How we handle your personal and health information
Allure RT MX coordinates concierge medical care between US, Canadian, and international patients and our partner specialists in Tijuana, Mexico. This page explains exactly what we collect, why, who can see it, how long we keep it, and how to ask us to change or delete it.
1. Who we are
This site (allurert.com) is operated by Allure RT MX, a concierge medical tourism agency. We are the data controller for information you submit through this website. Our partner clinics are separate entities that act as data processors when we hand off your case to them for consultation or treatment.
Questions about this policy or any data we hold about you: [email protected]. We respond within five business days.
2. Information we collect
Information you give us directly
- Quick consultation request (lead form, first step): your full name, phone number, and the condition or procedure you're asking about.
- Patient intake (lead form, second step, optional but recommended): date of birth, gender, email address, mailing address, emergency contact name and phone, occupation, weight, height. We use these to prepare your case file before your consultation so the call goes faster.
- Free-text messages you send via our contact page or in reply to our emails. Treat these the way you would an email to a doctor's office: only include health information you're comfortable sharing.
Information collected automatically when you visit
- Standard server logs: IP address, browser type, device type, timestamps, the pages you viewed, and the page that referred you. We use these for security, fraud prevention, and to understand how the site is used.
- Cookies and similar technologies: a small set used for site function and for advertising measurement. See section 6 below.
- Ad-click identifiers: when you arrive from a Meta or Google ad, the URL often includes fbclid, gclid, or utm_* parameters. We capture these so we can measure which ad campaigns deliver patients and improve our marketing.
Information we receive from third parties
- Meta (Facebook/Instagram): when you interact with our ads or our pixel fires on this site, Meta shares back aggregate audience and conversion data so we can measure ad performance.
- Our partner clinics: if you've already been seen by one of our partner clinics, they may share treatment notes back to our coordination team with your consent so we can support your follow-up care.
3. How we use your information
- To deliver the service you asked for. We send your case to a coordinator who calls you, prepares a written estimate, books your consultation, and coordinates logistics if you proceed.
- To share your case with the appropriate partner clinic after you've confirmed you want a consultation with that clinic. Your medical intake is shared only after you opt in to that specific consultation.
- To send transactional emails: appointment confirmations, intake receipts, pre- and post-trip instructions.
- To send occasional follow-up messages about your case. You can opt out of non-essential follow-ups any time by replying STOP or by emailing us.
- To measure and improve our advertising: we use aggregated ad-performance data to decide which ads to keep running. This is in our legitimate interest (and yours, since better targeting means fewer irrelevant ads).
- To comply with legal obligations, defend our legal rights, or respond to lawful requests from regulators.
4. Who we share your information with
We do not sell your personal or health information to anyone, ever. We share only when we need to, only the minimum required, and only with these categories of recipients:
- Our internal coordination team: Natalia (lead patient coordinator) and the small team that supports her.
- The specific partner clinic you're consulting with: once you confirm a clinic, your medical intake and contact details are forwarded so they can prepare. If you decide not to proceed, no further information is shared.
- Service providers we use to operate the site and the service:
  - Cloudflare — hosts this website and routes form submissions. Standard server logs sit here for up to 30 days.
  - Resend — delivers our transactional and notification emails.
  - Google (Google Sheets via Apps Script) — the internal spreadsheet our coordination team uses as a CRM to track who has been called back.
  - Meta (Facebook/Instagram) — advertising measurement via the Meta Pixel and the Meta Conversions API. Personal identifiers sent to Meta for measurement (email and phone) are hashed using SHA-256 before they leave our server; Meta uses them only to match your event to an account, not to receive your raw information.
- Professional advisors (accountants, lawyers, insurance) on a strict need-to-know basis.
- Regulators or law enforcement when required by valid legal process.
- A buyer or successor if we are ever acquired, merged, or restructured. The buyer would be subject to this same policy.
5. How long we keep your information
- Lead-only data (Stage 1: name, phone, condition, ad-click identifiers): kept for up to 24 months from your last interaction so we can respond to follow-up questions, then deleted on our next quarterly cleanup.
- Patient intake data (Stage 2: DOB, gender, address, emergency contact, weight/height, etc.): kept for as long as we have an active care-coordination relationship plus 5 years to honor medical-record continuity expectations, then deleted unless required by applicable law to keep longer.
- Server logs: up to 30 days at the Cloudflare layer, longer only if required for an active security investigation.
- Advertising measurement data with Meta: governed by Meta's data retention policy; we cannot extend or shorten that on Meta's side.
You can ask us to delete your information earlier (see section 8).
6. Cookies and tracking
We use a small set of cookies and similar technologies:
- Strictly necessary — required for the site to load, the form to submit, and security to work. Cannot be disabled.
- Advertising measurement — the Meta Pixel sets a small first-party cookie so Meta can attribute conversions back to the ad you clicked. You can block this category by enabling Do Not Track in your browser, by using an ad blocker, or by adjusting your Meta ad preferences.
We do not use cross-site tracking pixels other than Meta's. We do not use Google Analytics on this site.
7. Children's information
This site and our service are intended for adults aged 18 and older. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, please email [email protected] and we will delete it.
8. Your rights and how to use them
Wherever you live, you can ask us to:
- See what we have. A copy of your information in a portable format.
- Correct anything that's wrong, including outdated phone numbers, addresses, or medical intake details.
- Delete it. We will delete personal information unless we are legally required to keep it (for example, financial records for tax purposes).
- Stop us from using it for marketing. You can opt out of marketing email any time. Reply STOP to any text-message follow-up.
- Withdraw consent you previously gave for a specific use.
To exercise any of these rights, email [email protected] with the email address or phone number we have on file. We respond within five business days and complete the requested action within 30 days unless we tell you we need longer (we will explain why).
If you live in California
The California Consumer Privacy Act gives you the rights above plus the right to not be discriminated against for exercising them (we will not change your service in retaliation). We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined in California law.
If you live in the EU, the UK, or Switzerland
The GDPR / UK GDPR gives you all of the rights above plus the right to lodge a complaint with your local data-protection authority if you are not satisfied with how we have handled your request. We rely on the following legal bases:
- Consent for marketing communications and for the Meta Pixel.
- Contract for the consultation coordination service you asked us to perform.
- Legitimate interests for security, fraud prevention, and aggregate advertising measurement, balanced against your rights and freedoms.
- Legal obligation where a law requires us to keep records.
If you live in Mexico
This site complies with the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP). You may exercise your ARCO rights (acceso, rectificación, cancelación, oposición) by emailing the address above. Our designated privacy point of contact is the Allure RT MX coordination team.
9. Data security
We protect your information with industry-standard controls:
- All form submissions travel over HTTPS and are encrypted in transit.
- Access to our coordination CRM is limited to named team members and requires individual login credentials.
- Identifiers we send to Meta for advertising measurement are SHA-256 hashed before they leave our server.
- We do not store payment information on our own servers; payments, when they occur, go through standard PCI-DSS compliant processors at the partner clinic or travel layer.
No security program eliminates risk entirely. If we ever experience a breach that affects your information, we will notify you and the relevant regulators in line with applicable law.
10. International transfers
Allure RT MX coordinates care between countries by design, so your information will cross borders. Specifically, data may be processed in:
- The United States, where most of our service providers (Cloudflare, Resend, Google, Meta) operate.
- Mexico, where our coordination team and partner clinics are located.
- The European Union, if you submitted information from there.
Where required, transfers are made under appropriate safeguards (Standard Contractual Clauses, equivalent mechanisms, or your explicit consent for the consultation you requested).
11. Changes to this policy
We update this policy when our practices change. The "Last reviewed" date at the top reflects the most recent substantive update. If we make a change that materially affects your rights, we will notify active patients by email before the change takes effect.
12. Contact
For privacy questions, requests, or complaints:
Allure RT MX — Privacy
Email: [email protected]
Phone: +1 (949) 630-2619
Address: David Alfaro Siqueiros 2643, Int 401, Zona Urbana Río, Tijuana, BC, Mexico