Privacy Policy
How Orthodata Labs, S.L. processes the personal data of those who visit orthodata.es, contact us or use the BioTrack platform.
Last updated: 3 May 2026
Orthodata Labs, S.L. (hereinafter, «Orthodata») is fully committed to protecting the personal data of the users of its website, of those who contact the company and of the healthcare professionals and entities that use the BioTrack platform.
This Privacy Policy describes how we collect, use and protect personal data, in compliance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), and other applicable regulations.
1. Data controller
Company name: Orthodata Labs, S.L.
Tax ID (NIF): B-44218905
Address: Calle Velázquez, 78, 4.º izq. — 28006 Madrid (Spain).
Contact email: hola@orthodata.es
Data Protection Officer (DPO): dpd@orthodata.es
2. Categories of data processed
Depending on the channel of interaction with Orthodata, we may process:
- Identification and contact data: first name, surname, email, phone, organization or professional role.
- Request or message data: the content of the message sent through the contact form.
- Website usage data: IP address, device type, browser, pages visited and technical metrics (when the use of analytics cookies is authorized).
- Data of healthcare professionals using BioTrack: access credentials, associated centre, specialty and activity logs.
- Pseudonymized clinical data: treatment records, PROMs scales and clinical results uploaded to BioTrack by professionals as part of their clinical practice. Orthodata acts as Data Processor for this data on behalf of the responsible centre or professional.
We do not request special category data through the website. Clinical data is only processed within the framework of the service contracts signed with clinics, hospitals and healthcare professionals.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|
| Handle requests received through the contact form. | Art. 6.1.b — pre-contractual measures requested by the data subject. | 1 year from the last contact, unless a legal retention obligation applies. |
| Manage the commercial relationship and perform signed contracts. | Art. 6.1.b — performance of a contract. | Duration of the relationship + legal periods (commercial, tax). |
| Comply with legal obligations (tax, accounting, health). | Art. 6.1.c — legal obligation. | Up to 6 years (Spanish LGT, Commercial Code) or the applicable period. |
| Send communications about products, events or publications. | Art. 6.1.a — consent (revocable at any time). | Until consent is withdrawn. |
| Maintain site security and prevent fraud (Cloudflare Turnstile, logs). | Art. 6.1.f — legitimate interest in protecting the Services. | Maximum 12 months. |
| Provision of the BioTrack service to clinics and professionals. | Data processing on behalf of the controller under art. 28 GDPR. | As agreed with the controller and health regulations. |
4. Recipients and data processors
Orthodata does not transfer personal data to third parties except by legal obligation. To provide the Services, we may share data with the following data processors, all bound by contract under art. 28 GDPR:
- Mailjet (Sinch Email): transactional sending and management of the contact form.
- Cloudflare, Inc.: abuse protection (Turnstile), CDN and attack mitigation.
- EU cloud hosting providers: hosting of the website and the BioTrack platform.
- Web analytics tools (where applicable) configured with IP anonymization.
- Professional advisors (legal, tax, labour) bound by a duty of confidentiality.
In the event of international data transfers outside the European Economic Area, Orthodata ensures the adoption of appropriate safeguards (adequacy decisions, the European Commission's Standard Contractual Clauses or equivalent guarantees).
5. Retention periods
Data will be kept for the time strictly necessary to fulfil the purposes for which it was collected, as well as to address possible legal liabilities. The detailed periods are indicated in the table in section 3.
6. Rights of data subjects
Under the GDPR, the data subject may exercise the following rights:
- Access to their personal data.
- Rectification of inaccurate or incomplete data.
- Erasure when, among other reasons, the data is no longer necessary.
- Objection to processing on grounds relating to their particular situation.
- Restriction of processing in the cases provided by law.
- Portability of the data in a structured, commonly used format.
- Withdrawal of consent given, without retroactive effect.
- Not to be subject to automated decisions with significant legal effects.
To exercise any of these rights, you may write to dpd@orthodata.es, indicating «Data Protection» in the subject line and enclosing a copy of a document proving your identity.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you consider that the processing does not comply with the regulations in force.
7. Security measures
Orthodata applies appropriate technical and organizational measures to ensure a level of security adequate to the risk, in accordance with art. 32 GDPR. Among others: encryption in transit (TLS), encryption at rest, role-based access control, environment segregation, activity logging, periodic backups, continuous provider assessment and staff training.
8. Minors
The Services are aimed exclusively at professionals and entities. Orthodata does not collect data of minors under 14 through the website. If we detect such processing, we will delete the data immediately.
9. Changes to this Policy
Orthodata may update this Privacy Policy to adapt it to legislative or case-law changes or to the evolution of the Services. Updated versions will be published on this same page, indicating the date of the last revision.