Privacy Policy

Forge Marketing's Privacy Policy
‍

This Privacy Policy outlines how Forge Marketing, a healthcare marketing agency operating in France and Cyprus with clients worldwide (including the USA, Europe, UAE/Dubai, and other regions), collects, uses, discloses, and protects your personal data. We comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the French Data Protection Act (as amended), Cyprus Law 125(I)/2018, and other applicable international laws, including but not limited to:

• USA: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the Health Insurance Portability and Accountability Act (HIPAA) where we process Protected Health Information (PHI) for US-based healthcare clients.
• UAE (including Dubai): Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL), which mirrors GDPR principles for data processed in the UAE.
• Other Regions: Relevant local laws, such as those in other European countries, and global standards for cross-border data transfers.

As a healthcare-focused agency serving global clients, we handle sensitive health-related data with the utmost care, adhering to strict requirements for special category data under GDPR Article 9, HIPAA (for US PHI), and equivalent protections under UAE PDPL. We are committed to transparency, accountability, and respecting your data protection rights across jurisdictions. This policy applies to all personal data processed through our website, services, and interactions.

If you are located in the EU (including France and Cyprus), your data is primarily protected under GDPR. For US residents (e.g., California), additional CCPA/CPRA rights apply. For UAE residents, PDPL protections are enforced.

This policy was last modified on January 24, 2026.

‍

1. Data Controller and Contact Information

‍

Forge Marketing acts as the data controller for personal data collected via our website and services. Our registered office is in PARIS, France, with operations extending to Cyprus and serving clients globally.

‍

• Data Protection Officer (DPO): We have appointed a DPO to oversee compliance. Contact: dpo@forge-marketing.com.
• Supervisory Authorities: For complaints or inquiries:
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Website: www.cnil.fr.
  • Cyprus: Office of the Commissioner for Personal Data Protection, 1 Iasonos Street, 1082 Nicosia, Cyprus. Website: www.dataprotection.gov.cy.
  • USA (California): California Privacy Protection Agency (CPPA). Website: www.cppa.ca.gov.
  • UAE: UAE Data Office or relevant authority under PDPL. Website: www.u.ae/en/information-and-services/business/data-protection.

General Contact: info@forge-marketing.com.

‍

If you have any questions about this policy or our data practices, please contact us.

‍

2. What Personal Data Do We Collect?

‍

We collect personal data when you interact with our website, inquire about our healthcare marketing services (e.g., SEO, paid ads, content creation for medical practices), fill out forms, or engage with our services. Categories include:

• Identifying Information: Name, email address, phone number, job title, or clinic details.
• Contact and Inquiry Data: Information provided in forms, emails, or calls, such as details about your healthcare practice.
• Technical Data: IP address, browser type, device information, and usage data (e.g., pages visited, time spent) collected automatically via logs or analytics tools.
• Special Category Data (Health-Related): In the context of healthcare marketing, we may process limited health data (e.g., from patient endorsements or content creation) only with explicit consent or where necessary for service delivery. This is treated as sensitive under GDPR Article 9, HIPAA (for US PHI), and UAE PDPL Article 4.
• Marketing Data: Preferences for receiving communications about our services.

You may visit our site anonymously, but certain features require data submission. We do not collect data from children under 16 (or 13 in some jurisdictions like COPPA in the USA) without verifiable parental consent, in line with GDPR, COPPA, and equivalent laws.

We only collect data that is necessary, adequate, and relevant for the purposes outlined below, tailored to your location and applicable laws.

‍

3. Legal Basis for Processing Your Personal Data

‍

We process personal data only where there is a valid legal basis, harmonized across jurisdictions:

• Consent: Under GDPR Article 6(1)(a) and Article 9(2)(a), CCPA/CPRA (for opt-in where required), HIPAA (explicit authorization for PHI), and UAE PDPL Article 5 (for sensitive data). Consent must be freely given, specific, informed, and unambiguous (e.g., via checkboxes). You can withdraw consent at any time without affecting prior processing.
• Contractual Necessity: Under GDPR Article 6(1)(b), to provide requested services, such as healthcare marketing consultations or campaigns.
• Legitimate Interests: Under GDPR Article 6(1)(f) and UAE PDPL, for improving our website, analyzing usage, or fraud prevention, after balancing our interests against your rights (via a Legitimate Interests Assessment or equivalent).
• Legal Obligation: Under GDPR Article 6(1)(c), HIPAA (for compliance reporting), CCPA/CPRA (for disclosures), and UAE PDPL, to comply with laws, such as reporting data breaches.
• Vital Interests: Rarely, under GDPR Article 6(1)(d), HIPAA, and UAE PDPL, for protecting vital interests in health emergencies.

For special category health data in marketing contexts, we rely on explicit consent or where processing is necessary for healthcare purposes (e.g., under professional secrecy obligations in France/Cyprus or HIPAA Business Associate Agreements for US clients). We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, as required by GDPR Article 35, CNIL recommendations, UAE PDPL, and similar assessments under CCPA/CPRA.

‍

4. How Do We Use Your Personal Data?

‍

We use your data in a lawful, fair, and transparent manner for the following purposes, compliant with global standards:

• To Provide and Improve Services: Respond to inquiries, deliver healthcare marketing services (e.g., SEO for medical practices, ad campaigns), and customize consultations.
• Customer Support: Handle requests, feedback, or complaints effectively.
• Marketing and Communications: Send updates on healthcare marketing trends or services, only with consent (opt-in under CCPA/CPRA and UAE PDPL). You can opt out via unsubscribe links.
• Website Analytics: Improve user experience and site functionality using aggregated, anonymized data.
• Compliance and Security: Detect fraud, ensure data security, and meet legal requirements (e.g., HIPAA audits for US PHI).
• Research and Development: Anonymized data for internal analysis to enhance healthcare marketing strategies.

Data is not used for automated decision-making or profiling that produces legal effects without human oversight, unless consented to and allowed under applicable laws (e.g., GDPR Article 22, UAE PDPL).

‍

5. Data Sharing and Disclosure

‍

We do not sell or trade your personal data (as defined under CCPA/CPRA, where "sale" includes sharing for monetary value). Sharing occurs only when necessary:

• Service Providers (Processors): Trusted third parties (e.g., analytics tools like Google Analytics, ad platforms) bound by GDPR-compliant Data Processing Agreements (DPAs) under Article 28, HIPAA Business Associate Agreements (for US PHI), and UAE PDPL equivalents. We conduct due diligence to ensure their compliance.
• Healthcare Partners: For collaborative marketing (e.g., directories like Healthgrades), with your consent.
• Legal Requirements: To authorities if required by law (e.g., data breach notifications to CNIL or Cyprus Commissioner within 72 hours under GDPR Article 33; to CPPA under CCPA/CPRA; to UAE authorities under PDPL).
• Business Transfers: In mergers or acquisitions, with safeguards.

6. International Data Transfers

‍

As a global agency, we may transfer data across borders. Transfers from the EEA (EU) to non-adequate countries (e.g., USA, UAE) use Standard Contractual Clauses (SCCs) approved by the European Commission, or other GDPR Chapter V mechanisms. For US transfers, we comply with post-Schrems II requirements. For UAE, transfers align with PDPL reciprocity rules. HIPAA-covered data for US clients remains protected via Business Associate Agreements. We ensure equivalent protection levels and conduct Transfer Impact Assessments where required.

‍

7. How Do We Protect Your Data?

‍

We implement appropriate technical and organizational measures to secure data against unauthorized access, loss, or breach, in line with GDPR Article 32, HIPAA Security Rule, CCPA/CPRA safeguards, UAE PDPL Article 20, and national standards:

• Encryption for data in transit and at rest.
• Access controls, firewalls, and regular security audits.
• Employee training on data protection.
• Pseudonymization or anonymization where possible.
• For health data: Additional safeguards like restricted access, logging, and HIPAA-compliant measures.

In France, we follow CNIL security guidelines. In Cyprus and UAE, we adhere to local commissioner recommendations. For US data, we align with HIPAA if applicable.

If a breach occurs, we notify affected individuals and authorities as required (e.g., within 72 hours to regulators under GDPR/PDPL; 60 days under HIPAA for large breaches; promptly under CCPA/CPRA if high risk).

‍

8. Data Retention

‍

We retain data only as long as necessary for the purposes collected, or as required by law (e.g., up to 3 years for marketing data under GDPR/CNIL; 10 years for HIPAA audit logs; aligned with UAE PDPL limitation principles):

• Inquiry data: Up to 3 years after last contact.
• Marketing consent: Until withdrawn.
• Health data: As needed for services, then deleted or anonymized.

Retention periods comply with GDPR, CCPA/CPRA, HIPAA, UAE PDPL, and other laws.

‍

9. Your Data Protection Rights

‍

Your rights vary by location, but we honor the most protective standards:

• Global/GDPR Rights (EU, including France/Cyprus): Access, rectification, erasure, restriction, portability, objection, withdraw consent (as in Section 8 of previous policy).
• CCPA/CPRA Rights (California/US Residents): Know/Access data, delete, correct, opt-out of sale/sharing, limit sensitive data use, non-discrimination. Requests via dpo@forge-marketing.com; we respond within 45 days (extendable).
• HIPAA Rights (US PHI): Access PHI, amend, accounting of disclosures, request restrictions/confidential communications.
• UAE PDPL Rights: Similar to GDPR: Access, correction, deletion, restriction, objection, portability.

Contact us to exercise rights (free, unless unfounded). We respond within one month (GDPR/PDPL) or 45 days (CCPA). Lodge complaints with relevant authorities.

‍

10. Cookies and Tracking Technologies

‍

We do not use cookies for tracking. If implemented, we will obtain consent via a banner, compliant with GDPR/ePrivacy, CCPA/CPRA (opt-out signals), and UAE PDPL. Technical data is collected via server logs without persistent identifiers.

‍

11. Third-Party Links

‍

Our site may link to third-party sites (e.g., ad platforms). These have independent policies; we are not responsible. Review them separately.

‍

12. Children's Privacy

‍

We do not target children under 16 (GDPR/PDPL) or 13 (COPPA in USA). If collected inadvertently, data is deleted. Processing requires parental consent.

‍

13. Changes to This Policy

‍

We may update this policy for changes in practices or laws. Changes posted here with date; significant ones notified via email.

‍

14. Consent and Applicable Law

‍

By using our site/services, you consent to this policy. Governed by EU law for EEA data, with jurisdiction in French/Cypriot courts; US disputes under California law if CCPA applies; UAE under PDPL.