Privacy Policy

  1. PRIVACY POLICY

    Last update: February 2026

    1. Who is responsible for the treatment?

    MIVI GLOBAL INVESTMENT, S.L. (hereinafter, “MIVI” or “MIVI Salud”) is the owner of the website https://www.mivisalud.com and acts as co-responsible for the processing together with certain group companies/care centers (see Appendix I) for the purposes described in this Policy.

    Identification data

    • Company name: MIVI GLOBAL INVESTMENT, S.L.
    • VAT NUMBER: B72670466
    • Address: Av. Camino Viejo de Velez, 10, bajos, 29700 Velez-Malaga (Malaga), Spain.
    • General contact e-mail: info@mivisalud.com
    • Mail to exercise rights (privacy): dpo@mivisalud.com

    Data Protection Delegate (DPD/DPO): MIVI has a DPD, his contact details are: AURIS CONSULTORIA LEGAL I TRIBUTARIA SLP (xavi@auris.legal)

    MIVI GLOBAL INVESTMENT, S.L. and each of the companies/centers listed in Annex I act as co-responsible only with respect to the processing related to the collection and management of requests/applications and, if applicable, the management of communications related to the services of the selected center (for example: confirmations, reminders, administrative management and informative communications).

    Pursuant to art. 26 RGPD, a co-responsibility agreement has been signed, reflecting the roles and relationships of the parties, the essential aspects of which are made available to the interested parties upon request to the privacy mail indicated in paragraph 1.

    MIVI GLOBAL INVESTMENT S.L. administers the web environment, forms and corporate systems; establishes corporate security and privacy standards; centralizes rights management; manages technology providers (hosting, analytics, CRM, messaging, etc.) when applicable.

    Company/Annex I center: manages the care and provision of the assistance service or management of the request/appointment within the scope of the selected center; attends, in coordination with MIVI, to the reporting obligations related to its activity.

    Important: regardless of the internal agreement, interested parties may exercise their rights against any of the co-responsible parties by sending an e-mail to dpo@mivisalud.com.

    1. What data do we process?

    Depending on the channel and interaction, MIVI can treat:

    • Identification and contact information: name, surname, email, telephone, city/province.
    • Request/appointment management data: chosen center, general reason for request, preferred time slot, comments.
    • Professional data (HR): CV, professional/educational history, contact details and any information that the candidate includes.
    • Technical and browsing data: IP address, device/browser identifiers, cookies and browsing events (according to configuration and consent).
    • Communications: content of messages sent by the user through forms, email, telephone or messaging (WhatsApp or other enabled channels).

    Health data: MIVI does not request health data in the general contact forms. However, if the user voluntarily provides health-related information (e.g., when requesting an appointment or by messaging), such data may be processed only to process the request and/or provide the service, applying enhanced confidentiality and security measures in accordance with health and data protection regulations.

    1. For what purposes do we process the data and what is the legal basis?

    The main purposes are described below (they may vary according to specific forms):

    4.1. Contact / information request forms

    Purpose: to respond to inquiries, requests for information, complaints or general requests.

    Legal basis: consent (Art. 6.1.a) and/or pre-contractual measures (Art. 6.1.b) when the request refers to specific services.

    Retention: until resolution of the request and, thereafter, blocking during the applicable statute of limitations (in general, 5 years for contractual personal actions).

    4.2. Online appointment request and management

    Purpose: to process and manage the requested appointment, operational communications (confirmation, changes, reminders).

    Legal basis: pre-contractual/contractual measures (art. 6.1.b).

    Storage: during processing and for a reasonable period thereafter (e.g., 3 months) and, if applicable, the periods required by health/administrative regulations when applicable.

    If after the appointment the user becomes a patient, the care and medical history treatments will be governed by the applicable health regulations of the corresponding center and will be reported at the center itself.

    4.3. Commercial communications (email, SMS, WhatsApp or other electronic means).

    Purpose: to send newsletters and promotional communications about services, campaigns and news of MIVI/selected center. If there is a previous contractual relationship, the sending of communications regarding similar services may be based on article 21.2 of the LSSI.

    Legal basis: consent (art. 6.1.a RGPD and art. 21 LSSI for electronic media).

    Retention: until the data subject withdraws consent or opposes its processing and, thereafter, blocking by prescription periods.

    Unsubscription: the user may unsubscribe from the link included in each communication or by writing to dpo@mivisalud.com.

    SMS: in addition, the terms and conditions of the mobile messaging service published in the Legal Notice apply (registration, cancellation “STOP”, operator costs, etc.).

    4.4. Selection Processes (HR)

    Purpose: to manage current and future applications; to contact the candidate and assess his or her suitability.

    Legal basis: Pre-contractual measures (Art. 6.1.b) and/or consent when the candidate spontaneously submits his or her CV (Art. 6.1.a).

    Conservation: 24 months from the last interaction, unless the candidate requests its deletion beforehand.

    4.5. Security, fraud prevention and compliance

    Purpose: to ensure the security of the website, prevent misuse, respond to legal requirements and exercise/defend claims.

    Legal basis: legitimate interest (art. 6.1.f) and compliance with legal obligations (art. 6.1.c).

    Conservation: for the time necessary to fulfill the purpose and the applicable legal terms.

    4.6. Provision of health care services

    Purpose: When the user becomes a patient of any of the health centers integrated in the MIVI Group, your personal data will be processed for the purpose of:

    • Manage the provision of health care services.
    • Preparation and custody of medical records.
    • Perform diagnostic tests and treatments.
    • Manage successive appointments, medical follow-up and continuity of care.
    • Comply with legal obligations in health matters.
    • Manage billing and collection of services rendered.
    • To attend to possible claims or liabilities arising from the healthcare activity.

    Legal basis of the processing: The processing is based on:

    • The execution of the contractual assistance relationship (art. 6.1.b RGPD).
    • Compliance with legal obligations in health matters (art. 6.1.c RGPD).
    • The processing of health data necessary for the purposes of preventive medicine, medical diagnosis, provision of health care or treatment (art. 9.2.h RGPD).

    Retention: Clinical data will be kept for the periods established in the applicable health regulations, which generally establish a minimum of five years from the date of discharge from each health care process, without prejudice to other longer periods that may be required by regional or sectorial regulations.

    1. Recipients and processors: to whom do we communicate data?

    Data may be communicated only to:

    1. Company/center of the Annex I selected by the user (management of the request/appointment/service).
    2. Public authorities and/or third parties when there is a legal obligation, administrative/judicial requirement or it is necessary for the formulation, exercise or defense of claims.
    3. Data processors: External providers who provide services to MIVI and who, in the exercise of their activity, may access personal data on behalf of MIVI, such as: Web hosting and technical maintenance providers, email marketing and electronic messaging services, administrative consultancies and administrative agencies. All of them act under contract in accordance with article 28 of the RGPD, exclusively following MIVI’s instructions and with the appropriate guarantees in terms of security and confidentiality.

    6. International Transfers

    In the context of the processing described in this Policy, MIVI does not carry out international transfers of data outside the European Economic Area.

    Should suppliers involving international transfers be used in the future, these would be carried out with appropriate safeguards in accordance with Regulation (EU) 2016/679.

    1. Social networks

    MIVI has a presence on social networks (e.g. Instagram, LinkedIn, Meta/Facebook, YouTube). The data processing carried out by these platforms is governed by their own privacy policies. However, when the user interacts with MIVI corporate profiles, MIVI may process minimal data (e.g. username, messages sent) to manage the interaction and, if applicable, to answer queries or requests.

    1. Conservation periods

    Personal data will be kept for the time strictly necessary to fulfill the purpose for which they were collected and, subsequently, will be kept duly blocked during the legally established statute of limitations for the attention of possible liabilities arising from the processing, in accordance with the provisions of Article 32 of the Organic Law 3/2018.

    The blocking implies that the data will remain at the exclusive disposal of judges and courts, the Public Prosecutor’s Office or competent Public Administrations, in particular the data protection authorities, for the enforcement of possible liabilities, and may not be processed for any other purpose.

    Depending on each treatment, the applicable deadlines will be as follows:

    9.1. Contact forms and general inquiries

    The data will be kept until the complete management and resolution of the query raised.
    Once the management is completed, they will be kept blocked during the generally applicable statute of limitations period for civil actions (up to five years, according to article 1964 of the Civil Code), unless another specific period is applicable.

    9.2. Online appointment request and management

    The data will be kept for the time necessary to process the requested appointment and, where appropriate, up to a maximum of three months after the appointment when no healthcare relationship arises.

    In the event that the user becomes a patient of one of the health centers, the subsequent processing of his/her data will be governed by the applicable health regulations and by the specific policy of the corresponding center.

    After the end of the processing linked to the appointment, the data may be blocked for the applicable statutory limitation periods.

    9.3. Electronic commercial communications (email, SMS, WhatsApp or other equivalent means).

    The data will be kept as long as the data subject does not withdraw his consent or does not object to the processing.

    Once the consent has been revoked or the right of opposition has been exercised, the data may be kept blocked for the period necessary to meet possible liabilities arising from the sending of commercial communications (up to five years in general).

    9.4. Personnel Selection Processes (HR)

    Curricular data will be kept for a maximum of twenty-four (24) months from the last interaction with the candidate, unless the candidate requests its deletion before that time.

    At the end of this period, the data will be deleted or anonymized, and will only be kept blocked when necessary for the attention of possible legal responsibilities.

    9.5. Website security and fraud prevention

    The technical data associated with navigation, access logs and security systems will be kept for the time necessary to ensure the security of the system and prevent unauthorized access.

    In case of security incidents, the data may be retained for the time necessary for the investigation of the facts and the eventual clarification of responsibilities.

    9.6. Compliance with legal obligations

    When the processing derives from the fulfillment of legal obligations, the data will be kept for the period required by the specific regulations applicable in each case (tax, commercial, health or other sectorial regulations).

    9.7. Provision of health care services

    When the user becomes a patient of one of the MIVI Group’s healthcare centers, his/her personal data, including the data related to his/her health that are included in the medical record, will be kept for the periods established in the applicable health regulations.

    In general, clinical documentation shall be kept for a minimum of five (5) years from the date of discharge from each care process, in accordance with the provisions of Law 41/2002, without prejudice to:

    • Longer deadlines that may be required by regional or sectorial regulations.
    • The need for conservation for the formulation, exercise or defense of claims.
    • Legal obligations in tax, accounting or administrative matters.

    After these deadlines, the information will be deleted or, if necessary, securely anonymized, unless it must be kept blocked to meet legal responsibilities.

    General conservation criteria

    After the deadlines indicated, the data will be securely deleted or anonymized in such a way that it is no longer possible to identify the data subject.

    1. What rights does the user have?

    At any time, the user may exercise the rights recognized by current legislation on data protection, in particular the following:

    10.1. Right of access

    To obtain confirmation as to whether MIVI is processing personal data concerning him/her and, if so, to access such data, as well as to obtain information on the purposes of the processing, categories of data processed, recipients, storage period and other legally required information.

    10.2. Right of rectification

    Request the modification of inaccurate or incomplete personal data.

    10.3. Right to suppression

    Request the deletion of your data when, among other reasons:

    • are no longer needed for the purposes for which they were collected,
    • has withdrawn its consent,
    • you object to the processing and no other legitimate reasons prevail,
    • the data have been unlawfully processed.

    The deletion may be limited when the processing is necessary for compliance with legal obligations or for the formulation, exercise or defense of claims.

    10.4. Right to limitation of processing

    Request the limitation of the processing of your data when:

    • challenge the accuracy of the data,
    • the processing is unlawful and you object to the deletion,
    • MIVI does not need the data but the interested party requires them for the formulation, exercise or defense of claims,
    • has objected to the processing while it is being verified whether the legitimate reasons prevail.

    10.5. Right to portability

    Receive the personal data you have provided in a structured, commonly used and machine-readable format and transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means.

    10.6. Right of opposition

    Oppose the processing of your data when this is based on the legitimate interest of MIVI.
    You may also object at any time to the sending of commercial communications.

    10.7. Right to withdraw consent

    Where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of the processing carried out prior to your withdrawal.

    How to exercise your rights

    The exercise of rights is free of charge.

    The data subject may exercise his or her rights by sending a written request to dpo@mivisalud.com or directly to the Data Protection Officer at xavi@auris.legal.

    The application should indicate:

    • First and last name.
    • Right you wish to exercise.
    • Address for notification purposes (if you do not use your own e-mail address).

    MIVI may request additional information when necessary to confirm the identity of the data subject, especially in case of reasonable doubt.

    MIVI will respond to requests within one month of receipt.
    This deadline may be extended by up to two additional months when necessary, taking into account the complexity and number of requests. In such a case, the interested party will be informed of the extension within the first month.

    If the data subject considers that his or her rights have not been duly addressed, he or she may lodge a complaint with the competent supervisory authority.

    In Spain, the competent authority is:

    Spanish Data Protection Agency (AEPD)
    www.aepd.es

    1. Safety measures

    MIVI implements appropriate technical and organizational measures to protect data and reduce risks (access control, activity logging, encryption where appropriate, internal procedures and incident management). When a security incident occurs that involves a high risk to the rights and freedoms of individuals, MIVI will report the incident in accordance with applicable regulations.

    1. Commercial communications

    MIVI will not send electronic commercial communications without a legitimate basis. In any commercial communication, a simple mechanism to unsubscribe will be provided, and the user may revoke his/her consent at any time by writing to dpo@mivisalud.com or by using the link provided.

    1. Changes in the Privacy Policy

    MIVI may update this Policy to adapt it to regulatory or treatment changes. The current version will be published on the website indicating the date of the last update.

    ANNEX I – COMPANIES/ENTITIES CO-RESPONSIBLE WITH MIVI

    • MIVI MADRID, S.L. – B21802228
    • MIVI FUENSANTA, S.L. – B21900469
    • MIVI CORP, S.L. – B56714496
    • MIVI MARBELLA, S.L. – B70620554
    • MIVI TENERIFE, S.L. – B72552276
    • INSTITUTO ALIAGA, S.L. – B64707011
    • INSTITUTO DEL DOLOR SANT CUGAT, S.L. – B66442252
    • FISIOTERAPIA Y REHABILITACIÓN ALAMEDA 16, S.L. – B93004109
    • MIVI HOSPITALS MURCIA, S.L. – B75605881
    • IWO SALUD, S.L. – B44638385
    • MIVI BARCELONA, S.L. – B75515361
    • MIVI VALENCIA, S.L. – B16974909
    • MIVI LLEIDA, S.L. – B70624168
    • MIVI COSTA SOL, S.L. – B70624440
    • MIVI SALUD, S.L. – B02747756
    • INSTITUT DOLOR VALLÈS, S.L. – B67562272
    • MIVI SEVILLA, S.L. – B09915786
    • MIVI GRANADA, S.L. – B13856505
    • MIVI CARE, S.L. – B13817812
    • DELTA MEDICS SIGMA, S.L. – B13664669
    • ALTERSALUS CONSULTING, S.L. – B66428038
    • MIVI MANRESA, S.L. – B70620281
    • INSTITUTO DEL DOLOR EL PILAR, S.L. – B66260084
    • MIVI BENIDORM, S.L. – B56995517
    • MIVI CÁCERES, S.L. – B75253112
    • MIVI HOSPITALES DÉNIA, S.L. – B56995442
    • MIVI MASPALOMAS, S.L. – B55379283
    • OMEGA SALUD INVERSIONES, S.L. – B75669275
    • MIVI TORREVIEJA, S.L. – B56244528
    • MIVI ESTEPONA, S.L.U. – B55378194
    • CASANTEGRA MÈDICS, S.L. – B65969727
    • MIVI TOLEDO, S.L. – B21900188
    • MIVI SEGOVIA, S.L. – B21900436
    • MIVI COSTA DAURADA, S.L. – B19934272
    • IDE BARCELONA – B70623681
    • TIVANA GLOBAL, S.L. – B23994684
    • MIVI ESPLUGUES, S.L.U. – B75664151
    • MIVI HUELVA, S.L.U. – B75605741
    • MIVI NERVIÓN S.L.U – B75663864