Privacy Policy

Last updated: 24 September 2025

This Privacy Policy explains how MED IVD HEALTHTECH S.L. (the “Company”) processes personal data through this website (the “Site”) and in the context of our activities as a clinical research organization (CRO) and medtech/IVD consultancy. It complements the Legal Notice and the Cookies Policy.

1) Data Controller (Responsable del tratamiento)

  • Controller: MED IVD HEALTHTECH S.L.
  • Registered address: Calle Alejandro Casona 2, Portal 6-3B, San Sebastian de los Reyes, Spain
  • Tax ID (CIF): B67776807
  • Email: contact@mdxcro.com
  • Data Protection Officer (DPO): David Tome Lozano, david.tome@mdxcro.com

2) Scope and who this policy applies to 

This policy applies to: (i) visitors and users of the Site; (ii) individuals who contact us by any channel; (iii) clients, prospective clients, vendors, and partners; and (iv) job candidates. Where our services involve clinical research or regulatory projects, additional privacy information and documentation may apply (for example, study‑specific participant information sheets and informed consent forms provided by sponsors or investigators). In case of conflict, the study‑specific documentation shall prevail for the processing covered by it.

3) Purposes, legal bases, and retention 

We process personal data only for specified, explicit, and legitimate purposes, and we will not process it in a manner incompatible with those purposes. The table below summarises our main processing activities for the Site and our general operations.

  1. Website browsing
    • Data: IP address, device/identifier, logs, pages viewed, time stamps, basic geolocation.
    • Purpose: Provide and secure the Site; prevent abuse and fraud; produce aggregated metrics.
    • Legal basis: Legitimate interests (Site operation, security, service quality).
    • Retention: Short‑term logs (e.g., 12 months) unless extended for security or legal needs.
  2. Contact/Enquiry forms
    • Data: Identification data, contact details, message content, company, role.
    • Purpose: Handle enquiries, provide information or quotes, pre‑contractual steps.
    • Legal basis: Pre‑contractual steps; Legitimate interests (responding to requests).
    • Retention: For the time necessary to resolve the enquiry; if it leads to a contract, retained with the client file.
  3. Newsletter / marketing
    • Data: Identification data, contact details, preferences, engagement.
    • Purpose: Send newsletters, updates, invitations, or similar communications.
    • Legal basis: Consent (opt‑in); or Legitimate interests for B2B communications, where permitted.
    • Retention: Until withdrawal of consent or objection; we maintain suppression lists to honour opt‑outs.
  4. Client relationship
    • Data: Identification/billing data, professional data, transaction data, correspondence.
    • Purpose: Provide services, manage projects, billing and accounting, compliance.
    • Legal basis: Contract performance; Legal obligation (tax/accounting); Legitimate interests (service management).
    • Retention: During the contract and statutory limitation periods (e.g., 6–10 years for tax/accounting).
  5. Vendor/partner management
    • Data: Identification/professional data, contact details, financial data.
    • Purpose: Selection and management of suppliers and partners; due diligence.
    • Legal basis: Contract performance; Legitimate interests (business management); Legal obligations.
    • Retention: During the relationship and legal limitation periods.
  6. Recruitment (candidates)
    • Data: Identification, contact details, CV/resume data, professional/education data, notes from interviews.
    • Purpose: Evaluate applications and manage recruitment processes.
    • Legal basis: Pre‑contractual steps; Consent where required by local law.
    • Retention: Up to 24 months with consent for future opportunities; otherwise until the end of the process.
  7. Events / training
    • Data: Identification, contact details, preferences, images/audio (if recorded).
    • Purpose: Organise events, webinars, and training; attendance certificates.
    • Legal basis: Contract; Legitimate interests; Consent when required (e.g., image rights/recordings).
    • Retention: For the event lifecycle and legal limitation periods.
  8. Compliance and security
    • Data: Logs, access records, audit trails, communications metadata.
    • Purpose: Detect incidents, ensure network and information security, respond to legal requests.
    • Legal basis: Legal obligation; Legitimate interests (security, fraud prevention).
    • Retention: As required by law and security best practice.

Note on special categories of data: We do not intentionally collect special categories of personal data through the Site. In clinical research or specific consulting engagements, special categories may be processed under separate protocols, contracts, and ethical approvals. In those cases, participants will receive dedicated information and consent documentation.

4) Sources of data

We collect data directly from you (for example, when you submit a form, send an email, or sign a contract) and automatically through cookies and similar technologies (see Cookies Policy). We may also receive data from third parties, such as clients (for project delivery), partners, public sources, or recruitment platforms, always in accordance with applicable law.

5) Recipients and international transfers 

We share data only when necessary and with appropriate safeguards:

  • Service providers (processors): IT hosting, CRM, email, analytics, communication tools, events and webinar platforms, and other vendors under contracts that include confidentiality and data‑processing terms.
  • Professional advisers and auditors: For legal, tax, or regulatory advice and compliance.
  • Public authorities and courts: When required to comply with legal obligations or lawful requests.
  • Group companies/partners: Where necessary for project execution, with appropriate agreements.

International transfers: If personal data is transferred outside the European Economic Area (EEA), we will ensure an adequate level of protection by using one or more of the following: an adequacy decision, the EU Standard Contractual Clauses, binding corporate rules, or another lawful mechanism. Copies or information about these safeguards can be requested via the contact channels provided in Section 1.

6) Cookies and similar technologies 

We use cookies as described in our Cookies Policy, which forms part of this Privacy Policy. On your first visit, and whenever settings change, our consent banner will allow you to accept, reject, or configure non‑essential cookies, and to withdraw consent at any time.

7) Your rights 

You may exercise the following rights, subject to legal conditions and exceptions: access, rectification, erasure, restriction, objection, and data portability, as well as the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

  • How to exercise: Send a request to contact@mdxcro.com or to the postal address listed in Section 1, indicating “Data Protection” and specifying the right you wish to exercise. We may ask for information necessary to verify your identity. If we process your data based on consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal. You also have the right to object to processing based on legitimate interests, including profiling for direct marketing.
  • Supervisory authority: You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) (www.aepd.es) or your local supervisory authority.

8) Automated decision‑making and profiling

We do not make decisions based solely on automated processing that produce legal effects on you or similarly significantly affect you. If this changes, we will provide meaningful information about the logic involved and the envisaged consequences, and, where required, we will obtain your consent or provide an opt‑out mechanism.

9) Minors 

The Site is not intended for children under 14 years of age. If you are the parent or guardian of a minor and believe that your child has provided us with personal data, please contact us to request deletion or appropriate action.

10) Security measures 

We implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals. However, no online service can be completely secure; users should use caution when sharing information.

11) Social media and third‑party links 

Our profiles on social networks are governed by this policy and by the terms and policies of each platform. Please review their privacy settings and notices. The Site may link to third‑party websites. We are not responsible for their privacy practices.

12) Changes to this Policy 

We may update this Privacy Policy to reflect legal, technical, or business changes. The updated version will be indicated by the “Last updated” date and will be effective upon publication. If changes materially affect your rights, we will provide additional notice where appropriate.

13) Contact 

For any questions or to exercise your rights, contact us at contact@mdxcro.com or write to our registered address indicated in Section 1. If applicable, you may also contact our DPO at the address provided above.

Annex — Detailed processing records 

The following outlines typical processing activities relevant to the Site and our operations. Full internal records are maintained in accordance with Article 30 GDPR.

  1. Website operation and security
    • Data: IP, device identifiers, logs.
    • Basis: Legitimate interests (ensure availability, security, fraud prevention).
    • Retention: Short‑term logs (e.g., up to 12 months) unless extended for security/legal needs.
  2. Contact management
    • Data: Name, email, phone, company, role, message.
    • Basis: Pre‑contractual steps; Legitimate interests (respond to requests).
    • Retention: Until resolution; if converted to client, retained with client file.
  3. Marketing communications
    • Data: Name, email, preferences, engagement.
    • Basis: Consent (opt‑in) or Legitimate interests for B2B where permitted; ability to opt out at any time.
    • Retention: Until withdrawal/objection; suppression list retained to avoid future mailings.
  4. Client service delivery
    • Data: Contact and billing data, project communications and artefacts.
    • Basis: Contract; Legal obligations (tax/accounting); Legitimate interests (service quality, defence of claims).
    • Retention: Contract term + statutory limitation periods (e.g., 6–10 years for tax/accounting).
  5. Events, webinars, and training
    • Data: Contact data, attendance, recordings/images where applicable.
    • Basis: Contract; Consent for recordings/images if required; Legitimate interests (community engagement).
    • Retention: Event lifecycle + limitation periods.
  6. Recruitment
    • Data: CV/resume, experience, education, references, evaluation notes.
    • Basis: Pre‑contractual steps; Consent where required.
    • Retention: Up to 24 months with consent for future opportunities; otherwise until end of process.
  7. Compliance
    • Data: Audit trails, logs, KYC/AML data where applicable.
    • Basis: Legal obligation; Legitimate interests (compliance, defence of claims).
    • Retention: As required by law and internal policies.