Balm Oyster MEDICAL

Privacy Policy

Last updated: June 21, 2026

1. Scope of This Policy

This Privacy Policy describes how Balm Oyster Medical ("we," "us," "our") collects, uses, discloses, and protects personal information and personal health information in connection with the care we provide and your use of this website, across all of our locations in Canada, the United Kingdom, the United Arab Emirates, Switzerland, and Germany.

Because health-privacy law varies meaningfully by country, the specific protections that apply to you depend on the location where you receive care. Where local law provides a stronger right than described generally in this policy, the local right governs. The frameworks most relevant to our locations include the Personal Health Information Protection Act (PHIPA) and Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, UK GDPR and the Data Protection Act 2018 in the United Kingdom, the UAE's Federal Decree-Law on the Protection of Personal Data, Switzerland's Federal Act on Data Protection (FADP), and Germany's Federal Data Protection Act (BDSG) alongside the EU GDPR.

2. Information We Collect

We collect several categories of information, depending on your relationship with us:

  • Identifying information — name, date of birth, contact details, government identification or passport information where required for care or billing.
  • Health information — medical history, diagnoses, treatment records, medications, laboratory and imaging results, and other clinical documentation.
  • Financial information — billing details, insurance information, and payment records.
  • Next-of-kin and emergency contact information, where provided.
  • Appointment request information — the name, contact details, preferred location, specialty, and message you submit through our website's appointment request form.
  • Website usage information — pages visited and general technical data such as browser type, collected when you use this website.

3. How We Use Your Information

We use the information described above to:

  • Provide, coordinate, and follow up on your medical care across departments and, where relevant, across our locations.
  • Respond to appointment requests and other inquiries submitted through this website.
  • Process billing, insurance claims, and payment.
  • Meet legal, regulatory, and accreditation obligations, including mandatory reporting where required by law.
  • Conduct internal quality assurance, patient safety review, and accreditation activities.
  • Operate and improve this website.

We do not sell personal or health information, and we do not use your health information for marketing purposes without your explicit, separate consent.

4. Our Legal Basis for Processing

In jurisdictions that require a documented legal basis for processing personal data (including the UK, Switzerland, and Germany), we rely primarily on: your consent; the necessity of processing to provide care you have requested; our legal obligations as a healthcare provider; and, in limited circumstances, the vital interests of a patient who is unable to provide consent — for example, in an emergency. Where we rely on consent, you may withdraw it at any time as described in Section 8.

5. Who We Share Information With

We limit access to your information to those who need it. We may share information with:

  • Clinicians and staff directly involved in your care, at the location where you are treated.
  • Another Balm Oyster Medical location, where your care is being coordinated across borders.
  • External parties you have asked us to share information with — for example, a funeral home, consulate, or another hospital — with your consent or that of your legal representative.
  • Regulators, coroners, or public health authorities, where required by law.
  • Insurers and billing intermediaries, to the extent necessary to process payment.
  • Service providers who process appointment request submissions on our behalf, solely to deliver your message to the relevant location's care team.

6. International Data Transfers

Because we operate across Canada, the United Kingdom, the UAE, Switzerland, and Germany, your information may be transferred between locations as part of coordinating your care — for example, if you are treated at more than one of our sites, or if records are requested by a receiving provider in your home country. We apply the following safeguards depending on the jurisdiction of origin:

  • Transfers originating in the United Kingdom rely on the UK International Data Transfer Agreement (IDTA) or an adequacy decision recognized by the UK Information Commissioner's Office.
  • Transfers originating in Switzerland rely on adequacy mechanisms recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or Swiss-law-adapted standard contractual clauses.
  • Transfers originating in Germany and the EU/EEA rely on European Commission Standard Contractual Clauses or an applicable adequacy decision.
  • Transfers originating in Canada and the UAE are conducted under data-sharing agreements consistent with PHIPA, PIPEDA, and the UAE's federal data protection law, respectively.

In every case, we limit the information transferred to what is necessary for your care and apply the same standard of protection regardless of where it is processed.

7. Data Retention

We retain medical records for the period required by law in the jurisdiction where care was provided:

  • Canada — a minimum of 10 years from the date of the last entry, or until 10 years after a minor patient reaches the age of majority.
  • United Kingdom — a minimum of 8 years after the conclusion of treatment for adults; 25 years for maternity records; and until a patient's 25th birthday (26th if they were 17 at the conclusion of treatment) for children and young people.
  • UAE — a minimum of 10 years from the date of the last entry.
  • Switzerland — a minimum of 20 years following the conclusion of treatment.
  • Germany — a minimum of 10 years following the conclusion of treatment, or longer where specific record types (such as radiology or surgical records) are subject to extended statutory periods.

Billing and financial records are retained for at least 7 years for tax and audit purposes, or longer where local law requires. Appointment request submissions that do not result in a care relationship are retained for no longer than 24 months.

8. Your Rights

Depending on where you receive care, you may have the right to:

  • Access a copy of your personal and health information.
  • Request correction of inaccurate information.
  • Request erasure or restriction of processing, where applicable law permits and subject to our legal obligation to retain medical records.
  • Object to certain processing, including for direct marketing.
  • Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint with the relevant data protection authority in your jurisdiction.

To exercise any of these rights, contact us using the details in Section 14. We will respond within 30 days, or inform you if more time is needed due to the complexity of your request. We may need to verify your identity before processing a request involving health information. See our Patient Rights & Privacy page for further detail.

9. Marketing Communications

With your explicit, opt-in consent, we may send appointment reminders, follow-up care surveys, or general wellness communications. You can withdraw this consent at any time using the unsubscribe link included in any such communication, or by contacting us directly. Withdrawing consent will not affect the medical care you receive or your ability to use our services.

10. Information About Minors

Where we provide care to a child or adolescent, information is collected and used as described in this policy, with consent obtained from a parent or legal guardian except where law permits a minor to consent independently (for example, certain emergency or sensitive-care contexts). Parents or legal guardians may exercise the rights described in Section 8 on behalf of a minor in their care, subject to applicable law.

11. Cookies & Website Technologies

This website does not set cookies of any kind, and does not use advertising or third-party tracking technologies. Interactive elements such as the mobile navigation menu and FAQ accordion are controlled entirely by client-side JavaScript running in your browser, which does not store or transmit any information. If we introduce analytics, functional, or marketing cookies in the future, this section will be updated in advance, and a consent mechanism will be put in place wherever required by law before any such cookie is set.

12. How We Protect Your Information

We maintain administrative, technical, and physical safeguards designed to protect personal and health information against unauthorized access, disclosure, alteration, or loss, including access controls limiting record access to staff directly involved in your care, encryption of data in transit, and regular review of who holds access to clinical systems. In the event of a data breach affecting your personal or health information, we will notify you and the relevant supervisory authority within the timeframe required by applicable law — for example, within 72 hours of becoming aware of a breach under UK GDPR and the EU GDPR. No system is perfectly secure; we review and update our safeguards on an ongoing basis.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be communicated through this website.

14. Contact & Data Protection Officer

Questions, requests, or concerns about this policy or how your information is handled can be directed to contact@balmoystermedical.com, or directly to our Group Data Protection Officer, Helena Marsh, at privacy@balmoystermedical.com. If you believe your concern has not been adequately addressed, you may also lodge a complaint with the data protection authority in your jurisdiction — for example, the UK Information Commissioner's Office (ico.org.uk) or the Swiss Federal Data Protection and Information Commissioner (edoeb.admin.ch).