This Privacy Policy explains how Your Hair Center (“we”, “our”, “us”), operator of yourhaircenter.com, collects, uses, and protects information about visitors to this website and people who contact us through it. We are committed to safeguarding your privacy and complying with applicable data-protection laws, including the EU/UK General Data Protection Regulation (GDPR) where it applies.
Data Controller
- Operator: Your Hair Center
- Registered address: Akşemsettin, İstanbul, Türkiye
- Privacy contact: [email protected]
- Data Protection Officer: No DPO appointed — please use the privacy contact above.
For data-subject requests, use the privacy contact above or our contact page.
Information We Collect
When you visit our website or submit a form, we may collect:
- Information you provide: first name, surname, email address, phone number, and any free-text message you include with a consultation or contact request; or your email address when you subscribe to our newsletter. Forms also capture the form’s location on our website (e.g., footer, contact page) and your country, which is automatically determined from your IP address at the time of submission.
- Information collected automatically by our server: IP address, browser type and version, operating system, referring website, pages visited, and the date and time of your visit.
- Information collected by our analytics and advertising tools: see “Third-Party Services” below.
How We Use Your Information
- To respond to your consultation or contact request.
- To send the newsletter you signed up for and related service updates.
- To improve our website, services, and user experience.
- To measure the performance of our marketing and advertising.
- To comply with legal obligations.
Cookies & Tracking Technologies
Our website uses cookies and similar technologies to recognize visitors, remember preferences, measure traffic, and support advertising. The cookies set on or via our site include:
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics 4 | Visitor distinction, session measurement | Up to 2 years |
| _fbp | Meta Pixel | Visitor distinction for advertising attribution | 3 months |
| _fbc | Meta Pixel | Last-click attribution from a Meta ad (set when you arrive via an fbclid link) | 2 years |
| _onyx_visitor_id | Our website (first-party) | Stable visitor identifier used to deduplicate browser-Pixel and server-side Meta events; sent to Meta in hashed form | 2 years |
You can clear or block these cookies through your browser settings. Disabling them may affect site functionality and our ability to measure performance.
Third-Party Services We Use
Google Analytics 4 (GA4) — provided by Google LLC (United States). GA4 receives your IP address, browser and device identifiers (including a client_id stored in the _ga cookie), the pages you view, the referring page, and a coarse approximation of your location derived from your IP. Google shortens the IP before storing it. Reports are aggregated, but the underlying data sent to Google identifies your device. Read more in the Google Privacy Policy. You can opt out by installing the Google Analytics Opt-out Browser Add-on.
Meta Pixel & Meta Conversions API — provided by Meta Platforms Inc. (United States). We use two complementary tools:
- The Meta Pixel — a JavaScript snippet that loads on every page of our site. On each page view it sends to Meta: the page URL, the referring page, your IP address, your browser’s user-agent string, and the _fbp/_fbc cookies described above. The Pixel runs on every page view.
- The Meta Conversions API (server-side) — we use this to send Meta a corresponding server-side event in two situations:
  - When you submit a form (contact, consultation, or newsletter). Submitting any of our forms requires you to tick the Privacy Policy consent checkbox first — without it, the form will not submit. When the event fires, we send Meta: hashed (SHA-256, one-way) identifiers — your email address, phone number, first name, last name, and country — together with your IP address, user-agent, the _fbp/_fbc cookies (if present), and a hashed first-party visitor identifier. Meta uses these to match the event to a Meta account and deduplicate it against the browser Pixel.
  - When you click a contact link on our site (phone, WhatsApp, or email). We send Meta your IP address, user-agent, the _fbp/_fbc cookies (if present), and a hashed visitor identifier. Because a link click does not collect any contact details, no personal identifiers are included in this event.
We never send the free-text message body of a contact form to Meta. Event labels are limited to generic placement codes (e.g., consultation, subscription, footer_phone) and never contain procedure names, medical conditions, or other sensitive descriptions.
Both tools are used to measure ad performance, understand actions taken on our website, and serve more relevant ads on Meta platforms (Facebook, Instagram, WhatsApp). Read more in Meta’s Privacy Policy. Manage how Meta uses your data at Facebook Ad Preferences and review off-Meta activity at Facebook Off-Meta Activity.
International Data Transfers
Both Google LLC and Meta Platforms Inc. are based in the United States. When you visit our website, personal data (including your IP address, browser identifiers, cookies, and — where applicable — the hashed identifiers described above) is transferred to the United States.
Where the GDPR applies, these transfers rely on the EU-US Data Privacy Framework (Google LLC and Meta Platforms Inc. are both self-certified participants) and, where applicable, the European Commission’s Standard Contractual Clauses (SCCs) as supplementary safeguards. You can verify recipient certifications at www.dataprivacyframework.gov.
Legal Basis for Processing (GDPR)
Where the GDPR applies, we process your personal data on the following legal bases:
- Consent — when you tick a consent box on a form (contact, consultation, or newsletter), or otherwise give an explicit affirmative action. Consent can be withdrawn at any time by contacting us.
- Contract — when processing is necessary to respond to your service or consultation request.
- Legitimate interest — for site security, fraud prevention, and aggregate measurement of how our site is used. You may object to processing on this basis at any time.
- Legal obligation — for record-keeping, tax, and similar statutory requirements.
If you are an EEA/UK visitor and prefer that the analytics and advertising cookies above not be set, please use the opt-out links in the Third-Party Services section or your browser’s cookie controls before browsing further. We will continue to honour any direct request to delete data already collected.
Health & Sensitive Information
We operate in the hair-restoration field, which means messages you send us through our website may contain information about your health (e.g., a description of hair loss). We treat any such information as a “special category” of personal data under GDPR Article 9 and process it only on the basis of your explicit consent, given when you tick the consent checkbox before submitting the form. Where you provide such information:
- It is used only to respond to your request and provide the consultation or service you asked for.
- It is not shared with our advertising or analytics providers. The free-text message field is never transmitted to Meta or Google.
- It is stored on our servers and shared only with our affiliated medical professionals responsible for handling your request.
If you do not wish to share health information, please limit your message to general contact details and we will follow up by phone or email.
Sharing Your Information
We do not sell your personal information. We share data with:
- Affiliated medical professionals, to fulfil your consultation or treatment request.
- Service providers that operate our website (hosting, email delivery, analytics, advertising measurement), all bound by data-processing agreements. Our principal sub-processors include:
  - Hosting: Veridyen (Türkiye)
  - Email and newsletter delivery: third-party transactional email provider (e.g., Resend, SendGrid)
  - Web analytics: Google LLC (GA4)
  - Advertising measurement: Meta Platforms Inc. (Pixel + Conversions API)
- Authorities, where required by law or to defend our legal rights.
Data Retention
- Inquiry submissions — kept for as long as needed to respond to you and for the duration of any subsequent relationship, plus any statutory retention period.
- Newsletter subscriptions — kept until you unsubscribe.
- Analytics data — retained according to Google’s defaults for GA4 (currently 14 months for event-level data).
- Meta advertising data — retained according to Meta’s own policy.
- Server access logs — kept for short-term security and diagnostic purposes (typically up to 30 days) and then deleted or rotated.
Your Rights
Subject to applicable law, and under the GDPR where it applies, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your data (“right to be forgotten”).
- Object to or restrict processing of your data.
- Receive your data in a portable format.
- Withdraw consent at any time (this does not affect the lawfulness of processing carried out before withdrawal).
- Lodge a complaint with a competent supervisory authority — for example, your national EEA data-protection authority, or the UK Information Commissioner’s Office (ICO).
To exercise these rights, contact us using the privacy contact in the Data Controller section above.
Children’s Privacy
Our services are intended for adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us so we can remove it.
Security
We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet is 100% secure.
Changes to This Privacy Policy
We may update this Privacy Policy periodically. The date below reflects the most recent revision. Material changes will be highlighted on this page. We encourage you to review this page regularly.
Contact
If you have questions about this Privacy Policy or your personal data, please reach us through our contact page or the privacy contact in the Data Controller section above.
Last updated: 26 May 2026.