Skip to main content

Privacy policy

Rubenhair Latvia Hair Transplant Clinic

1. Introduction and general information

The Rubenhair Latvia hair transplant clinic (hereinafter "Rubenhair", "we", "us" or "the clinic") processes your personal data in accordance with the applicable data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, hereinafter the "GDPR"), the Personal Data Processing Law, the Patients' Rights Law, the Medical Treatment Law and other applicable legal acts.

Data privacy protection is important to us and to our employees, clients, patients, suppliers and cooperation partners. The purpose of this privacy policy is to explain transparently what personal data we collect, for what purposes and on what legal basis we process it, with whom we share it, how long we retain it and what your rights are as a data subject.

Because Rubenhair provides medical treatment (medical) services, we also process special categories of personal data — data concerning your health. We apply enhanced security and confidentiality requirements to the processing of such data (see Section 6).

If any provision of this policy conflicts with mandatory provisions of national legislation, the relevant mandatory provisions shall prevail.

2. Controller and contact information

The controller responsible for the processing of your personal data is:

For questions regarding the processing of personal data and the exercise of your rights, you may contact us using the contact information provided above.

3. Definitions

  • Personal data — any information relating to an identified or identifiable natural person (data subject).
  • Special categories of (sensitive) personal data — data revealing health status, genetic or biometric data and other information referred to in Article 9 of the GDPR.
  • Processing — any operation performed on personal data, such as collection, recording, storage, use, transfer or erasure.
  • Controller — the person who determines the purposes and means of the processing of personal data (in this case, Rubenhair).
  • Processor — the person who processes personal data on behalf of the controller (for example, an IT or cloud service provider).

4. What personal data we process

Depending on your relationship with us (website visitor, prospective client, patient), we may process the following categories of personal data:

  • Identification data: first name, surname, date of birth, personal identity number (where it is necessary for maintaining medical records).
  • Contact information: email address, telephone number, postal address.
  • Health (special category) data: medical history, anamnesis, diagnoses, information on allergies and medications taken, data on procedures performed, as well as before-and-after photographs used for treatment and documentation purposes.
  • Service and transaction data: information about applications, consultations, services ordered, invoices and payments.
  • Communication data: correspondence with us (email, messages, calls) and the feedback you provide.
  • Technical and usage data: IP address, device and browser data, cookie identifiers, data on website visits and email clicks.
  • Marketing preferences: the consents and choices you provide regarding the receipt of news and offers.

5. Purposes and legal basis of processing

We process personal data only where there is a lawful basis for doing so. Depending on the situation, we rely on the following legal bases (Article 6 of the GDPR and, for health data, Article 9):

5.1. Provision of medical treatment services

To provide hair and eyebrow transplants, hair treatment and other medical services, to carry out consultations and to ensure patient care.

Legal basis: performance of a contract (Article 6(1)(b) of the GDPR); with regard to health data — processing for the purposes of the provision of health care (Article 9(2)(h) of the GDPR) in conjunction with the Patients' Rights Law and the Medical Treatment Law.

5.2. Maintenance of medical records

To create and store the medical records required by law.

Legal basis: compliance with a legal obligation (Article 6(1)(c) of the GDPR) and Article 9(2)(h) of the GDPR.

5.3. Communication, processing of applications and requests

To respond to your questions, prepare offers and book you for a consultation or procedure.

Legal basis: taking steps at your request prior to entering into a contract / performance of a contract (Article 6(1)(b) of the GDPR) or our legitimate interests (Article 6(1)(f) of the GDPR).

5.4. Marketing (email and SMS)

To send news, special offers and information about our services and products by email and text message (SMS).

Legal basis: your consent (Article 6(1)(a) of the GDPR), which you may withdraw at any time (see Sections 11 and 16).

5.5. Website operation, cookies and analytics

To ensure the functionality of the website, analyse its use and, where applicable, display advertising.

Legal basis: for technically necessary cookies — legitimate interests (Article 6(1)(f) of the GDPR); for analytics and marketing cookies — your consent (Article 6(1)(a) of the GDPR). For more details, see Sections 14 and 15.

5.6. Accounting and compliance with legal obligations

To issue invoices, keep accounts and fulfil tax and other obligations laid down by law.

Legal basis: compliance with a legal obligation (Article 6(1)(c) of the GDPR).

5.7. Handling of claims and disputes

To protect our legal interests, prove the fact that a service was provided and handle any potential claims.

Legal basis: our legitimate interests (Article 6(1)(f) of the GDPR) and, where applicable, the establishment or defence of legal claims (Article 9(2)(f) of the GDPR).

6. Processing of special categories of (health) data

Because Rubenhair is a medical institution, we process data concerning your health. Such data is processed primarily for the purposes of the provision of health care in accordance with Article 9(2)(h) of the GDPR, by professionals subject to an obligation of professional secrecy (medical confidentiality).

We apply enhanced protection to health data: we restrict access to it to only those doctors and medical personnel who need it for your care, and we do not use health data for marketing purposes without your separate, explicit consent.

7. Sources of personal data

We obtain most personal data directly from you — when you contact us, complete an application or consultation form, visit the clinic or use our website. Some technical data we obtain automatically when you use the website (for example, by means of cookies). In certain cases, we may receive data from other medical specialists or from persons authorised by you, where this is necessary for the provision of the service.

8. Recipients of personal data

We restrict access to personal data and grant it only to persons and cooperation partners who reasonably need it. Personal data may be received by:

  • the clinic's doctors, medical personnel and authorised employees who need the data to perform their duties;
  • processors who provide us with services, such as IT, cloud storage, email and text message dispatch, customer relationship management, accounting and payment service providers;
  • marketing and web analytics service providers (for example, Google), insofar as this concerns technical and usage data and in accordance with your consent;
  • state and local government authorities, courts or other persons, if and to the extent required by law.

We conclude contracts with processors that ensure the protection of your data in accordance with the requirements of the GDPR. We do not sell your personal data.

9. Transfer of personal data outside the EU/EEA

Some of the service providers we use (for example, certain technology or marketing services) may process data outside the European Union or the European Economic Area. In such cases, we ensure that the transfer of data takes place on the basis of a European Commission adequacy decision or by using appropriate safeguards, such as the standard contractual clauses approved by the European Commission. Upon request, we can provide information about the safeguards applied.

10. Retention period of personal data

We retain personal data for no longer than is necessary to achieve the relevant processing purpose or for as long as is required by law. The main retention principles are:

  • Medical records are retained for the period specified by the legislation on the management of medical documents. Medical records (the patient's outpatient card) are retained for 40 years after the last entry made, or 15 years after the patient's death, in accordance with Cabinet Regulation No. 265 of 4 April 2006 "Procedures for the Management of Medical Records".
  • Accounting and transaction data are retained for the period specified by the legislation on accounting (usually 5 years or longer).
  • Marketing data are retained for as long as your consent remains valid and are deleted after it is withdrawn.
  • Communication data and applications are retained for as long as is necessary to handle the request and to protect our legitimate interests.

When personal data are no longer necessary and there is no other legal basis for retaining them, we delete or anonymise them.

11. Your rights as a data subject

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access — to obtain confirmation as to whether we process your data and to access it.
  • Right to rectification — to request the correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — to request the deletion of data where it is no longer necessary to retain it and no other legal basis exists.
  • Right to restriction of processing — to request the restriction of processing in certain cases.
  • Right to data portability — to receive your data in a structured, commonly used format or to transfer it to another controller.
  • Right to object — to object to processing based on legitimate interests, as well as to the use of data for direct marketing purposes.
  • Right to withdraw consent — where processing is based on consent, it may be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise these rights, please contact us using the contact information provided in Section 2. We respond to a request without undue delay and no later than within one month. For the purpose of verifying your identity, we may request additional information.

12. Right to lodge a complaint with the supervisory authority

If you consider that the processing of your personal data infringes data protection rules, you have the right to lodge a complaint with the supervisory authority. In Latvia, this is:

Before lodging a complaint with the authority, we encourage you to contact us so that we can find a solution together.

13. Data security

We implement appropriate technical and organisational measures to protect personal data against loss, unauthorised access, disclosure, alteration or destruction. We systematically assess the risks associated with data processing and require our processors to ensure the level of protection set out in this policy.

14. Cookies

This website uses cookies. Cookies are small text files that are stored on your device. They are used to ensure the functionality of the website, to measure and study the use of the website, and for marketing purposes, including list-based and remarketing. The aim of such marketing is to provide information about relevant services to users who have previously visited the website.

We use analytics and marketing cookies on the basis of your consent, which you may give or withdraw in the cookie notice. Cookies do not provide access to the content of your device's data storage. You can block or delete cookies at any time by changing your browser settings; however, this may reduce the functionality of the website.

List-based marketing also uses Google Inc.'s "Interest-Based Advertising Policy". You can manage your advertising preferences on the Your Online Choices website and in Google's advertising settings.

15. Website analysis

This website uses web analysis tools, such as Google Analytics — a service provided by Google Inc. ("Google"). Analysis services use cookies to analyse website traffic. The information collected by these cookies (for example, IP addresses) is transferred to service providers, who use it to provide reports on website usage and other related services. Service providers may transfer data to third parties where required by law or where third parties process the information on their behalf. You can disable analytics cookies using the cookie notice or your browser settings.

16. Marketing communications

If you have given your consent, we process your email address and telephone number in order to send you news, special offers and information about our services and products by email and text message (SMS). Giving consent is voluntary and does not affect your ability to use our services.

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal. You can opt out of marketing communications as follows:

  • Email communications: by clicking the unsubscribe link ("Unsubscribe") at the bottom of each email.
  • Text messages (SMS): by replying to the message received with the word STOP or UNSUBSCRIBE.
  • By contacting us: info@rubenhair.eu or by calling +371 26777776.

Upon receiving your request, we will stop sending marketing communications without undue delay.

17. Automated decision-making and profiling

We do not make decisions that would produce legal effects concerning you or similarly significantly affect you based solely on automated processing, including profiling. The web behaviour analysis used for direct marketing purposes does not produce such effects, and you have the right to object to it.

18. Changes to the privacy policy

Rubenhair may amend this policy from time to time. If material changes are made regarding the collection or processing of personal data, we will publish a notice of the changes on this website or inform you in another appropriate manner.

19. Contact information

If you have any questions about this privacy policy or the processing of personal data, please contact us:

Last updated: 04.06.2026