PRIVACY POLICY AND DATA PROTECTION

Last updated: 5 December 2025

CANARYmedic – CANARYmedtech S.L.U.

Notice: This English translation is provided solely for convenience. Only the Spanish version is legally binding: https://www.canarymedic.es/es/page/privacy-policy

1. INTRODUCTION AND SCOPE

This Privacy Policy describes how CANARYmedtech S.L.U. (“CANARYmedic” or “the Controller”) processes personal data when providing its services through the CANARYmedic digital platform (available at canarymedic.es and via mobile application), including appointment booking, video consultations, payment processing, and related functionalities.

CANARYmedic complies with the General Data Protection Regulation (EU) 2016/679 – GDPR, the Spanish Organic Law 3/2018 (LOPDGDD), the LSSI-CE, and – for health-related data – the Spanish Patient Autonomy Law (Law 41/2002).

2. IDENTITY OF THE DATA CONTROLLER

CANARYmedtech S.L.U.
NIF: B22917884
Registered address: Calle Los Dragos 3, Vivienda 11,
35508 Costa Teguise, Teguise (Lanzarote), Las Palmas, Spain
Email: privacy@canarymedic.es
Phone: +34 828 124 990
Website: www.canarymedic.es

Data Protection Officer (DPO):
dpo@canarymedic.es

3. ROLES AND RESPONSIBILITIES IN DATA PROCESSING

3.1. CANARYmedic as a technological facilitator

CANARYmedic acts solely as a technical facilitator of the doctor–patient interaction. It does not access or store medical records or clinical documentation beyond what is strictly required to manage appointments (user identification, date, time, service type).

All clinical, ethical, and legal responsibility for diagnosis, treatment, and preservation of medical information lies exclusively with the healthcare professional, in accordance with Spanish Law 41/2002.

3.2. Healthcare professionals as independent data controllers

Healthcare professionals operating on CANARYmedic act as independent data controllers (Articles 4.7 and 26 GDPR) with respect to clinical and health data generated during medical consultations.

Each professional is responsible for:

• Obtaining informed consent from the patient.
• Complying with legal and professional obligations.
• Ensuring confidentiality and security of clinical data.

CANARYmedic assumes no responsibility for medical acts, diagnoses, treatments, or clinical decisions.

4. PERSONAL DATA COLLECTED

4.1. Identification and contact data

• Full name
• DNI/NIE/Passport
• Date of birth
• Email address
• Mobile phone number
• Postal address (optional)

4.2. User account data

• Username
• Password (irreversibly encrypted)
• Profile picture (optional)
• History of booked and cancelled appointments

4.3. Health-related data (Art. 9 GDPR)

CANARYmedic does NOT collect or store clinical data (diagnoses, treatments, tests, prescriptions, etc.).

However, the type of appointment or the medical specialty may indirectly reveal health information → therefore explicit consent is required.

4.4. Payment data

Processed by PCI-DSS–certified payment providers. CANARYmedic only stores:

• Last 4 digits of the card
• Expiry date
• Card type
• Transaction ID

Full card details are handled exclusively by the payment provider.

4.5. Browsing and technical data

• IP address
• Browser and operating system
• Approximate geolocation
• Necessary technical cookies
• Access logs and platform usage

4.6. Video consultation metadata

• Session identifiers
• Start and end time
• Duration
• Device and app version
• Connection test results

No audiovisual content is recorded except in the exceptional cases described in 5.6.

5. PURPOSES AND LEGAL BASIS OF PROCESSING

5.1. User account management

Purpose: Creation and maintenance of the user account.

Legal basis: Art. 6(1)(b) GDPR.

5.2. Appointment booking and management

Purpose: Booking, modifying, and cancelling appointments; sending reminders.

Legal basis:

• Contract performance (6(1)(b))
• Health data: explicit consent (9(2)(a))
• Healthcare provider: 9(2)(h) GDPR + Law 41/2002

5.3. Video consultation service

Purpose: Enabling audiovisual communication between patient and professional.

Legal basis: 6(1)(b) GDPR.

5.4. Payments and billing

• 6(1)(b) – contract performance
• 6(1)(c) – legal obligations (tax, accounting)

5.5. Customer service and technical support

Legal basis: Legitimate interest (6(1)(f) GDPR).

5.6. Recording of video consultations (exceptional)

For data protection reasons, medical consultations cannot be recorded.

Recordings are only permitted for administrative or informational purposes and only with prior, explicit, written consent of both parties.

Legal basis: Art. 6(1)(a) and, if applicable, 9(2)(a) GDPR.

5.7. Platform improvement and analytics

Analytics for service improvement — legitimate interest.

5.8. Commercial communications

Only with explicit consent.

5.9. Compliance with legal obligations

Tax, accounting, AML/KYC obligations.

6. DATA RECIPIENTS

6.1. Healthcare professionals

Receive only the data required to deliver the booked service.

6.2. Data processors

• XPERTyme GmbH (Germany): Technology infrastructure, EU-based servers.
• PCI-DSS payment gateways: Secure payment processing.
• EU-based hosting providers
• Email and messaging services

6.3. Public authorities

Only when legally required:

• Tax authorities (AEAT)
• Courts
• Law enforcement
• Spanish Data Protection Authority (AEPD)

7. INTERNATIONAL DATA TRANSFERS

CANARYmedic does not transfer personal data outside the European Economic Area.

If necessary in the future:

• Users will be informed in advance.
• Appropriate safeguards under Art. 46 GDPR will be applied.
• A transfer impact assessment will be performed.

8. DATA RETENTION PERIODS

Data category	Retention period
Active account	As long as account remains active
Inactive account	Up to 2 years after last login
Appointment history	Up to 5 years
Billing data	6 years
Video consultation metadata	30 days
Recordings (exceptional)	Until deletion or max. 1 year
Commercial communications data	Until consent is withdrawn
Security logs	2 years

9. SECURITY MEASURES

• HTTPS/TLS encryption
• Secure password hashing (bcrypt/Argon2)
• Access control & optional 2FA
• Penetration tests & security audits
• Encrypted backups (30 days)
• Staff training on data protection
• Regular DPIAs (Art. 35 GDPR)
• Incident response and breach notification procedures

10. USER RIGHTS

Users may exercise the rights granted by the GDPR:

• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object
• Right not to be subject to automated decisions
• Right to withdraw consent

How to exercise rights:

Email: privacy@canarymedic.com
Postal address: Calle Los Dragos 3, 11 – 35508 Costa Teguise, Lanzarote, Spain

Supervisory authority:
Spanish Data Protection Authority (AEPD)
www.aepd.es

11. MINORS

The CANARYmedic service is not intended for users under 14 years old. Data provided without parental consent will be deleted immediately.

For users aged 14–18, parental or guardian consent is required, especially for processing health-related data.

12. COOKIES AND SIMILAR TECHNOLOGIES

See our Cookie Policy for details.

13. CHANGES TO THIS POLICY

CANARYmedic may update this Privacy Policy to reflect legal or functional changes.

Changes will be communicated via:

• Prominent notice on the platform
• Email to registered users

14. APPLICABLE LAW AND JURISDICTION

This Policy is governed by Spanish and European data protection law. Any disputes shall be submitted to the Courts of Las Palmas de Gran Canaria.

15. CONTACT

CANARYmedtech S.L.U.
Calle Los Dragos 3, 11
35508 Costa Teguise, Lanzarote, Spain
Email: privacy@canarymedic.com
Data Protection Officer: dpo@canarymedic.com
Phone: +34 828 124 990

16. ADDITIONAL INFORMATION

Downloadable version: A PDF copy is available upon request at privacy@canarymedic.es.

Binding language: Only the Spanish version is legally binding. All translations are for convenience only.

Last updated: 5 December 2025

CANARYmedtech S.L.U. – CANARYmedic