Privacy Policy: Your Data, Your Control
We are committed to protecting your privacy and ensuring the security of your information.
Our Commitment
Supper guarantees compliance with current regulations on personal data protection, reflected in Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPD GDD). We also comply with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons (GDPR).
Supper has adopted the legally required protection levels and has installed all technical measures within its reach to prevent loss, misuse, alteration and unauthorized access by third parties, as set forth below. The use of the website implies acceptance of this Privacy Policy as well as the conditions included in the Legal Notice.
Data Controller
The organization responsible for the processing of your personal data is Supper, with contact email: support@thesupper.co, hereinafter "Supper".
Purposes
We will process your personal data provided through our web forms for:
- Attending to requests and incidents sent through our contact channels incorporated on the website.
- Understanding the behavior of the browser within the web to detect possible computer attacks on our website.
- Complying with legal obligations that are directly applicable to us and regulate our activity.
- Protecting and exercising our rights or responding to claims of any kind.
- Sending commercial communications related to the goods or services that make up our activity, and/or news or newsletters related to our sector.
- Managing the commercial relationship.
Google API Services: Data Collection, Use, and Storage
Supper uses Google API Services to provide enhanced functionality to our users. This section describes how we collect, use, store, and share Google user data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
Google Data We Collect
When you authenticate with Supper using your Google account or connect your Google Calendar, we collect and process the following Google user data:
- Google Account Authentication Data: Your email address, profile information (name, profile picture), and unique Google user identifier when you sign in using Google OAuth.
- Google Calendar Data: When you explicitly connect your Google Calendar to Supper, we access your calendar events to enable appointment scheduling and calendar synchronization features. This includes event details such as title, description, date, time, and participants.
How We Use Google Data
We use the Google user data collected for the following specific purposes:
- Authentication: To verify your identity and provide secure access to your Supper account.
- Account Management: To create and maintain your user profile within our application.
- Calendar Integration: To create, read, update, and delete calendar events on your behalf for managing appointments and scheduling within Supper's healthcare management platform.
- Service Improvement: To improve our services and user experience, but only in an aggregated and anonymized manner that does not identify individual users.
Supper's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for any purposes other than those explicitly stated above.
How We Store Google Data
Google user data is stored securely in our systems with the following protections:
- Encryption in Transit: All communications with Google APIs and data transfers use TLS 1.2+ encryption to protect data during transmission.
- Access Controls: Access to Google user data is strictly limited to authorized personnel who require it to provide our services. All administrators use multi-factor authentication.
- Secure Infrastructure: Data is stored on secure cloud servers within the European Union that comply with GDPR and international security standards.
- Token Security: Google OAuth access and refresh tokens are stored securely in our database and are only used to access Google services on your behalf when you explicitly request calendar-related actions within Supper.
How Long We Retain Google Data
We retain Google user data only for as long as necessary to provide our services:
- Active Accounts: While your Supper account remains active and you maintain the Google Calendar connection.
- Account Deletion: When you delete your Supper account or disconnect your Google Calendar, all associated Google user data, including OAuth tokens and cached calendar information, is permanently deleted from our systems within 30 days.
- Revoked Permissions: If you revoke Supper's access to your Google account through your Google Account settings, we will no longer be able to access your Google data, and you may disconnect the integration from within Supper.
Sharing of Google Data
We do not sell, rent, or share your Google user data with third parties, except in the following limited circumstances:
- Google APIs: We share data with Google's APIs only as necessary to provide the calendar integration features you request.
- Legal Requirements: When required by law, court order, or governmental authority.
- Service Protection: To protect the rights, property, or safety of Supper, our users, or others when legally permitted.
We do not use or transfer Google user data for purposes unrelated to providing and improving Supper's core healthcare management functionality. We do not use Google user data for serving advertisements.
Your Control Over Google Data
You have full control over the Google data we collect and use:
- Disconnect at Any Time: You can disconnect your Google Calendar integration from within your Supper account settings at any time.
- Revoke Access: You can revoke Supper's access to your Google account at any time through your Google Account permissions page.
- Data Deletion: You can request deletion of your Google data by contacting us at support@thesupper.co or by deleting your Supper account.
- Limited Scope: Supper only requests the minimum necessary permissions (scopes) from Google to provide the features you use.
Legal Basis
The applicable legal basis complies with the requirements of the current legal framework on data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- In the consent you have granted us to process your data for the indicated purposes.
- To comply with legal obligations applicable to us. In this case, the interested party may not refuse the processing of their personal data.
- In our legitimate interest to protect our image, business and trajectory by preventing attacks on our website. In this case, the interested party may not refuse the processing of their personal data, but may exercise, where appropriate, the rights recognized in section eight of this policy.
- Execution of a contract in which you are a party or application of pre-contractual measures.
- In the consent you have granted us for the processing of your data for purposes unrelated to the development or execution of the existing contract.
The refusal to provide your personal data will make it impossible to process them for the purposes mentioned above.
Data Retention
The personal data provided will be retained for the time necessary to fulfill the purposes for which they were initially collected. Once the data are no longer necessary for the processing in question, they will be securely blocked so that, where appropriate, they can be made available to the competent Public Administrations and Bodies, Judges and Courts or Public Prosecutor's Office, in accordance with the limitation periods for actions that may arise from the relationship maintained with the client and/or the legally provided retention periods.
Data blocking periods:
- Civil Code: 5 or 15 years depending on the case, in accordance with the provisions of article 1964.2 of said legal body.
- Commercial Code: For 6 years, in accordance with the provisions of article 30 of said legal body. Applies to commercial information (invoices issued and received, tickets, corrective invoices, bank documents, etc.).
- General Tax Legislation: For 4 years in accordance with the provisions of articles 66 to 70 of said law. Applies to information related to tax obligations.
Recipients
We do not transfer your personal data to anyone, except for those public or private entities to which we are obliged to provide your personal data to comply with some law.
During the period of processing of your personal data, the organization may transfer your data to the following recipients:
- Judges and Courts.
- State Security Forces and Corps.
- Other competent authorities or public bodies, when the data controller has the legal obligation to provide personal data.
We guarantee that access, inspection, processing and supply of personal data will be carried out only in accordance with the principle of need to know, that is, information will only be provided to those people who require personal data for their work in relation to the provision of Services.
International Transfers
The Supper application is hosted exclusively on EU servers. However, we use some analysis, hosting and internal communication services to support our business. All our data processors comply with GDPR requirements and are located within the European Economic Area or have adequate safeguards in place.
Security
To protect your personal data, Supper takes all reasonable precautions and follows industry best practices to prevent loss, misuse, unauthorized access, disclosure, alteration or destruction of your personal data.
We maintain internal policies and procedures designed to:
- Protect any User Personal Data processed by us against accidental or unlawful loss, accidental or unlawful access or disclosure.
- Identify internal and reasonably foreseeable risks to the security and unauthorized access to user personal data processed by us.
- Minimize security risks, including through risk assessment and periodic testing.
We will conduct periodic reviews of our network security and the adequacy of our information security program with respect to industry security standards and our policies and procedures.
The website is hosted on secure cloud infrastructure. The security of your data is guaranteed, as these services take all necessary security measures. Most of the security, encryption, etc. is managed by their systems.
Here is a summary of the data protection policies we apply:
- All communications with all systems use SSL and TLS 1.2.
- All data is stored encrypted following industry standards.
- All Supper administrators have multi-factor authentication (MFA) to access our systems.
- All administrator actions performed on production systems are logged.
Your Rights
Interested parties may exercise at any time and free of charge their rights of access, rectification and deletion, as well as request the limitation of the processing of their personal data, object to the processing, request the portability of their personal data (whenever technically possible) or withdraw the consent given, and, where applicable, not to be subject to a decision based solely on automated processing, including profiling.
To do this, you can use the forms provided by the organization, or send a letter to the postal address or email address indicated above. In any case, your request must be accompanied by a photocopy of your ID or equivalent document, in order to prove your identity.
If you consider that your rights regarding the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you may file a claim with the competent Data Protection Control Authority (Spanish Data Protection Agency), through its website: www.agpd.es.
In compliance with the provisions of article 21 of Law 34/2002 on information society services and electronic commerce, if you do not wish to receive more information about our services, you can unsubscribe by sending an email to the address support@thesupper.co, with the subject "UNSUBSCRIBE".
Accuracy of Data
The interested party guarantees that the data provided are true, accurate, complete and up-to-date; committing to communicate any modification regarding the data provided, through the channels provided for this purpose and indicated in the first point of this policy. The user will be responsible for any damage or harm, direct or indirect, that may be caused as a result of non-compliance with this obligation. In the event that the user provides data from third parties, they declare that they have the consent of the interested parties and commit to transfer the information contained in this clause, exempting the organization from any responsibility derived from non-compliance with this obligation.