Privacy policy
General information about the Data Controller
DEVICARE, SL.
VAT Number ES B-65663122
Av. Generalitat, 163-167
Sant Cugat Green Building.
08174 Sant Cugat del Vallès
Tel: +34 664 264 374
Email: info@devicare.com
Contact details of the DPO (Data Protection Officer): dpo@devicare.com
Protection of personal data
In accordance with article 13 of European Regulation 679/2016, on Personal Data Protection (hereinafter GDPR), we inform you that the personal data obtained through the website www.devicare.com will be processed by its owner Devicare SL, as the data controller.
Data collected through the website
What data will we request from you?
Data collected from user registration:
• Identification data such as first and last name
• Contact data such as address, email, and telephone, for sending user status confirmations, informing you of any changes and incidents related to Devicare, and sending and managing product purchases.
• Data related to date of birth and gender, for statistical purposes.
• Data related to the healthcare professional or pharmacy that recommended Devicare products to you, so that they can provide more personalized follow-up.
Data collected from the acquisition and management of products and services:
• Identification data such as Name, surname, NIF (Tax Identification Number), and address. The purpose of data collection is to send the purchased product.
• Contact data such as Email and telephone, for sending communications related to the shipment, as well as commercial communications about Devicare products and services that may be of interest to you.
• Economic data, for billing the sale.
• Health data
Data collected when requesting newsletter subscription:
• Contact data such as email, for sending Devicare communications that may be of interest to the applicant.
Data collected when downloading promotional materials (guides, books, recommendations, coupons, etc.):
• Contact data such as name and email, for downloading materials and for sending Devicare communications that may be of interest to the applicant.
Data collected from "Contact" information request forms or through the various contact methods on the website:
• Name, email, and any other data derived from your request, in order to respond correctly to it.
• Email for sending commercial communications that may be of interest to you when authorized.
When completing any of the forms, mandatory personal data fields will be indicated with (*), while the remaining fields are voluntary. If you do not provide the mandatory data, your request cannot be processed. The necessity is determined by each of the described purposes.
You will be solely responsible for the accuracy of the data provided, and for any damages caused by the lack of veracity, as well as for keeping them updated.
Purposes and Lawfulness
Your personal data may be processed for the following purposes:
Users requesting registration:
• User access to their private area where they can consult product orders placed, subscriptions, and personal data provided.
The processing of your data for this purpose is legitimate as it is necessary for the performance of services (art 6 b) GDPR).
• Sending information about Devicare products and services.
The processing of your data is legitimate based on your consent (art. 6 a) GDPR).
Users who purchase products or services:
• Management derived from the acquisition of the product or service and its shipment.
• Collection for services.
• Sending information related to the acquired product.
The processing of your data for these purposes is legitimate as it is necessary for the performance of a contract to which the user is a party (art. 6 b) GDPR).
• Sending advertising communications via electronic means related to Devicare about products or services similar to those contracted.
The sending of this type of communication is based on the legitimate interest of Devicare, protected by art. 21.2 of the Law on Information Society Services and Electronic Commerce (LSSICE).
• Medical History Management.
The processing of your data for this purpose is legitimate based on legal compliance (art. 6 c) GDPR).
The processing of your data will not involve automated decision-making. In any case, the User may object to the processing of their data for this purpose, without affecting their rights regarding the previous purposes.
Users who have requested information:
To respond to all information requests we may receive from the User. The legitimate basis for processing your data will be established by your consent and your own interest (art. 6 a) GDPR).
Users who have subscribed to the Newsletter:
Sending information about Devicare products and services, as well as news or industry information that may be of interest to the User. The legitimate basis is the purpose of the User's request itself (art. 6 b) GDPR).
Data collected when downloading promotional materials (guides, books, recommendations, coupons, etc.):
• Sending or downloading information requested by the User. The legitimate basis is the purpose of the User's request itself (art. 6 b) GDPR).
• Sending advertising communications about Devicare products and services, as well as news or industry information that may be of interest to the User. The legitimate basis is the User's consent (art. 6 a) GDPR).
Minors
The Services offered by Devicare are designed for an adult audience and are not directed at children under 18 years of age. Devicare does not intentionally collect or solicit personal information from children under 18 years of age. If we discover that we have collected personal information from a child under 18, we will immediately delete that information from our records. However, Devicare is not responsible for the consequences arising from the consultation, registration, and/or acquisition of products by minors, with their guardians being solely responsible for their supervision.
Transfers
The information provided by the User will not be transferred to third parties without prior consent, with the exception of those communications necessary for the management of the described purposes, such as:
Banking entities responsible for collecting payment for services, collaborating management entities responsible for accounting and taxation, entities responsible for sending authorized advertising information, collaborating professionals in the provision of certain services, and carriers in case of product shipment.
In the management of services acquired by the user, such as consultations with clinical nutrition specialists, consultations with stoma nurses, kidney stone analysis, pathological anatomy, and all those offered by Devicare, where Devicare may have access to your health data, these will be communicated to intervening third parties such as health professionals, clinical analysis laboratories, universities, etc., a communication necessary for the provision of the service and with whom Devicare has signed the corresponding personal data processing agreements.
Devicare is not responsible for the statements and actions of the intervening professional, who acts independently, with Devicare being merely an intermediary.
In the pathological anatomy services for kidney stone analysis, this will be carried out by the Kidney Stone Research Laboratory (LILR) of the University of the Balearic Islands, to whom we will send your sample and the consents requested by them. The laboratory will use your information both for the analysis of the submitted sample (a purpose relevant to Devicare) and for scientific research, processing the data for this latter purpose according to its own standards and privacy policies regarding data. Samples submitted by the user, once the service has begun, will not be returned to them. In any case, it will be subject to the provisions of Devicare's contracting policy and the laboratory's consents.
In any case, the data that Devicare communicates to third parties will comply with the principle of minimization.
Administrations, public or private organizations and entities that by legal reason must access them will also have access to your data.
International data transfers
Your data may be processed through Microsoft Services platforms, the processing of which involves the possible international transfer of data, which has the necessary authorization from the Spanish Data Protection Agency and the European Data Protection Commission. Microsoft has long applied the standard contractual clauses provided by the European Commission (also known as model clauses) as a basis for the appropriate transfer of data outside the European Economic Area.
The data collected in the online sale of products will be processed through the Sendcloud management platform, based in the Netherlands (EU). However, when the shipment occurs outside the European Economic Area, international data transfers may occur to third parties located in countries that do not have information protection policies. Such international transfer is necessary for the timely execution of the contract and for the product to reach its recipient (arts. 41 and 49.1 GDPR).
Regarding the data collected for advertising purposes to send communications about Devicare products and services, these will be carried out through the Brevo platform, with servers located in the EU, as well as via WhatsApp Business. In both cases, no international data transfers will occur, and these will be processed in accordance with the requirements established by the General Data Protection Regulation (GDPR).
Devicare has strict security procedures regarding data storage and disclosure to prevent any unauthorized access to them.
In any other case, Devicare informs you that your data will not be transferred to third countries outside the European Union or those not part of the protection shield, without your prior consent or without such transmission being legitimate for the fulfillment of the purpose, such as the international shipment of purchased products.
Data retention
Your data will be processed for the indispensable time and will be deleted after the retention periods have ended:
Data derived from the business relationship between both parties: Your data will be kept for the time necessary for the execution of the purpose and, in any case, as long as legal responsibilities may arise.
Data derived from economic transactions: During the mandatory retention periods established by current Spanish tax regulations.
Contact data for electronic communications: Your contact data such as email will be kept indefinitely for the purpose of communicating goods and services until you object or revoke consent.
Data provided through the completion of the "Contact" form or any means of requesting information: Your data will be kept solely to process your information request.
Health data processed by Devicare: Your data, forming part of your medical history, will be kept for the time provided in the current sectoral regional legislation. In this case, LAW 21/2000, of December 29, on the rights of information concerning health and patient autonomy, and clinical documentation.
Health data processed by external professionals will be kept in accordance with their respective privacy policies, data retention, and applicable legislation.
At the end of each retention period, your data will be duly deleted.
Information Security. Security Breaches
Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the appropriate supervisory authority within 72 hours of becoming aware of it. This information can be provided in different phases to facilitate quick and efficient reporting.
In cases where a breach may result in a high risk to the rights and freedoms of Users, we will notify the affected parties directly.
Advertising communications of Devicare products and services. Consent
Users are informed that, provided they give their consent by checking the corresponding box, their data may be processed for advertising purposes and, consequently, receive communications about Devicare products and services.
Specific consent for this purpose will be free and voluntary, not affecting the possibility of submitting the corresponding form.
This communication may be carried out through the channels provided by the User, who is solely responsible for ensuring that they are personal and do not belong to third parties.
In the event that a User is a Devicare customer, having purchased products and services from them, they may receive electronic advertising communications about similar products and services that may be of interest to them, without the need for their prior consent, in accordance with art. 21.2 of Law 34/2002, of July 11, on information society services and electronic commerce. The exemption from consent will not prevent the User from objecting to receiving communications from Devicare.
Users may revoke, totally or partially and at any time, the given consent, when it has been mandatory, or object to receiving advertising communications, without retroactive effects, by writing to the email dpo@devicare.com, indicating "unsubscribe" or through the links that Devicare makes available in each communication.
User Rights
As the owner of the information provided, you can exercise the rights of access, rectification, and cancellation of your data, object to their processing for sending commercial communications or the publication of images when this is mandatory for the specific purpose, limit the processing of your data, or request their portability in the foreseen cases, and not be subject to automated decisions through the following means:
The exercise of rights must be carried out by the owner of the information or legal representative, by means of a reasoned writing indicating the data that allow their identification in our records.
In case your rights are not satisfied, you may file a complaint with the corresponding supervisory authority in your country of residence or with the AEPD - Spanish Data Protection Agency, Calle Jorge Juan, 6, 28001 Madrid-Spain.
For more information about the processing of your personal data, you can contact us through the provided communication channels.
Use of passwords to access certain services
To use certain services through the website, the User must register with a login ID ("USER") and an access key ID ("PASSWORD"). Both the User and the password constitute the User's online identity. The User is responsible for the security and correct use of their access key and password, and must take the necessary measures to ensure that they are strictly confidential and not known by any other person. If at any time the User has reason to believe that their access key or password is or may be known by any unauthorized person, they must immediately inform Devicare and assign a new identification.
The User will be responsible for assigning a secure password that, at a minimum, is alphanumeric and 8 digits long.
The User, by accessing with their access key and password, will be able to manage all available operations in their profile through their User Account.
For any questions or additional information, you can contact us via email info@devicare.com.
