Privacy Policy – Blue Longevity

Last Updated: April 1, 2026

1. Introduction

Blue Longevity Clinic (“BLC,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you visit our website at blue-longevity.com (the “Website”) or use our services.

We process personal data in accordance with:

Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
The Bulgarian Personal Data Protection Act (PDPA)
Applicable Bulgarian and EU healthcare data protection requirements

Please read this Policy carefully. By using our Website or services, you acknowledge that you have read and understood this Policy.

2. Data Controller

The data controller responsible for your personal data is:

Блу Лонджевити Клиник Медицински Център EOOD
Trading as: Blue Longevity Clinic
EIK (Bulgarian UIC): 208322293
Registered address: bul. “Cherni Vrah” 51D, Sofia, Bulgaria
Email: contact@blue-longevity.com
Phone: +359 892 022 025
Website: https://blue-longevity.com

3. What Personal Data We Collect

3.1 Data You Provide Directly

Contact information: name, email address, phone number
Appointment booking data: preferred date and time, reason for visit
Health information: medical history, symptoms, test results, and other health-related data provided in connection with our medical services
Identity documents: where required for medical consultation purposes
Communication content: messages submitted via contact forms, email, or WhatsApp

3.2 Data Collected Automatically

Technical data: IP address, browser type and version, operating system, device identifiers
Usage data: pages visited, time spent, links clicked, referral source
Cookie data: as described in our Cookie Policy (Section 10)

3.3 Data from Third Parties

Analytics providers: Google Analytics 4 (aggregated, anonymised browsing behaviour)
Advertising platforms: Meta Ads and Google Ads conversion signals (pseudonymised)
Booking system: appointment data processed via our Amelia booking plugin on WordPress
CRM: lead and contact data stored in ActiveCampaign

4. Purposes and Legal Bases for Processing

We process your personal data only where we have a valid legal basis under GDPR Article 6 (and Article 9 for health data):

Performance of a contract (Art. 6(1)(b)): processing your booking and delivering medical services you request.
Legal obligation (Art. 6(1)(c)): maintaining medical records as required by Bulgarian healthcare law.
Legitimate interests (Art. 6(1)(f)): website analytics, fraud prevention, and improving our services, where these interests are not overridden by your rights.
Consent (Art. 6(1)(a) and Art. 9(2)(a)): marketing communications, non-essential cookies, and processing of special-category health data outside direct medical care. You may withdraw consent at any time.
Vital interests (Art. 6(1)(d) / Art. 9(2)(c)): where necessary to protect the life of the data subject or another person.

5. Special Category Health Data

As a medical clinic, we process health data (a special category under GDPR Art. 9). This is processed exclusively:

For the purposes of preventive medicine, medical diagnosis, and the provision of health care services;
By or under the responsibility of our licensed medical professionals, who are subject to professional confidentiality obligations under Bulgarian law;
Where you have provided explicit written consent prior to processing (outside of the direct treatment relationship).

Health data is stored in secure, access-controlled systems and is never sold to third parties.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with trusted third-party service providers acting as data processors on our behalf, under written data processing agreements:

Service providers include (non-exhaustive list):

ActiveCampaign, Inc. — CRM and email marketing automation (USA; EU Standard Contractual Clauses apply)
Google LLC — Google Analytics 4, Google Ads, Google Tag Manager (USA; EU SCCs apply; data minimisation and IP anonymisation enabled)
Meta Platforms, Inc. — Meta Ads Manager, Meta Pixel (USA; EU SCCs apply; event data is hashed)
ManyChat, Inc. — Instagram DM automation (USA; EU SCCs apply)
Metricool — social media scheduling (Spain; EU-based)
WP Hosting / WordPress — website infrastructure (hosting provider subject to our DPA)
Amelia (TMS Plugins) — appointment booking (hosted on our WordPress server)

We may also disclose data where required by law, court order, or to protect the rights, property, or safety of BLC, its staff, or others.

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs) approved by the European Commission;
The EU-U.S. Data Privacy Framework, where applicable;
Adequacy decisions by the European Commission.

You may request a copy of the relevant transfer mechanism by contacting us at contact@blue-longevity.com.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law:

Medical records: minimum 10 years from the date of last treatment, as required by Bulgarian healthcare legislation
Marketing contact data: until you unsubscribe or request deletion, subject to a maximum of 3 years from last engagement
Website analytics data: 14 months (Google Analytics 4 default retention period)
Booking and inquiry data: 2 years from last interaction
Financial/invoicing records: 5 years as required by Bulgarian accounting law

After the applicable retention period, data is securely deleted or anonymised.

9. Your Rights Under GDPR

You have the following rights with respect to your personal data:

Right of access (Art. 15): request a copy of the personal data we hold about you
Right to rectification (Art. 16): request correction of inaccurate or incomplete data
Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations
Right to restriction of processing (Art. 18): request that we limit how we process your data
Right to data portability (Art. 20): receive your data in a structured, machine-readable format
Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes
Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
Right not to be subject to automated decision-making (Art. 22): we do not make solely automated decisions with significant legal or similar effects

To exercise any of these rights, please contact us at: contact@blue-longevity.com

We will respond within 30 days. We do not charge a fee for reasonable requests, but may charge for manifestly unfounded or excessive requests.

You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP):

Website: https://www.cpdp.bg
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Phone: +359 2 915 3580

10. Cookies and Tracking Technologies

Our Website uses cookies and similar technologies. By category:

Strictly necessary cookies:
Required for basic website functionality (e.g., session management, booking system). Cannot be disabled.

Analytics cookies:
Google Analytics 4 with IP anonymisation enabled. Used to understand aggregate website usage patterns. Activated only with your consent.

Marketing cookies:
Meta Pixel and Google Ads conversion tracking. Used to measure advertising effectiveness and serve relevant ads. Activated only with your consent.

You can manage your cookie preferences at any time via our cookie banner, or by adjusting your browser settings. Note that disabling certain cookies may affect website functionality.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

SSL/TLS encryption for all data in transit
Access controls limiting staff access to data on a need-to-know basis
Regular security assessments of our systems and third-party processors
Staff training on data protection obligations
Incident response procedures compliant with GDPR Art. 33-34 breach notification requirements

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Bulgarian CPDP within 72 hours and affected individuals without undue delay where required.

12. Children’s Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe we have inadvertently collected such data, please contact us immediately at contact@blue-longevity.com so we can delete it.

13. Third-Party Websites

Our Website may contain links to third-party websites (e.g., social media platforms, partner organisations). This Privacy Policy applies solely to blue-longevity.com. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top of this page indicates when the Policy was most recently revised. We encourage you to review this Policy periodically. Where required by law, we will notify you of material changes.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact:

Blue Longevity Clinic — Data Protection Contact
Email: contact@blue-longevity.com
Phone: +359 892 022 025
Address: bul. “Cherni Vrah” 51D, Sofia, Bulgaria

Our team endeavors to respond to all inquiries within 2 business days.