Neural Omega S.L. ("Neural Omega," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. As a biotechnology company developing solutions for autoimmune disease management, we process sensitive personal data, including health information, in accordance with the highest standards of data protection.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platforms and services. This policy has been designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and applicable international data protection standards.
This policy applies to Neural Omega (corporate website), Neural Omega Health (patient and clinician platform), and Neural Omega Research (bioinformatics tools and research platform).
1. Data Controller and Contact Information
Neural Omega S.L. is the data controller responsible for processing your personal data in accordance with this Privacy Policy.
For all data protection matters, including exercising your rights under GDPR, please contact our Data Protection Officer.
2. Categories of Personal Data We Collect
2.1 Basic Personal Information
We collect standard personal information to provide and maintain our services, including identification data (full name, date of birth, nationality), contact information (email, telephone, postal address), account credentials, professional information (institution, licence numbers), and financial data (billing address, payment method processed through PCI-DSS compliant processors — we do not store full card details).
2.2 Health and Medical Data (Special Category Data)
When you use Neural Omega Health, we process special categories of personal data under Article 9 GDPR, including clinical information (diagnoses, lab results, medication history), patient-reported data (symptoms, disease activity indices, quality of life assessments), biometric and physiological data from wearable devices (with explicit consent), and genetic and molecular data (under explicit informed consent).
Special Category Data Notice
Health and medical data receive enhanced protection under GDPR Article 9. We process this data only with your explicit consent or where necessary for the provision of healthcare services. You have the right to withdraw your consent at any time. Health data is encrypted in transit (TLS 1.3) and at rest (AES-256), stored in ISO 27001-certified data centres within the European Economic Area, and subject to strict access controls.
2.3 Research and Scientific Data
When you use Neural Omega Research or participate in research activities, we process de-identified or pseudonymised datasets, research queries and protocol designs, computational workflows, authorship information, and sample identifiers where applicable to biobanking activities.
2.4 Technical and Usage Data
We automatically collect device and browser information, usage analytics (pages accessed, feature adoption), network data (IP address, anonymised where possible), performance data, and security data (login attempts, authentication events).
2.5 Communications and Support Data
We collect correspondence (emails, support tickets, feedback submissions) and marketing communications data (newsletter subscriptions, event registrations, marketing preferences).
3. Legal Basis for Processing Personal Data
Under GDPR Article 6, we process your personal data only where we have a valid legal basis:
Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)
We rely on your explicit consent for processing special category health data, sharing anonymised data for research, sending marketing communications, using non-essential cookies, and collecting biometric data. You may withdraw consent at any time through your account settings.
Contractual Necessity (Art. 6(1)(b) GDPR)
Processing is necessary to perform our contract with you, including account creation and management, provision of platform features, payment processing, customer support, and delivery of requested reports or analyses.
Legal Obligation (Art. 6(1)(c) GDPR)
Processing is necessary to comply with legal obligations, including responding to regulatory requests, tax and accounting obligations, compliance with healthcare regulations, and maintaining records as required by Spanish and EU law.
Legitimate Interests (Art. 6(1)(f) GDPR)
We process data based on legitimate interests — improving security and preventing fraud, conducting internal analytics to enhance user experience, protecting intellectual property, and exercising or defending legal claims — where these do not override your rights.
Public Health and Scientific Research (Art. 9(2)(i) and (j) GDPR)
Where applicable, we process health data for public health monitoring and scientific research in the field of autoimmune disease, subject to pseudonymisation, data minimisation, and ethics committee approval.
4. How We Use Your Personal Data
4.1 Service Provision and Platform Functionality
To provide access to Neural Omega platforms, enable communication between patients and healthcare providers, process bioinformatics data for research institutions, generate clinical decision support tools, and facilitate data sharing within your authorised care team.
4.2 Research and Development
To conduct scientific research into autoimmune disease mechanisms, develop and improve AI/ML algorithms for predictive analytics, identify disease patterns and biomarkers, and publish anonymised research findings in peer-reviewed literature.
Research Data Safeguards: All research uses pseudonymised or anonymised data wherever possible. Where identifiable data is necessary, processing occurs under explicit consent, ethics committee approval, and in compliance with Good Clinical Practice (GCP) standards.
4.3 Platform Improvement and Innovation
To analyse usage patterns to enhance user experience, develop new features based on user needs, test and validate new algorithms, and optimise platform performance and reliability.
4.4 Communication and Support
To respond to enquiries, provide technical support, send service notifications, communicate changes to our services or policies, and send marketing communications (with consent).
4.5 Security, Fraud Prevention, and Legal Compliance
To monitor and prevent unauthorised access, comply with legal obligations, enforce our Terms of Service, protect our intellectual property, and exercise or defend legal claims.
4.6 Automated Decision-Making and Profiling
Our platforms may use AI and machine learning to provide personalised insights and recommend treatment options. Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing. Our AI-powered recommendations are designed as clinical decision support tools — all clinical decisions must be made by qualified healthcare professionals.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your data only in the following strictly limited circumstances:
5.1 Healthcare Providers and Care Teams
With your explicit authorisation, we share relevant health information with your designated healthcare providers to facilitate coordinated care.
5.2 Research Collaborators and Academic Institutions
We may share anonymised or pseudonymised data with trusted research partners including academic medical centres, pharmaceutical and biotechnology companies, clinical research organisations, and public health agencies. Data shared for research is subject to Data Processing Agreements, ethics approvals, and strict confidentiality obligations. Where identifiable data is shared, we obtain your explicit informed consent.
5.3 Service Providers and Processors
We engage carefully vetted third-party service providers for cloud infrastructure (ISO 27001 and SOC 2 certified, EU-based data centres), payment processing (PCI-DSS compliant), email and communication platforms, customer support software, and analytics tools. All processors are bound by GDPR Article 28-compliant Data Processing Agreements.
5.4 Legal and Regulatory Authorities
We may disclose personal data when required by law, including responding to valid legal process, complying with regulatory investigations, reporting adverse events to medicines agencies, or cooperating with legitimate law enforcement investigations.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such change and ensure the acquiring party commits to protecting your data under equivalent terms.
5.6 Aggregated and Anonymised Data
We may share aggregated, anonymised data that cannot reasonably be used to identify individuals, including statistical reports, research publications, and industry benchmarking data.
6. International Data Transfers
Neural Omega primarily processes and stores personal data within the European Economic Area (EEA), in data centres located in Spain and other EU member states.
In limited circumstances, we may transfer personal data outside the EEA: to the United Kingdom (recognised as adequate by the European Commission), to the United States (only to providers certified under the EU-U.S. Data Privacy Framework or subject to Standard Contractual Clauses), and to other countries only where an adequacy decision exists or appropriate safeguards are in place.
For health data, we employ additional safeguards including encryption in transit and at rest, pseudonymisation where possible, and contractual restrictions on processing. You may request information about specific safeguards applied to international transfers by contacting our DPO at dpo@neuralomega.com.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations:
Account and Profile Data
Duration of active account plus 12 months following account closure, unless longer retention is required by law or for legitimate purposes (e.g., defending legal claims).
Health and Medical Data
Duration of active account plus a minimum of 10 years following the last healthcare interaction, in accordance with Spanish medical records retention requirements (RD 1093/2010). Longer retention may apply for ongoing research under explicit consent.
Research Data
Pseudonymised or anonymised research data may be retained indefinitely for scientific purposes. Identifiable research data is retained only as long as necessary for the specific research project, typically 5–15 years depending on regulatory requirements.
Financial and Transaction Data
Retained for 6 years from the end of the relevant financial year, in compliance with Spanish tax and accounting legislation.
Technical and Usage Data
Log files and usage analytics are typically retained for 12–24 months. Security logs may be retained longer where necessary for investigation or legal compliance.
At the end of the applicable retention period, personal data is securely deleted or anonymised.
8. Your Rights Under GDPR
As a data subject under GDPR, you have extensive rights regarding your personal data. To exercise any of the following rights, please contact our DPO at dpo@neuralomega.com. We will respond within one month.
Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about the purposes, categories, recipients, and retention periods. We provide one copy free of charge.
Right to Rectification (Art. 16 GDPR)
You have the right to correct inaccurate or incomplete personal data. Many corrections can be made directly through your account settings.
Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You may request deletion of your personal data where it is no longer necessary, you withdraw consent, you object to processing, or it has been unlawfully processed. This right is not absolute — we may retain data where we have a legal obligation or legitimate interest.
Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing where you contest the accuracy of the data, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV).
Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will cease processing immediately upon objection.
Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You may request human intervention and contest any automated decision.
Right to Lodge a Complaint
If you believe we have not processed your personal data in accordance with GDPR, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
Exercising Your Rights
Contact our Data Protection Officer at dpo@neuralomega.com. We will respond within one month, extendable by two further months for complex requests. We may request additional information to verify your identity.
9. Data Security and Protection Measures
We implement rigorous technical and organisational measures to protect personal data, aligned with ISO 27001 standards.
9.1 Technical Security Measures
End-to-end encryption for health data transmission using TLS 1.3; data at rest encrypted using AES-256. Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege principles ensure only authorised personnel access personal data. Firewalls, intrusion detection and prevention systems protect our infrastructure. Security-by-design principles are embedded throughout our development lifecycle.
9.2 Organisational Security Measures
Designated Data Protection Officer overseeing GDPR compliance. Mandatory data protection training for all staff. All employees and contractors sign confidentiality agreements. Documented procedures for detecting, reporting, investigating, and mitigating data breaches. Due diligence assessments of all third-party processors.
9.3 Breach Notification
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the AEPD within 72 hours as required by GDPR Article 33, and notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms as required by GDPR Article 34.
10. Cookies and Similar Technologies
Our platforms use cookies and similar tracking technologies to enhance functionality, analyse usage, and improve user experience, in adherence to the EU ePrivacy Directive.
10.1 Types of Cookies We Use
Strictly Necessary Cookies
Essential for website functionality, user authentication, and security. These cannot be disabled. Examples: session cookies, authentication tokens, security cookies.
Functional Cookies
Enable enhanced functionality and personalisation, such as remembering your preferences, language settings, and customised views. Require your consent.
Analytics Cookies
Help us understand how users interact with our platforms. We use privacy-preserving analytics tools with IP anonymisation. Require your consent.
Marketing Cookies (Not Currently Used)
We do not currently use third-party advertising or marketing cookies. Should this change in future, we will update this policy and obtain your explicit consent.
10.2 Managing Cookie Preferences
You can manage cookie preferences through our cookie consent banner (displayed on first visit), your account settings (for registered users), or your browser settings. Disabling certain cookies may limit functionality and affect your user experience.
11. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18 without verifiable parental or guardian consent.
If you are a parent or guardian and believe your child under 18 has provided personal data to us without consent, please contact us immediately at dpo@neuralomega.com. We will promptly investigate and delete such data.
In cases where our services are used for patients under 18, we require explicit consent from a parent or legal guardian with parental responsibility, in accordance with GDPR Article 8.
12. Third-Party Services and Links
Our platforms may contain links to third-party websites, services, or integrations (e.g., wearable device APIs, healthcare provider portals). This Privacy Policy applies only to Neural Omega's services. Third-party services have their own privacy policies and we are not responsible for their data practices. We encourage you to review the privacy policies of any third-party services you access through our platforms.
Where we integrate third-party services that process personal data on our behalf, we ensure they are bound by Data Processing Agreements and provide adequate safeguards.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will update the "Last Updated" date, notify you via email, display a prominent notice on our platforms, and where required by law, seek your renewed consent.
Your continued use of our services after notification of changes constitutes acceptance of the updated policy, unless you exercise your right to object or withdraw consent.
14. Intellectual Property and Confidentiality
Neural Omega's algorithms, AI models, bioinformatics tools, and clinical decision support systems constitute valuable intellectual property. Our algorithms, models, and methodologies are protected by intellectual property rights and trade secret laws. Reverse engineering, decompiling, or attempting to extract proprietary algorithms is strictly prohibited. Research data and analyses produced by our platforms remain subject to confidentiality obligations outlined in user agreements. Publications or disclosures of research findings must comply with data protection requirements and anonymisation standards.
15. Governing Law and Jurisdiction
This Privacy Policy shall be governed by the laws of Spain and the European Union, without regard to conflict of law principles.
Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Madrid, Spain, except where GDPR grants you the right to bring proceedings in the courts of your habitual residence.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we process your personal data, please contact us:
Neural Omega S.L.
Paseo de la Castellana 40, 8º Planta
28046 Madrid, España
NIF: B75998922
EUID: ES28065.082339668
Neural Omega S.L. is registered in the Mercantile Registry of Madrid and operates in full compliance with Spanish and European Union data protection legislation, including the General Data Protection Regulation (EU) 2016/679 and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.