Privacy Policy

Vibrant Consulting Ltd t/a Surgeon Shortlist  ·  Last updated: April 2025  ·  Effective date: April 2025


Surgeon Shortlist is a trading name of Vibrant Consulting Ltd, a company incorporated in Ireland (Company No. 718751), and is subject to the EU General Data Protection Regulation (GDPR). This Policy explains what personal information we collect, why we collect it, how we use it, and what rights you have — wherever in the world you are using our service.

1. Who We Are

Surgeon Shortlist ("we", "us", "our") is a trading name of Vibrant Consulting Ltd, a private company incorporated in Ireland (Company No. 718751). We operate the platform at surgeonshortlist.com, through which we provide credential-based surgeon research reports to patients seeking plastic and reconstructive surgery.

Vibrant Consulting Ltd is the data controller for all personal information processed in connection with the Surgeon Shortlist service.

Registered company: Vibrant Consulting Ltd, Ireland (Company No. 718751)
Contact: [email protected]

2. What Personal Information We Collect

Information you provide directly

When you submit our patient intake questionnaire (hosted by Typeform) or contact us directly, we may collect:

  • Your name, email address, and country of residence
  • The surgical procedure(s) you are researching
  • General health background relevant to surgical suitability (e.g. BMI range, smoking status, existing conditions)
  • Your geographic location or city preferences for surgeon proximity
  • Budget range, timeline, and other preferences you disclose
  • Communication and consultation preferences

Information we collect automatically

When you visit our website, we and our analytics provider may automatically collect:

  • IP address and approximate geographic location (country/region level)
  • Browser type and operating system
  • Pages visited, time on site, and referral source
  • Cookie identifiers (see Section 7)

Payment information

Payments for our reports are processed by a third-party payment provider (Stripe). We do not store your credit card number or full payment details. We retain only transaction records (amount, date, report purchased) for accounting purposes.

3. Health and Sensitive Information

Some information you share with us — such as details about your health status, surgical history, or body characteristics — may constitute special category data under GDPR (Article 9) or sensitive information under applicable national law.

We collect this information only where you provide it voluntarily, and only to the extent necessary to match you with surgeons whose expertise is relevant to your circumstances. Before submitting health information through our intake form, you will be asked to give your explicit, affirmative consent via a dedicated consent checkbox. You may withdraw this consent at any time by contacting us at hello@surgeonshortlist.com — withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We apply heightened security standards to all health-related data. We never sell or commercially share health information.

4. How We Use Your Information

| Purpose | Legal Basis (GDPR) |
|---|---|
| Preparing and delivering your personalised surgeon shortlist report | Performance of contract (Art. 6(1)(b)) |
| Processing your payment and issuing receipts | Performance of contract (Art. 6(1)(b)) |
| Processing health and personal sensitivity information included in your intake | Explicit consent (Art. 9(2)(a)) |
| Responding to your enquiries and providing customer support | Legitimate interests (Art. 6(1)(f)) |
| Improving our matching methodology and service quality (anonymised, aggregated) | Legitimate interests (Art. 6(1)(f)) |
| Website analytics and performance monitoring | Consent via cookie settings (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

We do not make solely automated decisions about individuals that produce legal or similarly significant effects within the meaning of Article 22 GDPR. Our reports involve human research and editorial judgement applied to credentialling data.

5. Who We Share Your Information With

We do not sell your personal information. We do not share your identity with surgeons or any third party for commercial purposes. We engage the following trusted service providers who process data on our behalf, under data processing agreements:

  • Typeform, S.L. — intake form and data collection platform (servers in the EU)
  • Stripe, Inc. — payment processing (PCI-DSS compliant)
  • Google LLC — website analytics (Google Analytics)
  • [YOUR WEB HOST NAME] — website hosting and file storage (⚠ insert your hosting provider name before publishing)

We may disclose personal information if required by law, court order, or regulatory authority in any jurisdiction in which we operate.

6. International Data Transfers

We are based in Ireland and operate globally. Your personal information may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and Australia. Where such transfers occur, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

7. Cookies and Analytics

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device that help us understand how visitors use the site.

Types of cookies we use

  • Essential cookies: Required for the website to function. No consent needed.
  • Analytics cookies: Help us measure traffic and user behaviour (e.g. Google Analytics). These are only set with your consent.

You can manage or withdraw your cookie consent at any time by adjusting your browser settings or using the cookie preference control on our website. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

8. How Long We Keep Your Data

  • Report and intake data: Retained for 2 years from the date your report is delivered, then securely deleted, unless you request earlier deletion.
  • Payment records: Retained for 7 years for accounting and tax compliance.
  • Correspondence and support: Retained for 3 years from last contact.
  • Analytics data: Retained in anonymised/aggregated form; individual identifiers expire per our analytics provider's standard retention settings.

9. Your Rights

Depending on your location, you have the following rights in relation to your personal information. We honour these rights regardless of which country you are in.

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete information.
  • Erasure: Request deletion of your data, subject to legal retention obligations.
  • Restriction: Ask us to limit processing while a dispute is resolved.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent for health data or analytics at any time.
  • Complaint: Lodge a complaint with your local data protection authority.

Market-specific rights

| Market | Governing Law | Supervisory Authority |
|---|---|---|
| Ireland / EU | GDPR (Regulation 2016/679) | Data Protection Commission (DPC) — dataprotection.ie |
| Australia | Privacy Act 1988 (Cth) and Australian Privacy Principles | Office of the Australian Information Commissioner — oaic.gov.au |
| United Kingdom | UK GDPR and Data Protection Act 2018 | Information Commissioner's Office — ico.org.uk |
| United States | State privacy laws (incl. CCPA/CPRA for California residents) | California Privacy Protection Agency (for CA residents) |
| Canada | PIPEDA / provincial privacy legislation | Office of the Privacy Commissioner of Canada — priv.gc.ca |
| New Zealand | Privacy Act 2020 | Office of the Privacy Commissioner — privacy.org.nz |

10. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or loss. These measures include encryption in transit (TLS), access controls, and regular review of our data handling practices.

No method of transmission over the internet is completely secure. If you become aware of any security concern related to your data, please contact us immediately at [email protected].

11. Children's Privacy

Our service is intended for adults aged 18 and over who are researching elective surgical procedures. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a minor has submitted information through our platform, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the effective date at the top of this page. We encourage you to review this Policy periodically.

Contact Us

To exercise any of your rights, or if you have questions about how we handle your personal information, please contact us:

Email: hello@surgeonshortlist.com

Company: Vibrant Consulting Ltd t/a Surgeon Shortlist, Ireland (Company No. 718751)

Please include your full name, the email address used when submitting your report request, and a description of the right you wish to exercise. We may ask for proof of identity before processing your request.

We will respond to all legitimate requests within 30 days. For complex requests, we may extend this period by a further two months and will notify you accordingly.