Privacy Policy

Last Updated: 22 May 2025

1. INFORMATION FOR THE USER

In accordance with the provisions of Regulation (EU) 2016/679 of April 27, 2016 (GDPR), and the Spanish Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the user is informed that any personal data provided through this website or within the framework of our professional relationship will be processed by:

Data Controller: GRANT FOSTER

NIF/CIF (Tax ID): X6213338A

Registered Address: urbanisation lorcirmar, fase4, blq5, apmt B-G, 29660 Marbella, Spain

Contact Email: [email protected]

Phone Number: +34 667 86 24 75

2. TYPES OF DATA COLLECTED AND PURPOSE OF THE PROCESSING

Depending on how you interact with our website and therapy services, we may collect and process the following types of data for these specific purposes:

Contact and Inquiry Management: To manage requests for information, consultation bookings, or general inquiries submitted through our web forms, email, or telephone. (Data collected: Name, email, phone number, and any details you choose to share regarding your therapy needs).

Special Category Data (Health/Wellbeing Details): If you voluntarily share information regarding your physical health, mental health, history, or symptoms via our intake forms or contact fields so that we can evaluate your case, we will treat this as highly confidential health data.

Provision of Professional Services: To manage our professional therapist-client relationship, execute treatment plans, track session progress, and issue invoices.

Commercial Communications (Marketing): Provided that you have given us your express consent, to send you automated follow-ups, updates, newsletters, or wellness advice regarding our practice. You can opt out at any time.

Security and Website Optimization: To ensure network security and prevent fraudulent activity on our website.

3. LEGAL BASIS FOR PROCESSING

The legal framework allowing us to process your data depends on the nature of the information:

Consent of the Data Subject (Art. 6.1.a GDPR): For general inquiries, responding to contact forms, and sending marketing communications.

Explicit Consent for Health Data (Art. 9.2.a GDPR): Because therapy involves personal wellness information, we rely on your explicit consent to process any health-related details you provide before or during your consultation request.

Execution of a Contract or Pre-contractual Measures (Art. 6.1.b GDPR): Necessary for scheduling your therapy sessions, delivering treatment, and managing billing/invoices.

Compliance with Legal Obligations (Art. 6.1.c GDPR): For complying with Spanish tax and accounting obligations (retaining invoices).

4. DATA RETENTION CRITERIA

Personal data will be securely stored only for as long as necessary to fulfill the purposes for which it was collected, or to comply with statutory retention periods in Spain.

Client and Health Records: Stored securely for the duration of your treatment and thereafter for the minimum periods required by Spanish healthcare/professional record regulations.

Invoices and Financial Data: Retained for a minimum of 4 years to comply with Spanish tax laws.

General Inquiries / Marketing Leads: Retained until you request their erasure or withdraw your consent.

When data is no longer required, it will be permanently deleted or irreversibly anonymized using appropriate security measures.

5. RECIPIENTS OF THE DATA

We treat your personal data with strict professional confidentiality. Your personal or health details will never be sold or shared with unauthorized third parties.

However, to carry out our digital business operations and follow-ups effectively, we utilize external service providers who act as Data Processors (Encargados del Tratamiento). They are bound by strict contractual data protection agreements (Art. 28 GDPR). Our primary processor is:

Follow Up Spark (https://followupspark.com/): A Customer Relationship Management (CRM) and marketing automation platform used to securely store contact details, manage inquiry pipelines, and schedule automated communications.

International Data Transfers: Follow Up Spark is managed by an entity based in the United States. Consequently, data submitted through our website may be transferred to and stored on servers located outside the European Economic Area (EEA). We ensure these transfers are safeguarded under valid lawful mechanisms, such as the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission, so that your data receives a level of protection equivalent to the one it has within the EU.

6. YOUR RIGHTS AS A DATA SUBJECT

Data protection regulations grant you full control over your personal information. You can exercise the following rights free of charge at any time:

  • Right of Access: To know if we are processing your data and get a copy of the records we hold.

  • Right to Rectification: To correct any inaccurate, outdated, or incomplete data.

  • Right to Erasure ("Right to be forgotten"): To request the total deletion of your personal data when it is no longer legally required.

  • Right to Object: To stop the processing of your data for specific purposes (such as opting out of marketing emails).

  • Right to Restriction of Processing: To request that we temporarily restrict the processing of your data in specific legal disputes.

  • Right to Data Portability: To receive your personal data in a structured, machine-readable format to transfer it to another provider.

  • Right to Withdraw Consent: To revoke any consent you have previously given (such as processing your health details or sending emails) without affecting the lawfulness of processing based on consent before its withdrawal.

How to exercise your rights: You can send a written request, along with a photocopy or digital copy of your ID (DNI/NIE or passport) to verify your identity, directly to our privacy email address: [Your Professional Email Address], stating "Data Protection / Exercise of Rights" in the subject line.

If you believe your data has been handled incorrectly, you have the right to file a formal complaint with the Spanish Data Protection Authority: Agencia Española de Protección de Datos (AEPD) via their website (www.aepd.es) or at their headquarters (C/ Jorge Juan, 6, 28001 - Madrid).

7. SECURITY MEASURES

We implement appropriate administrative, technical, and organizational security measures to protect your data against unauthorized access, loss, alteration, or disclosure. When using platforms like Follow Up Spark, data transmissions are secured using encryption technologies (such as SSL/TLS protocols).

Disclaimer:

This document is provided as a general template for informational purposes and does not constitute formal legal advice. Since specific business setups and lead-capture methods vary, you may want to have a legal professional in Spain review your final compliance setup, especially concerning automated SMS workflows.

Copyright 2026 @Grant Foster. All Rights Reserved. Made using Follow Up Spark