Privacy Policy

Clinic Truth collects the minimum data needed to publish a news site and respond to readers. This page describes exactly what, why, for how long, and your rights under GDPR.

Effective: 22 April 2026 · Data controller: Clinic Truth, Rruga Panorama, Tirana

1. Who is the data controller

Clinic Truth, publishing under the trading name Clinic Truth, based at Rruga Panorama, Tirana, Albania. Reachable at info@clinictruth.com or via the contact page.

Clinic Truth is not a company, not a corporation, not an agency — it is one individual publishing investigative content. Your data controller is the person. That person is subject to both EU GDPR (where applicable via audience extraterritoriality) and Albanian data protection law.

2. Data we collect — and why

2.1 Analytics data

Every visit to clinictruth.com triggers an anonymised pageview event sent to Google Analytics 4 (property G-VY45HNJQ2B). The data logged:

• Pages you visited and the order in which you visited them
• Approximate geographic location (country + region — never street address)
• Browser type, operating system, device category (phone / tablet / desktop)
• Referring URL (where you came from)
• Session duration

IP address is anonymised by default. We never have your full IP address. We use this data to understand which investigations attract readers and which don't — it is not used to identify you individually.

Retention: 26 months, after which Google auto-deletes. You can opt out by disabling JavaScript or by installing the Google Analytics opt-out browser add-on.

2.2 Email correspondence

If you email info@clinictruth.com or use the WhatsApp number, the following is retained:

• Your email address or WhatsApp phone number
• The content of your message
• Any attachments you send
• Our responses and any follow-up correspondence

Used for: replying to you, continuing the conversation, and retaining a record if the exchange leads to a published investigation (tipster correspondence in particular).

Retention: maximum 24 months for general correspondence. Tipster correspondence that underpins a published investigation is retained indefinitely as a journalistic source record, with source identity protected per section 3.

2.3 Tipster data (sensitive category)

If you contact us as a tipster — reporting an issue with a clinic we may then investigate — your identity is held with additional protection:

• Identifying information is stored separately from the content of your tip.
• Your name is never published without written consent.
• If you request Signal-encrypted communication, we comply and the Signal thread is end-to-end encrypted with no server copy accessible to us or any third party beyond the local devices.
• We may ask for verification that you are who you say you are (for instance, confirming you were a patient at the clinic in question). This verification data is destroyed once the investigation is published or abandoned.

Under Albanian and EU journalism-exemption provisions, source-protection obligations can override GDPR subject-access requests in specific cases. If this applies to your data, we will tell you.

2.4 What we do not collect

• We do not have a newsletter signup form at this time. If we add one, we will publish an updated version of this policy first.
• We do not run Facebook Pixel, LinkedIn Insight Tag, Twitter / X tracking, or any retargeting technology.
• We do not sell, rent, or share reader data with advertising networks. Clinic Truth has no ad network on the site and does not intend to add one.
• We do not collect payment data. If you proceed to coordinate treatment via AlbaniaClinic, you will be subject to that site's privacy policy, which is a separate document on a separate site.

3. Legal basis (GDPR Article 6)

We process data under the following bases:

• Legitimate interest (Art. 6(1)(f)): running a news publication, understanding audience behaviour in aggregate, responding to correspondence, and investigating matters of public interest in medical tourism.
• Consent (Art. 6(1)(a)): placement of non-essential cookies if you have actively accepted them via a cookie banner. At present we do not use non-essential cookies, so no consent banner appears.
• Legal obligation (Art. 6(1)(c)): retention of correspondence as required by Albanian media and tax law.
• Journalism exemption (Art. 85 of GDPR, as implemented locally): certain processing of personal data necessary for journalistic investigation may proceed even where the data subject has not consented. This applies only to the subjects of investigation — clinicians, clinic executives, regulators — not to our readers or tipsters.

4. Who we share data with

Three categories of third party receive data:

• Google Analytics — anonymised pageview data only. Processed in EU/US data centres. Subject to Google's own data protection terms.
• Hostinger — our web host, based in the EU (Lithuania). They receive server-access logs as any web host does. They do not have access to tipster correspondence (which is held in Gmail / Signal, not on the web host).
• Google Workspace — our email provider. Emails you send us are stored in their infrastructure, subject to their data protection terms.

No other party receives reader or tipster data. We do not sell data. We do not share data with clinics we review. We do not share data with marketing partners — we have none.

5. International transfers

Google Analytics data may be processed in Google data centres outside the European Economic Area under Standard Contractual Clauses. Hostinger infrastructure is within the EU. No data is transferred to a country that does not offer GDPR-equivalent protection.

6. Your rights (GDPR Articles 15–22)

At any time, you may:

• Access the data we hold about you (Art. 15)
• Rectify data that is wrong (Art. 16)
• Erase your data ("right to be forgotten," Art. 17)
• Restrict processing (Art. 18)
• Port your data in a machine-readable format (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent previously given, without affecting the lawfulness of processing before withdrawal
• Complain to a supervisory authority — the Albanian IDP (idp.al), the Italian Garante (garanteprivacy.it), the UK ICO (ico.org.uk), or the Spanish AEPD (aepd.es) depending on your residence.

To exercise any of these rights, email info@clinictruth.com with the subject GDPR Request and specify which right you are exercising. We respond within 30 days as required by law.

7. Cookies

The site currently uses:

• Strictly necessary cookies for basic site function (no tracking, no consent needed under GDPR Art. 5(3))
• Google Analytics cookies (anonymised, IP-masked) for aggregate audience understanding

We do not currently use advertising cookies, tracking pixels from social networks, or retargeting cookies. If that changes, a consent banner will appear first and this page will be updated.

8. Children

Clinic Truth is written for adults making medical treatment decisions. We do not knowingly collect data from anyone under 16. If you are a parent or guardian who believes a child has sent us data, email us and we will delete it.

9. Updates to this policy

This policy can change. When it does, the new version replaces the old and the "Effective" date at the top updates. If we make a material change — adding a newsletter, adding advertising, changing data retention periods — we flag it on the homepage for 30 days.

10. Contact the data controller

For any privacy-related question, email info@clinictruth.com. Subject line starting PRIVACY: helps us route quickly. We respond within 7 working days.

This policy is version 1.0, effective 22 April 2026. Legal questions about specific data-handling scenarios can be directed to info@clinictruth.com.