TFP Fertility Privacy Policy

At TFP, we value your trust and confidence. This Privacy Policy explains what types of personal information are collected when you visit the TFP website, how we keep it secure, and how this information is used. We are committed to full transparency and to ensuring the highest level of protection for your privacy.

General Information

This Privacy Policy describes how TFP Fertility Group Ltd and its affiliates and partners (“TFP,” “we,” or “us”) collect and process your personal information when you visit our website, use our digital applications, and interact with us via our clinics, live chats, email communications, and social media channels (together, the “Services”).

This policy applies to all company web pages under www.tfp-fertility.com.

In some cases, TFP Fertility Group Ltd and the local clinic responsible for your care may act as joint controllers of your personal data. This means we jointly determine how and why your data is processed. We have agreements in place to ensure that your rights are protected and that responsibilities for GDPR compliance are clearly defined between the parties.

In Poland, joint controllers for patient-care activities include TFP Fertility Vitrolive Sp. z o.o. (ul. Wojska Polskiego 103, 70-483 Szczecin) and Centrum Medyczne Macierzyństwo Sp. z o.o. Sp. k. (ul. Białoprądnicka 7A, 31-221 Kraków).

What data do we collect?

You directly provide most of the information we collect. We collect and process the data you provide in three main ways:

Information that you provide to us:

• Contact Information: Your name, email address, mailing address, and phone number when you register for TFP services, subscribe to TFP marketing, communicate with us, or make an enquiry.

• Patient Registration Information: Information provided in connection with your TFP “Patient Profile,” including contact information, username, medical history, weight, height, age, gender, and other relevant details that you consent to provide.

• Communications Information: Details of your interactions with our clinical or support teams, including certain phone calls (for training and monitoring purposes), emails, live chats, video calls, and social media interactions.

• Survey and Review Information: Information you provide in surveys or testimonials about TFP goods and/or services.

• Other User Information: Any other data you provide related to your use of TFP treatments or services, such as event bookings, appointment scheduling, or personal experience feedback.

Information we collect automatically

We also collect information that is generated automatically through your use of our services - such as events attended, appointments booked, classes attended, and phone enquiries made to TFP.

We may also collect patient feedback provided through Patient Experience surveys.

When someone visits our website, we use Google Analytics, which collects standard internet log information in an anonymised form to help us understand website usage patterns. We do not attempt to identify individual visitors using this data.

If you visit our website, we also collect the following technical data, which are necessary to display the site correctly and to ensure its stability and security:

• IP address

• Date and time of your request

• Time zone difference to Greenwich Mean Time (GMT)

• Content of the request (the page requested)

• Access status / HTTP status code

• Amount of data transferred

• Referring website (the page from which the request originated)

• Browser type and version

• Operating system and its interface

• Language and version of the browser software

You can prevent your data from being used by Google Analytics by installing the official Google Analytics Opt-Out Browser Add-on.

Monitoring and Security Measures

To protect our patients, staff, and facilities, we may use the following tools:

CCTV Monitoring:
Our clinics may operate CCTV cameras in non-sensitive areas (for example, entrances and waiting rooms) for safety and security purposes.

Retention: Footage is normally retained for up to 3 months, and only kept longer where required for a specific investigation, legal obligation, or legal proceedings.
Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Phone Call Recordings:
Inbound calls to our main clinic lines may be recorded for training, quality, or safety purposes.

Retention: Recordings are retained for 30 days.
Legal basis: Legitimate interests or consent, depending on the context.

Portal Documents:
Documents uploaded to patient portals are stored within the portal for a maximum of 60 days.
After this period, the documents can be reinstated on the portal upon request.

Information We Collect from Third Parties

We may collect personal data about you from third parties where permitted by law. This may include:

• Third-party applications: Information shared via app stores or social networking sites, depending on your privacy settings. This may include public profile information or interaction history.

• Other third-party sources: Information provided by partners or service providers to help us improve our services, support your care journey, or respond to enquiries more effectively.

• Banks and payment providers: Data such as account or transaction details to verify payments, manage refunds, and resolve any billing issues.

• Credit reference agencies (e.g. National Debt Register BIG S.A.): Where appropriate, we may check financial standing before entering into a contract or agreement.

• Healthcare platforms and referring providers: If you are referred to us, or use an external system connected to our services, we may receive relevant information such as your name, contact details, medical history, or test results to ensure continuity of care.

We process this information only where necessary to provide healthcare services, support administrative processes, verify payment details, or fulfil our legal and regulatory obligations.

Providing your personal data is voluntary, but necessary for us to provide healthcare services. Without this data, we may not be able to enter into or perform our contractual obligations.

Analytics and Third-Party Tools

We use the following analytics and tracking tools to improve user experience and website performance:

1. Google Analytics: Collects anonymous internet tracking information to help us understand usage patterns. We do not attempt to identify individual visitors through this data. You may opt out by installing the Google Analytics Opt-Out Browser Add-on.

2. Microsoft Clarity and Microsoft Advertising: Captures behavioural metrics, heatmaps, and session replays to improve our products and services. Cookies and tracking technologies help determine product popularity and online activity. For more information, visit the Microsoft Privacy Statement.

3. VWO (Visual Website Optimizer, Wingify Software Pvt. Ltd.): We use VWO for A/B testing and website optimisation. It collects anonymised interaction data (e.g., click paths, scroll behaviour) to help improve usability. While Wingify is based in India, VWO processes all visitor data in data centres located within the EEA. For more information, see their Privacy Policy.

4. Meta Pixel (Facebook/Instagram): for measuring ad conversions and optimising campaign performance across Meta platforms. For more information, see their Privacy Policy.

5. LinkedIn Insight Tag: for measuring the impact of LinkedIn ads and enabling remarketing. For more information, see their Privacy Policy.

6. Call360 (Esale): We use Call360 to track calls made via dynamic phone numbers in order to understand marketing attribution and improve service performance. These dynamic numbers are only displayed when users have consented to targeting cookies via our cookie banner (OneTrust). This ensures full compliance with the EU ePrivacy Directive and GDPR. For more information, see their Privacy Policy.

7. Hotjar: for collecting anonymised session recordings and heatmaps that help us understand how visitors interact with our website content and improve usability. For more information, see their Privacy Policy.

8. Edudip (Webinar Registration Platform): We use Edudip to host webinars and manage registrations. When you sign up for a webinar, you may be redirected to an Edudip-hosted registration page. Edudip collects personal information (such as name and email) on our behalf to manage attendance and follow-up communications. We do not embed Edudip forms directly on our website. For more details, see Edudip’s Privacy Policy.

9. Storyblok (Website Content Delivery): We use Storyblok to manage and deliver the content displayed on our website, including the structure of forms. However, Storyblok does not process or store any form submission data. When you fill in a contact or enquiry form, your data is securely transmitted directly to TFP via email and is not retained on the website or by Storyblok. For more details, see Storyblok’s privacy policy.

How we use your personal data

User-provided information:

• Personal information you provide to TFP will only be used for the stated purposes, such as providing information about our treatments and requesting feedback from you.

• Personal information will not be sold to third parties or provided to direct marketing companies without your explicit permission.

• When contacting TFP for treatment, we ask for your active and freely given consent under Article 6(1)(a) GDPR (EU 2016/679) to participate in our patient feedback surveys. Based on this consent, you will receive emails asking about your experience during the different stages of your treatment. The controller responsible for sending these emails is your clinic.
  For these surveys, we need your first and last name, email address, and your responses to the survey questions.
  Please note that the survey results are personal and could — theoretically — be associated with your patient record within the clinic. It is possible that a member of the clinic team may contact you after the survey to discuss what you may need for complete treatment or how to improve any negative aspects.

• We use third-party tools such as VWO (Visual Website Optimizer) to improve website functionality and user experience. VWO helps us conduct A/B testing, track user engagement, and visualise browsing patterns to enhance site usability. The data collected is anonymised and does not contain any personally identifiable information (PII).

Automatic demographic and statistical information:

• Information collected through Google Analytics is used to evaluate the effectiveness of the TFP website and improve content relevance and marketing campaigns.

• Any disclosure of this information will always be anonymised and will not identify individual users.

How we store your data

We are dedicated to safeguarding your data by applying the following measures:

• Regular review of information collection, storage, and processing practices to protect against unauthorised access.

• Restricted access to personal information for authorised TFP/Clinic employees, contractors, and agents, all of whom are subject to strict confidentiality obligations.

• Administrative, technical, and physical safeguards that are commercially reasonable and designed to protect against unauthorised access, disclosure, or misuse of personal information.

Personal information is stored on secure servers hosted by Vercel in the EEA and the United States, with appropriate safeguards under the EU GDPR (including European Commission Standard Contractual Clauses) and, where applicable, the EU–US Data Privacy Framework (DPF).

For surveys, we use AskNicely, and all data transfers between TFP companies are governed by Data Protection Agreements (DPAs).

Patient data are primarily stored and processed at your registered clinic in Poland.

In certain cases, TFP may cooperate with partner healthcare organisations or diagnostic providers (for example, laboratories or imaging centres) to deliver specific elements of your care. Where this occurs, those partners act as independent data controllers or data processors under Polish law and are bound by their own privacy and data-protection policies.

All partners engaged by TFP are required to process data securely and in compliance with the EU General Data Protection Regulation (GDPR) and applicable Polish healthcare legislation, including the Act on Patient Rights and the Patient Ombudsman (2008) and the Act on Therapeutic Activities (2011).

Data retention period

We retain your personal data for as long as necessary to fulfil the purposes set out in this Privacy Policy and to meet applicable legal and regulatory obligations.

In Poland, the retention of medical records is governed by national healthcare legislation, including:

• the Act on Patient Rights and the Patient Ombudsman (2008),

• the Act on Therapeutic Activities (2011),

• the Act on Infertility Treatment (2015), and

• the Regulation of the Minister of Health of 9 November 2015 on the types, scope, and models of medical documentation and the manner of its processing.

Depending on the type of record, the statutory retention periods are as follows:

• Standard medical documentation – retained for 20 years from the end of the calendar year in which the last entry was made.

• In the event of death caused by injury or poisoning – retained for 30 years from the end of the calendar year in which the death occurred.

• X-ray images – retained for 10 years from the end of the calendar year in which the image was taken (if stored separately from the medical record).

• Referrals and prescriptions – retained for 5 years from the end of the calendar year in which the service was provided.

• Medical records for children under the age of 2 – retained for 22 years.

• Assisted Reproductive Technology (ART) records, including documentation of donated or stored reproductive cells or embryos, are retained for 90 years from the date of creation.

These retention periods are mandatory under Polish healthcare law and take precedence over general data retention rules.

We regularly review our data retention practices to ensure they remain compliant with Polish healthcare regulations and data protection laws. Retention periods may be extended in cases involving legal claims, investigations, or other specific obligations.

Marketing

We may send you information about our products and services, as well as those of our affiliates or partners, with your consent. You can unsubscribe from marketing communications at any time.

Our direct electronic marketing is based on your consent in accordance with Article 6(1)(a) GDPR and the Polish Telecommunications Law (Prawo telekomunikacyjne). You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

If you withdraw your consent, we will stop sending you marketing communications, but we may continue to contact you regarding administrative or service-related matters that are necessary to perform our contractual or legal obligations.

Cookie Technology

Our website uses cookies to improve your browsing experience. You can disable cookies at any time through your browser settings.

We use a Cookie Consent Centre (OneTrust) to manage your cookie preferences in full compliance with the EU ePrivacy Directive, the General Data Protection Regulation (GDPR), and the Polish Telecommunications Law (Prawo telekomunikacyjne).

Non-essential cookies — such as those used for analytics, advertising, and social media integration — are only activated after you provide explicit, informed consent. These cookies will remain disabled unless and until you choose to accept them.

You can update or withdraw your cookie preferences at any time by clicking “Cookie Settings” at the bottom of any page.

For more information about the types of cookies we use, their purpose, and how we manage consent, please refer to our Cookie Policy.

Who we share your personal information with

We may disclose your personal information to the following categories of recipients:

• Group Companies, Third-Party Service Providers, and Business Partners:
  Information may be shared to provide IT, analytics, payment processing, technical support, and marketing services.
  Data Protection Agreements (DPAs) are in place with all such partners to ensure compliance with data protection laws.

• Competent Law Enforcement Bodies, Regulators, Government Agencies, Courts, or other Third Parties:
  When required to comply with the law, establish legal rights, protect vital interests, or detect and prevent security or fraud issues.

Privacy policy for other websites

Our Privacy Policy applies only to our own website.
If you follow a link to another website, please review that website’s own Privacy Policy.

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United Kingdom, the United States, and India, where providers such as Google, Meta, Microsoft, Hotjar, LinkedIn, Call360, and VWO operate.

Whenever data are transferred outside the EEA, TFP ensures appropriate safeguards under the EU General Data Protection Regulation (GDPR), including European Commission adequacy decisions, Standard Contractual Clauses (SCCs), and — where applicable — participation in the EU–US Data Privacy Framework (DPF).

Copies of the relevant safeguards may be requested by contacting anna.janicka@tfp-fertility.com.

Legal basis for processing

TFP Fertility Group Ltd collects information from individuals for various purposes related to providing fertility-related services, ensuring effective care, complying with legal requirements, and safeguarding the vital interests of individuals. The legal bases for processing data are as follows:

Contractual Performance:
TFP collects and processes personal information where it is necessary to fulfil the contractual obligations between TFP and the individuals providing the data. This includes data required for scheduling appointments, providing fertility treatments, managing patient records, and processing payments for the services rendered.

Legitimate Interests:
TFP processes personal data on the basis of legitimate interests pursued by TFP or third parties. For example, these legitimate interests may include improving the quality of fertility treatments, conducting research to enhance fertility outcomes, or optimising internal processes to ensure better patient care.
TFP will always ensure that these legitimate interests are balanced with the rights and freedoms of the individuals whose data is being processed.

Consent:
TFP seeks explicit consent from patients or individuals for specific data-processing activities. This may include obtaining consent for fertility-related research studies, sharing medical information with other healthcare providers, or using personal data for marketing purposes.
Consent must be freely given, informed, and easily revocable by the individual at any time.

Legal Obligations:
TFP is subject to various legal requirements and regulatory obligations. Data processing may be necessary to comply with these obligations, such as maintaining accurate medical records, reporting certain medical conditions to health authorities, and adhering to data-protection and healthcare laws.

Protecting Vital Interests:
In certain critical situations where an individual’s life or health is at risk, TFP may process personal data based on the vital interests of the individual. For example, during emergency medical situations, TFP may access relevant medical information to provide timely and appropriate medical care.

Special Categories of Data:
For special categories of personal data processed in the context of care (for example, health data), we rely on Article 9(2)(h) GDPR in conjunction with applicable Polish healthcare legislation.

Sector-Specific Polish Laws:
In Poland, our processing is also subject to sector-specific legislation, including:

• the Act on Patient Rights and the Patient Ombudsman (2008),

• the Act on Therapeutic Activities (2011),

• the Act on Infertility Treatment (2015), and

• the Regulation of the Minister of Health of 9 November 2015 on medical documentation.

Changes to our privacy policy

We regularly review our compliance with this Privacy Policy. Any changes will be posted on our website and, where appropriate, notified to you by email.

Last updated on 8 October 2025.

Exercising Your Data Protection Rights

If you would like to access, correct, delete, or restrict the use of your personal data, or if you wish to object to certain types of processing or request a copy of your data (data portability), you can submit a request at any time.

To do this, please contact us using the details provided in the How to contact us section. You may be asked to confirm your identity so that we can protect your information and prevent unauthorised access.

We aim to respond to all valid requests within one calendar month, in line with the General Data Protection Regulation (GDPR). If your request is particularly complex or involves a large volume of data, we may need additional time. If so, we will let you know.

If you are not satisfied with how we handle your request, you also have the right to lodge a complaint with the relevant supervisory authority. For contact details, please see the Your rights section below.

Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict processing, object to processing, and data portability. However, please bear in mind the exemptions that apply to health records:

Retention of Health Records

Under applicable laws and regulations, we are required to retain health records for a specified period, even if you request their deletion. Health records are critical for ensuring continuity of care, meeting legal obligations, and maintaining an accurate medical history.

Why Health Records Cannot Be Deleted on Request

• Legal Compliance: Healthcare providers are legally mandated to retain medical records for a minimum period to comply with laws and regulations.

• Continuity of Care: Your health records provide a comprehensive history that ensures safe and effective treatment in the future.

• Public Interest: Retaining health records is necessary to fulfil public health responsibilities, facilitate medical research (where applicable), and address potential legal claims or inquiries.

While we cannot delete your health records on request, we are committed to ensuring that your data is handled securely and used only for appropriate purposes.

If you are located in Poland, you have the right to lodge a complaint with the Polish Data Protection Authority (UODO) if you believe your data is being processed in violation of applicable laws.

Supervisory Authority:
President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
https://uodo.gov.pl

How to contact us

If you have any questions or concerns about this Privacy Policy or how we process your personal data, please contact us using the details below:

United Kingdom - Contact Section (Data Protection Inquiries)

Data Protection Officer: Michelle Wild

Post: TFP Fertility Ltd, Institute of Reproductive Sciences, Oxford Business Park North, Alec Issigonis Way, Oxford, OX4 2HW, United Kingdom
Phone: 0808 164 5341
Email: dpo@tfp-fertility.com

European Union – GDPR Article 27 Representative

In accordance with Article 27 of the EU and UK GDPR, we have appointed an authorised representative within the European Union to act on our behalf regarding GDPR compliance for individuals located in the EU/EEA.

Netherlands - Contact Section (Data Protection Inquiries)

Data Protection Officer: Bianca Bloem

Post: TFP Fertility Netherlands B.V., Simon Smitweg 16, 2353 GA Leiderdorp, The Netherlands
Phone: +31 71 581 23 00
Email: fg_mckinderwens@tfp-fertility.com

Poland - Contact Section (Data Protection Inquiries)

Data Protection Officer: Dr Anna Janicka

Address: ul. Wojska Polskiego 103, 70-483 Szczecin
Phone: +48 91 486 43 45 / +48 691 676 305
Email: anna.janicka@tfp-fertility.com

Vitrolive Limited liability company with registered office in Szczecin
Post: TFP Fertility Vitrolive, Vitrolive Sp. z o.o., ul. Wojska Polskiego 103, 70-483 Szczecin
KRS: 0000252423 | REGON: 320166514 | NIP: PL8512959483
Phone: +48 91 48 64 345
Email: vitrolive@tfp-fertility.com

Macierzyństwo Medical Center Limited liability company Limited partnership with its registered office in Kraków
Post: TFP Fertility Macierzyństwo, Centrum Medyczne Macierzyństwo Sp. z o.o. Sp. k., ul. Białoprądnicka 7A, 31-221 Kraków
KRS: 0000343047 | REGON: 356524003 | NIP: PL6782853606
Phone: +48 124 158 800
Email: motherhood@tfp-fertility.com