Privacy Policy

1. Data Controller Identification

In accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), the data controller is:

2. Purpose and Scope

This Policy governs the processing of personal data of users when using the medical document translation service through the Mislab website. Use of the service implies acceptance of this Policy.

3. Categories of Data Processed

We may process the following categories of data:

• Identification data: name, email address, credentials
• Documents: medical documents uploaded by the user (may contain health data classified as special category data under Art. 9 GDPR)
• Technical data: IP address, device type, browser, access logs
• Usage data: information about interaction with the service

4. Legal Bases for Processing

Processing is carried out on the following bases:

• Performance of a contract (Art. 6.1.b GDPR) — provision of the translation service
• Explicit consent of the user (Art. 6.1.a and Art. 9.2.a GDPR) — for processing medical data
• Legitimate interests (Art. 6.1.f GDPR) — ensuring security, preventing abuse, improving the service

5. Purposes of Processing

Data is used for:

• Providing translation services
• Processing and storing uploaded documents
• Ensuring security and preventing fraud
• Improving service quality and user experience
• Fulfilling legal obligations

6. Processing of Medical Data

Medical documents are classified as a special category of personal data. Their processing is carried out:

• Only to the extent necessary for the provision of the service
• Based on the explicit consent of the user
• With enhanced protection measures
• With automatic anonymization: during document recognition, the system automatically removes or masks personal identifying data, including names and contact information of patients, if this does not hinder the performance of the translation service

7. Data Retention

Data is stored:

• For the time necessary to provide the service
• Until deleted by the user or upon their request
• For the periods required by law

After the retention period expires, data is deleted or anonymized.

8. Data Transfers to Third Parties

Data is not sold or transferred to third parties for marketing purposes. Transfers are only possible:

• To service providers (hosting, cloud services, AI processing) under Data Processing Agreements (DPA)
• When necessary to fulfill legal obligations
• When protecting the rights and security of the service

When transferring outside the European Economic Area, appropriate safeguards are applied (EU standard contractual clauses or other GDPR-compliant mechanisms).

9. Data Security

We apply technical and organizational security measures:

• Encryption of data in transit and at rest
• Access restriction based on the need-to-know principle
• Access control and authentication
• Monitoring and prevention of unauthorized access

10. User Rights

The user has the right:

• To access their data
• To correct inaccurate data
• To delete data ("right to be forgotten")
• To restrict processing
• To data portability
• To object to processing

Requests should be sent to the contact email provided.

11. Withdrawal of Consent

The user may at any time withdraw consent to the processing of data, including medical data, without affecting the lawfulness of processing prior to withdrawal.

12. Complaints

The user has the right to lodge a complaint with the Spanish supervisory authority:

13. Policy Changes

We may update this Policy. The current version is always available on the website.

14. Contact Information

For questions regarding data processing:

Email: info@mislab.es