Book Appointment Now
Data Protection Policy
Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0
PART A: UNIVERSAL PROVISIONS
1. Data Controller
MTP Consulting S.A., a Panamanian company commercially known as Medical Tourism Packages, registered under number 155756653 (“MTP,” “the Company,” “we,” “us,” or “our”), is the data controller responsible for personal data collected through this website and in connection with our coordination services.
Privacy Contact:
Email: privacy@medicaltourismpackages.com
Website: https://www.medicaltourismpackages.com
Important Distinction: MTP is a medical tourism facilitator that coordinates travel logistics and introduces clients to licensed medical professionals and healthcare institutions in Latin America. MTP is not a hospital, clinic, doctor, or healthcare provider and does not provide medical advice, diagnosis, or treatment.
2. Definitions
For the purposes of this Policy:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Sensitive Data | Personal data revealing health conditions, medical history, biometric data, or genetic information |
| Processing | Any operation performed on personal data, including collection, storage, transmission, and deletion |
| Data Controller | The entity that determines the purposes and means of processing personal data |
| Data Processor | An entity that processes personal data on behalf of a controller |
| Healthcare Partners | Independent hospitals, clinics, physicians, and medical facilities to which MTP refers clients |
| Transient Processing | The temporary handling of health data solely for transmission to Healthcare Partners, followed by deletion |
| ARCO Rights | Rights of Access (Acceso), Rectification (Rectificación), Cancellation (Cancelación), and Opposition (Oposición) under Panama Law 81 |
| Client | Any individual who requests a quotation, engages our services, or submits personal data to MTP |
3. Scope and Applicability
This Data Protection Policy applies to:
- All visitors to our website at medicaltourismpackages.com
- All individuals who request quotations or information from MTP
- All clients who engage MTP’s coordination services
- All personal data processed by MTP, regardless of the data subject’s nationality or residence
Geographic Scope: This Policy applies worldwide. MTP coordinates medical tourism services across Latin America (Panama, Colombia, Costa Rica, Mexico) for international clients.
Relationship to Other Documents: This Policy supplements our general Privacy Policy. For data protection matters, this Policy prevails over the general Privacy Policy, subject always to the supremacy of any executed Service Agreements (including, but not limited to, Quotes, KYC Disclosures, and Waivers) as set forth in Section 19.1.
4. Data Categories
MTP processes two distinct tiers of personal data with different handling requirements:
Tier 1: Administrative and Compliance Data (Retained)
| Data Type | Examples | Purpose |
|---|---|---|
| Identity Information | Full name, passport number, nationality, date of birth, photograph | Identity verification, KYC compliance |
| Contact Information | Email address, phone number, physical address | Communication, coordination |
| Financial Information | Payment details, invoices, receipts, proof of payment | Payment processing, accounting |
| KYC/AML Documentation | Source of funds declarations, PEP screening results | Regulatory compliance, fraud prevention |
| Contracts and Agreements | Signed KYC disclosures, service agreements, quotation acceptances | Legal documentation |
| Coordination Records | Service requests, itineraries, communication logs | Service delivery, administrative monitoring |
Tier 2: Health Data (Transient)
| Data Type | Examples | Processing Approach |
|---|---|---|
| Medical History | Prior conditions, surgeries, current medications, allergies | Transient – deleted after transmission |
| Diagnostic Records | Laboratory results, pathology reports, medical notes | Transient – deleted after transmission |
| Medical Imaging | X-rays, MRI scans, CT scans, ultrasounds | Transient – deleted after transmission |
| Treatment Objectives | Desired procedures, treatment preferences, cosmetic goals | Transient – deleted after transmission |
Critical Distinction: Health-related data (Tier 2) is processed on a fundamentally different basis than administrative data (Tier 1). See Section 8 for the Transient Processing Model.
5. How We Collect Data
We collect personal data through the following channels:
(a) Website Forms
- Contact forms and quote request forms
- Newsletter subscription forms
- Online consultation booking forms
(b) Direct Communication
- Email correspondence
- Phone conversations
- Video consultations
- Messaging applications (WhatsApp, etc.)
(c) KYC Process
- Identity document submission
- Source of funds documentation
- Signed KYC Disclosure and Waiver of Liability
(d) Healthcare Partner Referrals
- Information provided by Healthcare Partners regarding coordination (limited to administrative matters only)
(e) Automated Collection
- Cookies and similar tracking technologies (see Section 15)
- Server logs recording IP addresses and browser information
We do not purchase, rent, or otherwise acquire personal data from third-party data brokers.
6. Purpose of Processing
We process personal data for the following purposes:
| Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Providing quotations | Contact, Health (transient) | Consent, Pre-contractual measures |
| Coordinating medical tourism services | All categories | Contract performance |
| Transmitting information to Healthcare Partners | Identity, Contact, Health (transient) | Explicit consent |
| Processing payments | Identity, Financial | Contract performance |
| KYC/AML compliance | Identity, KYC documentation | Legal obligation |
| Fraud prevention | Identity, Financial, KYC | Legal obligation, Legitimate interest |
| Communication and support | Contact, Coordination records | Contract performance, Legitimate interest |
| Website analytics and improvement | Technical data (anonymized) | Consent, Legitimate interest |
| Marketing communications | Contact | Consent (opt-in only) |
| Legal claims and disputes | All relevant categories | Legitimate interest, Legal obligation |
Purpose Limitation: We process personal data only for the purposes stated in this Policy. We do not use health data for marketing, profiling, or any purpose other than transmission to Healthcare Partners for coordination.
7. Legal Basis for Processing
Our processing activities are based on the following legal grounds:
For Administrative Data (Tier 1):
(a) Contractual Necessity
Processing necessary for the performance of our coordination services contract with you.
(b) Legal Obligation
Processing required by Panama Law 23 (AML), Panama Law 52 (commercial records), and other applicable regulations.
(c) Legitimate Interest
Processing necessary for fraud prevention, service improvement, and business administration, where such interests are not overridden by your rights.
For Health Data (Tier 2):
(a) Explicit Consent
Health data is classified as “sensitive data” (datos sensibles) under Panama Law 81. We process health data only with your explicit, informed, and unequivocal consent.
Your consent is:
- Specific: Limited to transmission to identified Healthcare Partners
- Informed: You are told exactly what data will be transmitted and to whom
- Freely given: Not a condition of receiving administrative services
- Withdrawable: You may withdraw consent at any time (see Section 12)
8. Transient Processing Model
This section describes MTP’s core data protection framework and is essential to understanding how we handle health data.
8.1 The Transient Processing Principle
Health-related data is processed solely on a transient basis for transmission to medical providers and is not retained in permanent files, except where retention is required to establish, exercise, or defend legal claims.
MTP operates as a conduit, not a repository, for health data. We collect health information solely for the purpose of transmitting it to Healthcare Partners to obtain quotations and coordinate your care. Once transmission is complete, health data is deleted from our systems.
8.2 How Transient Processing Works
| Stage | Action | Timeframe |
|---|---|---|
| Collection | Client submits medical records, imaging, or health questionnaire | Day 0 |
| Review | MTP reviews for completeness only (no clinical analysis) | Days 0-3 |
| Transmission | Data transmitted to Healthcare Partner(s) via secure channels | Days 1-7 |
| Confirmation | MTP confirms successful receipt by Healthcare Partner | Within 48 hours of transmission |
| Deletion | Health data permanently deleted from MTP systems | Without undue delay after confirmed transmission |
8.3 What “No Clinical Review” Means
MTP does not analyze, interpret, or provide medical opinions regarding any medical data transmitted.
MTP staff:
- DO verify that files are readable and complete
- DO organize documents for transmission
- DO NOT interpret medical results
- DO NOT evaluate whether treatment is appropriate
- DO NOT provide medical advice of any kind
8.4 Liability Protection Implications
The transient processing model means:
- MTP cannot produce health records in legal discovery — we do not possess them
- MTP cannot suffer a health data breach — we do not retain health data long-term
- MTP is not a medical records custodian — we bear no custodial liability
9. Data Retention Schedule
| Data Category | Retention Period | Legal Basis | Deletion Method |
|---|---|---|---|
| Health Data (Tier 2) | Transient (deleted without undue delay after transmission) | Purpose limitation (Law 81) | Secure permanent deletion |
| KYC/AML Documentation | 7 years from end of relationship | Panama Law 23 (AML), Law 52 | Secure destruction |
| Financial Records | 7 years | Panama Law 52, Tax Code | Secure destruction |
| Contracts and Agreements | 7 years | Commercial Code of Panama | Secure destruction |
| Coordination Records | 7 years | Legitimate interest, Legal claims | Secure deletion |
| Contact Information | Until consent withdrawal | Consent | Immediate deletion on request |
| Website Analytics | 14 months | Consent | Automatic expiration |
| Marketing Preferences | Until consent withdrawal | Consent | Immediate deletion on request |
“End of Relationship” means the later of: (a) completion of all coordinated services; or (b) resolution of any disputes or claims.
Exceptions: Data may be retained longer if required by law, court order, or ongoing legal proceedings.
10. Cross-Border Data Transfers
10.1 Destination Countries
Your personal data may be transferred to and processed in:
| Country | Purpose | Entity Types |
|---|---|---|
| Panama | MTP headquarters, primary processing | MTP Consulting S.A. |
| Colombia | Healthcare Partner coordination, local logistics | Hospitals, clinics, Viajes Plus SAGOC |
| Costa Rica | Healthcare Partner coordination | Hospitals, clinics |
| Mexico | Healthcare Partner coordination | Hospitals, clinics |
| United States | Payment processing, cloud infrastructure | Payment processors, hosting providers |
10.2 Transfer Safeguards
We ensure appropriate safeguards for international transfers:
(a) Explicit Consent
For health data transfers, we obtain your explicit consent acknowledging the destination countries.
(b) Contractual Protections
We require Healthcare Partners and service providers to maintain appropriate security measures.
(c) Adequacy Considerations
We assess the data protection environment of each destination and implement additional safeguards where necessary.
10.3 Your Acknowledgment
By authorizing data transmission to Healthcare Partners, you explicitly consent to cross-border transfers to the countries listed above.
11. Healthcare Partners as Independent Controllers
This section is critical for understanding liability allocation.
11.1 Controller-to-Controller Transfers
When MTP transmits your personal data to Healthcare Partners (hospitals, clinics, physicians), those Healthcare Partners become independent Data Controllers for all purposes under applicable data protection law.
| Role | Entity | Purpose | Responsibility |
|---|---|---|---|
| Controller 1 | MTP Consulting S.A. | Facilitation, quoting, coordination | MTP’s data handling only |
| Controller 2 | Healthcare Partner | Medical evaluation, diagnosis, treatment | Healthcare Partner’s data handling |
11.2 Not a Processor Relationship
This is NOT a controller-processor relationship. Healthcare Partners:
- Do not process data “on behalf of” MTP
- Receive data to perform their own independent medical services
- Operate under their own privacy policies
- Are subject to their own local data protection laws (e.g., Colombia’s Law 1581, Mexico’s LFPDPPP)
11.3 Liability Separation
MTP MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CREDENTIALS, COMPETENCE, OR QUALITY OF ANY HEALTHCARE PARTNER.
Consequence: Once data is successfully transmitted to a Healthcare Partner:
- That Healthcare Partner assumes full and sole responsibility for their data handling
- MTP has no ability to control, access, modify, or delete data held by Healthcare Partners
- Data protection requests regarding data held by Healthcare Partners must be directed to those Partners
12. Consent Mechanism
12.1 Unbundled Consent Architecture
Panama Law 81 requires that consent be “prior, informed, and unequivocal” for sensitive data. MTP uses an unbundled consent mechanism with separate authorizations for different processing purposes:
| Consent Type | Required For | Can Be Withdrawn |
|---|---|---|
| Administrative Data Consent | Processing identity, contact, financial data for coordination | Yes, but may prevent service delivery |
| Health Data Transmission Consent | Collecting and transmitting medical records to Healthcare Partners | Yes, at any time |
| Marketing Communications Consent | Sending newsletters, promotions, service updates | Yes, at any time |
| Cookie Consent | Non-essential cookies and analytics | Yes, via cookie settings |
12.2 How Consent Is Obtained
(a) Client Agreement Process
For clients engaging our services, explicit consent is obtained through our Client Agreement, which includes separate acknowledgments for:
- Authorization to handle and transmit medical information for coordination purposes
- Acknowledgment that MTP performs no clinical review of medical data
- Consent to cross-border data transfers to Healthcare Partners
(b) Online Forms
Explicit consent is obtained through clear, affirmative mechanisms such as unticked checkboxes requiring active selection, with specific acknowledgments for:
- Processing contact information for inquiry response
- Health data transmission to Healthcare Partners (with transient deletion disclosure)
- Cross-border data transfers to specified destination countries
- Marketing communications (optional)
12.3 Affirmative Consent
For sensitive health data processing, consent checkboxes are not pre-ticked. Consent requires affirmative action by the data subject.
12.4 Withdrawing Consent
You may withdraw consent by emailing privacy@medicaltourismpackages.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
13. Security Measures
We implement commercially reasonable security measures to protect your information.
The transient processing model provides inherent security protection: data that is not retained cannot be breached.
No method of electronic transmission or storage is 100% secure. You acknowledge that you provide personal information at your own risk.
14. Data Breach Notification
14.1 Our Commitment
In the event of a security incident involving unauthorized access to, disclosure of, or loss of personal data under MTP’s direct control, we will notify Panama authorities (ANTAI) without undue delay and in accordance with applicable statutory timeframes.
14.2 Scope Limitation
Our breach notification commitment applies only to incidents within MTP’s direct systems. Given our transient processing model for health data, breach exposure is limited to:
- Administrative and compliance data (Tier 1)
- Health data during the brief transmission window (Tier 2)
We are not responsible for security incidents at Healthcare Partners or other third parties. You should review each Healthcare Partner’s privacy policy for their breach notification procedures.
15. Cookies
Our website uses cookies. You can control cookies through your browser settings.
16. Children’s Data
Our Services are not directed to individuals under eighteen (18) years of age.
17. Contact Information
17.1 Privacy Contact
For all data protection inquiries, requests, or complaints:
Email: privacy@medicaltourismpackages.com
Subject Line: Include “Data Protection Request” or “Privacy Inquiry”
17.2 Response Timeframes
We will respond to data protection requests within the statutory timeframes established by Panama Law 81.
18. Governing Law and Dispute Resolution
18.1 Governing Law
This Data Protection Policy is governed exclusively by the laws of the Republic of Panama.
18.2 Dispute Resolution
Any dispute arising out of or relating to this Policy shall be resolved by binding arbitration before the Centro de Conciliación y Arbitraje de Panamá (CeCAP) in Panama City, Panama, conducted in English.
18.3 Limitation Period
Any claim related to data protection matters must be brought within twelve (12) months from the date you became aware of the circumstances giving rise to the claim.
19. Document Hierarchy, Liability Limitation, and Updates
19.1 Document Hierarchy
In the event of any conflict between this website content and any executed Service Agreement (including Quotes and Waivers) between you and MTP, the executed Service Agreement prevails.
19.2 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
(a) Third-Party Limitation
MTP IS NOT LIABLE FOR THE DATA PROTECTION PRACTICES, PRIVACY POLICIES, SECURITY MEASURES, OR DATA INCIDENTS OF HEALTHCARE PARTNERS OR OTHER THIRD PARTIES.
(b) Damages Limitation
MTP SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM DATA PROTECTION MATTERS.
(c) Aggregate Liability Cap
MTP’S TOTAL AGGREGATE LIABILITY, IF ANY, SHALL NOT EXCEED THE FEES PAID BY YOU TO MTP FOR THE SERVICES GIVING RISE TO THE CLAIM.
(d) Jurisdictional Acknowledgment
You acknowledge that your data may be processed in multiple jurisdictions with varying protections. MTP’s liability is governed exclusively by Panama law.
Exception: Nothing in this Policy limits liability for fraud, willful misconduct, or gross negligence to the extent such limitation is prohibited by Panama law.
19.3 Policy Updates
We may update this Policy from time to time. Changes will be posted with a new “Last Updated” date.
Continued use of our Services after the effective date of changes constitutes acceptance of the updated Policy.
PART B: JURISDICTION-SPECIFIC PROVISIONS
B1. Panama Law 81 – ARCO Rights
If you are located in Panama or your data is processed under Panama law, you have the following rights under Law 81 of 2019 (Personal Data Protection):
| Right | Description | How to Exercise |
|---|---|---|
| Acceso (Access) | Right to obtain confirmation of whether we process your data and a copy of that data | Email privacy@medicaltourismpackages.com |
| Rectificación (Rectification) | Right to correct inaccurate or incomplete data | Email with specific corrections |
| Cancelación (Cancellation/Deletion) | Right to request deletion of your data | Email deletion request |
| Oposición (Opposition) | Right to object to certain processing activities | Email with objection and grounds |
Limitations under Panama Law:
- We cannot delete data required for legal compliance (KYC/AML records for 7 years)
- We cannot delete data necessary for legal claims or defense
- Health data already deleted under the transient model cannot be retrieved or provided
- We cannot delete or modify data held by Healthcare Partners (contact them directly)
Response Time: 10 business days from receipt of complete request
Regulatory Authority: Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI)
ACKNOWLEDGMENT
By using our Services, submitting personal data, or signing our KYC Disclosure, you acknowledge that you have read and understood this Data Protection Policy.
MTP Consulting S.A.
Medical Tourism Packages
Panama Registration No. 155756653
This Policy is available in English. In case of conflict between translations, the English version prevails.