We are committed to protecting your personal data and your right to privacy. This policy explains exactly what we collect, why, and how we protect it.
ETERNAL Clinic International ("ETERNAL Clinic") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our website, services, or purchase our products. We comply with the GDPR, the Indonesian Personal Data Protection Law (UU PDP), and equivalent legislation in Spain, Italy, and Switzerland.
ETERNAL Clinic International is the data controller responsible for your personal data. We operate hair restoration clinics and provide related health services across four international locations:
If you have any questions about how we handle your data, please contact us at info@cliniceternal.com.
We collect different categories of personal data depending on how you interact with us:
We collect this data directly from you when you submit a form, book a consultation, undergo a procedure, make a purchase, or contact us by any channel. We also collect technical data automatically when you browse our website.
We use your personal data only for the purposes for which it was collected:
We will never use your data for purposes incompatible with those listed above without first informing you and, where required, obtaining your consent.
Under the GDPR and applicable data protection law, we process your personal data under the following legal bases:
Processing is necessary to fulfil the contract we have with you — for example, to perform your procedure, process your payment, or fulfil a product order.
We process certain data based on our legitimate business interests, including improving our services, preventing fraud, and maintaining the security of our systems. We ensure these interests are balanced against your rights.
We are required by law to retain medical records, financial records, and other data for specified periods. We process data to meet these obligations.
Where we rely on consent — such as for marketing emails or the processing of sensitive health data — you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Health and medical information is classified as "special category data" under the GDPR and receives the highest level of protection. We process it only where strictly necessary for providing healthcare services and with your explicit consent.
Medical data we hold — including consultation notes, photographs, procedure records, and AI-generated assessments — is treated with the strictest confidentiality. Access is restricted to:
We will never share your medical data with third parties for commercial purposes, including advertisers, insurers, or employers, without your explicit written consent.
Before and after photographs are stored securely and may be used for internal quality review or educational purposes only with your explicit, separately obtained consent. We will always ask before displaying any photographs on our website or marketing materials.
We do not sell your personal data. We may share it only in the following limited circumstances:
We work with carefully selected third-party providers who process data on our behalf under strict data processing agreements. These include: payment processors (Stripe, PayPal), email delivery services, and our secure cloud hosting provider. They are permitted to use your data only for the specific purpose we instruct and cannot use it for their own purposes.
Your data may be shared between ETERNAL Clinic locations (e.g., if you transfer care between our Bali and Madrid clinics) for continuity of care purposes only.
We may disclose your data if required by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ETERNAL Clinic, our patients, or others.
If ETERNAL Clinic undergoes a merger, acquisition, or sale of assets, your data may be transferred to the new entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
Our website uses cookies and similar tracking technologies to improve your experience and analyse how the site is used.
Required for the website to function. These cannot be disabled. They include session cookies that keep you logged in and security tokens that protect forms against abuse.
Help us understand how visitors interact with our website (e.g., pages visited, time spent). We use anonymised data and do not share individual tracking data with third parties.
Used only with your consent to serve relevant advertising about our services on third-party platforms. You can opt out at any time through your browser settings or our cookie preferences panel.
Most browsers allow you to control cookies through settings. You can also use browser extensions to block tracking. Please note that disabling non-essential cookies will not affect your ability to access our services. For more information, visit aboutcookies.org.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
When data is no longer required, it is securely deleted or anonymised so it can no longer be associated with you.
Because ETERNAL Clinic operates internationally, your personal data may be transferred between our clinic locations in Indonesia, Spain, Italy, and Switzerland for continuity of care purposes.
For transfers of personal data from the European Economic Area (EEA) to Indonesia or other countries that the European Commission has not deemed to provide an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, which impose equivalent data protection obligations on the recipient.
Our third-party service providers may also process data in countries outside your own. In all such cases, we ensure that appropriate safeguards are in place in accordance with applicable law, and that the transfer is subject to a binding Data Processing Agreement.
Depending on your location, you have a number of rights regarding your personal data. EU/EEA residents have all GDPR rights. Indonesian residents have rights under UU PDP. We honour these rights for all our patients globally:
To exercise any of these rights, contact us at info@cliniceternal.com. We will respond within 30 days. We may ask you to verify your identity before processing your request. If you are dissatisfied with our response, EU/EEA residents have the right to lodge a complaint with their national data protection supervisory authority.
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it without delay.
Patients aged 16–17 may be considered for consultation in limited circumstances, in which case we require verifiable parental or guardian consent before collecting any personal or medical data and before providing any services.
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. Our security measures include:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.
Our website may contain links to third-party websites, including social media platforms (Instagram, Facebook, TikTok), review platforms (Google), and payment providers. These sites have their own privacy policies and we have no responsibility or liability for their content or practices.
We encourage you to read the privacy policy of any third-party website you visit. The presence of a link on our site does not constitute our endorsement of that site's privacy practices.
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. The "Last Updated" date at the top of this page shows when the policy was last revised.
Where changes are material, we will notify you by email (if you are a registered patient or have made a purchase) or by displaying a prominent notice on our website before the changes take effect. We encourage you to review this page periodically.
Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy.
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all data-related enquiries within 30 days.