Privacy Policy
1. Data Controller
The owner and data controller of this website and app is IKI Health Group S.L. (hereinafter the "Service"), with address at Plaza Progrés, number 8, CP 07570, Artá, Balearic Islands, Spain.
Email: hello@iki.health
NIF: B72819360
1.1 Definitions
For greater clarity in this policy, we make the following distinction:
- Visitor: A person who browses our website without registering. Visitors are only subject to provisions related to browsing data, cookies, and information they voluntarily provide through contact forms.
- User: A person who has registered on our platform or application and uses our services. Users are subject to all provisions of this privacy policy, including those relating to the processing of health data and other special categories of data.
Simply accessing the website confers the status of "Visitor", while registering on our platform or application confers the status of "User". By registering, you fully accept these Terms of Use and Privacy and our Cookie Policy.
1.2 Acceptance
The acceptance of the Terms of Use and Privacy of the Service is a necessary condition for the use of our website.
These Terms of Use and Privacy regulate the collection, processing and use of your personal and non-personal information as a user of the Service, as of the effective date that appears in the header. They also set out the conditions of use of the website and its functions.
To process your personal data, the Service complies with current European legislation, particularly the General Data Protection Regulation (GDPR) (EU) 2016/679, as well as the Spanish Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights and other applicable regulations.
2. Description and Use of the Service
The Service is a tool aimed at improving the efficiency of therapists in their daily consultations through technology. Through the Service you will be able to manage your clients with the tools and monitoring system designed by our team of professionals.
Currently, the Service primarily operates via our website. While we reference mobile applications in this policy, some features or collection methods mentioned may not be fully implemented at this time. This policy describes both current practices and anticipated functionality as we continue to develop our service.
The Service can be used by anyone who accesses it directly as a professional or through the recommendation of a healthcare professional, if you are a patient. In these cases, users who use the Service through a link provided by their therapist must accept that their data is shared only with their therapist so that they can monitor the evolution of the user.
In any case, the user knows and accepts that the Service and all the content and information contained in it are for informational purposes only and do not constitute professional or personalized medical diagnosis or treatment.
The Service only allows registered users to access global and general exercise and habit recommendations (for example, recipes) that may be compatible with their needs based on the answers that have been provided, as well as on the available health literature.
Accordingly, the user understands and accepts that if they need healthcare, only their doctor or other healthcare provider can help them. You should not change your treatment or care plan, medication or therapy based on information, advice or materials you receive through the Service or from our employees.
3. External Links
The website may link to other websites.
However, we do not exercise any control over these sites or their contents, which are actually subject to their own terms and conditions. Nor do we assume any association or responsibility for them, nor do we guarantee their technical availability, quality, reliability, accuracy or veracity.
4. Intellectual and Industrial Property
The content and information on the Service (including, but not limited to, trademarks, logos, data, text, images, or computer code), as well as any hardware or software used to provide such content and information, are owned by the Service or used by it with the corresponding authorizations.
For this reason and by virtue of the provisions of national and European regulations on intellectual property, the modification, reproduction, duplication, copying, distribution, sale, resale and other forms of exploitation for commercial or equivalent purposes of the Service and its content are prohibited.
Any other use of the content of the Service requires our prior written consent or, as the case may be, that of the authors of the content.
5. User Content
You can contribute to the Service by sending us a message to our email address and through the contact forms available on the website or app (hereinafter "Content").
We can use your Content in different ways, such as: display it on the website, reformat it, translate it into other languages, edit it for clarity, correct errors, promote it or distribute it, according to the license indicated in the previous section.
This means that the content remains yours, but the Service, thanks to that use license, can: a) use, reproduce, modify, adapt, translate, distribute and publish the Content, create derivative works from it, display it and show it throughout the world, by any known means and for any legitimate purpose; and b) use the name you submit in connection with that Content.
However, the Service reserves the right not to publish content or information that is false or contrary to the rights of third parties.
5.1 For Therapists
- You must provide us with the necessary information for your registration on the platform and its intranet, accessible through our site, making sure that the information is accurate and up-to-date. You must not impersonate another company or otherwise mislead users as to the nature of your activity.
- If you provide us with information, documents, images, logos or brands to be included on our website or the intranet of the Service, you declare that you have ownership of said elements and you consent to their use by us for inclusion on our website.
- You must honor all requests (both on and off the Service) that people make to block, interrupt, or otherwise unsubscribe from communications you send to them through the Service, including removing that person from your mailing list or contacts.
- You must use the Service and its intranet, accessible through our website, in a reasonable and legal way.
6. Age
Regarding the use of the website, you declare that you are of legal age and that you have the necessary legal capacity to be bound by this agreement and use the Service in accordance with its terms and conditions, which you fully understand and acknowledge.
In addition, you affirm that you have the consent and/or legal authorization of the third parties whose data and photographs you share through the website, especially in the case of minors.
You declare that all the information you provide to access the Service, before and during use, is true, complete and accurate.
7. Data Protection
7.1 Information Collected
The personal and non-personal information collected will change depending on whether you are a Visitor or User, and based on your use of the website and its features.
The personal and non-personal information collected will reach us in four ways:
- Information collected automatically
- Information voluntarily provided to us
- Information provided by third parties
- Application-specific data
7.1.1 Data Collected Automatically (applicable to Visitors and Users)
This information will consist of:
- Information collected through cookies or similar mechanisms stored on your device, always with your consent. Consult our Cookie Policy for more information.
- The IP from which the connection is made, the type of device used and its characteristics, the version of the operating system, the type of browser, the language, the date, the country, the time of the request, the referring URL or the mobile network used, among others.
- Data on the use of the site and the chatbot in the communication channels in which it is located, possible errors detected during its use, such as pages not found or erroneous displays.
- In addition, the Service uses Google Analytics, an analytical service provided by Google LLC, domiciled in the United States with headquarters at 1600 Amphitheatre Parkway, Mountain View, California 94043. To provide these services, they use cookies that collect information, including the user's IP address, which will be transmitted, processed and stored by Google under the terms set out on the website www.google.com, including the possible transmission of said information to third parties for reasons of legal requirement or when said third parties process the information on behalf of Google.
In any case, you can disable Google Analytics cookies from here.
7.1.2 Data Provided Voluntarily
For Visitors, this information will consist of:
- Information you may provide through contact forms or newsletter subscriptions
- Information included in blog comments
- Information provided when downloading content or guides
For Users (in addition to the above), it will also include:
- Registration and profile information on the platform
- Health and wellness information provided during service use
- Health and plans data
- Information about physical activity, health metrics, and symptom evolution
- The information, personal or not, that messages sent through the contact channels established by the Service may contain, for example your name, email, telephone number and comment, as a Professional or Patient.
- The information, personal or not, that you provide us when you download one of our content or guides, for example your email.
- The information, personal or not, that the comments to any of the blog articles may contain, for example your name, email, website and message.
- The information, personal or not, required for your registration as a user in the app, such as your email, name, and password (which is stored in encrypted form).
- The information requested to fill out the advice form on good habits as a Patient and your registration as a User by your health Professional in the app, for example your name and surname, date of birth, gender, email, telephone number, weight, height, country, province, city, level of studies, profession, data related to your health, possible pain and its frequency and intensity, life habits, diet, physical exercise and rest.
- The information requested to fill out the registration form as a therapist, for example your name and surname, date of birth, gender, email, telephone number, your weight, height, country, province, city, profession or number of patients.
- The personal information required to subscribe to the newsletter, such as your email.
- Health history data, plans, and therapy progress that you may enter into the system.
- Evaluation metrics and feedback you provide about plans and app usage.
7.1.3 Those Provided by Third Parties
This information will consist of:
- Information provided by messaging channels, chatbots or similar services, such as Chatfuel. In this case, Chatfuel may collect the messages you send in some cases. In addition, if you click on buttons or links on the chatbot, it is possible to collect the IP address in the event that it registers the web link to which it directs you. You can consult more information about how Chatfuel treats your data in the Messenger Privacy Policies.
- Information provided by social networks or similar services that use the Service.
- Data shared by healthcare providers who have registered you as a patient in the system, which may include basic health information and therapy requirements.
7.1.4 Application-Specific Data (applicable only to Users)
When using our applications, we collect and process health-related data including:
- General health metrics
- Exercise and physical activity information
- Pain levels and symptoms
- Sleep quality data
- Weight, glucose, and other biometric measurements
- Health data synchronized from third-party services like Google Fit or Apple Health
This health data is collected with the primary purpose of displaying it back to you and your healthcare providers through our user interface. We store this information securely in our database to enable historical tracking and progress monitoring.
Special note regarding health data: As health data is considered a special category of personal data under GDPR, we take additional measures to protect this information. By using our service, you explicitly consent to our collection and processing of your health data for the specific purposes outlined in this policy. We are working to implement more granular consent mechanisms in future updates of our application.
7.2 Rights
Both Visitors and Users have the rights detailed below, although the scope of these may vary depending on the volume and type of data processed:
We inform you that the completion of the forms is voluntary. However, if you do not fill in the required fields (marked as required or with an asterisk), the use of some functions of the site will not be possible or will be limited.
The personal data that you provide us will be incorporated and will be processed in the files owned by the Service, in order to be able to attend to your requests.
In accordance with the GDPR and Spanish data protection regulations, you can exercise the following rights:
- Right of access: You have the right to obtain confirmation of whether we are processing your personal data and, if so, to access it.
- Right to rectification: You have the right to request the rectification of inaccurate data or to complete incomplete data.
- Right to erasure (right to be forgotten): You have the right to request the deletion of your personal data when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing: You have the right to request the limitation of the processing of your data in certain circumstances.
- Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller.
- Right to object: You have the right to object to the processing of your data in certain circumstances and for reasons related to your particular situation.
- Right not to be subject to automated individual decisions: You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.
Important Note Regarding Consent: For Visitors, consent will primarily be requested for the use of non-essential cookies and sending commercial communications. For Users, additional explicit consent will be requested for the processing of special categories of data (such as health data) during the registration process. At present, acceptance of our Terms and Privacy Policy may be indicated through a single action (such as clicking "Sign Up" or similar buttons) on our platforms. We are working to implement more granular consent options, especially for processing special categories of data. Until such implementation is complete, by registering as a User, you acknowledge that you have read and agree to this Privacy Policy and the processing activities described herein.
You can exercise these rights at any time by email addressed to: hello@iki.health or to the postal address: Plaza Progrés, number 8, CP 07570, Artá, Balearic Islands, Spain.
In both cases you must identify yourself with your name and surname and, if necessary, with a copy of your national ID or other ID.
In the event that you have granted consent for a specific purpose, you have the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal.
In addition, if you consider that there is a problem with the way in which we are handling your data, you can direct your claims to the corresponding data protection authority, in this case the Spanish Data Protection Agency (www.aepd.es).
7.3 Use of Data
The Service will use the data collected for:
For Visitors:
- Enable browsing through the website
- Respond to information requests
- Send commercial communications (only with explicit consent)
- Generate anonymous usage statistics
- Ensure website security
For Users (in addition to the above):
- Provide access to the platform and its functionalities
- Manage your account and profile
- Process health data to offer you personalized recommendations
- Allow your healthcare provider to monitor your progress
- The other purposes detailed below:
- Manage and update the service (the legal basis being our legitimate interest in maintaining and keeping the service up to date and in good condition).
- Respond to your requests (the legal basis being our legitimate interest in answering and resolving the queries of our users).
- Send you our newsletter by email (the legal basis being your consent).
- You can unsubscribe from the email received or by contacting us. However, you will not be able to unsubscribe from certain correspondence from us, such as messages regarding the security of your data or the terms and conditions of the Service.
- Create, process, manage and update user accounts (the legal basis being your consent or the contractual relationship, depending on the case).
- Create, process, manage and update the accounts of the therapists (the legal basis being your consent or the contractual relationship, depending on the case).
- As a Patient, offer through our app personalized reports with exercise, eating and lifestyle guidelines with your personal guide, IKI, as well as music recommendations depending on the case (the legal basis being your consent).
- As a Patient, accessing our academy in the app to get access to new content and knowledge (the legal basis being your consent).
- Monitor the evolution of pain in users who have registered with the Service on the prescription of a therapist licensed in the Service, as well as your calendar of activities (consent being the legal basis).
- Maintain the security of the Service, investigate illegal activities, enforce our terms and conditions and help state security forces and bodies in the framework of their eventual investigations (the legal basis being our legitimate interest in guaranteeing and maintaining the security of the Service and its users).
- Process and store health-related information to provide personalized recommendations and enable your healthcare provider to monitor your progress (the legal basis being your explicit consent for this special category of data).
- Enable therapists to manage their patient information, advice, intake plans, and exercise plans (the legal basis being the contractual relationship with the therapist and consent from the patients).
- Analyze usage patterns to improve our services and user experience (the legal basis being our legitimate interest in improving our service).
- Likewise, the Service may use the personal and non-personal information of users in the form of aggregated and anonymous data to display it to third parties, for example for the preparation of a final report after the testing phase. It may also share statistics and demographic information about users and their use of the Service with third parties. None of this will allow those third parties to personally identify you. You accept and understand that some of this aggregated and anonymous data could be used in the future for the training of artificial intelligence models. The Service does not use automated individual decisions that produce legal effects on you or similarly significantly affect you.
7.3.1 In Emails and Contact Forms
The website has TLS encryption that allows the user to securely send their personal data through standard contact forms. The personal data collected will be subject to automated processing and incorporated into the corresponding record of processing activities of which the Service is the data controller.
In that sense:
- We will receive your IP, which will be used to verify the origin of the message in order to offer you appropriate recommendations (for example, present the information in the correct language) and to detect possible irregularities (for example, possible cyberattack attempts on the Service), as well as data related to your ISP.
- Likewise, you can provide us with your information via email.
7.3.2 On Social Networks
We have profiles on some of the main social networks on the Internet, the Service being responsible for the processing in relation to the data published on them (for example, photos uploaded by the Service in which people's faces appear).
This data will be processed according to the social network corporate profiles. Therefore, when the law does not prohibit it, we can inform our followers by any means that the social network allows about their activities or offers, as well as provide a personalized customer service.
In no case do we extract data from social networks, unless the user's consent to do so is obtained promptly and expressly.
When, due to the very nature of social networks, exercising your rights depends on modifying your profile, we will help and advise you to the best of our ability.
7.4 Conservation of Data
The following indicates how long the data processed by the Service is stored:
- Disaggregated and anonymous data: This will be stored without a specific deletion period, since being completely anonymized it does not allow the identification of natural persons and, therefore, is not subject to the temporal limitations of the GDPR.
- General personal user data: This will be stored for the minimum time necessary for the provision of the service and may be kept for up to 5 years after the relationship with the user has ended, according to art. 1964 of the Spanish Civil Code (limitation period for personal actions without special term), always subject to periodic reviews of necessity.
- Data on social networks: User data uploaded by the Service to pages and profiles on social networks will be stored from the moment the user offers their consent until they withdraw it, proceeding to its deletion within a maximum period of 30 days after withdrawal of consent.
- Job candidate data: The data of candidates for a job offer, if the candidate is not selected, will be stored for a maximum of two years to incorporate them into future calls, provided that the candidate has given their explicit consent for this purpose. After this period, the data will be deleted or anonymized.
- Health data: Health data and related information will be stored for the time necessary for the provision of the service and, subsequently, for an additional period of 5 years, in accordance with Spanish Law 41/2002 regulating patient autonomy and rights and obligations regarding information and clinical documentation, as amended by subsequent provisions up to 2025. These periods could be longer in case of ongoing health treatment or specific legal requirements.
We implement periodic review processes of the stored data to ensure that it is not kept longer than necessary. We use automated tools to ensure the deletion or anonymization of data when the established deadlines are reached.
7.5 Security of Health Data
We implement specific security measures for health data including:
- End-to-end encryption during data transmission
- Encrypted storage in our database
- Strict access controls limiting who can access health information
- Regular security audits of our health data storage systems
- Data minimization practices to only collect what's necessary
We do not use your health data for automated decision-making, profiling, or any secondary purposes beyond displaying it to you and your authorized healthcare providers.
7.6 International Data Transfers
Some of our service providers may be located outside the European Economic Area (EEA). We work to ensure that any international transfers comply with applicable data protection regulations. Currently, our data processing activities primarily take place within the European Union, with limited transfers outside this area.
Should our practices regarding international data transfers change significantly, we will update this policy accordingly.
8. Service Providers and Others
There are third parties that manage part of the Service.
The Service requires them to comply with these Terms of Use and Privacy in what is applicable to them and they must also have their own. However, the Service will not be responsible for compliance with such policy.
Under some circumstances, the Service may share, use, preserve or disclose personal information with third parties, in a non-aggregated way:
9. Responsibility
To the extent permitted by law, the Service is not responsible for: a) errors or omissions in the content; b) the lack of availability of the website; c) the transmission of malicious programs in the contents, despite having adopted all reasonable technological measures to avoid it; or d) the usefulness for your specific needs of the different recommendations that the Service can make regarding lifestyle and eating habits.
10. Modifications
The Service reserves the right to make the modifications it deems appropriate to its website and app without prior notice, being able to change, delete or add both the content and services provided through it and the way in which they are presented. In addition, these terms and conditions may change at any time. The modifications will enter into force from the moment of their publication.
This privacy policy is effective as of May 7, 2025, and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page. We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically.
11. Cookies
For information about how we use cookies, please refer to our separate Cookie Policy.
12. Security Measures
The Service adopts all the necessary technical and organizational measures to protect the security and integrity of the personal and non-personal information collected, both against unauthorized access and against accidental alteration, loss or destruction.
These measures include, but are not limited to:
- Encryption of data in transit using TLS
- Encryption of sensitive data at rest
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Employee training on data security practices
- Secure development practices for our applications
In any case, the Service cannot guarantee the absolute security of the information collected, so you must collaborate and use common sense about the information shared at all times.
You understand and acknowledge that even after deletion, personal and non-personal information may remain visible in cache or if copied or stored by other users.
12.1 Data Breach Notification
In case of a personal data breach that may pose a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by the GDPR.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, providing clear and plain information about the nature of the breach and the measures being taken to address it.
13. Contact
If you have questions about these Terms of Use and Privacy, or wish to exercise your data protection rights, contact us at:
Email: hello@iki.health
Address: Plaza Progrés, number 8, CP 07570, Artá, Balearic Islands, Spain