Privacy Policy

Last updated: 07/12/2025

1. Data controller
Luna Clinic (“we”, “us”, “Luna Clinic”) is the data controller for personal data collected via this website and our services. Contact: [email protected].

Address: Bosques de Reforma 1507.

2. Scope & applicability
This Privacy Policy explains how we collect, use, disclose and retain personal data relating to (i) people who contact us through the website (leads), (ii) patients/clients receiving clinical services, and (iii) visitors to our website. If you are a client receiving clinical services, additional clinical record and consent forms apply.

3. What personal data we collect
We collect the following categories of data:

- Identity & contact: full name, email, telephone, postal address.

- Clinical & health information: medical/psychological history, symptoms and other health data you provide during assessment and therapy (sensitive data).

- Payments & billing: payment and billing information processed via Stripe (we do not store full card numbers in our systems; Stripe handles card data securely).

- Technical & usage data: IP address, device and browser identifiers, analytics, cookies and server logs (Google Analytics, Meta Pixel/CAPI).

- Communications: content of messages you send to us (email, chat, intake forms).

4. Legal basis & purposes for processing
We process personal data for the following purposes and legal bases:

- Provision of therapy and clinical services — necessary to perform the contract between you and Luna Clinic.

- Scheduling, confirmations, reminders and administrative communications — performance of contract / legitimate interest.

- Payments, billing and fraud prevention — legal obligation and contractual necessity.

- Analytics and site improvement — legitimate interest (aggregated/anonymous where possible).

- Marketing & newsletter — only with your explicit consent; you can withdraw consent at any time.

- Processing sensitive health data — only processed where necessary to provide clinical care and with your explicit consent (where required by law).

5. Sensitive data (health information)
Health and clinical data are treated as special-category/sensitive personal data. We process this information only when strictly necessary for provision of therapy, and only with patient consent where required. Access to clinical data is restricted to authorised clinical staff and processors under contract.

6. Third-party processors and data sharing
We share personal data only with trusted processors required to deliver our services. Key processors include:

- GoHighLevel (CRM, forms, email, SMS, workflows) — acts as a processor under DPA/Standard Contractual Clauses for transfers.

- Stripe (payments) — processes payment details and is PCI-certified; we do not hold raw card PANs.

- Zoom / Google Calendar (telehealth and scheduling integrations).

- Google & Meta for analytics and advertising (Pixel + CAPI; aggregated/event-level tracking).

All processors act under contract to provide appropriate technical and organisational safeguards.

7. Cross-border transfers
Personal data may be processed and stored in countries outside your residence (for example, the U.S.). When transfers occur from the EU/UK to other jurisdictions, we rely on appropriate safeguards such as Data Processing Agreements, Standard Contractual Clauses or relevant data-transfer frameworks provided by processors.

8. Data retention
We retain personal data only as long as necessary for the purposes described and to comply with legal, professional, accounting and clinical record requirements:

- Lead & contact data: retained up to 3 years unless you request deletion.

- Payment receipts & accounting records: 7 years (or per local accounting law).

- Clinical records: retained according to professional record-keeping guidelines and applicable local law; commonly 7 years after last contact for adults, and for minors, 3 years after they reach majority (or as required by local/state rules). You should confirm exact periods with local jurisdiction advice.

9. Your rights
Subject to local law, you may have the right to: access, correct, delete, restrict processing, object to processing, receive a portable copy of your data, and (where relevant) withdraw consent. To exercise your rights, contact: [email protected]. We will respond in accordance with applicable law.

10. Security measures
We implement technical and organisational measures to protect your data, including TLS/SSL encryption in transit, encryption of backups, access controls, role-based access to clinical records, and processor contractual obligations. For payments and card security we rely on Stripe’s PCI-compliant services.

11. Data breach
If a data breach affecting your personal data is discovered, we will notify relevant supervisory authorities and affected individuals as required by applicable law.

12. Cookie & tracking policy
We use cookies and tracking technologies (Google Analytics, Meta Pixel/CAPI). Non-essential cookies are enabled only with your consent. Visit our Cookie Policy page for granular controls and instructions to withdraw consent.

13. Telehealth, licensure & geographic limits
We provide online therapy to clients across the United States; however, telehealth licensure and practice rules vary by state. It is the client’s responsibility to confirm that online services with our clinician are permitted in their jurisdiction. For jurisdictions where licensure is required and not held, we will provide alternative referrals. See our Terms for more details. (See Telepsychology guidance from professional bodies.)

14. Minors
We do not provide therapy to minors under age 18 without parental/guardian consent. If you are a parent or guardian seeking services for a minor please contact us directly.

15. Changes to this Privacy Policy
We may update this Privacy Policy. We will publish the updated policy on this page with the “Last updated” date.