naftalan.health | Privacy Policy

PRIVACY POLICY

Platform naftalan.health

Last updated: 06.06.2025 | Version: 1.0

Alexandr Umanet | naftalan.health

This Privacy Policy (the "Policy") sets out how Alexandr Umanet (the "Operator") collects, uses, stores, and protects the personal data of visitors and clients of the platform naftalan.health (the "Platform").

This Policy applies in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as applicable data protection legislation in Israel (Protection of Privacy Law, 5741-1981) and Turkey (Law on Protection of Personal Data No. 6698, KVKK).

By accessing or using naftalan.health, you confirm that you have read, understood, and accepted this Policy. If you do not agree with its terms, please do not use the Platform.

1. Operator Identification

Operator: Alexandr Umanet
Platform: naftalan.health
Email: info@naftalan.health
Location: Chișinău, Republic of Moldova
Supervisory Authority (EU): Your national data protection authority — edpb.europa.eu/about-edpb/board/members_en
Supervisory Authority (IL): Privacy Protection Authority — gov.il/en/departments/the_privacy_protection_authority
Supervisory Authority (TR): Personal Data Protection Authority (KVKK) — kvkk.gov.tr

2. Definitions

For the purposes of this Policy, the following terms have the meanings set out below:

  • "Personal data" — any information relating to an identified or identifiable natural person (name, date of birth, phone number, email address, passport data, health information, etc.);

  • "Operator" / "Data Controller" — Alexandr Umanet, the individual who determines the purposes and means of processing personal data;

  • "User" — any natural person who accesses or interacts with naftalan.health, whether or not they proceed to payment;

  • "Client" — a User who has paid the €150 service fee and entered into a Service Agreement with the Operator;

  • "Processing" — any operation performed on personal data: collection, recording, storage, modification, extraction, use, transmission, deletion, etc.;

  • "Sensitive data" — data relating to health status, which benefit from an elevated level of protection under GDPR Article 9;

  • "Cookie" — a small data file stored on the User's device when visiting the Platform.

3. Data Collected and Purpose of Collection

3.1. Data Provided Directly by the User

When using naftalan.health, the Operator may collect the following categories of personal data provided directly by the User:

  • Full name — for identification and service coordination purposes;

  • Date of birth — to assess eligibility and suitability for Naftalan oil therapy;

  • Contact phone number — for communication regarding coordination, scheduling, and on-the-ground support;

  • Email address — for sending booking confirmations, the Service Agreement, and relevant trip information;

  • Passport or identity document number, series, and expiry date — required for flight optimisation and sanatorium access arrangements;

  • Payment data — in the case of online payment via Stripe or PayPal; the Operator does not store card or payment account data;

  • Health background information — shared voluntarily by the Client during the personalised medical orientation consultation (verbally, by email, or via messaging), for the exclusive purpose of tailoring the sanatorium and treatment recommendation. This constitutes sensitive data under GDPR Article 9.

3.2. Data Shared During Coordination

Throughout the coordination process — conducted via email (Zoho Mail), WhatsApp, Telegram, and phone calls — the Client may share additional personal data relevant to their trip, including travel preferences, health updates, travel document details, and logistical information. All such data is treated with the same level of protection as data collected through the Platform's booking form.

The Client is advised not to share sensitive financial data (card numbers, banking passwords) through messaging platforms. Payment is processed exclusively through Stripe or PayPal.

3.3. Health Data — Special Category

Health information shared by the Client constitutes special category data under GDPR Article 9 and benefits from the highest level of protection. It is collected exclusively:

  • During the personalised medical orientation consultation, to assess suitability for Naftalan oil therapy and to recommend the most appropriate sanatorium and treatment programme;

  • When required by the sanatorium for the purposes of medical intake.

The legal basis for processing health data is the Client's explicit consent, given at the time of the medical orientation consultation. Health data is never shared with third parties beyond the booked sanatorium, and only to the extent necessary for medical intake.

3.4. Data Collected Automatically

When accessing naftalan.health, the system may automatically collect the following technical data, without directly identifying the User:

  • IP address of the device;

  • Browser type and version;

  • Operating system;

  • Pages visited and session duration;

  • Traffic source (how you arrived at the Platform);

  • General geolocation (country / city level), derived from IP address.

This data is collected via traffic analysis tools (Google Analytics) and cookies, described in detail in Section 9 of this Policy.

4. Legal Basis for Processing

The Operator processes personal data on the following legal bases under the GDPR:

Legal Basis | Scope of Application
Performance of a contract (Art. 6(1)(b)) | Processing necessary for the conclusion and performance of the Service Agreement: booking, coordination, sanatorium referral, trip documentation.
Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Processing of health data; activation of marketing/analytics cookies; use of messaging platforms for coordination.
Legal obligation (Art. 6(1)(c)) | Retention of financial and fiscal records in accordance with applicable law.
Legitimate interest (Art. 6(1)(f)) | Improvement of Platform services; fraud prevention; web traffic analysis.

5. Purposes of Processing

Personal data collected through naftalan.health is processed exclusively for the following purposes:

  • Processing and managing bookings for the Naftalan Health Navigator service;

  • Conducting the personalised medical orientation consultation and preparing the sanatorium recommendation;

  • Communicating with the Client regarding coordination, scheduling, documentation, and on-the-ground support;

  • Transmitting necessary data to the booked sanatorium and, where applicable, to airlines and transfer operators (see Section 6);

  • Issuing the Service Agreement and managing related documentation;

  • Processing payments via Stripe and PayPal;

  • Personalising Platform content and improving the user experience;

  • Analysing Platform traffic and user behaviour (Google Analytics);

  • Sending marketing communications and advertising retargeting, exclusively with prior consent;

  • Resolving disputes and managing complaints;

  • Fulfilling the Operator's legal obligations.

6. Transfer of Data to Third Parties

6.1. Booked Sanatorium

To finalise the Client's reservation and ensure access to contracted services, the Operator transmits to the booked sanatorium the minimum data necessary for medical intake and accommodation: full name, date of birth, contact phone number, and, where required by the sanatorium's medical protocol, relevant health background information (with Client consent).

Sanatoriums operating in Naftalan, Azerbaijan with which the Operator works include:

  • Sanatorium Sehirli (Волшебный Нафталан), Naftalan, Azerbaijan;

  • Sanatorium Karvan, Naftalan, Azerbaijan;

  • Sanatorium Nur Naftalan, Naftalan, Azerbaijan;

  • Sanatorium Nafta, Naftalan, Azerbaijan;

  • Sanatorium Sun City, Naftalan, Azerbaijan;

  • Sanatorium Park Naftalan, Naftalan, Azerbaijan;

  • Sanatorium Chinar Health, Naftalan, Azerbaijan.

Only the sanatorium confirmed for the Client's stay will receive their data. Transfer is made on the basis of contract performance and is limited to data strictly necessary for the provision of the booked services. Each sanatorium is contractually obliged to protect transmitted data and use it exclusively for the Client's intake and care.

Data transfers to the Republic of Azerbaijan (a third country under GDPR) are made on the basis of contract performance (GDPR Art. 49(1)(b)) and the Client's explicit consent where health data is involved.

6.2. Airlines and Transfer Operators

Where the Operator assists with flight optimisation or transfer arrangements as part of the coordination service, the Client's name and passport details may be shared with the relevant airline or transfer operator, solely for the purpose of booking or confirming the Client's reservation. The Client is informed of such sharing prior to data transmission.

6.3. Technical Service Providers

The Operator uses the following third-party technical service providers, who may process data as data processors:

  • Lovable — the hosting platform on which naftalan.health runs. Data may be stored on this provider's servers. Users are encouraged to consult Lovable's privacy policy for infrastructure details;

  • Zoho Corporation (Zoho Mail) — email service used for client communication. Data processed in accordance with Zoho's privacy policy: zoho.com/privacy.html. Zoho is GDPR-compliant and offers EU data residency options;

  • Meta Platforms Inc. (WhatsApp) — messaging platform used during coordination. Client data shared via WhatsApp is subject to Meta's privacy policy: whatsapp.com/legal/privacy-policy;

  • Telegram Messenger Inc. (Telegram) — messaging platform used during coordination. Subject to Telegram's privacy policy: telegram.org/privacy;

  • Google LLC (Google Analytics) — web traffic analysis tool. Data may be transferred to Google servers outside the EU under Standard Contractual Clauses. IP anonymisation is enabled. See: policies.google.com/privacy;

  • Stripe Payments Europe Ltd (Stripe) — payment processing. See: stripe.com/privacy;

  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (PayPal) — payment processing. See: paypal.com/webapps/mpp/ua/privacy-full.

The Operator does not sell, rent, or otherwise commercially transfer Users' personal data to third parties for their own commercial purposes.

6.4. Public Authorities

The Operator may disclose personal data to competent authorities (law enforcement bodies, courts, supervisory authorities) in the following situations:

  • In response to lawful requests (subpoenas, court orders, regulatory requests);

  • Where disclosure is necessary to protect the legitimate rights and interests of the Operator;

  • Where there are reasonable grounds to suspect fraud or illegal activities.

7. Data Retention Periods

The Operator retains personal data for the periods indicated below, after which it is deleted or irreversibly anonymised:

Data Category | Retention Period
Booking form data and Service Agreement | 2 years from the date of the Client's return from the sanatorium
Payment records and fiscal documents | As required by applicable law (minimum 5 years)
Health data shared during consultation | 2 years from the date of the consultation, then deleted
Coordination correspondence (email, messaging) | 2 years from the date of the Client's return
Technical data (logs, IP, analytics) | Max. 26 months (per Google Analytics policy)
Marketing consent records | Until consent is withdrawn, then deleted within 30 days

Upon expiry of the retention period, data is deleted or anonymised, unless a longer retention period is required by applicable law.

8. Rights of Users

In accordance with the GDPR (and equivalent provisions under Israeli and Turkish law), Users have the following rights regarding their personal data:

  • Right of access — the right to obtain confirmation of processing and to receive a copy of their data;

  • Right to rectification — the right to request correction of inaccurate or incomplete data;

  • Right to erasure ("right to be forgotten") — the right to request deletion of data when it is no longer necessary for the purpose for which it was collected, or when consent is withdrawn, subject to legal retention obligations;

  • Right to restriction of processing — the right to request limitation of processing in certain circumstances;

  • Right to data portability — the right to receive data in a structured, commonly used, machine-readable format;

  • Right to object — the right to object to processing for direct marketing purposes or on the basis of the Operator's legitimate interest;

  • Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out prior to withdrawal;

  • Right to lodge a complaint — with the competent supervisory authority in your country of residence (see Section 1 for authority contacts).

To exercise any of these rights, submit a written request to: info@naftalan.health. The Operator will respond within 30 calendar days of receipt.

9. Cookies and Tracking Technologies

9.1. What Are Cookies

Cookies are small data files stored on the User's device when visiting naftalan.health. They allow the Platform to remember preferences, analyse traffic, and optimise the browsing experience.

9.2. Types of Cookies Used

  • Strictly necessary cookies — essential for basic Platform functionality (session, security, consent storage). Cannot be disabled;

  • Analytics cookies (Google Analytics) — collect anonymised information about how Users interact with the Platform. Processed by Google LLC as a data processor;

  • Marketing and retargeting cookies (Meta/Facebook Pixel) — used to display relevant ads to Users who have previously visited the Platform. Activated exclusively with User consent;

  • Payment cookies (Stripe, PayPal) — set during the payment process for fraud prevention and secure transaction management. Required for contract performance.

Full details of all cookies used, their providers, duration, and legal basis are provided in the separate Cookies Policy at: naftalan.health/cookies-policy.

9.3. Managing Cookies

Users may manage their cookie preferences through:

  • The cookie consent banner shown on first visit to naftalan.health;

  • The "Cookie Settings" link in the website footer;

  • Browser security or privacy settings.

Note: disabling strictly necessary cookies may affect the correct functioning of naftalan.health, including the ability to complete bookings and payments.

10. Data Security

The Operator implements appropriate technical and organisational measures to protect personal data against loss, unauthorised access, disclosure, modification, or destruction. Measures in place include:

  • Encrypted connections via HTTPS/SSL (active SSL certificate on naftalan.health);

  • Access to personal data is limited exclusively to the Operator and, where necessary, to contracted service providers acting under data processing obligations;

  • Payment card data is not stored by the Operator — all transactions are processed through Stripe and PayPal's secure infrastructure;

  • Health data shared during coordination is stored in Zoho Mail with access restricted to the Operator;

  • Coordination correspondence on WhatsApp and Telegram is subject to end-to-end encryption provided by those platforms.

While no digital platform can guarantee absolute security, the Operator takes all reasonable steps to minimise risks. In the event of a personal data breach affecting Users, the Operator will notify the competent supervisory authority and affected Users in accordance with GDPR Article 33 and applicable law.

11. Links to Third-Party Websites

naftalan.health may contain hyperlinks to third-party websites (airlines, sanatoriums, travel authorities, etc.), provided for informational purposes only. This Privacy Policy does not apply to third-party sites. The Operator assumes no responsibility for their privacy practices. Users are encouraged to consult the privacy policies of any third-party site they visit.

12. Data Relating to Minors

naftalan.health is not directed at persons under 18 years of age. The Operator does not knowingly collect personal data from minors. Where a booking involves a minor travelling with a Client, the Client (as parent or legal guardian) provides the minor's identification data strictly for trip configuration and coordination purposes. The Operator does not process minors' data for any other purpose.

13. Updates to This Privacy Policy

The Operator reserves the right to update this Privacy Policy at any time, in response to legislative, technical, or operational changes. The updated version will be published at naftalan.health/privacy-policy with the effective date indicated.

For material changes affecting Users' rights, the Operator will make reasonable efforts to notify Users via the Platform or by email where an address is available. Continued use of naftalan.health after publication of changes constitutes acceptance of the revised Policy.

14. Contact Details

For any questions, requests, or complaints regarding the processing of personal data, Users may contact the Operator as follows:

Operator: Alexandr Umanet
Email: info@naftalan.health
Platform: naftalan.health
Privacy Policy: naftalan.health/privacy-policy
Cookies Policy: naftalan.health/cookies-policy
Supervisory Authority (EU): edpb.europa.eu/about-edpb/board/members_en
Supervisory Authority (IL): gov.il/en/departments/the_privacy_protection_authority
Supervisory Authority (TR): kvkk.gov.tr

This Privacy Policy is effective from 06.06.2025 — Version 1.0

© 2025 Alexandr Umanet. All rights reserved.