Privacy & GDPR
ZATAY MEDICAL CONSULTANCY LTD (Company No. 13584142) is the data controller for personal data processed through this portal. We take the privacy of your family's health information seriously.
Data we process
We process the information you provide for an educational review — including your contact details, your child's details, and any medical records, imaging, or videos you upload. Health data is special-category data under the UK GDPR and is handled with additional safeguards.
Lawful basis
We process your data to deliver the service you request (Article 6(1)(b) — contract) and with your explicit consent for special-category health data (Article 9(2)(a)). Consent is captured on the intake form and can be withdrawn at any time.
Storage & security
Data is stored on EU/EEA-region infrastructure (Supabase, hosted in the EU) with encryption in transit (TLS) and at rest. Medical files live in a private storage bucket and are only served via short-lived signed URLs. Access is limited to the specialists and coordination staff involved in your review.
Staff sign-ins use magic-link authentication and optionally a second-factor authenticator. Privileged actions (case assignment, report finalisation, role changes, refunds) are recorded in an internal audit log.
How long we keep your data
We retain personal data for 8 years from the date of submission, in line with common UK paediatric clinical-record practice. After this period your case is reviewed by an administrator and permanently deleted from the portal. A minimal accounting record (case reference, package, amount paid) is kept for six years as required by the UK Companies Act 2006 — it contains no medical or contact information beyond what Stripe also holds independently.
Your rights under UK GDPR
You have the right to:
- Access a copy of the personal data we hold about you (Article 15).
- Receive your data in a portable format (Article 20). You can download it yourself any time from the family panel.
- Rectification — ask us to correct inaccurate information (Article 16).
- Erasure — ask us to delete your personal data (Article 17). You can also do this yourself from the family panel.
- Restrict or object to our processing (Articles 18 & 21).
- Withdraw consent at any time, without affecting processing carried out before withdrawal.
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you're not satisfied with how we've handled your data.
How to exercise your rights
Two of these rights are available directly in the secure family panel: Your data & privacy — "Download my data" and "Delete my account". For any other request, or if you don't use the portal, email us at profdrburaktatli@gmail.com. We respond within 30 days, as required by the UK GDPR.
Cookies & analytics
We use a minimal set of strictly necessary cookies for sign-in and language preferences. Privacy-friendly analytics (e.g. Cloudflare Web Analytics) may also be used; these do not set cookies or collect personal identifiers. You can manage your cookie preferences from the banner at the bottom of the page.
International transfers
Personal data is stored in the EU. Some processors (e.g. Stripe for payments, Resend for email) may transfer limited data to the United States under their standard contractual clauses and supplementary safeguards.
This policy summarises our current practices. The final wording should be reviewed by a UK data-protection adviser before publication and updated whenever our processing changes.
