Legal

Privacy policy

Last updated:

This policy describes how your personal and health data are processed when you use the private telemedicine service operated by the controller listed below. By booking a consultation, you consent to the processing of your data on the terms described.

Data controller

Dr. Gastón Vázquez. Spain (Barcelona) medical registration COMB № 47708, Irish Medical Council № 425386. Contact: medico@gpdoctorspain.com.

Data we collect

  • Identification: full name, date of birth, passport/ID number, email, country of residence.
  • Clinical data: reason for consultation, symptoms, medical history and current medication, as voluntarily disclosed in the pre-consultation form.
  • Payment data: processed directly by Stripe; we do not store full card numbers.

Purposes of processing

  • Provision of the requested medical care (WhatsApp call with the doctor, REMPE prescription, medical certificate when applicable).
  • Compliance with health and tax obligations under Spanish law.
  • Communication with the patient about their consultation (confirmation, reminder, documents).

Legal basis

GDPR Art. 6(1)(b) (performance of the medical service contract), Art. 9(2)(h) (provision of health care by a professional bound by professional secrecy), and Art. 6(1)(c) (compliance with legal obligations).

Sub-processors

We share strictly necessary data with the following providers, each under a signed DPA and accredited GDPR compliance:

  • Cal.com — appointment management (EU/EEA).
  • Stripe — payment processing (EU with SCCs).
  • Google Workspace — professional email and Calendar (EU with SCCs).
  • Meta Platforms (WhatsApp Business) — voice/video call between the doctor and the patient during the consultation (EU/US with SCCs).
  • Tally — pre-consultation and contact forms (Belgium, EU). Used solely as intake; no clinical records are stored in Tally.
  • Proton Drive — encrypted archive of the finalised clinical records of each consultation (Switzerland; end-to-end encrypted, GDPR-compliant via the EU–Switzerland adequacy decision).
  • Resend — transactional emails (EU/US with SCCs).
  • Cloudflare — web hosting and DNS (EU/US with SCCs).

Retention period

Medical records: 15 years from last contact, as required by Catalan healthcare regulations (Law 21/2000 and subsequent developments). Billing data: 6 years (Spanish Commercial Code). Marketing/contact data: until consent is withdrawn.

Cookies

This site does not use analytics, advertising or tracking cookies. Only strictly technical storage is used: your theme preference (light/dark) is kept in your browser’s local storage, and the embedded booking, form and payment services (Cal.com, Tally and Stripe) may set technical cookies essential for their operation. As no non-essential cookies are used, no consent banner is required.

Your rights

  • Access, rectification and erasure of your data.
  • Restriction of and objection to processing.
  • Portability of your data to another controller.
  • Withdraw consent at any time.
  • Lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you believe processing is not compliant.

How to exercise your rights

Send an email to medico@gpdoctorspain.com identifying yourself and specifying your request. We will respond within one month at the latest.

Updates

This policy may be updated to reflect legal or operational changes. The date of last revision appears at the top of the document.

Notice

This text is a working first draft. Pending review by legal counsel before launch (see SETUP.md §legal).