Privacy and Cookie Policy
Saint Nicholas Medical Center respects the privacy of patients, website visitors and client account users. This policy explains what personal data we process on the website, why we need it, which cookies are used and how you can exercise your rights.
Data controller
Medical Center Saint Nicholas / Saint Nicholas Medical Center
Sunny Beach, Burgas, Bulgaria 8240
Email: info@stnicholas.com
Phone: +359 87 627 1234
Supervisory authority
The Bulgarian supervisory authority is the Commission for Personal Data Protection (CPDP). You may contact or complain to it through cpdp.bg.
Data we process
- Contact data: name, phone, email and message text when you submit a form.
- Clinic appointment data: preferred date, department, type of visit, city, hotel or address if you provide them.
- Client account data: user account, linked patient profile, visits, payments and laboratory requests.
- Health data is processed only where necessary to provide medical care, keep medical records and communicate with the patient, insurer or assistance company.
- Technical data: hashed IP for internal analytics after consent, user-agent, referrer, landing URL and UTM parameters.
Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Responding to enquiries, appointment booking and patient communication. | GDPR Art. 6(1)(b), Art. 6(1)(f). |
| Medical care, medical records, communication with insurers and assistance companies. | GDPR Art. 6(1)(b), 6(1)(c), 9(2)(h), 9(3), applicable Bulgarian medical and accounting law. |
| Website security, sessions, CSRF form protection and spam protection. | GDPR Art. 6(1)(f), Art. 32; strictly necessary cookies do not require consent. |
| Internal analytics for visits and enquiry sources. | Your consent: GDPR Art. 6(1)(a), ePrivacy Art. 5(3). |
| Marketing cookies and advertising pixels. | Not currently used on the public website. If connected later, they will run only after separate consent. |
Cookies and similar technologies
| Name | Category | Purpose | Duration |
|---|---|---|---|
| laravel-session | Necessary | Website and client account session. | Until session end or inactivity expiry. |
| XSRF-TOKEN | Necessary | CSRF protection for forms. | Session duration. |
| frontend_locale | Functional | Stores selected website language. | Up to 12 months. |
| site_cookie_consent | Necessary | Stores your cookie decision. | 180 days. |
| traffic_visitor_uuid | Analytics | Random UUID for internal visit analytics after consent. | Up to 12 months. |
| traffic_attr_source_id | Analytics | Links an enquiry to its source after consent. | Up to 90 days. |
As of the last update, Google reCAPTCHA v3 is disabled in the site settings. If enabled later, the Google script will load only when a protected form is used, not immediately on every page.
Recipients
Access is limited to staff and service providers who need the data for website operation, enquiry handling, medical services, accounting, IT support and legal protection. Data may be disclosed to insurers or assistance companies, laboratories, payment/mail providers and public authorities where required by law or necessary for the service.
Retention
Cookies are kept for the periods listed above. Enquiries and correspondence are kept as long as necessary to handle the request and protect legitimate interests. Medical, financial and accounting records are kept for the periods required by Bulgarian law and healthcare practice.
Your rights
- access to your personal data;
- rectification of inaccurate data;
- erasure where no legal ground requires further storage;
- restriction of processing;
- objection to processing based on legitimate interests;
- data portability where applicable;
- withdrawal of consent for optional cookies and marketing;
- complaint to the CPDP.