LaMedBack to Home

Privacy Policy

Last updated: 14 February 2026

1. Introduction

LAMED FLY CENTER SRL (CUI: 45318315, Reg. No.: J20/21005925/123), operating as LaMed Aviation Medical Centre ("LaMed", "we", "us", or "our"), is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website or use our services, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian data protection legislation.

This policy applies to all individuals who visit our website, submit forms, make bookings, or otherwise interact with our services. Please read this policy carefully to understand how we handle your personal data.

2. Data Controller

The data controller responsible for your personal data is:

  • Entity: LAMED FLY CENTER SRL (CUI: 45318315, Reg. No.: J20/21005925/123), operating as LaMed Aviation Medical Centre
  • Registered office: Str. Baia Mare 15, Cluj-Napoca 400171, Cluj County, Romania
  • Clinic address: Str. Nicolae G. Caramfil 87, Bucharest 014142, Romania
  • Email: office@clinicalamed.com
  • Phone: +40 723 577 452

For all data protection inquiries and requests to exercise your rights, please contact us using the details above.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Booking Form Data

When you book a medical examination, we collect:

  • Full name
  • Telephone number (including country code)
  • Email address
  • Selected service type (type of medical examination)
  • Optional message or notes you provide

3.2 Contact Form Data

When you submit an inquiry or subscribe to updates, we collect:

  • Full name
  • Telephone number
  • Email address (optional)
  • Selected service interest
  • Optional message

3.3 Payment Data

Payment processing is handled entirely by our third-party payment processor, Stripe, Inc. We do not collect, process, store, or have access to your credit or debit card details at any time. The only payment-related data we store is:

  • Stripe session identifier (for transaction reference)
  • Payment intent identifier (for transaction tracking)
  • Payment amount and status (paid, pending, or failed)

3.4 Technical Data

For security and abuse prevention purposes, we temporarily collect your IP address when you submit forms on our website. This data is used exclusively for rate limiting (preventing excessive or automated form submissions) and is automatically deleted after 24 hours.

4. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

4.1 Performance of a Contract (Article 6(1)(b))

We process your booking data (name, email, phone, service type, appointment date) as necessary to perform the contract you enter into when reserving a medical examination. This includes creating your booking, processing your payment through Stripe, sending you a confirmation email, and managing your appointment.

4.2 Legitimate Interests (Article 6(1)(f))

We process certain data based on our legitimate interests, specifically:

  • Processing contact form submissions to respond to your inquiries and provide customer support.
  • Collecting IP addresses temporarily for rate limiting and security purposes, to protect our website and services from abuse.

4.3 Consent (Article 6(1)(a))

Before submitting any form on our website, you are required to provide explicit consent by checking the agreement checkbox, confirming that you have read and agree to our Terms of Service and this Privacy Policy. You may withdraw your consent at any time by contacting us, though this will not affect the lawfulness of processing carried out before withdrawal.

5. How We Use Your Data

We use your personal data for the following purposes:

  • Booking management: To process, confirm, and manage your medical examination reservation.
  • Transactional communications: To send you booking confirmation emails containing your appointment details, booking reference, preparation instructions, and clinic location.
  • Responding to inquiries: To respond to questions or requests submitted via the contact form.
  • Payment processing: To facilitate the payment of your reservation fee through Stripe.
  • Abuse prevention: To protect our website from spam, automated submissions, and abusive behaviour through rate limiting and form validation.
  • Legal compliance: To comply with applicable legal obligations, including tax and accounting requirements under Romanian law.

We do not use your personal data for marketing purposes, profiling, or automated decision-making unless you have explicitly opted in to receive updates from us.

6. Data Sharing and Third-Party Processors

We do not sell, trade, or rent your personal data to any third parties. We share your data only with the following trusted service providers who process data on our behalf:

6.1 Stripe, Inc. (United States)

Stripe processes all payment transactions on our behalf. When you make a payment, your email address, the payment amount, and service description are transmitted to Stripe to create a secure checkout session. Stripe is PCI-DSS Level 1 certified and adheres to the highest security standards for payment processing. Your card details are handled exclusively by Stripe and are never accessible to LaMed. For more information, see Stripe's Privacy Policy.

6.2 Resend, Inc. (EU — Ireland)

Resend is our transactional email service provider, configured to operate from servers located in Ireland (EU). When we send you a booking confirmation or process a contact form submission, your name and email address are transmitted to Resend to deliver the email. As the data is processed within the European Economic Area, no international data transfer mechanisms are required for this service. For more information, see Resend's Privacy Policy.

6.3 Vercel, Inc. (EU — Frankfurt)

Vercel hosts our website and server-side functions from its Frankfurt, Germany (EU) region. Vercel also provides anonymous, cookie-less analytics (Vercel Analytics and Vercel Speed Insights). These analytics services do not collect personally identifiable information and do not use cookies or similar tracking technologies. As our hosting infrastructure is located within the European Economic Area, your data is processed within the EU. For more information, see Vercel's Privacy Policy.

6.4 Neon, Inc. (EU — Frankfurt)

Neon provides our PostgreSQL database hosting infrastructure, operating from the Frankfurt, Germany (EU) region. Booking and contact form data is stored in a Neon-hosted database within the European Economic Area. For more information, see Neon's Privacy Policy.

7. International Data Transfers

We prioritise keeping your data within the European Economic Area (EEA). Our website hosting (Vercel, Frankfurt), email service (Resend, Ireland), and database (Neon, Frankfurt) all operate from EU-based infrastructure.

However, some of our service providers, particularly Stripe for payment processing, may transfer data to the United States as part of their operations. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): Our processors use EU-approved Standard Contractual Clauses to ensure an adequate level of data protection for transfers to countries outside the EEA.
  • EU-U.S. Data Privacy Framework: Where applicable, our processors participate in the EU-U.S. Data Privacy Framework, providing an adequate level of protection as recognised by the European Commission.
  • PCI-DSS Certification: Stripe additionally holds PCI-DSS Level 1 certification, the highest level of security certification for payment processing.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Booking data: Retained for a minimum of 5 years from the date of the appointment, as required by Romanian fiscal and accounting regulations. After this period, data will be securely deleted or anonymised.
  • Contact form submissions: Retained for up to 2 years from the date of submission, or until the inquiry has been fully resolved, whichever is later. Data is then securely deleted.
  • Rate limiting data (IP addresses): Automatically deleted after 24 hours.
  • Payment transaction references: Retained alongside booking data for the same period (minimum 5 years) for accounting and audit purposes.

9. Your Rights Under the GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Article 16): You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Article 17): You have the right to request the deletion of your personal data, subject to legal retention obligations. Please note that we may be required to retain certain data for accounting and legal purposes even after an erasure request.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability (Article 20): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at office@clinicalamed.com. We will respond to your request within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reasons for the delay.

10. Cookies and Local Storage

10.1 Cookies

This website uses only one cookie: lamed_admin_session. This is a strictly necessary, functional cookie used exclusively for authenticating administrators of our internal management system. It has the following properties:

  • HttpOnly: Cannot be accessed by client-side JavaScript, protecting against cross-site scripting (XSS) attacks.
  • Secure: Only transmitted over encrypted HTTPS connections.
  • SameSite: Strict: Prevents the cookie from being sent with cross-site requests, protecting against cross-site request forgery (CSRF).
  • Expiry: 24 hours from the time of authentication.

This cookie is never set for regular website visitors. It is only created when an administrator logs into the internal management dashboard. If you are a regular visitor or customer, no cookies are placed on your device at any time.

10.2 Browser Session Storage

During the booking process, your form data (name, email, phone, message, and selected service) is temporarily stored in your browser's session storage to carry it between steps of the booking flow. Session storage is not a cookie — it is not sent to our servers automatically, is isolated to a single browser tab, and is cleared automatically when you close the tab.

10.3 Analytics

We use Vercel Analytics and Vercel Speed Insights to understand website performance and usage patterns. These tools are privacy-friendly and do not use cookies, local storage, or any other client-side tracking mechanisms. They do not collect personally identifiable information.

10.4 Cookie Consent

Since this website does not use any non-essential or tracking cookies, and the only cookie present is strictly necessary for internal administration (never set for regular visitors), no cookie consent mechanism is required under the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) or the GDPR.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between your browser and our website is encrypted using HTTPS/TLS.
  • PCI-DSS compliant payments: Payment processing is handled by Stripe (PCI-DSS Level 1 certified), ensuring the highest standard of payment security.
  • Secure cookies: Administrative cookies are HttpOnly, Secure, and SameSite Strict.
  • Rate limiting: Automated protection against brute-force attacks and abuse of our forms and API endpoints.
  • Input validation: All form submissions are validated server-side to prevent injection attacks and ensure data integrity.
  • Spam protection: Honeypot mechanisms to detect and prevent automated bot submissions.
  • Disposable email filtering: Submissions from known disposable or temporary email providers are rejected to maintain data quality.

While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

12. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at office@clinicalamed.com, and we will take steps to delete such data promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes your acceptance of the updated policy.

14. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Romania is:

  • Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
  • Address: Bd. G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
  • Website: www.dataprotection.ro

If you reside in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:

  • Email: office@clinicalamed.com
  • Phone: +40 723 577 452
  • Registered office: Str. Baia Mare 15, Cluj-Napoca 400171, Cluj County, Romania
  • Clinic address: Str. Nicolae G. Caramfil 87, Bucharest 014142, Romania