Legal

Privacy Statement

Last updated: April 2026

🔒 This site uses no tracking cookies. Our analytics are cookieless and collect no personal data. We handle your medical information under strict confidentiality in accordance with GDPR.

At Prevscan, we handle your personal and medical data with the utmost care and in accordance with applicable law, including the EU General Data Protection Regulation (GDPR). We ask for your consent where required and keep you informed about how your data is used.

Data Controller

The data controller responsible for your personal data is:
Prevscan SL (CIF: B75931840)
Calle Tadorna 50, 03730 Jávea, Spain
contact@prevscan.es · +34 675 64 95 20

Categories of Personal Data

Depending on the services you use, we may collect:

  • Personal identification details (name, address, date of birth)
  • Contact details (email address, phone number)
  • Medical history and health information
  • Pre-scan biometric measurements
  • Laboratory and radiology results
  • Payment details

Health data is classified as special category data under GDPR Article 9. We process this data only with your explicit consent and solely for the purpose of providing our preventive health screening services.

Legal Basis for Processing

  • Contract performance — to deliver the services you have booked
  • Legal obligation — to comply with applicable medical and financial record-keeping requirements
  • Explicit consent — for the processing of health data (Article 9 GDPR)
  • Legitimate interest — to improve our services and communicate relevant changes

Purposes of Data Processing

Your personal data is used for:

  • Maintaining your medical records
  • Scheduling and managing appointments
  • Providing and improving our services
  • Invoicing and payment processing
  • Compliance with legal obligations

Analytics & Cookies

This website uses Umami, a privacy-first, cookieless analytics tool. It collects no personal data, sets no cookies, and stores no identifying information. We use it only to understand overall traffic patterns (e.g. page visits, referral sources). No consent banner is required because no personal data is collected.

We do not use Google Analytics or any client-side advertising or tracking scripts.

The only cookies this site may set are strictly necessary functional cookies (e.g. session state). These are exempt from consent requirements under GDPR.

WhatsApp Service & Meta Conversions API

Prevscan offers a WhatsApp-based GP consultation service. When you communicate with us via WhatsApp, your messages — including any health information shared — are transmitted via WhatsApp, a service operated by Meta Platforms Ireland Ltd. Meta processes message metadata in accordance with their own privacy policy. We recommend you review Meta's privacy policy at whatsapp.com/legal/privacy-policy. Medical advice exchanged via WhatsApp is documented and retained as part of your medical record in accordance with the retention periods set out in this statement. We obtain your explicit consent to use this channel when you subscribe to the WhatsApp service.

Separately, we use Meta's Conversions API (CAPI) across all enquiry, booking, and registration forms on this site to measure the effectiveness of our advertising campaigns. When any form is submitted, hashed (anonymised) contact details — such as email address and phone number — may be transmitted to Meta Platforms Ireland Ltd. solely for the purpose of attributing conversions to ad campaigns. No raw personal data is transmitted; all data is irreversibly hashed using SHA-256 before leaving our servers. Meta acts as a data processor for this purpose under a Data Processing Agreement.

Disclosure to Third Parties

Your data is only shared with third parties where there is a legal basis or with your explicit consent. This includes:

  • Partner medical facilities (HCB Denia) — for the performance of your scan
  • Payment processors — solely to process your payment securely
  • Cloud infrastructure: Vercel Inc. — hosts the Prevscan website and application. Data Processing Agreement in place.
  • Email delivery: Resend Inc. — sends booking confirmations and service communications. Data Processing Agreement in place.
  • Advertising measurement: Meta Platforms Ireland Ltd. — receives hashed conversion data via Conversions API for ad campaign measurement only. Data Processing Agreement in place.

We do not sell, rent, or share your data for marketing purposes.

Retention Periods

We retain your data only for as long as necessary:

  • Medical records: minimum 5 years, in accordance with Spanish healthcare legislation
  • Financial records: 5 years

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. Access to medical records is restricted to authorised clinical staff only.

Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (subject to legal retention obligations)
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdrawal of consent — withdraw consent at any time, without affecting prior processing

To exercise any of these rights, contact us at contact@prevscan.es.

Supervisory Authority

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Authority:

Agencia Española de Protección de Datos (AEPD)
www.aepd.es

Changes to This Statement

We reserve the right to update this privacy statement. The date at the top of this page reflects the most recent revision. We recommend checking back periodically.

Terms & Conditions →Back to homepage →