Privacy Policy

Last updated: November 4, 2025

At Sanamen (hereinafter, "we", "our" or "the Platform"), we take the protection of your personal data very seriously. This Privacy Policy explains how we collect, use, store and protect your information in accordance with the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection and Digital Rights Guarantee (LOPD-GDD).

Data Controller Information

Sanamen Health S.L.

Tax ID (NIF): B-87654321

Address: Calle de Serrano 45, 3º Derecha, 28001 Madrid, Spain

Data Protection Officer (DPO):

dpo@sanamen.com

1. Data We Collect

1.1. Registration Data

When you register on Sanamen, we collect:

  • Full name
  • Email address
  • Password (stored only as a salted bcrypt hash, never in plaintext or in a reversible form; see Section 4)
  • Date of birth
  • Gender (optional)
  • Phone number (optional)

1.2. Clinical and Health Data

During the use of our psychological therapy, nutrition and wellness services, we may collect especially sensitive data:

  • Responses to psychological questionnaires (PHQ-9, GAD-7, etc.)
  • Clinical notes from therapy sessions (encrypted)
  • Appointment and treatment history
  • Nutritional data and meal plans
  • Exercise records and body measurements
  • Mental health and wellness goals

Important note: This data falls under the GDPR's "special categories of personal data" (Article 9) and is processed only with your explicit consent. Clinical notes are encrypted at rest with AES-256 and are accessible only to the professional assigned to you.

1.3. Payment Data

To process payments, we collect:

  • Credit/debit card information (processed by Stripe, not stored by us)
  • SEPA Direct Debit information (for EUR payments)
  • Transaction history and invoices
  • Tax data (Tax ID if needed for invoicing)

1.4. Usage and Technical Data

We automatically collect:

  • IP address and approximate geographic location
  • Browser type and device
  • Pages visited and session duration
  • Cookies (see our Cookie Policy)
  • Video call logs (metadata, no recordings without consent)

2. How We Use Your Data

We use your personal data for the following legitimate purposes:

Service Provision (Legal basis: Contract execution)

  • Facilitate psychological therapy, nutrition and fitness sessions
  • Connect you with verified professionals
  • Manage appointments and reminders
  • Provide access to secure video calls (Daily.co, EU servers)
  • Process payments and issue invoices with VAT (21%)

Service Improvement (Legal basis: Legitimate interest)

  • Analyze usage patterns to improve the platform
  • Conduct statistical analysis on anonymised data
  • Personalize professional recommendations
  • Develop new features

Communications (Legal basis: Consent)

  • Send notifications about appointments and messages
  • Send follow-up questionnaire reminders
  • Marketing communications (only with your explicit consent)
  • Important platform updates

Legal Compliance (Legal basis: Legal obligation)

  • Retain clinical data for 7 years (Spanish legal requirement)
  • Respond to requests from competent authorities
  • Comply with tax obligations (VAT, invoicing)
  • Prevent fraud and protect platform security

3. Data Sharing

We do not sell your personal data to third parties.

We share your data only in the following cases:

Healthcare Professionals

Verified psychologists, nutritionists and trainers have access to your relevant clinical data to provide you with services. All professionals are subject to strict confidentiality obligations.

Service Providers (Third Parties)

  • Stripe: Payment processing (GDPR compliant)
  • Daily.co: Video call infrastructure (EU servers)
  • SendGrid: Transactional email sending
  • Railway/Hetzner: Data hosting (EU servers)

All providers sign Data Processing Agreements (DPAs) and comply with GDPR.

Legal Authorities

We may disclose data if required by law or in response to valid court orders.

4. Security and Encryption

We implement advanced technical and organizational security measures:

  • AES-256 Encryption: All clinical notes are encrypted at rest
  • TLS 1.3: All connections use HTTPS, secured with TLS (X.509) certificates
  • JWT Authentication: Signed session tokens that expire after 7 days
  • Bcrypt Hashing: Passwords are stored as salted bcrypt hashes (cost factor 10, i.e. 2^10 iterations), never in plaintext
  • Rate limiting: Protection against brute-force attacks (100 requests per minute)
  • Security audits: Regular reviews against the OWASP Top 10 vulnerability categories
  • Encrypted backups: Daily encrypted backups with rotation

5. Data Retention

Retention Periods

  • Clinical data: 7 years from last session (Spanish legal requirement)
  • Account data: While your account is active, plus 30 days after you request deletion
  • Payment data: 6 years (tax obligations)
  • Audit logs: 3 years
  • Cookies: Maximum 13 months

After these periods expire, data is securely deleted or irreversibly anonymized.

6. Your Rights (GDPR)

Under GDPR and LOPD-GDD, you have the following rights:

✓ Right of Access

Request a copy of all your personal data in JSON or CSV format.

✓ Right to Rectification

Correct inaccurate or incomplete data from your profile.

✓ Right to Erasure ("Right to be Forgotten")

Request deletion of your account with a 30-day grace period.

✓ Right to Data Portability

Export your data in a structured, machine-readable format.

✓ Right to Object

Object to the processing of your data for direct marketing.

✓ Right to Restriction

Restrict the processing of your data in certain circumstances.

How to Exercise Your Rights

You can exercise these rights in the following ways:

Response time: We will respond to your request within a maximum of 30 days.

7. International Transfers

All our data is stored on servers located in the European Union (EU). We do not routinely transfer personal data outside the European Economic Area (EEA).

Where a service provider needs to access data from outside the EEA, we ensure that appropriate safeguards are in place (EU Standard Contractual Clauses) before any such access takes place.

8. Minors

Sanamen is not directed at children under 14 years of age. If you are between 14 and 18 years old, you need the consent of your parents or legal guardians to use our services.

If we discover that we have collected data from a minor without proper consent, we will delete that data immediately.

9. Changes to this Policy

We may update this Privacy Policy occasionally. We will notify you of material changes by email or through a prominent notice on the platform.

10. Complaints and Contact

Supervisory Authority

If you believe that the processing of your data violates current regulations, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD):

  • Website: www.aepd.es
  • Address: C/ Jorge Juan, 6, 28001 Madrid
  • Phone: 901 100 099 / 912 663 517

Contact Sanamen

For any privacy inquiries: