Privacy Policy — Gestalt Wellness Institute Southeast Asia, Inc.
Effective Date: February 25, 2026
Last Updated: February 25, 2026
This Privacy Policy explains how Gestalt Wellness Institute Southeast Asia, Inc. (“GWI,” “we,” “us,” “our”) collects, uses, shares, and protects personal information when you visit or use our website and related online services (collectively, the “Services”).
Because this is a clinic website, information submitted through inquiries, appointment requests, or messages may incidentally reveal sensitive or health-related details. We handle such information with heightened care consistent with clinical confidentiality expectations and applicable privacy laws.
This Policy is designed to align with the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations (IRR). It also includes disclosures commonly required or expected under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), CalOPPA, and COPPA—where these laws apply to a particular user, location, or interaction.
1) Who We Are (Controller/Business/Operator)
Controller/Business/Operator: Gestalt Wellness Institute Southeast Asia, Inc.
Address: 2928 VH Garces Street, Laray, San Roque, Talisay City, Cebu 6045
Website: gestaltwellness.com
Data Protection Officer (DPO): Ara May Real-Panoncia
Email: privacy@gestaltwellness.com
Phone: 032 3454610
You may also contact us via: www.gestaltwellness.com/privacy
2) Scope
This Policy applies to personal information collected through:
our website pages, forms, and online workflows;
appointment inquiries, confirmations, and operational communications;
payment link delivery and payment confirmation communications; and
opt-in email communications (surveys, feedback, special offers).
This Policy does not cover third-party websites or services you may access via links on our site. Their privacy practices are governed by their own privacy policies.
3) Important Clinic Notice: Please Avoid Sending Detailed Clinical Information Through the Website
Our website is intended for inquiries, scheduling, and payment coordination. Please avoid submitting highly sensitive details (e.g., full clinical history, diagnoses, detailed trauma narratives, or other extensive health information) through public web forms or unsecured channels. If sensitive clinical details are necessary, we will guide you to appropriate clinical channels.
This Privacy Policy does not replace professional confidentiality obligations or any separate informed consent/clinic forms you may sign with us for clinical services.
4) Information We Collect
A. Information you provide directly
We may collect:
Name
Contact number
Email address
Address (when needed for billing/receipts or service logistics)
Social media profile/handle (only if you voluntarily provide it)
Messages and communications you submit (inquiries, feedback, survey responses, and other content)
B. Appointment and service coordination information
We may collect:
appointment date/time preferences and confirmation details
service type requested (e.g., consultation category)
coordination and operational notes you voluntarily provide (which may be sensitive by nature)
C. Minor/guardian referral information
If a client is a minor and is referred for consultation/treatment, we may collect:
parent/guardian contact details
information reasonably necessary to coordinate consultation and services
D. Payment and transaction information
If you pay through the Services:
Payments are processed through Hitpay (including Bank Transfer and QR Ph via Hitpay).
We generally receive and retain transaction-related records (e.g., payment status, amount, timestamp, and reference/receipt identifiers).
Payment credentials and sensitive payment processing details are generally handled by the payment provider under their own privacy and security controls.
E. Information collected automatically (cookies, analytics, ads)
When you use the Services, we may automatically collect:
IP address, browser type, device identifiers, operating system
website usage data (pages visited, time spent, navigation patterns)
referrer/exit pages
cookie and similar technology data
We use:
Google Analytics (to understand usage and improve the site), and
Google Ads (for advertising and conversion measurement and, depending on configuration, interest-based advertising).
5) How We Use Information (Purposes)
We use personal information to:
respond to inquiries and provide clinic-related support;
schedule, confirm, and manage appointments;
send operational communications (appointment confirmations/reminders and service messages);
send payment gateway links and confirm payment completion/records;
send opt-in emails (surveys, feedback requests, special offers) to subscribers;
operate, secure, and improve our website and Services (including analytics);
measure advertising performance and conversions (where enabled); and
comply with legal obligations and protect rights, safety, and security.
6) Marketing Emails (Opt-In)
If you opt in to receive emails from us, we may send surveys, feedback requests, and special offers. You may unsubscribe at any time by using the unsubscribe link in the email or by contacting our DPO.
Operational emails related to appointments and payments (e.g., confirmations, reminders, and payment links) are not “marketing” and may be sent as part of service delivery.
7) Legal Bases for Processing (GDPR/UK GDPR — where applicable)
Where GDPR/UK GDPR applies, we process personal data on the following lawful bases (as appropriate to the context):
Contractual necessity (e.g., providing requested services; appointment and payment processing)
Consent (e.g., opt-in marketing emails; non-essential cookies where required)
Legitimate interests (e.g., site security, service improvement, analytics/measurement—balanced against your rights)
Legal obligation (e.g., accounting, recordkeeping, regulatory compliance)
8) Cookies, Google Analytics, and Google Ads (Clinic Context)
We use cookies and similar technologies for:
Essential functions (basic site operation)
Analytics (Google Analytics)
Advertising/measurement (Google Ads and related tools)
Clinic-specific tracking minimization
We aim to minimize advertising-related tracking on pages or workflows that could reasonably indicate a person is seeking clinical or mental health services (for example: appointment booking/consultation request/payment flows). Where feasible, we limit advertising cookies on such pages and rely on consent controls where required.
Managing cookies
You can manage cookies via:
your browser settings; and
any cookie/consent tool we provide on the website (if enabled), including “Cookie Settings” in our footer where available.
CalOPPA “Do Not Track” disclosure
Some browsers offer a “Do Not Track” (DNT) signal. Because there is no universally adopted standard for how websites must respond to DNT, our Services may not respond uniformly to DNT signals. We will update this Policy if our practices change.
9) Sharing and Disclosure of Information
We may disclose personal information to:
Service providers that help operate the website and communications (e.g., hosting, email delivery, analytics, customer support tools)
Payment processors (Hitpay) to process payments and provide payment services
Advertising/analytics partners (e.g., Google) for analytics, ad delivery, conversion measurement, and related functions (depending on configuration)
Professional advisers (lawyers, accountants) as needed
Authorities / regulators when required by law or to protect rights, safety, and security
Business transfers (e.g., merger, acquisition, reorganization), with appropriate safeguards
No sale of personal information
We do not sell or share personal information for money.
CCPA/CPRA note: California law can define “sale” and “sharing” broadly, and “sharing” can include disclosures for cross-context behavioral advertising. If our advertising configuration involves such “sharing” as defined by law and the law applies to you, you may opt out as described in Section 13(C).
10) International Data Transfers
Your information may be processed in countries other than where you reside (for example, where our service providers operate). Where required by applicable law, we use appropriate safeguards for international transfers.
11) Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this Policy, including:
Inquiries/communications: retained for follow-up, service quality, and record continuity
Appointments and service coordination records: retained as needed for operational continuity and appropriate clinic administration
Payment/transaction records: retained for accounting, audit, and legal compliance
Analytics/advertising data: retained according to our configurations and reasonable operational needs
12) Security
We use reasonable administrative, technical, and organizational safeguards to protect personal information. No method of transmission or storage is 100% secure; however, we work to prevent unauthorized access, disclosure, alteration, or destruction.
13) Your Rights and Choices
A. Philippines (RA 10173)
We process personal information guided by the principles of transparency, legitimate purpose, and proportionality, and we recognize data subject rights under the Data Privacy Act and its IRR.
Subject to applicable requirements and exceptions, you may request:
access to personal information we hold about you
correction of inaccurate information
deletion/blocking or restriction (where appropriate)
withdrawal of consent (where processing is based on consent)
To exercise rights, contact our DPO using the details in Section 1 or visit www.gestaltwellness.com/privacy.
B. GDPR/UK GDPR (EEA/UK users — where applicable)
Subject to conditions and exceptions, you may have the right to:
access, rectify, erase
restrict or object to processing
data portability
withdraw consent (where applicable)
lodge a complaint with a supervisory authority
C. California (CCPA/CPRA — where applicable)
If the CCPA/CPRA applies to us for your interaction, California residents may have rights to:
Know/access categories and specific pieces of personal information collected and disclosed
Delete personal information (subject to legal exceptions)
Correct inaccurate personal information
Opt out of the sale or sharing of personal information (as defined by law)
Non-discrimination for exercising privacy rights
How to submit requests: Use www.gestaltwellness.com/privacy or email privacy@gestaltwellness.com. We may verify your identity before fulfilling requests.
Authorized agent: Where required, you may use an authorized agent to submit a request on your behalf, subject to verification.
Global Privacy Control (GPC): Where applicable and required for covered businesses, we will treat a valid GPC signal as a request to opt out of sale/sharing.
14) Children and Minors (Clinic Referrals) + COPPA (Where Applicable)
Our clinic may receive inquiries and referrals involving minors. Typically, a parent or legal guardian provides information necessary for scheduling and treatment coordination. We collect only what is reasonably necessary for clinic operations and appropriate care coordination.
COPPA (U.S.) context: Where COPPA applies (e.g., collection of personal information online from children under 13 within COPPA’s scope), we will seek verifiable parental consent before collecting, using, or disclosing personal information from children under 13, and provide parents appropriate rights to review/delete such information. If we learn that we collected such information without required consent, we will take steps to delete it.
15) HIPAA & HITECH (U.S.) — Clinic Context (When Applicable)
HIPAA and HITECH are U.S. health-privacy laws that apply to U.S. Covered Entities and their Business Associates under specific conditions.
GWI is based in the Philippines, and our baseline compliance framework is the Philippines Data Privacy Act (RA 10173). However, if a specific engagement legally places us in the role of a HIPAA Business Associate to a U.S. Covered Entity (for example, where we provide services on behalf of a Covered Entity involving Protected Health Information), we will implement HIPAA/HITECH-aligned controls for that engagement, including appropriate contractual safeguards (e.g., a Business Associate Agreement when required), access controls, and incident response procedures consistent with applicable requirements.
Practical clinic commitment: Even where HIPAA does not apply, we treat client-submitted information with heightened confidentiality controls consistent with clinical ethics and healthcare privacy expectations.
16) Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies.
17) Changes to This Policy
We may update this Policy from time to time. We will revise the “Last Updated” date and, where appropriate, provide additional notice for material changes.
18) Contact Us
For privacy questions or requests, contact our DPO:
Ara May Real-Panoncia (Data Protection Officer)
Email: privacy@gestaltwellness.com
Phone: 032 3454610
Address: 2928 VH Garces Street, Laray, San Roque, Talisay City, Cebu 6045
Or visit: www.gestaltwellness.com/privacy