Privacy Policy

Last update: October 30th 2025

1. INTRODUCTION

The privacy and security of our Users’ personal data—and in particular medical data, due to its especially sensitive and confidential nature—are a top priority for Esthetica, the trade name of Microsurgery S.L. ('Microsurgery' or the 'Company'). This Privacy Policy applies to the processing of Users’ personal data on this website ('Website'), through our patient support channels via WhatsApp ('WhatsApp'), and more broadly across all digital communication channels through which Esthetica provides its services (the 'Services').

You are not required to provide us with personal data if you do not wish to, and you can still access the content of our Website and Social Media. However, to use our Services, it is necessary to provide certain personal data. If you do not provide the data needed to deliver the Services you have requested, or if you object to such processing, we may be unable to provide the Services, or may only be able to provide them partially.

For certain activities, we process your personal data based on our legitimate interest. In such cases, we conduct a careful balancing test to ensure that your fundamental rights are not compromised or put at risk by our legitimate interest. You always have the right to contact us to object to such processing.

We encourage our Users to read this Policy carefully, along with our terms and conditions set out in our Legal Notice, before using any of our Services.

2. PURPOSE OF THIS POLICY

The main purpose of this Policy is to provide comprehensive information on how we collect, use, store, disclose, and process our Users’ personal data when we act as the data controller. The data controller is the entity that determines the purposes and means of processing personal data.

Under our collaboration agreements with the Surgeons we recommend, and always with the User’s express consent, we share the User’s personal and medical data with the proposed Surgeon so that the Surgeon can provide services to the User. From that point on, the Surgeon becomes an independent data controller for that data.

The Surgeon must explain to the User how their data is processed as an independent data controller. Therefore, it is important that when a User contacts or visits a Surgeon, they review the Surgeon’s privacy policy and provide their explicit consent to such processing. The information provided in this Policy does not replace the information that Surgeons are required to provide, nor does it exempt them from any other data protection obligations.

3. DATA CONTROLLER

The Data Controller of the personal data of Users of this Website and of Esthetica’s Services is Microsurgery, S.L.U. (hereinafter referred to, interchangeably, as 'Esthetica' or 'Microsurgery'), with registered office at Calle Molinos 10, 30002 Murcia (Spain), Tax ID B-05508882, and registered in the Murcia Commercial Registry, Volume 3333, Folio 46, Section 8, Sheet MU-98028; as the owner and controller of the Website, the communication channels, and the forms used to collect such data.

4. DATA PROTECTION OFFICER

Microsurgery S.L. has appointed a Data Protection Officer, whom our Users can contact regarding any matter related to the processing of their personal data at info@esthetica.es.

5. SOURCE OF THE DATA

As a general rule, the personal data we process is obtained directly from our Users when they complete any of the forms and questionnaires available on our Website, at which point we obtain their express consent. These forms or questionnaires are intended for: 1) scheduling advisory sessions with our patient care team; 2) preparing these advisory sessions by our patient care managers based on the patients’ motivations, concerns, and medical history; and 3) enabling patients to evaluate the surgical proposals produced by the recommended surgeons and presented to them by our team.

Additionally, a User may access our communication channels via WhatsApp and Social Media to request information of various kinds, in which case we will temporarily process any publicly available identifying data from their account(s), such as their name, username, and/or phone number. In these cases, we always ask Users to first complete the advisory session scheduling form, if they have not already done so, to identify them unequivocally and obtain their express consent for the processing of their data. If the User does not complete this form and provide their express consent for processing within 7 calendar days, any public data identifying them on these channels will be deleted. Every User of these communication channels has the right to control what personal data they share with third parties through the Privacy Settings of the corresponding applications.

It is also common for a User to share the contact details of a friend or family member interested in using our Services. The User sharing a third party’s data must have obtained that person’s express consent; Esthetica is not responsible for the absence of such consent. In any case, when this occurs, we always inform our Users that the interested person must complete the advisory session scheduling form and provide their express consent for the processing of their data.

Our Website also collects User data automatically through tracking technologies (such as cookies). You can find more information about the cookies and other tracking technologies we use in our Cookies Policy.

In order to coordinate the logistics and patient experience before, during, and after surgery, we may receive medical data related to appointment dates and patient outcomes from the Surgeons and Medical Centers, in which case we act not as data controllers but as data processors.

6. PURPOSES, LEGAL BASES AND CATEGORIES OF DATA

- 1 -

Purpose: To track Users visiting our Website and analyze their interaction with its content in order to offer them personalized services and content.
Legal basis: Express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (IP address, browser); personal characteristics (language, pages visited, videos watched, time spent, playback time).

- 2 -

Purpose: To contact Users who request our advisory service through the appointment scheduling form on the Website, in order to provide such service.
Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (first and last name); contact data (mobile phone number, WhatsApp number, email address); health data (surgical procedures of interest).

- 3 -

Purpose: To prepare the advisory session in order to tailor surgeon recommendations to the patient’s characteristics, preferences, and medical history, and to verify their suitability to receive the recommendation.
Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (first and last name, ID/NIE/passport, full address); personal characteristics (gender, date of birth, height, weight); contact data (mobile phone number, WhatsApp number, email address); financial data (need for financing); employment data (occupation); health data (surgical procedures of interest, aesthetic improvement goals, motivations, concerns, habits, medical history, current medical conditions, allergies, previous experiences with surgery and aesthetic medicine).

- 4 -

Purpose: To schedule the evaluation in the surgeon’s agenda and provide them with the patient’s data and case information, in order to provide medical advice and develop a surgical proposal.
Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (first and last name, ID/NIE/passport, full address); personal characteristics (gender, date of birth, height, weight); contact data (mobile phone number, WhatsApp number, email address); financial data (need for financing); employment data (occupation); health data (surgical procedures of interest, aesthetic improvement goals, motivations, concerns, habits, medical history, current medical conditions, allergies, previous experiences with surgery and aesthetic medicine).

- 5 -

Purpose: To contact patients who have been evaluated by a recommended surgeon, in order to present the surgical proposal prepared by the surgeon, obtain their feedback, and act as an intermediary between the patient and surgeon to facilitate acceptance of the proposal.
Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (first and last name); contact data (mobile phone number, WhatsApp number, email address); medical data (feedback on the surgical proposal).

- 6 -

Purpose: To coordinate the logistics and patient experience during the preoperative, surgery, and postoperative phases, acting as a communication link between the Patient, Surgeon, and Medical Center.
Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and express consent provided (Art. 6.1.a GDPR).
Categories of data: Identifying data (first and last name); contact data (mobile phone number, WhatsApp number, email address); medical data (surgery date, preoperative test dates, follow-up dates, results of all these).

- 7 -

Purpose: We may send you different types of communications via various channels such as email, SMS, or WhatsApp.
Legal basis: The legal basis varies depending on the type of communication. For some communications (e.g., to confirm or manage your appointment bookings, explain updates to our Services or terms, or inform you on how to use our Services), the processing of personal data is necessary to provide you with the Services, and you cannot object. The legal basis is performance of the contractual relationship (Art. 6.1.b GDPR). You may also receive communications about similar Services that may interest you, or requests for feedback on your experience using our Services or the Services of the recommended Surgeons. We send these communications based on our legitimate interest, and you always have the right to object. For marketing communications related to third-party services, or communications about our products or services not similar to those you contracted, we will only send communications based on your consent. Consent will also be used when we personalize communications.
Categories of data: Identifying data (first and last name); contact data (mobile phone number, WhatsApp number, email address); medical data (procedures of interest, advisory appointment dates, evaluation appointment dates with the Surgeon, surgery date, preoperative test dates, follow-up dates, results of all these).

7. DATA RETENTION PERIODS

As a general rule, your data will only be retained for the time strictly necessary for the purpose for which it was collected.

The personal data provided, as well as those received from Surgeons and Medical Centers, will be retained for the periods established in the applicable national and regional regulations, and at least for five years following the completion of each surgical process, as established in Law 41/2002, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation. Once this minimum period has elapsed and the contractual relationship has ended, the data controller will keep your data properly blocked for the duration of the legally prescribed limitation periods.

Personal data provided for the purpose of handling any request for information, complaints, suggestions, claims, exercise of data protection rights, etc., will be retained for the time necessary to process the request, and in any case for the legally established period, as well as for the time necessary for the submission, exercise, or defense of claims.

Data processed for compliance with legal obligations will be retained for the period established in the applicable legislation.

Data collected for the formalization and execution of the contract will be retained for the duration of the contractual relationship, as well as for the period necessary for the submission, exercise, or defense of claims, at least five years.

For processing specifically consented to by the user, the data will be retained as long as the data subject does not revoke the consent given or request the deletion/cancellation of their data.

8. HOW WE PROTECT YOUR DATA

We take the protection of your data very seriously. We implement appropriate technical and organizational security measures to protect your personal data, including from unauthorized access. We follow industry-accepted standards to safeguard the personal information you provide, both during transmission and after receipt: for example, periodic security checks of the platform, segmentation and access control within the organization, and the use of pseudonymization, anonymization, or encryption techniques.

Unfortunately, the transmission of information over the Internet (including email) is not always completely secure. Therefore, when using our applications, you should only use a secure Internet connection and always maintain device security. Once we receive your information, we use strict procedures and appropriate security measures to prevent unauthorized access or sharing. For health data, we apply additional protection measures such as multiple layers of encryption or pseudonymization techniques.

We use medical software and electronic health record management systems that comply with the LOPD, the GDPR, and HIPAA and that exceed the IT security standards recommended by the official authorities. All information entered into this software is stored in Microsoft’s data center in France (within the EU) and is encrypted both at rest on the server and in transit, the latter over TLS (commonly still referred to as SSL) using 256-bit encryption. Daily backups are performed and stored in geographically separate locations. The Microsoft cloud services used safeguard the information and provide 99.95% availability.

The software provider guarantees that it does not sell or otherwise commercialize the information. The electronic health record ensures the confidentiality of patients’ identities, as well as the integrity and reliability of the clinical information, and establishes appropriate security measures to prevent illegal or unauthorized use that could harm the legal rights of the data subject, in accordance with applicable regulations. The information contained in the records may be disclosed to the patient, to anyone legally authorized to decide on their behalf, and, where appropriate, to third parties by order of the competent judicial or administrative authority. An external company continuously audits the security of the provider’s systems, and the provider reports that no security incidents have occurred in the last 10 years.

9. RECIPIENTS

Microsurgery, as the data controller of Users’ personal data, may make the following disclosures to the indicated categories of recipients:

a) Plastic, aesthetic, and reconstructive surgeons that we recommend to our patients, so that they can provide their services; these surgeons thereby become independent data controllers.

b) Medical Centers where these surgeons operate, so that they can provide services to our Users; these centers thereby become independent data controllers.

c) Competent administrative and judicial authorities when they require Microsurgery to provide information about our Users in the context of administrative or judicial proceedings (for example, the Spanish Tax Agency or health authorities with inspection and sanctioning powers).

d) Registers, organizations, and public authorities, for compliance with specific legal reporting or information obligations, such as, for example:

e) Financial entities, to manage our Users’ financing requests. When a User requests advice to finance their surgical procedure, Esthetica may disclose identity and financial data to the financial entities with which it collaborates for the analysis of conditions and requirements and, if applicable — according to the conditions and requirements established by the collaborating financial entity — for the formalization of the financing agreement. Such disclosure is necessary to take appropriate pre-contractual measures and, if applicable, to execute the financing contract between the client and the financial entity. In doing so, these entities become independent data controllers.

Notwithstanding the above, the User’s personal data (and, where applicable, that of their legal representatives) may be accessed by service providers of Microsurgery in the fields of technology and information systems, administrative management, marketing, legal advice, and consulting. These third parties will only access personal data under the instructions and supervision of Microsurgery and solely for the purpose of providing the contracted service.

The third parties mentioned in this section may act as data processors or as independent data controllers, as applicable. When acting as data processors, we ensure that an appropriate data processing agreement is in place, as required by Article 28 of the GDPR and local regulatory requirements.

10. RIGHTS

When we act as data controllers, you have the following rights. To exercise these rights, please consult the contact details of our Data Protection Officer in Section 4 of this Policy.

a. Right to be informed about the processing of your personal data (i.e., the purposes, types of personal data, recipients, retention periods, and whether international data transfers are carried out). All this information can be found in this Privacy Policy. Please note that the surgeons we recommend and the medical centers where they operate must inform you separately when processing your data as independent data controllers.

b. Right of access to the personal data we process.

c. Right to erasure of your personal data unless we need it to provide our Services or have a legal obligation or legitimate interest to retain it.

d. Right to rectify your personal data if it is inaccurate, incomplete, or incorrect. You can correct this information yourself or request that we do it for you. Following a complaint or request, we will seek to ensure the rectification of the personal data we hold about you.

e. Right to object to the processing of your data by us and to request that such processing be restricted. Please note that there are certain processing activities to which you cannot object, as they are strictly necessary to provide our Services.

f. Right to withdraw any previously given consent. Please note that we may no longer be able to provide certain Services from the moment your consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

g. Right to data portability of your data stored by us, in digital format. This means receiving your personal data in a structured, commonly used, and machine-readable format, in order to transfer it to another data controller or carry out such transfer directly, if technically feasible.

h. Right to lodge a complaint with the data protection authority.

We reserve the right to charge a reasonable fee if you make requests that can be considered manifestly unfounded or excessive (for example, due to the repetitive nature of the request or because it involves additional effort, cost, or time beyond what is required by law).

We will always comply with our legal obligations regarding your rights. We will respond without undue delay and, in any case, within one month of receiving your request. Where a request is complex or we receive numerous requests, this period may be extended by up to two further months, in which case we will notify you of the extension and the reasons for it within the first month.

To protect your data against unauthorized access, we may ask you to verify your identity before acting on a request, but only where we have reasonable doubts about the identity of the person making it.

Important note: we can only make decisions on requests and act accordingly when we act as data controllers. If you are a User who has booked a consultation with a surgeon through one of our advisors, we can delete your data or stop sending certain communications at your request. However, the surgeon may still retain and process your personal data (as an independent data controller). If you wish to exercise your rights regarding the data held by the surgeons or medical centers as data controllers, you must contact them directly. Whenever possible and within our means, we may assist you in doing so, but we cannot be held responsible for the surgeon’s or medical center’s policies, practices, procedures, actions, or conduct.


©2025 Esthetica