Privacy Policy

How Tune Clinic Apgujeong collects, uses, and protects your information.

Last updated: 2026-05-20 · v1.1 (Google Ads advertising-data disclosure)

This Privacy Policy explains how Apgujeong Tune Clinic (“Tune Clinic,” “we,” “us”) collects, uses, discloses, and protects personal information processed through our website tuneclinic-global.com and our booking / messaging channels. It is written to comply with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR) for visitors in the EU/EEA/UK/Switzerland, and equivalent obligations in other jurisdictions our international patients travel from.

If you do not agree with this policy, please do not submit personal information through our forms. You may continue to browse the site under the cookie controls described in §5.

Contents

  1. Data controller and contact
  2. What we collect
  3. Why we use it (legal bases)
  4. Third-party processors
  5. Cookies, analytics & advertising
  6. Retention
  7. Sharing & international transfers
  8. Your rights
  9. Security
  10. Children
  11. Updates to this policy

1. Data controller and contact

The data controller is:

Apgujeong Tune Clinic

4th Floor, 825 Eonju-ro, Gangnam-gu, Seoul 06022, Republic of Korea

Director / Privacy Officer: Dr. Jee Hoon Ju

Tel: +82-507-1438-8022

WhatsApp: +82-10-7674-4128

Privacy enquiries: reception@tuneclinic-global.com

2. What we collect

a) Information you give us

  • Contact details: name, email address, phone number, preferred messaging channel (WhatsApp, Instagram, LINE, WeChat).
  • Booking details: travel dates in Seoul, treatment(s) of interest, prior treatment history you choose to share, and free-text questions in the booking form.
  • Health-related information: photographs you voluntarily attach for preliminary assessment, and any medical history relevant to safety screening (allergies, medications, prior aesthetic procedures, IV-sedation contraindications). This is treated as sensitive personal information under PIPA Art. 23 and as special-category data under GDPR Art. 9, and is processed only with your explicit consent and only for the purpose you submitted it.
  • In-clinic records: clinical notes, treatment plans, consent forms, before/after photographs taken during your visit. These are governed by the Korean Medical Service Act and our internal medical-records protocol.

b) Information collected automatically

  • Device & usage data: IP address, browser type, language, referring URL, pages viewed, approximate geographic region.
  • Cookies and similar technologies: see §5.
  • Session replays: aggregated, anonymised mouse-movement / scroll data collected by Microsoft Clarity to improve the website experience. Form-field content is masked by default.

3. Why we use it (legal bases)

  • To respond to your booking or consultation request — necessary for the performance of the requested service (GDPR Art. 6(1)(b); PIPA Art. 15(1)(4)).
  • To provide medical care during your visit — performance of a contract and compliance with the Korean Medical Service Act (GDPR Art. 6(1)(c) + 9(2)(h); PIPA Art. 23(1)(2)).
  • To send treatment-related follow-ups (aftercare instructions, photo follow-up reminders) — performance of the requested service.
  • To improve our website and services — our legitimate interest in operating the site, balanced against your rights (GDPR Art. 6(1)(f)). For EU/EEA/UK/Swiss visitors, analytics and marketing cookies are loaded only after explicit consent (see §5).
  • To measure advertising and operate remarketing audiences — we use Google Ads (incl. Enhanced Conversions, the Conversion API, remarketing, and Customer Match) and Meta Pixel to measure which campaigns lead to bookings and to show our advertising to people who have previously interacted with the site. This processing relies on your consent (GDPR Art. 6(1)(a); PIPA Art. 15(1)(1)) and is described in detail in §5.
  • To comply with legal obligations — including medical record retention (Korean Medical Service Act Art. 22, Enforcement Decree Art. 15).

4. Third-party processors

We rely on a small number of vetted processors. Each only receives the minimum information needed for its function and is bound by a written processing agreement where applicable.

| Service | Purpose | Region |
|---|---|---|
| Supabase | Booking-form database; messaging-channel records | EU/US (encrypted at rest & in transit) |
| Netlify | Static site hosting & edge functions | Global CDN |
| Google Tag Manager | Container service that loads the other Google tags listed below | US (Standard Contractual Clauses) |
| Google Analytics 4 | Aggregated website analytics | US (Standard Contractual Clauses) |
| Google Ads | Conversion measurement (incl. Enhanced Conversions and server-side Conversion API), remarketing audiences, and Customer Match. May receive one-way hashed (SHA-256) email addresses and phone numbers when you submit our booking form — only after your consent (see §5). Subject to Google’s Privacy Policy and Customer Match policy. | US (Standard Contractual Clauses) |
| Microsoft Clarity | Heatmaps & session replays (form-field content masked) | US (Standard Contractual Clauses) |
| Meta (Facebook) Pixel | Marketing attribution and remarketing audiences (loaded only on consent) | US (Standard Contractual Clauses) |
| Cloudflare Turnstile | Bot & spam protection on submission forms | Global CDN |
| WhatsApp / Instagram / LINE / WeChat | Direct messaging when you contact us via those channels | Governed by each provider’s own policy |

We do not sell personal information. We do not share it with brokers, “medical tourism” agencies, or third-party referral networks.

5. Cookies, analytics & advertising

a) Cookie categories

  • Strictly necessary — session, security, and bot-protection cookies required for the site and booking flow to work. Always on.
  • Analytics — Google Analytics 4 and Microsoft Clarity. Help us understand how the site is used so we can improve it.
  • Advertising — Google Ads tags (conversion measurement, remarketing) and Meta Pixel. Used only for measuring our advertising and showing it to people who have visited the site.

b) How consent works

For visitors in the EU, EEA, UK, and Switzerland, analytics and advertising cookies are blocked by default and load only after you click “Accept” on the consent banner. You can withdraw consent at any time by clearing site data in your browser; the banner will reappear on your next visit. We honour Global Privacy Control (GPC) signals where required.

For visitors elsewhere, analytics and advertising cookies are enabled by default in accordance with applicable local law. You can disable them at the browser level or by using widely-available browser extensions; if you would like us to delete analytics data already associated with you, contact us at the address in §1.

c) Google Ads conversion measurement & Customer Match

Where you have consented (or, outside the EU/EEA/UK/CH, where applicable local law permits), we use Google Ads to measure which advertising campaigns lead to bookings or consultations, and to build remarketing audiences so we can show our advertising to people who have previously visited the site. This may include:

  • Conversion tags — client-side tags fired when you reach the booking-confirmation page.
  • Enhanced Conversions / Conversion API — server-side transmission of conversion events to Google. When you submit a booking form, we may transmit a one-way SHA-256 hash of your email and/or phone number to Google so the conversion can be matched against the ad that brought you to us. The hash is irreversible; Google does not receive your raw email or phone number from us.
  • Customer Match — we may include the same one-way hashed identifier in an audience uploaded to Google Ads so we can show or suppress advertising to people who have already booked. Hashed identifiers are uploaded only for users who have consented (where consent is required) and only when we have a lawful basis to do so. We do not upload identifiers belonging to anyone who has opted out, and we delete identifiers from Customer Match audiences on request (see §8). Use of this feature is governed by Google’s Customer Match policy.

d) How to opt out of Google advertising

6. Retention

  • Booking-form submissions that do not result in a visit: retained up to 12 months, then deleted.
  • Medical records of patients who visit the clinic: retained for the periods required by the Korean Medical Service Act (Enforcement Decree Art. 15) — generally 5 to 10 years depending on record type.
  • Before/after photographs: retained for the duration of your patient relationship plus the statutory medical-record period, unless you withdraw consent for clinical photography earlier.
  • Analytics data: retained for the default period configured in each platform (Google Analytics 4: 14 months; Microsoft Clarity: 1 year; Meta Pixel: 2 years).

7. Sharing & international transfers

We do not share personal information for commercial purposes. We may disclose limited information when legally required (court order, regulatory request, public-health authority) or when necessary to protect the safety of patients or staff. Some of the processors listed in §4 are based outside Korea; transfers to those processors rely on Standard Contractual Clauses or the data-importer’s adequacy mechanism, as applicable.

8. Your rights

Subject to applicable law, you can ask us to:

  • Confirm what information we hold about you.
  • Correct inaccurate information.
  • Delete information we no longer have a legal basis to retain (subject to medical-record retention obligations).
  • Restrict or object to specific processing activities.
  • Receive a portable copy of the information you provided to us.
  • Withdraw consent to clinical photography, marketing cookies, or advertising-data uploads (Google Ads Customer Match / Enhanced Conversions, Meta Pixel) at any time. We will remove your hashed identifier from our Customer Match audiences within 7 days of receiving a request and propagate the removal to Google.

To exercise any of these rights, contact us at reception@tuneclinic-global.com. We respond within 30 days. You also have the right to lodge a complaint with the Korean Personal Information Protection Commission or, for EU/EEA/UK/Swiss residents, your local supervisory authority.

9. Security

We protect personal information with administrative, technical, and physical safeguards proportionate to its sensitivity. Booking and messaging traffic is encrypted in transit; sensitive records held in Supabase are encrypted at rest; physical medical records inside the clinic are stored in locked cabinets in a restricted-access area. Access is limited to the physician and trained reception staff bound by confidentiality obligations.

10. Children

Our services are intended for adults. We do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a minor, please contact us and we will delete it.

11. Updates to this policy

We may update this policy from time to time. Substantive changes will be flagged on this page with a revised “Last updated” date. For changes that materially affect how we process your information, we will use reasonable means to notify you in advance.