Privacy Policy

Privacy Policy PERSONAL DATA PROTECTION POLICY (GENERAL) This policy determines the general framework of the data processing activities of EDB TURİZM ORGANİZASYON VE DANISMANLIK HIZMETLERI LTD. STI. (hereinafter referred to as “EDB LTD STI”).

About the Applicable Law (Turkey). This Privacy Policy is provided by “EDB LTD STI” as the data controller. We primarily process personal data under TR Personal Data Protection Law No. 6698 (“KVKK”) and relevant secondary legislation. Where our activities bring us within the scope of other data protection laws, we also comply to the extent they apply—for example, GDPR/UK GDPR for individuals in the EU/UK, CCPA/CPRA for California residents, and LGPD for Brazil. This Policy should be read together with our service specific notices where applicable.

Controller: “EDB LTD STI”, (operating the “Flymeditrust Travel Agency”)
Data Controller Contact : info@flymeditrust.com

  1. Who We Are

We operate in two regulated verticals: (i) A-Group Travel Agency / Tour Operator services and International Health Tourism Service Provider (Facilitator). Depending on the activity, EDB LTD STI acts as a controller. Contracted healthcare providers, all tourism services (include tour operator services), airlines, hotels, ground services, insurance providers and other suppliers usually act as independent controllers for their own processing.

Role clarity. We do not provide medical/clinical services; such services are delivered by independent healthcare providers under their own responsibility. For bookings, carriage, accommodation, insurance or clinical treatment, you will also be subject to the respective provider’s privacy notice and terms. Typical independent controllers include airlines, hotels, insurers and healthcare providers.

  • Legal name: “EDB LTD STI”
  • Trade/Brand: Flymeditrust / Flymeditrust Travel Agency
 
  1. Scope

This Policy applies to websites under the Flymeditrust domain, official social media accounts, messaging channels (e.g., email, voice, web forms, instant messaging), and offline onboarding (e.g., call center, physical office). Where permitted by law and with notice, calls may be recorded for quality and compliance.

  1. Key Definitions
  • Personal data: any information relating to an identified or identifiable person.
  • Special category data / Sensitive personal data: includes health data (only if you choose to provide it for health tourism facilitation); we do not intentionally collect other special category data.
  • Processing: any operation performed on personal data.
  • Controller / Processor / Joint controller: roles per applicable law.
  • International transfer: moving personal data to a country/recipient outside the originating jurisdiction.
 
  1. What Data We Collect
  • Core identification & contact: name, nationality, contact details, document numbers (as allowed by law).
  • Travel booking data: itinerary, passenger details, PNR, ticketing, accommodation preferences, loyalty numbers, visa information (if provided by you).
  • Health tourism inquiry data (special category): symptoms, medical history, test results, photos, prescriptions, medical correspondence only if you choose to provide them. Note: Special category health data is normally processed only with your explicit consent; however, applicable law may allow processing under other conditions (e.g., direct transmission to healthcare professionals under secrecy obligations, compliance with legal duties, establishment/exercise/defense of legal claims, or vital interests). We prefer privacy by design flows that relay data directly to the provider where feasible.
  • Transaction & billing: order details, amounts, currency, tax identifiers permitted by law, payment method tokens (handled by payment service providers).
  • Communications: messages, call recordings (where lawful and notified), service feedback.
  • Technical data: IP, device, browser, cookie identifiers, consent signals, diagnostic logs (see Cookie Policy).
 
  1. Sources of Data
  • Directly from you via our all online/offline channels.
  • From your authorized representatives (e.g., family, referring physician, attorney, friend), subject to documented proof of authority (e.g., power of attorney or written authorization).
  • From suppliers we engage to complete your booking or coordinate care (e.g., airlines, hotels, hospitals) where necessary.
 
  1. Purposes & Legal Bases
  • Travel agency / tour operator services — to process bookings, issue vouchers/tickets, provide customer support, handle changes/cancellations, manage supplier relations; legal bases: performance of a contract; compliance with legal obligations (e.g., tax, accounting), and legitimate interests (service quality, fraud prevention).
  • Health Tourism Facilitation — to triage your inquiry and transmit your data to your chosen healthcare provider; legal bases: your explicit consent for special category data; where applicable processing under other lawful conditions (e.g., by healthcare professionals bound by secrecy; establishment/exercise/defense of legal claims; compliance with legal duties; vital interests in emergencies); and privacy by design via direct relay, encryption, and minimal logging.
  • Communications — to respond to messages, schedule, and provide status updates; legal bases: contract/legitimate interests; consent where required (e.g., certain marketing).
  • Analytics & improvement — to understand website performance with privacy preserving measurements; legal bases: consent where required; legitimate interests where permitted by law (see Cookie Policy).
  • Marketing — to send service updates and offers; legal bases: consent where required; opt out always available.
  • Security & fraud — logs and diagnostics to secure systems; legal bases: legitimate interests; legal obligations.

“We do not intentionally collect other special-category data unless strictly required by law and provided by you.”

Special category data (health): we process only with your explicit consent, or — where permitted — we transfer the information directly to healthcare professionals who are bound by professional secrecy. You may withdraw consent at any time; withdrawal does not affect processing already lawfully performed.

  1. Children

Children’s safety is very important to us. We encourage parents and guardians to monitor and participate in their children’s online activities.

We do not knowingly collect personal information from children under 13. If you believe your child has provided us with such information, please contact us immediately. We will take reasonable steps to promptly delete it from our records and will make reasonable efforts to respond within one month of your request. Where consent is the lawful basis, we require consent from a parent or legal guardian for minors.

  1. Sharing & Recipients
  • Healthcare providers you select (independent controllers).
  • Travel suppliers: airlines, hotels, insurers, ground services (independent controllers).
  • Payment service providers / banks for collections and refunds (processors or independent controllers per context).
  • IT/hosting, security, communications and support vendors (processors under our instructions).
  • Call center and customer experience providers (processors under our instructions).
  • Professional advisers (lawyers, accountants/auditors) under confidentiality.
  • Authorities and regulators where legally required (e.g., tax, law enforcement, health authorities).
  • Independent visa and insurance intermediaries, when you request such services.
  • Other third party suppliers in our sectors, including those we do not directly contract with but that you choose to use; their own notices apply.

We do not sell personal data for monetary compensation. Targeted advertising may constitute “sharing” under some U.S. laws; see Your Rights.

  1. International Transfers

We may transfer personal data across borders to support our global health tourism facilitation and travel agency/tour operator services—i.e., for the performance of a contract (or pre contractual steps at your request), to provide services we are legally authorized to offer, and, where necessary, to share data with third party suppliers and providers involved in fulfilling the services (e.g., airlines, hotels, ground services, payment partners, hospitals/clinics). We use appropriate safeguards depending on the origin of the data and the applicable law, including:

  • Türkiye KVKK: mechanisms under the amended law (e.g., standard contracts, undertakings, BCRs) or explicit consent when appropriate; and compliance with the Turkish DPA’s transfer guidance.
  • EU/EEA GDPR: Standard Contractual Clauses (SCCs) + transfer impact assessments; adequacy decisions where available.
  • UK GDPR: International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; UK adequacy where available.
  • Brazil LGPD: mechanisms under ANPD rules (e.g., SCCs) and deadlines; adequacy where applicable.

Binding Corporate Rules (BCRs). Where BCRs are used, they incorporate data subject rights, company level responsibility for compliance, and obligations to document and report material changes.

Adequacy criteria (summary). Adequacy decisions generally consider elements such as reciprocity, legislation quality, competent supervisory authorities, and available redress mechanisms.

You may request information about our transfer mechanisms, if any, by contacting us. We will make reasonable efforts to respond within one month.

  1. Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting, and reporting requirements.

Financial and Commercial Records. We retain data related to bookings, invoices, payments, and other commercial transactions (including passport copies kept solely for official documentation processes) for a minimum of 10 years, as required by Turkish commercial and tax laws, and for audit purposes by the Ministry of Health and other competent authorities.

Medical Inquiry Records. We retain data related to your medical inquiries and our intermediary services only for as long as needed to facilitate your treatment and our operational needs. All medical and clinical records are the responsibility of the medical facility or physician providing the service and are subject to their own retention policies. We aim to keep such records to the minimum necessary and apply secure erasure/anonymization when no longer needed, in accordance with applicable law.

Communications and Technical Logs. We retain communication records and technical logs for shorter periods necessary for operations and security, after which they are deleted or anonymized.

Specific retention periods may vary depending on the services you use and the legal obligations in your jurisdiction.

  1. Security

We apply industry standard technical and organizational measures (access controls, encryption in transit, role based access, vendor due diligence, staff training). No method is 100% secure; we continuously improve our safeguards.

  1. Your Rights

Depending on your location, you may have rights to access, correct, delete, port, restrict/objection, withdraw consent, and appeal decisions.

  • Türkiye: KVKK Art. 11 rights via our application process.
  • EU/EEA & UK: GDPR/UK GDPR rights; right to lodge a complaint with your supervisory authority (response timelines typically one month, extendable where permitted).
  • Türkiye: KVKK Art. 11 rights via our application process.
  • Brazil: LGPD rights incl. confirmation, access, correction, anonymization/blocking, portability, and information about shared use.
  • S. (incl. California and other state laws): rights to know/access, delete, correct, opt out of sale/”sharing”/targeted advertising, and limit use of sensitive data (where applicable).
 
  1. How to Exercise Your Rights

Please contact us using the details above. We may need to verify your identity (and the authority of a representative). Depending on your location and the applicable data protection law (e.g., Türkiye’s Law on the Protection of Personal Data (“KVKK”), GDPR/UK GDPR, Brazil’s LGPD), you may be entitled to specific rights and timelines.

Türkiye (KVKK) submission channels. You may apply in writing to our postal address or electronically via the privacy email listed in the Contact section using a secure electronic signature or other legally valid method, and we will respond within the statutory period. If you remain unsatisfied, you may lodge a complaint with the Turkish Data Protection Authority (KVKK).

EU/UK timelines. We aim to respond within one month under GDPR/UK GDPR (extendable where permitted).

  1. Cookies & Similar Technologies

We use cookies/SDKs for strictly necessary functions and — with your consent where required — for preferences, analytics, and advertising. Details, consent choices, and cookie lifetimes are provided in our Cookie Policy and the site banner. You can change preferences at any time via the floating icon/link. See: https://flymeditrust.com/cookie-policy/

  1. Automated Decision Making

We do not make decisions producing legal or similarly significant effects based solely on automated processing. We may use rule based or statistical scoring to route inquiries and detect fraud; you can request human review where applicable.

  1. Third Party Links and Services

Our website and services may contain links, integrations, and widgets from various third party platforms. These include platforms of our contracted partners in the tourism and health tourism sectors (such as airlines, hotels, hospitals, and other service providers). It also covers the links and platforms used by healthcare providers, facilities, organizations, and physicians to deliver their services. We also maintain official accounts on social media platforms like WhatsApp Business, Facebook Messenger, Instagram, LinkedIn, Pinterest, and TikTok.

We are not responsible for the privacy practices or content of these third party services. These platforms and our contracted partners operate under their own privacy policies and terms of use, which govern how they handle your personal data. Their privacy notices and policies will apply to any personal data you provide to them.

We strongly recommend that you review the privacy policies of any third party service you use, especially those of our contracted partners, to ensure your data is handled in a manner you approve.

  1. Changes to This Policy

If we decide to change this Privacy Policy, we will publish the changes on this page.

  1. Contact
  • Mail: info@flymeditrust.com
  • Address: Akat Mah. No: Yıldırım Oguz Goker Sk.2/4 Beşiktas ISTANBUL.
  • Phone: +90 543 960 4 111

 

 

California CCPA/CPRA Privacy Rights (Do Not Sell My Personal Information)

Under California law, residents may:

  • Request information about the categories and specific pieces of personal information we collect.
  • Ask us to delete personal information we hold about them (subject to legal exceptions).
  • Direct us not to sell or share their personal information.
  • We honor and respect the Global Privacy Control (GPC) signal where recognized. If your browser or extension sends a GPC signal, we will treat it as a valid opt out for sale/sharing and targeted advertising as required by law.

To exercise these rights, please contact us using the methods listed in this Policy. We aim to respond within one month of verifying your request. info@flymeditrust.com

Jurisdiction-Specific Rights & Disclosures 

  • Türkiye (KVKK): You may exercise rights under the Law on the Protection of Personal Data (KVKK). Turkish language instructions are available on our website.
  • EU/EEA (GDPR) & UK (UK GDPR): You may lodge a complaint with your supervisory authority and exercise rights including access, rectification, erasure, restriction/objection, and portability.
  • Brazil (LGPD): You may exercise rights including confirmation of processing, access, correction, anonymization/blocking, portability, and information about shared use.
  • United States (state laws): Depending on your state, you may have rights to know/access, delete, correct, opt out of sale/sharing/targeted advertising, and limit use of sensitive data.