Privacy Policy
This Privacy Policy document replaces any previous policy and has been designed to comply with the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), while also adhering to international standards such as HIPAA, CPRA, and PIPEDA.
I. Identity and Addresses of the Data Controllers
Due to our cross-border medical tourism operation, your data is processed by two legal entities that act jointly as Data Controllers and Co-Controllers/Processors. Joint responsibility is governed by a Business Associate Agreement (BAA) and/or a Data Processing Agreement (DPA).
- Primary Controller (Web Platform):
- Entity/Owner: MedStar, LLC (Owner and Operator of the website www.elaen.com).
- Registered Address: 427 N Tatnall St. Wilmington, Delaware, 19801, USA.
- Primary Jurisdiction: United States of America.
- Co-Controller/Processor (Medical Service):
- Entity/Owner: Dr. Alejandro Enríquez de Rivera Campero (Owner of the Registered Trademark “elaen” Instituto Mexicano de la Propiedad Industrial File 1620824 Register 1581167 Class 44.
- License/Permit: COFEPRIS Permit 05-036 #2518025036X00239.
- Registered Address: Paseo de los Cocoteros 55 interior 3317, Colonia Náutico Turístico, Nuevo Nayarit CP 63735, México.
- Primary Jurisdiction: Mexico.
II. Personal Data Collected and Consent Requirements
Data is collected both directly (forms, WhatsApp) and indirectly (tracking technologies like cookies).
| Data Category | Examples | Consent Requirement |
|---|---|---|
| Identification and Contact Data | Full name, email address, mobile phone number, country of residence. | Implicit or clearly provided. |
| Navigation Data | IP address, browser information, operating system, time spent on site, pages visited, data obtained via Cookies. | Acceptance through a Cookie Banner (CMP). |
| Sensitive Personal Data (SPD) / Protected Health Information (PHI) | Description of the medical condition, reason for consultation, relevant medical history, health information shared for medical evaluation and referral. | Requires Express and Written Consent (LFPDPPP). Obtained through a specific checkbox or digital form upon entering health information (record is auditable). |
III. Purposes of Data Processing
Your data is used exclusively for the following purposes, divided into primary (essential) and secondary (optional).
A. Primary Purposes (Essential for Service Delivery)
- Medical Referral and Evaluation: To transfer your SPD to the Mexican entity (Dr. Alejandro Enríquez de Rivera Campero) to evaluate your case, issue a medical referral, and prepare an initial treatment plan.
- Contact and Appointment Management: To use your contact information for individualized follow-up on your request.
- Legal Compliance and Security: To address legal requirements from health or data protection authorities (INAI, COFEPRIS, CPRA, OPC) and to diagnose server problems.
B. Secondary Purposes (Optional, Require Explicit Consent)
- Marketing and Promotion: Sending brand information, newsletters, and promotions for elaen.com or associated services, excluding the use of Sensitive Personal Data (SPD) for personalization.Requirement: Requires express and revocable consent.
- Audience Segmentation (Meta): To use non-sensitive navigation data (IP address, pages viewed) via the Meta pixel to measure advertising performance, create Custom Audiences or Retargeting lists, and generate Lookalike Audiences. Segmentation is based solely on technical and web behavior data, reaffirming that it does not use health data (SPD/PHI).
IV. Transparency in the Use of Meta Platforms and Transfers
1. Compliance with the WhatsApp Business Platform Policy:
- Explicit Opt-in: If you choose to contact us or receive recurring communications via WhatsApp, your explicit and verifiable Opt-in is required before any marketing or recurring notification conversation can begin.
- Revocability (Opt-out): You can revoke your consent for recurring messages at any time by replying with the exclusion keyword “STOP” or by notifying our Privacy Officer.
- Legal Disclosure: You understand that WhatsApp (Meta) may share your information or conversation content if legally required by authorities.
2. Use of Data for Advertising (Meta) – Absolute SPD Prohibition:
- Sensitive Data Prohibition: Sensitive health information (SPD/PHI) is never shared, transmitted, or used for advertising purposes, optimization, or segmentation on the Meta platform.
- Ad Content: We maintain consistency between our ad content and the website to prevent ad rejection due to misleading information or unsubstantiated health claims, complying with Meta’s Advertising Content Policy.
3. Cross-Border Data Transfers and Processing:
- Essential Transfer: The transfer of your data, including SPD, from the website (MedStar, LLC in the USA) to the clinic in Mexico (Dr Alejandro Enríquez de Rivera Campero) is indispensable for the Primary Purpose of medical referral.
- Canadian Patients (PIPEDA): For patients in Canada, the transfer is considered a “use,” not a disclosure. MedStar, LLC maintains continuing responsibility for the protection of that data.
- Legal Agreements: The transfer is covered by a formal BAA/DPA that guarantees the security and confidentiality of the information.
V. Mechanisms for Exercising Rights (ARCO and Exclusion)
You have the legal right to control your personal data. We provide mechanisms for exercising ARCO Rights (LFPDPPP) and access/deletion rights (CPRA/PIPEDA).
Data Subject Rights:
- Access (A)
- To know what personal data we hold, why we use it, and the conditions of its use.
- Rectification (R)
- To request the correction of your personal information.
- Cancellation (C)
- To request the deletion of your data from our records.
- Opposition (O)
- To object to the use of your personal data for specific purposes (e.g., marketing).
- Right to Exclusion (CPRA)
- To exercise your right to request that your personal data not be sold or “shared” with third parties for advertising purposes (Do Not Sell or Share My Personal Information).
Procedure and Response Timelines:
- Request: You must send a written request to the Privacy Officer (see Section VI) containing: the data subject’s full name, a document proving your identity or legal representation, a clear and precise description of the ARCO right you wish to exercise, and any element that facilitates locating your data.
- Response Deadline: Maximum of twenty (20) business days from the receipt of the request.
- Effectiveness: If the request proceeds, the right will be made effective within fifteen (15) business days following the communication of the response.
VI. Privacy Officer Contact
The Privacy Officer acts as the central point of contact for both responsible entities.
- Privacy Officer:
- Dr. Alejandro Enríquez de Rivera Campero
- Email Address:
- contact@elaen.com
- Mailing Address (Mexico):
- Paseo de los Cocoteros 55 interior 3317, Colonia Náutico Turístico, Nuevo Nayarit CP 63735.
VII. Use of Cookies and Tracking Technologies
We use cookies and other technologies to track your interactions on our site. You can configure your browser to notify you when a cookie is set or to reject all cookies. However, by rejecting all cookies, some site functions may not be available.
VIII. Modifications to the Privacy Notice
This Privacy Notice may be modified. Changes will take effect upon publication of the new version on our website, indicating the “Last Updated Date.” If the changes are substantial (especially those affecting the purposes or the processing of SPD), you will be notified via email.
Last updated: October 17, 2025
