Legal
Privacy Notice.
ONE.HEALTH — Physician-Led IV Therapy & Longevity Clinic, Nicosia, Cyprus
Version 1.0 · Effective 2026
This Privacy Notice explains how ONE.HEALTH ("we", "us", "our") collects, uses, stores and protects your personal data when you visit our website, join our waitlist, book a session, attend our clinic, or receive any of our services. We process your data lawfully under the General Data Protection Regulation (EU) 2016/679 ("GDPR") as implemented in Cyprus by Law 125(I)/2018.
1. Who We Are
Data Controller: THEODOROS KYPRIANOU DLC (trading as ONE.HEALTH), registered in Cyprus.
Trading address: 96 Andrea Avraamidi Str, Strovolos, Nicosia, Cyprus, 2024, First Floor.
Data Protection Officer: Stefanos Kyprianou.
DPO contact: info@onehealthclinics.org · +357 22 522 800.
2. What Personal Data We Collect
2.1 Website visitors and waitlist
When you submit a waitlist registration, we collect first and last name, email, optional phone/WhatsApp number, submission timestamp, and basic technical data (IP address, browser, pages visited).
Legal basis: Art. 6(1)(b) GDPR — steps prior to a contract; Art. 6(1)(f) — legitimate interest in managing our waitlist.
2.2 Appointment booking (Microsoft Bookings)
Name, email, phone, appointment details, voluntary allergy/condition disclosures, and pre-consultation preference.
Legal basis: Art. 6(1)(b), Art. 9(2)(h) — provision of health care; Art. 9(2)(a) — explicit consent for voluntary health disclosures.
2.3 Clinical records (in-clinic only)
Created and stored exclusively within our internal Microsoft 365 systems — never on our public website. Includes identity, contact details, medical history, treatment records, batch traceability, consent records, consultation notes, incident records, and follow-up communications.
Legal basis: Art. 6(1)(b), Art. 6(1)(c), Art. 9(2)(h) — provision of health care by health professionals under professional secrecy.
2.4 Payments
Processed by Stripe or Viva Wallet. We do not store card details — only a transaction reference and amount for accounting.
2.5 Communications
Emails, WhatsApp messages, and phone records retained to respond to you and maintain interaction history.
3. Sensitive (Special Category) Data
Health data is treated with the highest level of confidentiality. Access is restricted to clinical staff directly involved in your care. We never use health data for marketing or profiling.
4. Data We Do Not Collect
- No health data on our public website beyond the voluntary allergy field in Microsoft Bookings.
- No tracking pixels, advertising cookies, or third-party advertiser sharing.
- We never sell, rent, or trade your personal data.
- No automated decision-making or profiling with legal effects.
- No data collection from individuals under 18.
5. How Long We Keep Your Data
- Waitlist: up to 12 months from submission.
- Booking data: 3 years from appointment.
- Clinical records: 7 years from last visit.
- Consent records: for the duration of clinical record retention.
- Incident records: 10 years.
- Communications: 2 years.
6. Who We Share Your Data With
All third parties act as data processors under a data processing agreement with us:
- Microsoft Corporation (EU): Microsoft 365 stores clinical records, bookings, and communications. EU data centres.
- Microsoft Bookings: appointment calendar.
- Supabase Inc. (EU): stores waitlist submissions only — no clinical data.
- Stripe / Viva Wallet: payment processing.
- Twilio / 360dialog (WhatsApp Business API): appointment reminders.
We do not transfer data outside the EEA except under Standard Contractual Clauses or adequacy decisions.
7. Data Security
- All clinical records stored exclusively in Microsoft 365 (ISO 27001 certified, GDPR-compliant EU deployment).
- Role-based access controls and multi-factor authentication for all staff accounts.
- Full audit trails on all clinical record access.
- No clinical or health data on our public website.
- Personal data breaches notified to the Cyprus Commissioner within 72 hours where required.
8. Cookies
We use strictly necessary cookies and privacy-respecting analytics only. No advertising or marketing cookies. No tracking pixels.
9. Your Rights Under GDPR
To exercise any of these rights, contact our DPO at info@onehealthclinics.org. We will respond within one calendar month.
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17) — subject to clinical record retention obligations
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time
You also have the right to lodge a complaint with the Cyprus Commissioner for the Protection of Personal Data, 1 Iasonos Street, 1082 Nicosia · commissioner@dataprotection.gov.cy · +357 22 818 456.
10. Children
Our services are not directed at individuals under 18. We do not knowingly collect data from children.
11. Changes to This Privacy Notice
We publish updates on our website with a revised effective date. Material changes affecting health data use are notified by email where contact details are held.
12. Contact Us
DPO: Stefanos Kyprianou
Email: info@onehealthclinics.org
Phone: +357 22 522 800
Address: 96 Andrea Avraamidi Str, Strovolos, Nicosia, Cyprus, 2024, First Floor
