PRIVACY POLICY AND DATA PROTECTION
Last updated: 5 December 2025
CANARYmedic - CANARYmedtech S.L.U.
Notice: This English translation is provided solely for convenience. Only the Spanish version is legally binding: https://www.canarymedic.es/es/page/privacy-policy
1. INTRODUCTION AND SCOPE
This Privacy Policy describes how CANARYmedtech S.L.U. ("CANARYmedic" or "the Controller") processes personal data when providing its services through the CANARYmedic digital platform (available at canarymedic.es and via mobile application), including appointment booking, video consultations, payment processing, and related functionalities.
CANARYmedic complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 (LOPDGDD), the LSSI-CE, and, for health-related data, the Spanish Patient Autonomy Law (Law 41/2002).
2. IDENTITY OF THE DATA CONTROLLER
CANARYmedtech S.L.U.
NIF: B22917884
Registered address: Calle Los Dragos 3, Vivienda 11,
35508 Costa Teguise, Teguise (Lanzarote), Las Palmas, Spain
Email: privacy@canarymedic.es
Phone: +34 828 124 990
Website: www.canarymedic.es
Data Protection Officer (DPO):
dpo@canarymedic.es
3. ROLES AND RESPONSIBILITIES IN DATA PROCESSING
3.1. CANARYmedic as a technological facilitator
CANARYmedic acts solely as a technical facilitator of the doctor-patient interaction. It does not access or store medical records or clinical documentation beyond what is strictly required to manage appointments (user identification, date, time, service type).
All clinical, ethical, and legal responsibility for diagnosis, treatment, and preservation of medical information lies exclusively with the healthcare professional, in accordance with Spanish Law 41/2002.
3.2. Healthcare professionals as independent data controllers
Healthcare professionals operating on CANARYmedic act as independent data controllers (Articles 4.7 and 26 GDPR) with respect to clinical and health data generated during medical consultations.
Each professional is responsible for:
- Obtaining informed consent from the patient.
- Complying with legal and professional obligations.
- Ensuring confidentiality and security of clinical data.
CANARYmedic assumes no responsibility for medical acts, diagnoses, treatments, or clinical decisions.
4. PERSONAL DATA COLLECTED
4.1. Identification and contact data
- Full name
- DNI/NIE/Passport
- Date of birth
- Email address
- Mobile phone number
- Postal address (optional)
4.2. User account data
- Username
- Password (irreversibly encrypted)
- Profile picture (optional)
- History of booked and cancelled appointments
4.3. Health-related data (Art. 9 GDPR)
CANARYmedic does NOT collect or store clinical data (diagnoses, treatments, tests, prescriptions, etc.).
However, the type of appointment or the medical specialty may indirectly reveal health information; therefore explicit consent is required.
4.4. Payment data
Processed by PCI-DSS-certified payment providers. CANARYmedic only stores:
- Last 4 digits of the card
- Expiry date
- Card type
- Transaction ID
Full card details are handled exclusively by the payment provider.
4.5. Browsing and technical data
- IP address
- Browser and operating system
- Approximate geolocation
- Necessary technical cookies
- Access logs and platform usage
4.6. Video consultation metadata
- Session identifiers
- Start and end time
- Duration
- Device and app version
- Connection test results
No audiovisual content is recorded except in the exceptional cases described in 5.6.
5. PURPOSES AND LEGAL BASIS OF PROCESSING
5.1. User account management
Purpose: Creation and maintenance of the user account.
Legal basis: Art. 6(1)(b) GDPR.
5.2. Appointment booking and management
Purpose: Booking, modifying, and cancelling appointments; sending reminders.
Legal basis:
- Contract performance (6(1)(b))
- Health data: explicit consent (9(2)(a))
- Healthcare provider: 9(2)(h) GDPR + Law 41/2002
5.3. Video consultation service
Purpose: Enabling audiovisual communication between patient and professional.
Legal basis: 6(1)(b) GDPR.
5.4. Payments and billing
- 6(1)(b): contract performance
- 6(1)(c): legal obligations (tax, accounting)
5.5. Customer service and technical support
Legal basis: Legitimate interest (6(1)(f) GDPR).
5.6. Recording of video consultations (exceptional)
For data protection reasons, medical consultations cannot be recorded.
Recordings are only permitted for administrative or informational purposes and only with prior, explicit, written consent of both parties.
Legal basis: Art. 6(1)(a) and, if applicable, 9(2)(a) GDPR.
5.7. Platform improvement and analytics
Analytics for service improvement - legitimate interest.
5.8. Commercial communications
Only with explicit consent.
5.9. Compliance with legal obligations
Tax, accounting, AML/KYC obligations.
6. DATA RECIPIENTS
6.1. Healthcare professionals
Receive only the data required to deliver the booked service.
6.2. Data processors
- XPERTyme GmbH (Germany): Technology infrastructure, EU-based servers.
- PCI-DSS payment gateways: Secure payment processing.
- EU-based hosting providers
- Email and messaging services
6.3. Public authorities
Only when legally required:
- Tax authorities (AEAT)
- Courts
- Law enforcement
- Spanish Data Protection Authority (AEPD)
7. INTERNATIONAL DATA TRANSFERS
CANARYmedic does not transfer personal data outside the European Economic Area.
If necessary in the future:
- Users will be informed in advance.
- Appropriate safeguards under Art. 46 GDPR will be applied.
- A transfer impact assessment will be performed.
8. DATA RETENTION PERIODS
| Data category | Retention period |
|---|---|
| Active account | As long as account remains active |
| Inactive account | Up to 2 years after last login |
| Appointment history | Up to 5 years |
| Billing data | 6 years |
| Video consultation metadata | 30 days |
| Recordings (exceptional) | Until deletion or max. 1 year |
| Commercial communications data | Until consent is withdrawn |
| Security logs | 2 years |
9. SECURITY MEASURES
- HTTPS/TLS encryption
- Secure password hashing (bcrypt/Argon2)
- Access control & optional 2FA
- Penetration tests & security audits
- Encrypted backups (30 days)
- Staff training on data protection
- Regular DPIAs (Art. 35 GDPR)
- Incident response and breach notification procedures
10. USER RIGHTS
Users may exercise the rights granted by the GDPR:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to automated decisions
- Right to withdraw consent
How to exercise rights:
Email: privacy@canarymedic.com
Postal address: Calle Los Dragos 3, 11 - 35508 Costa Teguise, Lanzarote, Spain
Supervisory authority:
Spanish Data Protection Authority (AEPD)
www.aepd.es
11. MINORS
The CANARYmedic service is not intended for users under 14 years old. Data provided without parental consent will be deleted immediately.
For users aged 14-18, parental or guardian consent is required, especially for processing health-related data.
12. COOKIES AND SIMILAR TECHNOLOGIES
See our Cookie Policy for details.
13. CHANGES TO THIS POLICY
CANARYmedic may update this Privacy Policy to reflect legal or functional changes.
Changes will be communicated via:
- Prominent notice on the platform
- Email to registered users
14. APPLICABLE LAW AND JURISDICTION
This Policy is governed by Spanish and European data protection law. Any disputes shall be submitted to the Courts of Las Palmas de Gran Canaria.
15. CONTACT
CANARYmedtech S.L.U.
Calle Los Dragos 3, 11
35508 Costa Teguise, Lanzarote, Spain
Email: privacy@canarymedic.com
Data Protection Officer: dpo@canarymedic.com
Phone: +34 828 124 990
16. ADDITIONAL INFORMATION
Downloadable version: A PDF copy is available upon request at privacy@canarymedic.es.
Binding language: Only the Spanish version is legally binding. All translations are for convenience only.
