Legal policies

Privacy policy

Last updated: 16 October 2025 

1) Who We Are (Controller)

Controller: Bluemedtech S.L. — Registered Address: 08860, Barcelona, Spain — Company ID/VAT: ES‑B22608509.

Contact (privacy): contact@bluemedtech.ai

2) Scope and audience

This Policy covers personal data processed via bluemedtech.ai and pages that link to it. Audience is B2B; no patient portal is provided.

3) Categories of Data We Collect

  • Contact & inquiry data (name, organization, role, email/phone, message).
  • Website usage & telemetry (IP, device/browser, pages visited, referrer/UTM, timestamps, language, error logs).
  • Cookies/analytics (if enabled): identifiers, session data, performance metrics (see Cookies Policy).
  • Marketing preferences (newsletter opt‑in/opt‑out, suppression).
  • AI input/output (if interactive tools are added later): prompts, feedback, derived metadata.

4) Sources of Data

  • You (forms/emails).
  • Automated collection (server logs, security tools, performance monitoring, cookies).
  • Third parties (hosting, CDN, analytics, email/CRM).
  • Public sources (business directories, LinkedIn where lawful).

5) Purposes & Legal Bases (GDPR mapping)

We process your data for the following purposes and legal bases:

  • Respond to inquiries / pre‑contract steps — Legal bases: Contract (Art. 6(1)(b)), Legitimate interests for B2B (Art. 6(1)(f)).
  • Operate, secure and debug the Website — Legal bases: Legitimate interests (security/quality), Legal obligation where applicable (logs).
  • Analytics and performance measurement — Legal bases: Consent (Art. 6(1)(a)) via cookie banner; disabled until consent.
  • Email updates/marketing — Legal bases: Consent (opt‑in) or legitimate interests for existing customers; opt‑out anytime (LSSI art. 21).
  • Compliance and record‑keeping — Legal bases: Legal obligation; Legitimate interests (defend claims).

6) AI‑Specific Processing

We may use aggregated, de‑identified, or pseudonymized technical data and feedback to evaluate and improve systems. We do not make solely automated decisions that produce legal or similarly significant effects.

7) Sharing & Recipients

We share data with service providers (hosting, CDN, security, analytics, email/CRM), professional advisors, authorities when required, and parties to a business transfer, under appropriate safeguards. Providers may not use your data for their own marketing.

8) International Transfers

Where data is transferred outside the EEA/UK (e.g., to the US), we use appropriate safeguards such as EU Standard Contractual Clauses and, where applicable, the UK Addendum, plus transfer impact assessments and technical measures (encryption, minimization). See Cookies Policy for vendor cookies.

9) Retention

  • Inquiries & pre‑contract: 24 months from last interaction (longer if legally required).
  • Security & logs: 12–24 months; aggregated/anonymized thereafter.
  • Analytics (non‑essential): 13–26 months (tool‑specific); disabled absent consent.
  • Marketing lists: until you unsubscribe; suppression list retained to honor opt‑out.
  • Legal/compliance records: as required by law (typically 5–10 years).

10) Security Measures

We implement technical and organizational measures including encryption in transit/at rest, least‑privilege access, MFA for admin, logging and monitoring, secure development, vendor due diligence, and incident response. No system is 100% secure.

11) Your Rights

EEA/UK: access, rectification, erasure, restriction, portability, objection; withdraw consent at any time without affecting prior processing. We respond within one (1) month of receipt of a verifiable request (extendable by two months for complex cases). We may request information to verify identity.

You may lodge a complaint with your supervisory authority. In Spain, this is the AEPD: https://www.aepd.es.

12) Children’s Data

In Spain, if you are under 14, please do not submit personal data. In other EEA countries, the age for consent may vary (13–16) as allowed by local law; when applicable, we will respect the local threshold.

13) California Notices (CPRA) (if applicable)

We do not sell or share personal information as defined by CPRA. If this changes, we will provide a ‘Do Not Sell or Share’ option and honor GPC as an opt‑out signal. (This section applies only to California users.)

14) Marketing & Electronic Communications (LSSI art. 21)

We will not send electronic commercial communications without prior consent or an existing customer relationship for similar products/services. Each message will include a simple opt‑out.

15) Do Not Track & Global Privacy Control

Do Not Track is not standardized; we do not respond to DNT. We honor GPC as a CPRA opt‑out where applicable; in the EU, cookie consent still requires banner interaction.

16) Contact & Complaints

To exercise rights or ask questions, email: contact@bluemedtech.ai; postal: 08860 Barcelona.

17) Effective Date, Versioning & Changes

Effective Date: 16 October 2025 · Version: 1.1
We will post updates here and adjust the version/date accordingly.

Terms History

Effective Date: 16 October 2025 · Version: 1.1