Privacy Policy

Last modified:

Privacy Notice

Data Controller Identity: The controller responsible for processing your personal data is Bluemedtech S.L., with registered office in 08860 Barcelona (Spain), and CIF ES-B22608509. You may contact the controller through the contact form. This entity (hereinafter, "the Controller" or "we") is the developer and owner of the SAMIA application and determines the purposes and means of processing the personal data provided by professional users.

This Privacy Notice describes how we collect, use, store and protect your personal data in the context of the SAMIA App, in accordance with Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR), Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), and other regulations currently in force in Spain. By registering and using SAMIA, the User acknowledges this policy.

1. Personal Data Collected

Data we collect: The SAMIA App is aimed at healthcare professionals and only collects basic personal contact and registration data from the User, avoiding unnecessary data as much as possible. The data we may request includes: name and surname(s), professional registration number or professional identification (if applicable), medical specialty, professional email address, contact telephone number (optional) and the name of the healthcare organisation or workplace (optional). Access credentials (username and encrypted password) are also managed. We do not request or process patients' personal data or other special categories of health data through the App.

The App may automatically store certain technical usage information, such as activity logs within the application (e.g. last login) or technical device identifiers, which are necessary for operation and security. This technical information is not used to personally identify the User, but to maintain the session and prevent unauthorised access.

2. Purpose of Processing

We use your contact and registration data exclusively for the following explicit and legitimate purposes:

  • Provision of the App service: To register the healthcare professional as an authorised User, allow them to log in securely and use the CDSS functionalities. Your identification data allows us to verify that you meet the access criteria (registered healthcare professional) and provide you with personalised access to the App.
  • Operational communications: Using your email or other contact data to send you important notifications about the functioning of the App, for example: notices of updates, changes to the Terms of Use or Privacy Policy, security alerts or service-related reminders. These communications will not be commercial in nature, but informative and directly related to the use of SAMIA.
  • Technical support and user assistance: Managing queries or incidents that you raise through the support channels. If you contact us to resolve technical queries or problems, we will use your data to identify you as a User and assist you with your particular case, as well as to improve the App based on the most common incidents.
  • Legal compliance: Where necessary, to process your data to fulfil legal obligations applicable to the Controller, for example in tax matters (invoicing if there are paid services in the future), security (access log records) or requirements from competent authorities. Only the data strictly necessary for these legal purposes will be processed.

We will not use your data to send unsolicited advertising or commercial newsletters, nor for purposes of commercial profiling. Nor do we make automated decisions that produce legal effects on you or similarly affect you significantly, based on your personal data. Any additional purpose beyond those above, should it arise, will be communicated to you beforehand to obtain your express consent or relevant legal authorisation.

The legal basis that allows us to process your personal data in SAMIA is primarily the performance of the contract for the provision of services between the User and the Controller (Article 6.1.b GDPR). By registering and accepting the App's Terms of Use, a service relationship is established by which we need to process your contact data to create your account and provide you with access to SAMIA's functionalities. This processing is necessary to manage your registration as a User and provide you with the requested service (the use of the CDSS App).

Regarding operational or support communications, the legal basis may equally be the performance of the contract (informing you about aspects of the App you have subscribed to as a user) or, in certain cases, the legitimate interest of the Controller in keeping you informed about security or improvements to the App that affect the experience of all professional users. In any case, such communications will be kept to a minimum and will never be promotional in nature beyond the service.

When the processing of your data is in response to legal obligations of the Controller (for example, retention of certain information pursuant to applicable laws), the basis for legitimation will be compliance with a legal obligation (Art. 6.1.c GDPR). If at any point we were to request data for a purpose requiring your consent (for example, participation in voluntary satisfaction surveys), that consent would be requested from you clearly and may be subsequently withdrawn.

4. Data Retention Period

We will retain your personal data only for as long as is strictly necessary to fulfil the purposes described. In general, your account data will be kept while you are an active User of the App. If you request to cancel the service or stop using SAMIA, we will deactivate your account and delete or anonymise your personal data within a reasonable timeframe.

Specifically: data associated with your User profile (name, contact details, etc.) will be deleted when no longer necessary to manage the relationship, normally within 30 days of your request for definitive cancellation. Certain data may be retained in a blocked state for additional periods only to address potential legal liabilities or administrative/judicial requirements. For example, we may retain records of consents given or activity logs during the applicable statutory limitation periods (in Spain, up to 3 years under data protection regulations, Art. 13 LOPDGDD, and other regulations). After those periods, the data will be completely deleted.

5. Data Recipients

We will not transfer your personal data to third parties unless there is a legal obligation to do so. In other words, your contact and identification data will not be communicated to any external entity for their own commercial or advertising purposes. They may only be disclosed to government authorities, courts or administrative bodies if a legal rule so requires (for example, in the case of an official requirement or compliance with laws).

Currently, the servers that store SAMIA's data are located in data centres within the European Economic Area (EEA), so no international transfers of your personal data to countries outside the EU are made. Should we in the future need to use services located outside the EEA (for example, for cloud backup purposes), we will ensure that such services offer adequate guarantees (e.g. standard contractual clauses from the European Commission, recognised certifications, etc.) and will inform you in due course, in compliance with the provisions of Arts. 44-49 GDPR.

6. Data Subject Rights

As the data subject, you hold a number of rights that you may exercise at any time. In particular, you have the right to:

  • Access: To confirm whether we are processing your personal data and, if so, to obtain a copy of such data and detailed information about the processing.
  • Rectification: To request the correction of inaccurate or incomplete personal data concerning you.
  • Erasure (right to be forgotten): To request the deletion of your personal data when, among other reasons, it is no longer necessary for the purposes for which it was collected, or you withdraw your consent (where applicable) and there is no other legal basis for the processing.
  • Restriction of processing: To request that we temporarily restrict the use of your data (for example, while a request for rectification or a challenge to the lawfulness of processing is being resolved), retaining it only for the exercise or defence of claims.
  • Portability: To receive your personal data in a structured, commonly used and machine-readable format, and to transmit it or have us transmit it directly to another controller of your choice, where technically possible, in the cases provided for by law.
  • Objection: To object, on grounds relating to your particular situation, to some processing based on legitimate interests. We will cease to process that data unless there are compelling reasons to continue or it is needed for the exercise or defence of possible claims.
  • Not to be subject to automated decisions: We guarantee that you will not be subject to a decision based solely on automated processing (including profiling) that produces legal effects on you. In any case, you have the right to request human intervention, express your point of view and contest the automated decision if we were to apply one in the future.

Data protection regulations grant data subjects all of the above rights of access, rectification, objection, erasure, restriction and portability, as well as the right not to be subject to individual automated decisions. Also, where applicable, you have the right to withdraw consent given for any purpose, at any time and free of charge, without retroactive effect. The withdrawal of your consent will not affect the lawfulness of processing carried out previously, but may mean that we cannot continue to provide you with a specific service (for example, if you withdraw consent to receive certain optional communications).

We also inform you that you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), the supervisory authority in Spain for data protection, if you consider that your rights have been infringed or that we have not adequately addressed the exercise of those rights. You may obtain further information on how to complain on the AEPD's official website (www.aepd.es). In the first instance, however, we encourage you to contact us directly to try to resolve any matter amicably and promptly.

7. Data Security

At SAMIA we take the security of your information very seriously. We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, accidental loss or unlawful destruction. These measures include, among others: encryption of user passwords, secure communications (HTTPS/SSL protocol) for data transmission, restricted access control systems for databases, pseudonymisation of data wherever possible, and internal compliance and privacy training programmes for our staff.

Although no security measure is 100% infallible, our team continually evaluates and improves security protocols to adapt to best practices and respond to possible new threats. Should a security breach occur that significantly compromises your personal data, we will follow the corresponding legal procedures: we will notify you, where required, of the measures taken and cooperate with the AEPD as required by Articles 33 and 34 of the GDPR.

The SAMIA App uses only technical cookies strictly necessary for its operation, and does not use cookies for analytical or advertising purposes. For more information, please consult our separate Cookie Policy, where we detail the use of these technologies.

Consult the Cookie Policy for details on the technical cookies used by SAMIA.

9. Updates to this Privacy Notice

This Privacy Notice may be updated periodically to reflect changes in our procedures or applicable regulations. Any changes will be published in the App (and/or you will be notified through the contact details provided, if significant). The date of the last update will appear at the beginning of the document. We recommend reviewing this Notice from time to time. Continued use of the App after the publication of changes will imply acceptance of the updated policy with respect to information collected after it comes into force.

Version: 1.0 -