Privacy Policy (Alevy SAS / AlevyMed)

Website: www.alevymed.com
Effective date: December 10, 2025
Contact: [email protected]

This Privacy Policy explains how Alevy SAS (“Alevy,” “we,” “us”) collects, uses, shares, and protects personal information when you visit our website, contact us, create an account, or receive (or inquire about) regenerative medicine and advanced therapy treatments.

Because we may handle health/medical information and identification documents (e.g., passport number), please read this carefully.

1) Who this applies to

This policy applies to personal information we process about:

• Website visitors and people who contact us

• Prospective patients and patients

• Users with an account/login to access medical records or related services

It applies to information collected through our website (www.alevymed.com), forms, phone/email communications, and any patient onboarding and treatment coordination processes.

2) What information we collect

We collect information in three main ways: (a) you provide it, (b) it’s collected automatically from your device, and (c) we receive it from others (with your permission or as needed to provide services).

A. Information you provide

Depending on your interaction with us, we may collect:

• Contact information: name, email, phone number, address

• Account information: username/login credentials and related account security information (for access to medical records or patient portals)

• Identity / travel documentation: passport number (typically once you decide to move forward with treatment and for coordination/administration)

• Health and medical information (sensitive): medical condition, medical history, medical records (including documents you upload or send us), and treatment-related information

• Billing and payment-related information: billing details and payment/transaction details (note: if you pay through a payment processor, that provider may collect payment card details directly)

• Communications: messages you send us, consultation notes, and customer support interactions

B. Information collected automatically (website & device data)

When you use our website, we may collect:

• IP address, device type, browser type, operating system

• Approximate location (derived from IP)

• Pages viewed, links clicked, timestamps, and referring URLs

• Cookies and similar technologies (see “Cookies” below)

C. Information from other sources

We may receive information from:

• Healthcare providers, labs, or referral partners when you authorize or request us to coordinate care

• Service providers that help us run our operations (e.g., scheduling, CRM, secure document tools)

3) How we use your information

We use personal information for purposes such as:

• Responding to inquiries and providing consultations or eligibility screening

• Coordinating and delivering services, including treatment planning and patient support

• Account management, authentication, and enabling access to medical records (where applicable)

• Administrative and billing purposes

• Safety and quality: improving our services, internal reporting, and operational analytics

• Security and fraud prevention

• Legal compliance and enforcing our terms and policies

• Marketing communications (where permitted by law and/or with your consent). You can opt out anytime.

4) Legal bases (important for EU/EEA/UK visitors)

If you are in the EU/EEA/UK, we process personal data under legal bases such as:

• To take steps at your request / perform a contract (e.g., consultation, patient services)

• Your consent (especially relevant for certain marketing and processing of sensitive health data in some contexts)

• Legitimate interests (e.g., security, improving services) where not overridden by your rights

• Legal obligations (e.g., recordkeeping)

Health data is generally considered a “special category” of data under GDPR and receives extra protection. (GDPR)

5) How we share information (and when)

We do not sell your medical records or personal information.

We may share personal information only as needed and appropriate, including:

• Service providers (processors) who support our operations (e.g., IT hosting, secure storage, patient communication tools, scheduling, billing support). They are required to protect your information and use it only for contracted services.

• Professional advisors (lawyers, accountants) under confidentiality obligations.

• Legal and safety disclosures if required by law, court order, or to protect rights, safety, and security.

• With your authorization, such as sharing relevant health information with providers or support persons you identify.

6) International data transfers

Alevy is based in Colombia, but we serve patients in Colombia, the United States, Canada, and the EU.

Your information may be transferred to, stored in, or processed in countries where our service providers operate. We take steps designed to ensure appropriate safeguards are in place (for example, contractual protections and access controls), especially for cross-border transfers referenced in applicable Colombian rules and related regulations. (dlapiperdataprotection.com

7) Cookies and tracking technologies

We may use cookies and similar technologies to:

• Make the website function properly

• Remember preferences

• Understand traffic and usage to improve the site

• Support marketing/advertising where used (if applicable)

You can control cookies through your browser settings. If we use optional cookies (like certain analytics/advertising cookies), we may provide consent options depending on your location and legal requirements

8) Data retention

We keep personal information only as long as reasonably necessary for the purposes described above, including:

• Maintaining patient records and treatment documentation

• Resolving disputes and enforcing agreements

• Complying with legal, tax, accounting, and regulatory obligations

Retention periods can vary based on the type of information and applicable legal requirements

9) Security

We use administrative, technical, and physical safeguards designed to protect personal information, such as:

• Access controls (limiting access to authorized personnel)

• Account authentication measures for portals/logins

• Secure systems and monitoring where appropriate

• Staff confidentiality expectations and training practices

No method of transmission or storage is 100% secure; however, we work to reduce risk and respond appropriately to security incidents.

10) Your privacy rights (how to exercise them)

To request access, correction, deletion, or other rights, email [email protected]. We may need to verify your identity (especially for requests involving medical records).

A. Colombia

Colombian data protection rules provide rights such as access, correction, and updating of personal data, among others, and require organizations to have privacy policies and procedures. (Función Pública)

B. European Union / EEA / United Kingdom (GDPR)

You may have rights to:

• Access, correct, or delete your personal data

• Restrict or object to processing

• Data portability (in some cases)

• Withdraw consent (where processing is based on consent)

• Lodge a complaint with your data protection authority

C. United States (including California)

If you are a California resident, you may have additional rights such as the right to know, delete, and opt out of the “sale” or “sharing” of personal information (as those terms are defined by law), plus non-discrimination for exercising rights. (California DOJ)
(Note: Alevy states it does not sell personal information.)

D. Canada (PIPEDA)

For Canadian individuals, PIPEDA sets rules for how private-sector organizations handle personal information in commercial activities. (priv.gc.ca)

11) Children’s privacy

Children’s Privacy (Minors)

Our services are not directed to children and we do not knowingly collect personal information directly from children for marketing purposes. However, we may provide medical services to minors where appropriate and permitted by law.

When a minor receives services, a parent or legal guardian must provide consent and typically provides the minor’s personal information and medical history on the minor’s behalf (for example: name, date of birth, contact information, medical condition, medical records, and other health information necessary for care). We process this information only as needed to evaluate eligibility, coordinate care, deliver services, and comply with legal and clinical obligations.

If you are a parent or guardian and believe we have collected a child’s personal information without appropriate consent, please contact us at [email protected]

and we will take appropriate steps, which may include deleting information where legally and clinically permissible.

12) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the “Effective date” above.

13) Contact us

For questions, requests, or complaints about privacy, contact:
Alevy SAS
Email: [email protected]