This policy is written in plain English. It explains exactly what data this website collects, why, and what your rights are under UAE law. If you have any questions, contact info@spinesurgeondubai.com.

1. Who We Are

This website, spinesurgeondubai.com, is operated by Dr Sherief Elsayed, Consultant Spine and Orthopaedic Surgeon, practising at OrthoPro Clinic, Dubai Science Park, Dubai Healthcare City (DHCC), and Jumeirah, United Arab Emirates.

Data Controller

Dr Sherief Elsayed
OrthoPro Clinic, Dubai Science Park, Dubai, UAE
Email: info@spinesurgeondubai.com
Phone: +971 4 835 9000

Dr Sherief Elsayed is the data controller responsible for your personal data as defined under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).

2. Applicable Law

This policy is governed by and complies with:

  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations
  • Dubai Health Authority (DHA) data protection guidelines applicable to healthcare providers
  • General Data Protection Regulation (GDPR) – applied as best-practice standard for patients who are EU/EEA nationals or residents

Where GDPR provides stronger protections than UAE PDPL, we apply the higher standard. This is particularly relevant for patients travelling from Europe for treatment.

3. What Personal Data We Collect

3.1 Data you provide directly – booking and contact form

When you complete the appointment request or contact form on this website, we collect:

  • Full name
  • Phone number
  • Email address
  • Message content (which may include details about your symptoms or medical condition)

We do not ask for, and you should not submit, sensitive medical records, identification documents, or payment information through this form. If your message voluntarily includes health-related information, that information is treated as special category data under the PDPL and is subject to additional protections described in Section 5.

3.2 Data collected automatically – analytics

We use Google Analytics 4 (GA4) to understand how visitors use this website. GA4 collects:

  • Pages visited and time spent on each page
  • General geographic location (country and city level – not your precise address)
  • Device type, browser, and operating system
  • How you arrived at the site (search engine, direct, social media, referral)
  • Anonymised IP address

GA4 data is aggregated and anonymised. We cannot use it to identify you personally. Google acts as a data processor on our behalf. See Section 7 for more on third-party processors.

3.3 Data collected automatically – cookies

This website uses cookies. See Section 9 (Cookie Policy) for the full list of cookies used, what they do, and how to control them.

3.4 reCAPTCHA

This website uses Google reCAPTCHA v3 on the contact form to prevent automated spam submissions. reCAPTCHA collects hardware and software information, including device and application data, and sends it to Google for analysis. This processing is necessary to protect the integrity of the form and is covered by Google’s Privacy Policy (policies.google.com/privacy).

4. Why We Process Your Data and Our Legal Basis

We only process your personal data for specific, legitimate purposes. The table below sets out each purpose, the data used, and the legal basis under UAE PDPL.

Purpose: Responding to your appointment or enquiry

Data used: Name, phone number, email address, message content.

Legal basis: Consent – you provide this data voluntarily by submitting the form, and you tick the consent box confirming you agree to us using it to respond to your enquiry.

Purpose: Providing medical consultation and treatment

Data used: All data you provide during consultations, which is held in the clinic’s medical records system (separate from this website).

Legal basis: Performance of a contract (medical services); legal obligation (DHA medical records requirements).

Purpose: Website analytics and performance improvement

Data used: Anonymised usage data via Google Analytics 4.

Legal basis: Legitimate interests – understanding how the website is used helps us improve it for patients. This data is anonymised and cannot identify you.

Purpose: Spam and fraud prevention

Data used: Technical data processed by Google reCAPTCHA.

Legal basis: Legitimate interests – preventing abuse of the contact form.

We do not use your data for marketing without your explicit and separate consent. We do not sell, rent, or trade your personal data to any third party.

5. Health and Medical Information

Information about your health condition is classified as special category data under UAE PDPL and requires explicit consent before processing. By submitting a message through our contact form that describes your symptoms or medical history, you are providing explicit consent for us to use that information solely for the purpose of responding to your medical enquiry.

We apply the following additional protections to any health-related information you submit:

  • It is accessible only by Dr Sherief Elsayed and authorised clinical staff directly involved in your care
  • It is not shared with any third party without your explicit written consent, except where required by law or DHA regulation
  • It is stored securely and separately from website analytics data
  • It is retained only for as long as is necessary for your care and as required by DHA medical records guidelines (minimum 10 years for adult patient records under UAE healthcare law)

6. How Long We Keep Your Data

Contact form enquiries (name, phone, email, message)

Retained for 24 months from the date of your last contact with us. If your enquiry leads to a clinical appointment, the data becomes part of your medical record and is subject to the DHA medical records retention period.

Medical records

Retained for a minimum of 10 years from the date of last treatment, in accordance with Dubai Health Authority regulations for adult patient records. Records for patients who were minors at the time of treatment are retained until the patient’s 28th birthday or 10 years from the date of last treatment, whichever is longer.

Analytics data (Google Analytics 4)

Aggregated and anonymised. Retained in GA4 for 14 months, after which it is automatically deleted by Google.

Cookie data

Varies by cookie type. See Section 9.

When your data is no longer required for the purpose it was collected, we delete it securely or anonymise it so it can no longer be linked to you.

7. Third-Party Data Processors

We use the following third-party services that process data on our behalf. Each is bound by a data processing agreement and is required to protect your data in accordance with applicable law.

Google Analytics 4 – website analytics

Provider: Google LLC, USA. Purpose: Anonymised website usage analytics. Data transferred: Anonymised usage data. Safeguard: EU Standard Contractual Clauses; Google Ads Data Processing Terms. Privacy policy: policies.google.com/privacy

Google reCAPTCHA v3 – spam prevention

Provider: Google LLC, USA. Purpose: Distinguishing human users from automated bots on the contact form. Data transferred: Device and browser information. Safeguard: EU Standard Contractual Clauses. Privacy policy: policies.google.com/privacy

Hostinger – website hosting

Provider: Hostinger International Ltd, Cyprus/Lithuania. Purpose: Hosting the website and storing form submissions. Data transferred: Form submission data and server logs. Safeguard: GDPR-compliant hosting infrastructure. Privacy policy: hostinger.com/privacy-policy

Rank Math SEO – structured data

Provider: MyThemeShop LLC, USA. Purpose: Generating structured data and sitemaps. Processes no personal data from users.

We do not transfer your personal data to any country outside the UAE or EU/EEA without ensuring adequate safeguards are in place. All third-party processors listed above either operate within adequacy-recognised jurisdictions or are covered by Standard Contractual Clauses approved under GDPR, which we apply as the higher standard.

8. Your Rights Under UAE PDPL

UAE Federal Decree-Law No. 45 of 2021 gives you the following rights regarding your personal data. You can exercise any of these rights by contacting us at info@spinesurgeondubai.com. We will respond within 30 days.

Right of access

You have the right to request a copy of the personal data we hold about you and information about how we use it.

Right to correction

You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to erasure

You have the right to ask us to delete your personal data where there is no legitimate reason for us to continue processing it. Note: we cannot delete data that we are legally required to retain under DHA medical records law.

Right to restrict processing

You have the right to ask us to restrict how we use your data while a dispute about its accuracy or use is resolved.

Right to data portability

You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to request that we transmit it to another data controller where technically feasible.

Right to withdraw consent

Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before you withdrew it. To withdraw consent, email info@spinesurgeondubai.com with your name and the specific consent you wish to withdraw.

Right to object

You have the right to object to us processing your data on the basis of legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to complain

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the UAE Data Office (dataoffice.ae) or, for EU/EEA nationals, your national data protection authority.

9. Cookie Policy

Cookies are small text files placed on your device when you visit a website. This website uses the following categories of cookies.

Strictly necessary cookies

These cookies are required for the website to function. They cannot be switched off. They include cookies that remember your cookie consent preference and session cookies that maintain your browsing session. No personal data is stored in these cookies.

Analytics cookies – Google Analytics 4

Cookie names: _ga, _ga_[MEASUREMENT_ID], _gid. Purpose: Counting visits and analysing how visitors use the site. Duration: _ga persists for 2 years; _gid expires after 24 hours. Data stored: Anonymised client ID. Your IP address is anonymised before storage. You can opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout).

Security cookies – Google reCAPTCHA

Cookie names: _GRECAPTCHA, rc::a, rc::b, rc::c. Purpose: Identifying whether form submissions are from humans or automated bots. Duration: Session or up to 6 months depending on the specific cookie. These cookies are set by Google and are governed by Google’s Privacy Policy.

How to control cookies

You can control and delete cookies through your browser settings. The following links explain how to do this in the most common browsers:

  • Chrome: support.google.com/chrome/answer/95647
  • Safari: support.apple.com/en-gb/guide/safari/sfri11471
  • Firefox: support.mozilla.org/en-US/kb/enable-and-disable-cookies
  • Edge: support.microsoft.com/en-us/microsoft-edge/delete-cookies

Note that disabling cookies may affect the functionality of some parts of this website, including the contact form’s spam protection.

10. How We Protect Your Data

We take appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures include:

  • HTTPS encryption on all pages of this website (data transmitted between your browser and our server is encrypted)
  • HTTP Strict Transport Security (HSTS) preventing downgrade attacks
  • Security headers including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy
  • Access to form submission data restricted to authorised clinic staff only
  • Regular security reviews of the website platform and hosting environment

No method of electronic transmission or storage is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you believe your data has been compromised, please contact us immediately at info@spinesurgeondubai.com.

11. Children and Minors

This website is not directed at children under the age of 18. We do not knowingly collect personal data from children under 18 through this website without verifiable parental or guardian consent. If you are the parent or guardian of a minor who has submitted personal data to us without your consent, please contact us at info@spinesurgeondubai.com and we will delete it.

If you are enquiring about treatment for a child, please include the child’s relationship to you in your message. All personal data relating to a minor patient is treated as special category data and subject to additional safeguards.

12. Links to Other Websites

This website may contain links to third-party websites including Doctify, Google Maps, YouTube, and social media platforms. Once you leave our website, this Privacy Policy no longer applies. We are not responsible for the privacy practices of any third-party website. We recommend you read the privacy policy of any website you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or the services we use. When we make material changes, we will update the effective date at the top of this page. We encourage you to review this policy periodically.

Your continued use of this website after any changes to this policy constitutes your acceptance of the updated policy.

14. Contact and Data Requests

To exercise any of your rights, ask a question about this policy, or raise a concern about how we handle your data, please contact:

Data Controller

Dr Sherief Elsayed

OrthoPro Clinic

Dubai Science Park, Dubai, UAE

Email: info@spinesurgeondubai.com

Phone: +971 4 835 9000

We will acknowledge your request within 5 business days and respond in full within 30 days. If your request is complex, we may extend this period by a further 30 days and will notify you if this is the case.

If you are not satisfied with our response, you have the right to escalate your complaint to the UAE Data Office at dataoffice.ae.