Privacy Policy
1. Identity of the Data Controller
IMAGINE APPS, S.L. (B-88114681)
Address: Paseo de la Dirección 161, 11.º – 1107, 28039 Madrid
Privacy contact: privacy@recallclinics.com
2. Key principles
The principles established in Article 5 GDPR apply: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
3. Purposes of the processing
| Category | Types of data | Purpose | Legal basis | Retention period |
| Website users / contacts | Identification data, professional data, browsing metadata | Responding to enquiries, managing user accounts and sending service-related communications | (i) Contract performance or pre-contractual measures (Art. 6.1.b GDPR); (ii) Consent (Art. 6.1.a) for marketing communications. | For the duration of the relationship and, afterwards, stored in a restricted manner for 5 years for potential liabilities. |
| Patients (if healthcare services are offered) | Identification data and health data | Provision of healthcare services and management of medical records | Art. 9.2.h GDPR and Spanish Patient Autonomy Act 41/2002 | 15 years from the date the medical record is closed (Art. 17 Act 41/2002) |
| Suppliers | Identification and banking data | Administrative and accounting management | Contract performance (Art. 6.1.b) and legal obligation (Art. 6.1.c) | 6 years (Spanish Commercial Code, Art. 30) |
| Job applicants | CV, academic and professional data | Management of recruitment processes | Consent (Art. 6.1.a) | 2 years from the last update |
4. Legal grounds
— Explicit and unambiguous consent of the data subject (Art. 6.1.a GDPR).
— Performance of a contract or pre-contractual measures (Art. 6.1.b).
— Compliance with legal obligations (Art. 6.1.c and healthcare, tax and commercial legislation).
— Legitimate interest of the Controller (Art. 6.1.f) for its own direct marketing, website security and fraud prevention, assessed through a balancing test.
5. Recipients and data processors
Data may be disclosed to:
- Public Administrations, Courts and Authorities where required by applicable law.
- Data processors providing services to Imagine Apps S.L. (web hosting, CRM, payment gateway, IT services, etc.), with whom the required agreements under Art. 28 GDPR have been signed.
6. International data transfers
As a general rule, no international transfers are made. If such transfers occur, an equivalent level of protection will be ensured through (i) adequacy decisions, (ii) Standard Contractual Clauses, or (iii) Binding Corporate Rules, in accordance with Arts. 44–50 GDPR.
7. Rights of data subjects
Data subjects may exercise the rights of access, rectification, erasure, restriction, objection and portability, as well as withdraw consent at any time, by sending a written request to privacy@recallclinics.com or to the above postal address, together with proof of identity.
They also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) if they believe their rights have been infringed.
8. Security measures
Imagine Apps S.L. has implemented the necessary technical and organisational measures to ensure a security level appropriate to the risk (Arts. 32–35 GDPR), including pseudonymisation, encryption and restricted-access policies. Measures are periodically reviewed according to the principle of continuous improvement.
9. Updates
This Privacy Policy may be updated to reflect legislative or jurisprudential developments. Users will be informed when changes are substantial.