Our Services relate to health, wellness, and medical SPA tourism. When you submit an inquiry or booking, you may voluntarily provide information about your medical conditions, health concerns, or treatment preferences. This constitutes special category data under GDPR Article 9.
We process this data only with your explicit consent, which you provide when submitting an inquiry form or booking request. This information is used solely to match you with appropriate facilities and treatments. You are never required to provide medical information to use our general Services.
4. How We Use Your Personal Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| To create and manage your account | Performance of contract (Art. 6(1)(b)) |
| To process your inquiries and connect you with facilities | Performance of contract (Art. 6(1)(b)) |
| To manage bookings and video consultations | Performance of contract (Art. 6(1)(b)) |
| To send transactional emails (booking confirmations, reminders) | Performance of contract (Art. 6(1)(b)) |
| To send newsletters and marketing communications | Consent (Art. 6(1)(a)) |
| To process medical condition information for facility matching | Explicit consent (Art. 9(2)(a)) |
| To provide live chat support and AI-assisted responses | Legitimate interest (Art. 6(1)(f)) |
| To analyse website traffic and improve our Services | Legitimate interest (Art. 6(1)(f)) |
| To prevent fraud, spam, and abuse | Legitimate interest (Art. 6(1)(f)) |
| To comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| To send push notifications (mobile app) | Consent (Art. 6(1)(a)) |
5. AI-Powered Chat
Our live chat feature uses artificial intelligence to provide initial responses and assist with your inquiries. When you use the chat:
- Your messages are processed by AI systems to generate helpful responses
- If you upload images, these may be analysed by AI for relevant context
- Chat conversations are stored and may be reviewed by our team for quality assurance
- An admin team member may take over the conversation at any time
- Chat sessions are subject to spam detection and rate limiting for security
You can request deletion of your chat history at any time by contacting us.
6. How We Share Your Data
We do not sell your personal data. We may share your data with the following categories of recipients:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Partner Facilities & Sanatoriums | To process your inquiries and bookings with specific facilities | Only the data necessary for your inquiry/booking is shared |
| Email Service Providers | To deliver transactional and marketing emails | Data processing agreements in place; GDPR-compliant providers |
| Analytics Providers | Google Analytics, Facebook Pixel (with your consent) | Data anonymisation where possible; consent-based |
| Cloud Hosting | Server infrastructure and data storage | Servers located in the EU/EEA where possible |
| Push Notification Services | Firebase Cloud Messaging for mobile notifications | Google's data protection terms apply |
| Video Conference Provider | Jitsi for video consultations | Open-source, self-hostable platform |
| Legal Authorities | When required by law or to protect our legal rights | Only as legally required |
7. International Data Transfers
Some of our third-party service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account, plus up to 30 days for backup removal |
| Inquiry and contact data | Up to 3 years after last interaction, or until you request deletion |
| Booking data | Up to 5 years for legal and tax compliance |
| Chat conversations | Up to 2 years, or until you request deletion |
| Newsletter subscription data | Until you unsubscribe |
| Analytics data | Up to 26 months (aggregated data may be retained indefinitely) |
| Email campaign engagement data | Up to 3 years |
| Password reset / verification tokens | Automatically expire and are deleted within 24 hours |
| Server logs | Up to 90 days |
9. Your Rights Under GDPR
As a data subject, you have the following rights:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of all personal data we hold about you |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Right to Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Right to Restrict Processing (Art. 18) | Request limitation of how we process your data |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior lawful processing |
| Right to Lodge a Complaint | File a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or your local supervisory authority |
To exercise any of these rights, please contact us at privacy@expadushealth.com. We will respond within 30 days of receiving your request.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption: Passwords are hashed using bcrypt with salt rounds; data transmitted over HTTPS/TLS
- Access Controls: Role-based access (User, Company, Admin) with authentication required for sensitive operations
- Rate Limiting: Protection against brute-force attacks on registration, login, contact forms, and chat
- CAPTCHA: Bot protection on registration, contact, review, and newsletter forms
- Input Sanitisation: Protection against XSS and injection attacks
- Regular Updates: Security patches and dependency updates applied regularly
While we take every reasonable precaution, no method of transmission or storage is 100% secure. If you become aware of any security breach, please notify us immediately.
11. Children's Privacy
Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly.
12. Third-Party Links
Our website may contain links to third-party websites, including partner facility websites, social media platforms, and external resources. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users via email for significant changes
- Display a notice on our website
We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ELENA PERVA Ltd.
Email: privacy@expadushealth.com
Website: expadushealth.com/contact
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP):
Website: www.cpdp.bg
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Last Updated: March 31, 2026