PRIVACY POLICY
(https://www.ephion.health)


EPHION HEALTH SL is committed to protecting the privacy of users who access this website and/or any of its services. The use of the website and/or any of the services offered by EPHION HEALTH SL, implies the acceptance by the user of the provisions contained in this Privacy Policy and that their personal data will be treated as stipulated. Please note that although there may be links from our website to other websites, this Privacy Policy does not apply to other companies or organizations to which the website is redirected. EPHION HEALTH SL does not control the content of third-party websites and does not accept any responsibility for the content or privacy policies of these websites.

1) OWNER INFORMATION
In compliance with article 10 of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce, the identification data of the Owner is set out below:
Web: https://www.ephion.health
Holder: EPHION HEALTH SL
Domicile: Av. Universitat Autònoma nº 23. Vallès Technology Park,. 08290-CERDANYOLA DEL VALLES
C.I.F.: B16776411
Telephone: 634270335
Email: info@ephion.health
Registry data: Barcelona Mercantile Registry. Volume 47968, Folio 43, Page 567805, Inscription 1  

2) APPLICABLE LAWS
This privacy policy is based on current Spanish and European regulations on the protection of personal data on the Internet. Specifically, it respects the following rules:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).  

3) PRIVACY ISSUES
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and Guarantee of Digital Rights, we provide you with the following information on the processing of personal data that you may provide to us:
Responsible for the File
EPHION HEALTH SL
Our details can be found at the top of this legal notice.
Registration of Personal Data
In compliance with the provisions of the GDPR and the LOPD-GDD, we inform you that the personal data collected by EPHION HEALTH SL, through the forms extended on its pages, will be incorporated and processed in our file in order to facilitate, speed up and comply with the commitments established between EPHION HEALTH SL and the User or the maintenance of the relationship established in the forms that the User fills in.  or to respond to a request or query from the same. Likewise, in accordance with the provisions of the GDPR and the LOPD-GDD, unless the exception provided for in article 30.5 of the GDPR applies, a register of processing activities is kept that specifies, according to their purposes, the processing activities carried out and the other circumstances established in the GDPR.
Legal Basis for Processing
The legal basis for the processing of personal data is consent. EPHION HEALTH SL undertakes to obtain the express and verifiable consent of the User for the processing of their personal data for one or more specific purposes. The User shall have the right to withdraw his/her consent at any time. It will be as easy to withdraw consent as it is to give it. As a general rule, the withdrawal of consent will not condition the use of the Website. On those occasions in which the User must or can provide their data through forms to make queries, request information or for reasons related to the content of the Website, they will be informed in the event that the completion of any of them is mandatory because they are essential for the correct development of the operation carried out.
Other Bases of Legitimation: Compliance with legal obligations.
Legitimate interest: sending our own advertising.
Categories of data
The categories of data processed at EPHION HEALTH SL are only identifying data. Under no circumstances will special categories of personal data be processed within the meaning of Article 9 of the GDPR.
Origin of your data
Data provided by the customers receiving the services, by any means.
Data provided by users through the different services offered on the website.  
Data included in the forms on the website.
Data collected through cookies to improve the browsing experience as reported in the Cookies policy.
Data collected by cookies to carry out profiling and usability analysis to improve the user experience on our portal.  
Period of Retention of Personal Data
Personal data will only be retained for the minimum time necessary for the purposes of their processing and, in any case, only for the following period: The data will be kept for as long as strictly necessary to carry out the planned processing, which in no case will be longer than what is legally established, or until the User requests their right to cancellation or opposition, or restriction of processing. However, we will keep certain personal identification and traffic data for a maximum period of 2 years in the event that it is required by the Judges and Courts or to initiate internal actions derived from the improper use of the website.
At the time the personal data is obtained, the User will be informed about the period for which the personal data will be kept or, where this is not possible, the criteria used to determine this period.
Likewise, we inform you that our information retention policies are adjusted to the deadlines set by the different legal responsibilities for the purposes of prescription:
(a) General Rule:
By virtue of the provisions of Article 30 of the Commercial Code, and except for other criteria, all documents and/or information of the company will be kept for 6 years. This applies to all accounting, tax, labor or commercial documentation, including correspondence.
(b) Specific time limits: Our company must also set minimum deadlines depending on the type of data being processed and taking into account the different limitation periods, which each of the departments must be aware of.
You will not be subject to decisions based on automated processing that produces effects on your data.
Purposes of processing
The purposes of the data processing carried out are detailed below:
CUSTOMER MANAGEMENT: To be able to provide the contracted services within the natural activity of each company and invoice them. The data provided will be kept for as long as the business relationship is maintained or for the years necessary to comply with legal obligations.  
MANAGEMENT OF POTENTIAL CUSTOMERS: To be able to send information related to our products and services to people with a legitimate interest by any means available, and to invite them to events of interest to them. The data provided will be kept as long as you do not request the cessation of such processing and will be collected with prior express consent.  
Recipients of the data
The User's personal data will not be shared with third parties.  
In any case, at the time the personal data is obtained, the User will be informed about the recipients or categories of recipients of the personal data.
Children's Personal Data
In compliance with the provisions of articles 8 of the GDPR and 7 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, only those over 14 years of age may give their consent for the processing of their personal data in a lawful manner by EPHION HEALTH SL. In the case of a minor under 14 years of age, the consent of the parents or guardians will be required for the processing, and this will only be considered lawful to the extent that they have authorized it. If this is not the case, the legal representative must inform you as soon as possible.
Rights arising from the processing of personal data
The User may exercise the following rights vis-à-vis the Data Controller recognized in the GDPR and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights:
Right of access: This is the User's right to obtain confirmation as to whether or not EPHION HEALTH SL is processing their personal data and, if so, to obtain information about their specific personal data and the processing that EPHION HEALTH SL has carried out or is carrying out, as well as, among others, the information available on the origin of said data and the recipients of the communications made or planned to be made.
Right to rectification: This is the User's right to have their personal data modified if they turn out to be inaccurate or, taking into account the purposes of the processing, incomplete.
Right to erasure ("the right to be forgotten"): This is the right of the User, provided that current legislation does not establish otherwise, to obtain the deletion of their personal data when they are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn his/her consent to the processing and this does not have another legal basis; the User opposes the processing and there is no other legitimate reason to continue with it; the personal data has been processed unlawfully; personal data must be erased in compliance with a legal obligation; or the personal data has been obtained as a result of a direct offer of information society services to a child under 14 years of age. In addition to erasing the data, the Data Controller, taking into account the available technology and the cost of its implementation, shall take reasonable steps to inform the controllers who are processing the personal data of the data subject's request for the deletion of any link to that personal data.
Right to restriction of processing: This is the User's right to restrict the processing of their personal data. The User has the right to obtain the restriction of processing when contesting the accuracy of his/her personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the User needs it to make complaints; and when the User has objected to the processing.
Right to data portability: In the event that the processing is carried out by automated means, the User shall have the right to receive from the Data Controller his/her personal data in a structured, commonly used and machine-readable format, and to transmit them to another Data Controller. Whenever technically feasible, the Data Controller will transmit the data directly to that other controller.
Right to object: This is the User's right not to have their personal data processed or to cease their processing by EPHION HEALTH SL.
Right not to be subject to a decision based solely on automated processing, including profiling: This is the User's right not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, existing unless otherwise established by current legislation.
Finally, the interested parties have the right to file a complaint with the competent Supervisory Authority (AEPD) in the event that the User considers that there is a problem or infringement of current regulations in the way in which their personal data is being processed.
You can exercise the above rights by sending us a letter attaching a copy of a document that identifies you to our address or email address (which appear at the beginning of this text).  

4) PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The processing of the user's personal data will be subject to the following principles set out in Article 5 of the GDPR and Article 4 et seq. of the LOPDGDD:
Principle of lawfulness, fairness and transparency:
The user's consent will be required at all times after fully transparent information on the purposes for which the personal data is collected.
Principle of purpose limitation:
Personal data will be collected for specific, explicit and legitimate purposes.
Data Minimization Principle:
The personal data collected will only be strictly necessary in relation to the purposes for which they are processed.
Principle of Accuracy:
Personal data must be accurate and always up-to-date.
Principle of limitation of the retention period:
Personal data will only be kept in such a way as to allow the identification of the user for the time necessary for the purposes of the processing.
Principle of Integrity and Confidentiality:
Personal data will be processed in such a way as to guarantee its security and confidentiality.
Principle of Proactive Responsibility:
The person responsible for the Website will maintain and regulate the necessary technical and logistical means sufficient to ensure that all the principles applicable to the processing are complied with.  

5) WHAT SECURITY MEASURES DO WE APPLY?
We apply the security measures established in article 32 of the GDPR, therefore, we have adopted the necessary security measures to guarantee a level of security appropriate to the risk of the processing of the data we carry out, with mechanisms that allow us to guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services. Some of these measures are:
- Information on the data processing policies for staff.
- Regular backups.
- Data access control.
- Regular verification, evaluation and assessment processes.  

6) SECRECY AND SECURITY OF PERSONAL DATA
EPHION HEALTH SL undertakes to adopt the necessary technical and organizational measures, according to the level of security appropriate to the risk of the data collected, in order to guarantee the security of personal data and avoid the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed.  or unauthorized disclosure of or access to such data.
The Website has an SSL (Secure Socket Layer) certificate, which ensures that personal data is transmitted in a secure and confidential manner, as the transmission of data between the server and the User, and in feedback, is fully encrypted or encrypted.
However, due to the fact that EPHION HEALTH SL cannot guarantee the impregnability of the internet or the total absence of hackers or others who fraudulently access personal data, the Data Controller undertakes to inform the User without undue delay when a breach of the security of personal data occurs that is likely to entail a high risk to the rights and freedoms of natural persons. In accordance with Article 4 of the GDPR, a personal data breach is defined as any breach of security resulting in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized disclosure of or access to such data.
Personal data will be treated as confidential by the Data Controller, who undertakes to inform and guarantee by means of a legal or contractual obligation that such confidentiality is respected by its employees, associates, and any person to whom the information is made accessible.  

7) LINKS TO THIRD PARTY WEBSITES
EPHION HEALTH SL incorporates social network plugins, which allow access to them from the Website. For this reason, social media cookies may be stored in the User's browser. The owners of these social networks have their own data protection and cookie policies, and in each case, they are responsible for their own files and their own privacy practices. The User must refer to them in order to be informed about these cookies and, where appropriate, the processing of their personal data. For information purposes only, the following links are indicated in which this privacy and/or cookie policies can be consulted:
https://twitter.com/en/privacy
https://www.linkedin.com/legal/privacy-policy
https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/  

8) ACCEPTANCE AND CHANGES TO THIS PRIVACY POLICY
It is necessary that the User has read and agrees with the conditions on the protection of personal data contained in this Privacy Policy, as well as that they accept the processing of their personal data so that the Data Controller can proceed with it in the manner, during the periods and for the purposes indicated. By using the Website, you agree to be bound by the Website's Privacy Policy.
EPHION HEALTH SL reserves the right to modify its Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. Changes or updates to this Privacy Policy will not be explicitly notified to the User. The User is advised to check this page periodically to be aware of the latest changes or updates.  

Last updated: 12/03/2024