+1 505 520 3983

Legal

Privacy Policy

Last updated: 27 June 2026

This Privacy Policy explains how Limitless Sky and Sea LLC ("we", "us", "our"), trading as Medical Evacuation, processes personal data — including health-related data — when you visit https://medical-evacuation.com, request a quote, or book an air ambulance, medical repatriation or medical charter flight through us.

1. Data Controller

Limitless Sky and Sea LLC
8206 Louisiana Blvd NE, Ste A #9612, Albuquerque, NM 87113, United States of America
Email: info@medical-evacuation.com
Responsible person: Dr. Christoph Lymbersky

2. Personal data we collect

  • Contact details: name, email, phone, country, company or organisation, role.
  • Mission details: origin and destination airports/hospitals, dates, passenger and escort counts, insurance or payer information, billing details.
  • Patient data (special-category / health data): age, weight, diagnosis, current clinical status, medications, equipment requirements, sending and receiving physician contacts, medical reports and imaging — only when you (or an authorised representative) submit them in order to obtain a quote or arrange a flight.
  • Identity documents: passport copies, visas, ID cards where required by an operator, ground handler or border authority.
  • Technical data: IP address, device, browser, referrer, pages viewed and timestamps via standard server logs and privacy-respecting analytics.

3. Purposes and legal bases

  • Quoting and coordinating flights — performance of a contract (Art. 6(1)(b) GDPR) and, for health data, explicit consent or vital interests (Art. 9(2)(a) / (c) GDPR).
  • Operator, hospital and ground-handler coordination — performance of a contract and our legitimate interest in delivering the requested transport safely.
  • Regulatory, AML/KYC, sanctions and aviation compliance — legal obligation (Art. 6(1)(c)).
  • Website operation, security and fraud prevention — legitimate interests (Art. 6(1)(f)).
  • Marketing communications — only with your consent (Art. 6(1)(a)); you may withdraw at any time.

4. Who we share data with

We share the minimum data necessary with: accredited air carriers (FAR Part 135, EASA or equivalent), medical providers and escorting clinicians, ground ambulance and hospital admissions teams, FBOs and ground handlers, insurers, assistance companies and payers you have nominated, border and customs authorities where legally required, and our hosting, email, payment, CRM and analytics processors. Processors act only on our instructions under written agreements.

5. International transfers

Because medevac is global, data may be transferred outside the EU/EEA, UK or Switzerland — for example to a hospital, operator or handler in the destination country. Where required we rely on adequacy decisions, Standard Contractual Clauses, or your explicit informed consent, and we transfer only the data needed for the mission.

6. Retention

Inquiry data is kept up to 24 months. Booked-mission records and related medical documentation are retained for up to 10 years to meet aviation, insurance and tax obligations, then deleted or anonymised. Marketing data is kept until you opt out.

7. Your rights

Subject to applicable law you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent. EU/EEA, UK and Swiss residents may lodge a complaint with their supervisory authority. California residents have additional CCPA/CPRA rights including the right to know, delete, correct, and opt out of "sharing". To exercise any right email info@medical-evacuation.com.

8. Cookies

We use strictly-necessary cookies to operate the site and, with your consent, limited analytics cookies to understand usage. You can control cookies through your browser settings.

9. Security

We apply technical and organisational measures appropriate to the sensitivity of the data — including TLS in transit, encrypted storage, role-based access, and confidentiality obligations on staff and partners. No system is 100% secure; we cannot guarantee absolute security.

10. GDPR notice for EU / EEA / UK / Swiss enquirers

This section applies in addition to the rest of this policy when you are located in the European Economic Area, the United Kingdom or Switzerland, or when we otherwise process your personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, or the Swiss FADP.

10.1 Controller and contact

The controller of your personal data is Limitless Sky and Sea LLC, 8206 Louisiana Blvd NE, Ste A #9612, Albuquerque, NM 87113, United States of America. For any GDPR request, contact info@medical-evacuation.com with the subject line "GDPR request". We do not currently maintain an Article 27 EU representative; EU/EEA and UK data subjects may contact us directly at that address.

10.2 Categories of data and legal bases

  • Identification and contact data — Art. 6(1)(b) GDPR (steps prior to entering a contract) and Art. 6(1)(f) (legitimate interest in responding to your enquiry).
  • Mission, billing and payer data — Art. 6(1)(b) (performance of the transport arrangement) and Art. 6(1)(c) (legal obligations including tax, aviation, sanctions and AML/KYC).
  • Health data (special category, Art. 9 GDPR) — processed on the basis of your explicit consent (Art. 9(2)(a)) when you submit it to obtain a quote; vital interests (Art. 9(2)(c)) where the patient is physically or legally incapable of giving consent; or health-care provision (Art. 9(2)(h)) where applicable.
  • Identity documents — Art. 6(1)(c) (legal obligation imposed by carriers, handlers and border authorities).
  • Website, log and security data — Art. 6(1)(f) (legitimate interest in operating and securing the site). Analytics and non-essential cookies are set only with your consent under Art. 6(1)(a) and the ePrivacy Directive as implemented locally.
  • Marketing communications — Art. 6(1)(a) consent, withdrawable at any time without affecting prior lawful processing.

10.3 Recipients and processors

We disclose the minimum data needed to: accredited operators and their flight crew and medical teams; sending and receiving hospitals and physicians; ground ambulance services, FBOs and handlers; insurers, assistance companies and payers you have nominated; competent border, customs, immigration and aviation authorities; and our hosting, email, CRM, payment and analytics processors. All processors act under Art. 28 GDPR data-processing agreements and only on documented instructions.

10.4 International transfers

We are established in the United States. Personal data of EU/EEA, UK and Swiss enquirers is therefore transferred to, and stored in, the United States, and is further transferred to operators, hospitals, handlers and authorities in the country of origin and destination of each mission, which may be outside the EEA, UK or Switzerland and may not benefit from an adequacy decision. We rely on: (i) the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum and the Swiss-recognised SCCs; (ii) the EU-US, UK-US and Swiss-US Data Privacy Framework where the recipient is self-certified; or (iii) the explicit informed consent of the data subject under Art. 49(1)(a) GDPR and, for transfers necessary to protect the vital interests of the patient, Art. 49(1)(f). A copy of the safeguards in place for a specific transfer can be requested at the address above.

10.5 Retention

Unbooked enquiry records: deleted or anonymised within 24 months of last contact. Booked-mission records and supporting medical documentation: retained for up to 10 years from completion of the mission to meet aviation, insurance, tax and limitation- period obligations, after which they are deleted or anonymised. Marketing data: until consent is withdrawn. Server and security logs: up to 12 months.

10.6 Your GDPR rights

You have the right to (i) access your personal data (Art. 15), (ii) rectification (Art. 16), (iii) erasure (Art. 17), (iv) restriction of processing (Art. 18), (v) data portability (Art. 20), (vi) object to processing based on legitimate interests or to direct marketing (Art. 21), and (vii) withdraw consent at any time without affecting prior lawful processing (Art. 7(3)). We do not use solely automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. To exercise any right, email info@medical-evacuation.com. We respond within one month, extendable by two further months for complex requests.

10.7 Right to lodge a complaint

You may lodge a complaint with the data-protection supervisory authority in your EU/EEA Member State of residence, place of work or place of the alleged infringement; with the UK Information Commissioner's Office (ICO) for UK residents; or with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for residents of Switzerland. We would appreciate the opportunity to address your concern directly first.

10.8 Provision of data

Providing contact, mission and — where relevant — health data is necessary to quote and arrange medical air transport. Without it we cannot obtain operator and hospital confirmations, and the requested service cannot be delivered.

11. Changes

We may update this policy. Material changes will be posted on this page with a new "Last updated" date.