Privacy Policy
Last Updated: April 21, 2026
This Privacy Policy explains how Dr. Maxim Ivanchuk Clinic collects, uses, and shares your personal data. If you do not agree with our practices, please do not use our website.
Table of Contents
- Introduction & Who We Are
- Data We Collect
- How We Collect Data
- Legal Basis for Processing (GDPR)
- How We Use Your Data
- Meta Business Tools & Facebook Pixel
- Other Third-Party Services & Processors
- Cookies & Consent Management
- Data Retention
- International Data Transfers
- Your Rights
- Special Category Data (Health & Medical)
- Children’s Privacy
- Data Security
- Changes to This Policy
- Contact Us
1. Introduction & Who We Are
In Short: We are Dr. Maxim Ivanchuk Clinic, based in Dubai, UAE. This policy covers all data processing on our website ivanchuk.com.
Dr. Maxim Ivanchuk (“we,” “our,” or “us”) operates the website ivanchuk.com (the “Site”). We provide plastic and aesthetic surgery services and are committed to protecting your personal data. We comply with the EU General Data Protection Regulation (GDPR), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), Meta’s Business Tools Terms, and other applicable data protection and healthcare regulations.
Data Controller:
Dr. Maxim Ivanchuk Clinic | Dubai, United Arab Emirates | https://www.ivanchuk.com
2. Data We Collect
In Short: We collect data you provide directly (forms, bookings, messages), data collected automatically (analytics, advertising pixels), and health information you choose to share.
2.1 Information You Provide Directly
| Data Category | Examples |
|---|---|
| Contact & inquiry data | Name, email, phone number, message content from contact or consultation forms |
| Booking data | Name, contact details, appointment date/time, pre-consultation notes |
| Communication data | Messages exchanged via WhatsApp or Telegram |
| Transaction data | Name, billing address, email, payment information (processed via our payment processor) |
| Marketing preferences | Email subscription status, communication preferences |
| Health & medical information | Health details voluntarily shared in consultation requests (special category data — see Section 12) |
2.2 Data Collected Automatically
| Data Category | Examples |
|---|---|
| Usage & analytics data | Pages visited, time on page, clicks, scroll depth, referral source, device type, browser, OS, city/country-level location |
| Advertising & pixel data | Page views, button clicks, form interactions, and conversion events tracked via Meta Pixel and Google Ads — see Section 6 |
| Cookie data | See Section 8 for full cookie details |
| Server log data | IP address, access timestamps, HTTP request headers |
| Messaging metadata | Phone number, timestamps when you initiate WhatsApp or Telegram conversations |
3. How We Collect Data
In Short: Directly from you, automatically via tracking technologies, and through third-party advertising platforms.
- Direct interactions: Forms, bookings, purchases, WhatsApp, Telegram, and email
- Automated tracking: Cookies, web beacons, pixels (including the Meta Pixel), and JavaScript tags
- Third-party advertising platforms: Meta and Google may share data about interactions with our ads per their own terms
- Messaging apps: When you contact us via WhatsApp or Telegram
4. Legal Basis for Processing (GDPR)
In Short: Consent for advertising and analytics; contract for bookings and payments; legitimate interest for security and communications.
| Processing Activity | Legal Basis |
|---|---|
| Consultation and contact requests | Legitimate interest (Art. 6(1)(f)) / Pre-contractual steps (Art. 6(1)(b)) |
| Bookings and appointments | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) |
| Google Analytics 4 | Consent (Art. 6(1)(a)) |
| Meta Pixel, Custom Audiences, Advanced Matching | Consent (Art. 6(1)(a)) |
| Google Ads conversion tracking | Consent (Art. 6(1)(a)) |
| Email marketing | Consent (Art. 6(1)(a)) |
| WhatsApp / Telegram communications | Legitimate interest (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) |
| Health and medical data | Explicit consent (Art. 9(2)(a)) |
| Fraud prevention & security | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
In Short: To deliver our services, communicate with you, improve our website, and run targeted advertising campaigns.
- Provide and manage services: Process consultation requests, schedule appointments, respond to inquiries
- Process transactions: Handle purchases including payment processing and order management
- Communicate with you: Send appointment confirmations, pre- and post-operative instructions, and respond to queries via email, WhatsApp, or Telegram
- Send marketing communications: With your consent, send newsletters, promotions, and information about our procedures
- Website analytics: Understand visitor behaviour via Google Analytics to improve performance and content
- Targeted advertising: Deliver and optimize ads on Meta (Facebook/Instagram) and Google, including remarketing to past visitors and lookalike audiences
- Conversion measurement: Track which ad campaigns lead to bookings or inquiries
- Audience building: Create Custom Audiences on Meta’s platform based on website visitors or customer data (where consent has been obtained)
- Behavioral analysis: Analyze engagement patterns to improve patient acquisition and experience
- Legal compliance: Meet UAE law, GDPR, and healthcare record-keeping requirements
- Security: Protect the integrity of our website and patient data
6. Meta Business Tools & Facebook Pixel
In Short: We use the Meta Pixel, Conversions API, and Custom Audiences to measure ad performance and retarget visitors. Where required by law, we obtain your consent before activating these tools. Data is shared with Meta Platforms, Inc. as a joint data controller.
6.1 What Are Meta Business Tools?
We use the following tools provided by Meta Platforms, Inc. (1601 Willow Road, Menlo Park, CA 94025, USA):
- Meta Pixel (Facebook Pixel): JavaScript code on our website that tracks visitor actions and sends this data to Meta
- Conversions API (CAPI): A server-side integration that sends conversion events directly from our server to Meta for more accurate measurement
- Custom Audiences: Enables us to target advertising to people who have previously visited our website
- Lookalike Audiences: Allows Meta to identify new users who share characteristics with our website visitors or customers
- Advanced Matching: Where you have provided contact information to our website, this data may be hashed (SHA-256) and sent to Meta to improve attribution accuracy
6.2 Data the Meta Pixel Collects
When the Meta Pixel is active, it automatically collects: HTTP headers (IP address, browser, page location, referring URL); the Facebook cookie (if present); button click data and form field names; and page URLs and the actions taken on those pages.
6.3 Standard Events We Track
| Event Name | When It Fires |
|---|---|
| PageView | Every time a page on our Site loads |
| ViewContent | When a visitor views a key procedure or service page |
| Lead | When a visitor submits a consultation or contact form |
| Contact | When a visitor clicks a phone, WhatsApp, or Telegram link |
| CompleteRegistration | When a visitor completes a booking or appointment request |
| InitiateCheckout | When a visitor begins the checkout process in our online store |
| Purchase | When a transaction is completed in our online store |
6.4 Purpose of Data Sharing with Meta
We share the above data with Meta Platforms, Inc. to: measure the effectiveness of our Facebook and Instagram advertising campaigns; deliver ads to people likely to be interested in our services; retarget past website visitors; build Custom Audiences and Lookalike Audiences; optimize ad delivery using Meta’s machine learning; and verify conversions from Meta ad campaigns.
6.5 Meta as a Joint Data Controller
In respect of the Meta Pixel and Business Tools, Meta Platforms, Inc. acts as a joint data controller alongside us. Meta processes the collected data for its own purposes as described in its Data Policy, in addition to the purposes described above.
- Meta’s Data Policy: https://www.facebook.com/policy.php
- Meta’s Business Tools data processing information: https://www.facebook.com/legal/controller_addendum
6.6 Consent for Meta Pixel (EEA & Other Jurisdictions)
Where required by law — including for visitors from the European Economic Area and UK — the Meta Pixel and Conversions API are not activated until you give explicit consent via our cookie consent banner. This is implemented through Meta’s Consent Mode integration. You can withdraw consent at any time by:
- Clicking the cookie preferences link on our website and deselecting “Marketing” cookies
- Visiting Facebook Ad Preferences: https://www.facebook.com/ads/preferences
- Using the DAA opt-out tool: https://optout.aboutads.info
- Using the EDAA opt-out (EU): https://www.youronlinechoices.eu
6.7 Advanced Matching Disclosure
We may use Meta’s Advanced Matching feature, which hashes personal data such as your email address or phone number using SHA-256 before transmission to Meta. This improves conversion attribution accuracy. Only data you have already provided to us is used, and your raw data is never transmitted in plain text.
7. Other Third-Party Services & Processors
In Short: We use Google for analytics and advertising, WhatsApp and Telegram for communications, and WooCommerce for our store. All are bound by data processing agreements.
Analytics & Advertising
| Service | Provider | Purpose | Transfer Safeguard |
|---|---|---|---|
| Google Analytics 4 | Google LLC (USA) | Website traffic analytics | SCCs / EU-US Data Privacy Framework |
| Google Ads & Tag Manager | Google LLC (USA) | Advertising and conversion tracking | SCCs / EU-US Data Privacy Framework |
| Meta Pixel & Conversions API | Meta Platforms Inc. (USA) | See Section 6 for full details | SCCs / EU-US Data Privacy Framework |
Communications
| Service | Provider | Purpose |
|---|---|---|
| WhatsApp Business | Meta Platforms Inc. (USA) | Patient communications and inquiries |
| Telegram | Telegram FZ-LLC (UAE) | Patient communications and inquiries |
Website & eCommerce
| Service | Provider | Purpose |
|---|---|---|
| WooCommerce | Automattic Inc. (USA) | Online store and payment processing |
| WordPress | Automattic Inc. (USA) | Content management and website infrastructure |
8. Cookies & Consent Management
In Short: Necessary cookies always run. Analytics and advertising cookies only activate with your consent.
| Category | Description | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, security tokens, shopping cart. Essential for the website to function. | No |
| Functional | Language preferences, form inputs, user settings. | Optional |
| Analytics | Google Analytics 4 — anonymized data about how visitors use the Site. | Yes |
| Marketing & Advertising | Meta Pixel, Conversions API, Google Ads — ad targeting, remarketing, conversion measurement. See Section 6. | Yes |
On your first visit, a cookie consent banner will appear allowing you to accept or reject non-essential cookies by category. Manage your preferences anytime via: Google Analytics Opt-out | Google Ad Settings | Meta Ad Preferences | Your Online Choices (EU)
9. Data Retention
In Short: We keep your data only as long as necessary for the purpose it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| Medical consultation and patient records | 10 years (UAE healthcare regulatory requirement) |
| Booking and appointment data | 5 years |
| Transaction and payment data | 7 years (legal obligation) |
| Contact form inquiries (non-patients) | 2 years |
| Marketing email lists | Until unsubscription + 1 year |
| Google Analytics data | 26 months (GA4 configuration) |
| Meta Pixel / Custom Audience data | Up to 180 days (Meta platform retention) |
| Google Ads audience data | Up to 540 days |
| WhatsApp / Telegram messages | 2 years or until deletion requested |
| Website server log data | 12 months |
10. International Data Transfers
In Short: Our clinic is in the UAE. Some tools transfer data to the USA. For EEA visitors we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
Our clinic is based in the United Arab Emirates. Third-party services including Google and Meta may transfer your data to the USA. For EEA data we rely on EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. For UAE-to-international transfers, we ensure adequate data protection per the UAE PDPL. Meta’s international transfer mechanisms: https://www.facebook.com/legal/EU_data_transfer_addendum
11. Your Rights
In Short: You have rights to access, correct, delete, or restrict use of your data. We respond within 30 days.
Rights Under GDPR (EEA Residents)
- Right of access: Receive a copy of your personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion where there is no longer a legitimate reason to retain it
- Right to restrict processing: Pause processing in certain circumstances
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests or direct marketing
- Right to withdraw consent: Withdraw at any time without affecting prior lawful processing
To exercise any right, contact us at the details in Section 16. We respond within 30 days. You may also lodge a complaint with your local EU supervisory authority.
Rights Under UAE PDPL
Under UAE Federal Decree-Law No. 45 of 2021, you have the right to access, correct, or delete your personal data; object to or restrict processing; and withdraw consent at any time.
12. Special Category Data (Health & Medical Information)
In Short: We treat health data with the highest level of protection — only processed with your explicit consent for delivering medical services.
We only process health data you voluntarily provide: with your explicit consent; for the purpose of providing medical and surgical care; and where required by UAE healthcare law. Access is limited to authorized clinical staff only.
13. Children’s Privacy
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent. Contact us immediately if you believe we hold data relating to a minor.
14. Data Security
We implement SSL/TLS encryption, secure access controls, regular security assessments, and staff training. While we take all reasonable precautions, no internet transmission is 100% secure.
15. Changes to This Privacy Policy
We may update this policy periodically. Material changes will be posted here with a revised “Last Updated” date. Continued use of our Site after changes are posted constitutes acceptance of the revised policy.
16. Contact Us
For questions, requests, or concerns about this Privacy Policy or your personal data:
Dr. Maxim Ivanchuk Clinic
Dubai, United Arab Emirates
Website: https://www.ivanchuk.com
We will acknowledge your request within 5 business days and respond in full within 30 days.
For Meta-related data requests, you may also contact Meta directly via their Data Subject Request portal.