Privacy Policy

Effective: June 2026

1. Data Controller

TCM Acupuncture Studio ("we", "us") is the data controller for the purposes of the General Data Protection Regulation (GDPR). Our contact details are:

Jade Leaf Acupuncture / TCM Acupuncture Studio
[Your Address], Netherlands
Email: info@jadeleafacupuncture.nl
KvK: [Your KvK Number]

2. What Personal Data We Collect

We collect the following data when you use our services:

  • Booking data: name, email address, phone number, preferred appointment date and time, selected service type.
  • Health-related information: any notes you provide in the booking form (e.g., complaints, symptoms, treatment history). This is special category personal data under GDPR Article 9.
  • Medical history data: when you complete our medical history form (optional, before your first appointment), we collect: date of birth, gender, insurance details, chief complaint and its duration, pain scale and body locations, past medical conditions, current medications, allergies, pregnancy status, prior treatments received (acupuncture, physiotherapy, massage, etc.), and lifestyle information (sleep quality, stress level, exercise habits, energy level). This constitutes special category personal data under GDPR Article 9 and is processed only with your explicit consent.
  • Payment data: we do not store your credit card details. Payments are processed securely by Stripe. We receive only confirmation of payment and the amount paid.
  • Communication data: messages you send via our contact form, including your name and email address.
  • Website usage data: IP address, browser type, and pages visited (via Firebase Analytics, only when you consent).

3. Legal Basis for Processing

  • Performance of a contract (GDPR Art. 6(1)(b)): processing your booking and providing acupuncture treatment.
  • Legal obligation (GDPR Art. 6(1)(c)): maintaining treatment records as required by Dutch healthcare regulations (Wkkgz).
  • Explicit consent (GDPR Art. 9(2)(a)): for processing health-related information. You provide this consent when booking an appointment.
  • Legitimate interest (GDPR Art. 6(1)(f)): improving our website and services, preventing fraud.

When completing the medical history form, you provide explicit consent for processing the health-related data therein by checking three separate consent boxes: (1) confidentiality of your data, (2) acknowledgement of acupuncture treatment risks, and (3) permission to process your health data for treatment preparation purposes. All three must be confirmed before the form can be submitted.

4. How We Use Your Data

  • To schedule and confirm your appointment;
  • To prepare for your treatment (reviewing your health notes);
  • To send booking confirmation and reminders (via SendGrid);
  • To process payment (via Stripe);
  • To respond to your inquiries;
  • To comply with legal obligations (healthcare record-keeping);
  • To review your medical history before your first appointment, enabling us to tailor your treatment to your specific health condition and needs.

5. Data Retention

In accordance with Dutch healthcare law (Wkkgz) and professional standards for TCM practitioners, we retain treatment records for 20 years after your last appointment. Medical history data submitted via our online form is retained for 2 years if no appointment follows, or incorporated into your treatment record (retained for 20 years) if you become a patient. Booking and payment records are retained for 7 years for tax purposes (Belastingdienst requirements). Contact form submissions are deleted within 1 year if no appointment is made.

6. Sharing Your Data

We do not sell your data. We share data only with:

  • Stripe: for payment processing. Stripe is GDPR-compliant and certified under the EU-U.S. Data Privacy Framework.
  • SendGrid (Twilio): for sending booking confirmation emails. SendGrid processes data in accordance with GDPR.
  • Formspree: for receiving contact form messages. Formspree stores data on servers in the United States.
  • Google Firebase: for storing booking data and website analytics. Google is GDPR-compliant and certified under the EU-U.S. Data Privacy Framework.
  • Legal authorities: if required by Dutch law.

7. International Data Transfers

Some of our service providers (Stripe, SendGrid, Formspree, Google) may transfer data outside the European Economic Area (EEA), including to the United States. These transfers are protected by:

  • EU-U.S. Data Privacy Framework certification;
  • Standard Contractual Clauses approved by the European Commission;
  • Adequacy decisions where applicable.

8. Your Rights

Under GDPR, you have the right to:

  • Access your personal data (Art. 15);
  • Rectify inaccurate data (Art. 16);
  • Request erasure of your data ("right to be forgotten", Art. 17) — note: healthcare records cannot be deleted until the legal retention period expires;
  • Restrict processing (Art. 18);
  • Request data portability (Art. 20);
  • Object to processing (Art. 21);
  • Withdraw consent at any time (Art. 7(3)).

To exercise these rights, contact us at info@jadeleafacupuncture.nl. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl.

9. Cookies

Our website uses cookies only for essential functionality (e.g., remembering your language preference). We do not use tracking cookies or advertising cookies. Firebase Analytics is only activated if you explicitly consent via our cookie banner.

10. Changes to This Policy

We may update this policy from time to time. The latest version will always be posted on this page with an updated effective date.

11. Contact

For any questions about this privacy policy or how we process your data, contact:
Email: info@jadeleafacupuncture.nl

12. Contact Form & Formspree Data Processing

When you use our contact form (powered by Formspree), the following applies:

  • By submitting the form, you consent to the processing of your personal data (name, email, subject, message) according to this privacy policy.
  • Your data will be transmitted to Formspree (https://formspree.io), which stores data on servers in the United States.
  • Formspree processes your data solely to forward your message to us and enable us to respond to your inquiry. Data is not used for marketing purposes.
  • Formspree's data processing is governed by their Privacy Policy and Terms of Service.
  • Contact form submissions are retained for up to 1 year if no appointment is made, after which they are deleted.

13. Google Maps

We use Google Maps (Google LLC, USA) to display our clinic location on the contact page. When you view the map, your browser may send data to Google (e.g., IP address). This is covered under Google's Privacy Policy.