Privacy Policy
Rev 1.0 - November 2025 — Effective: November 2025
INNOVATIVE CODE CRAFTERS SL, registered in Spain, NIF B26911891
Introduction
INNOVATIVE CODE CRAFTERS SL ('Mise Health', 'we', 'us', or 'our') operates Mise Health as a beta product under the Mise Health brand. We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the EU General Data Protection Regulation (GDPR) 2016/679 and Spanish Organic Law 3/2018 on Personal Data Protection and digital rights.
Mise Health is a personal health history application that allows individuals and families to scan, upload, and manage medical records. We are a data management tool - we do not provide medical advice, diagnoses, or treatment recommendations.
This policy applies to all users of the Mise Health application and website. References to 'Mise Health', 'we', 'us', or 'our' mean INNOVATIVE CODE CRAFTERS SL unless and until this policy is updated to identify a successor legal entity.
Data Controller Information
The data controller responsible for your personal data is INNOVATIVE CODE CRAFTERS SL, a company registered in Spain with NIF B26911891 and registered office at Calle Alejandro Dumas, núm. 17, 29004 Málaga, Spain. You can contact us regarding any data protection matter at: dpo@misehealth.com
Mise Health is the product and brand operated by INNOVATIVE CODE CRAFTERS SL during the beta. We intend to incorporate an Irish company for Mise Health in the future. If that entity assumes operation of the service or becomes the controller or contracting party, we will update this policy and provide notice where required before the change takes effect.
Our supervisory authority is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid, Spain. Website: www.aepd.es. Phone: +34 900 293 183.
What Data We Collect
Identity Data: Name, date of birth, gender, profile photo, and family relationships.
Contact Data: Email address, phone number, and postal address.
Health Data (Special Category): Medical records, prescriptions, lab results, doctor's notes, vaccination records, allergies, chronic conditions, and other health-related documents you upload.
Usage Data: Information about how you interact with our app, including settings, preferences, appointment logs, and activity timestamps.
Technical Data: IP address, browser type, device information, operating system, and app version.
Financial Data: Payment information for subscription services (processed by our payment provider).
Legal Basis for Processing (Articles 6 and 9 GDPR)
We process your personal data based on the following legal grounds:
Consent (Article 6(1)(a) and Article 9(2)(a)): For health data and special categories of data, we rely on your explicit consent. You can withdraw consent at any time.
Contract Performance (Article 6(1)(b)): Processing necessary to provide our services to you under our Terms of Use.
Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws and regulations.
Legitimate Interest (Article 6(1)(f)): For improving our services and ensuring security, where these interests are not overridden by your rights.
For health data specifically, we rely on your explicit consent under Article 9(2)(a) of the GDPR. You have the right to withdraw this consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
How We Use Your Data
Service Delivery: To provide you with our health data management services, including storing your medical records, generating health summaries, and managing appointments.
Account Management: To create and maintain your user account, authenticate your identity, and manage your subscription.
Communication: To send you important service updates, respond to your inquiries, and provide customer support.
Service Improvement: Using anonymized and aggregated data to improve our platform and develop new features.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.
Data Sharing and Third Parties
We do not sell your personal data. We may share your data only in the following circumstances:
With Your Consent: When you explicitly authorize sharing with healthcare providers, family members, or other parties.
Service Providers and Sub-processors: With carefully selected third-party providers and sub-processors who help us operate our services (e.g., cloud hosting, analytics, email delivery, security, and payment processing). These providers are bound by a data-processing agreement (DPA) and can only use your data for the specified purposes.
Legal Requirements: When required by law, court order, or governmental authority.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
All our service providers and sub-processors are vetted for GDPR compliance and are bound by appropriate data-processing agreements (DPAs), including the DPA terms required under the GDPR where applicable.
International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions by the European Commission recognizing the destination country provides adequate data protection.
Other approved mechanisms under GDPR Article 46.
You may request a copy of the safeguards we use by contacting our Data Protection Officer.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
Account Data: Retained while your account is active and for a reasonable period thereafter to comply with legal obligations.
Health Records: Retained until you request deletion or close your account.
Transaction Records: Retained for 6 years or any longer period required by applicable Spanish tax and accounting laws.
Usage Logs: Retained for up to 2 years for security and service improvement purposes.
You may request deletion of your data at any time, subject to our legal retention obligations.
Your Rights Under GDPR
Under the GDPR and Spanish Organic Law 3/2018, you have the following rights:
Right of Access (Article 15): You can request a copy of all personal data we hold about you.
Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data.
Right to Erasure (Article 17): You can request deletion of your data ('right to be forgotten'), subject to legal retention requirements.
Right to Restriction (Article 18): You can request that we limit how we process your data in certain circumstances.
Right to Data Portability (Article 20): You can request your data in a structured, commonly used, machine-readable format.
Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
To exercise any of these rights, contact us at dpo@misehealth.com. We will respond within one month as required by law.
Data Security (Article 32 GDPR)
We implement appropriate technical and organizational measures to protect your personal data:
Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Access Controls: Strict role-based access controls limit who can access your data.
Security Monitoring: Continuous monitoring for unauthorized access or security incidents.
Regular Audits: Periodic security assessments and penetration testing.
Employee Training: All staff receive data protection and security training.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Agencia Española de Protección de Datos (AEPD) within 72 hours as required by Article 33 GDPR.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who can be contacted for any questions regarding this policy or our data protection practices:
Email: dpo@misehealth.com
Post: Data Protection Officer, INNOVATIVE CODE CRAFTERS SL, Calle Alejandro Dumas, núm. 17, 29004 Málaga, Spain
Complaints and Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD):
Agencia Española de Protección de Datos, C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 900 293 183
Complaints are preferably submitted through the AEPD electronic office using the official complaint form.
We encourage you to contact us first at dpo@misehealth.com so we can address your concerns directly.
Children's Privacy
Our services are intended for users who are at least 16 years old; this is a product eligibility rule.
Under Spanish data protection law, consent-based processing of personal data of children under 14 requires consent from a parent or legal guardian.
Parents or legal guardians may create and manage accounts for children under 16, providing appropriate consent on their behalf.
If we learn that we have collected personal data from a child without appropriate parental consent where required, we will take steps to delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
We will notify you of any material changes by email and/or a prominent notice in our app before the changes take effect.
Your continued use of our services after any changes indicates your acceptance of the updated policy.