Volver

PRIVACY POLICY

Last updated: 4 May 2026

1. Data controller

SURGE LABS
Email: hola@surgelabs.es
Website: www.surgelabs.es

To exercise any of the rights described below, or for any query relating to the protection of your data, please contact us in writing at the email above.

2. Data we collect

We collect personal data in two different contexts:

a) Corporate website form (surgelabs.es)

When you fill in the main contact form we collect: name, email, phone, company, website (optional) and any information you voluntarily share about your project.

b) Client clinic landing forms (surgelabs.es/<clinic>)

When you fill in the appointment-request form on a dedicated clinic landing page we collect: first and last name, phone, age, email (optional), aesthetic treatment of interest, urgency, any notes you share, IP address and browser technical data, as well as information about the advertising campaign that brought you to the page (source, medium, campaign, identifiers such as gclid or fbclid).

3. Special category data (health)

The «treatment of interest» field in the client clinic landing forms constitutes data concerning health, treated as special category data under Article 9 of Regulation (EU) 2016/679 (GDPR). We will only process this data with your explicit consent, given by ticking the corresponding box on the form, in accordance with Article 9.2.a GDPR.

4. Purpose of processing

  • Corporate website: respond to your enquiry, send you quotes, manage the commercial relationship.
  • Clinic landings: validate lead quality, pass it on to the clinic that owns the landing and allow them to contact you to manage your appointment.
  • Comply with legal obligations (accounting, tax).
  • Service improvement through aggregated statistical analysis.

5. Legal basis

  • Explicit consent (Art. 6.1.a and, for health data, Art. 9.2.a GDPR), given by ticking the box on the form.
  • Legitimate interest of Surge Labs in responding to commercial enquiries received (Art. 6.1.f GDPR).
  • Compliance with legal obligations for accounting and tax purposes (Art. 6.1.c GDPR).

6. Sharing of data with third parties

Data submitted through a client clinic landing is transferred to that clinic for the sole purpose of managing your appointment and providing the healthcare service requested. The clinic acts as an independent data controller from the moment it receives your data. Surge Labs does not transfer your data to any other entity unless required by law.

Some technology providers (web hosting, email, messaging) may process data on our behalf as data processors, always under a signed contract pursuant to Art. 28 GDPR.

7. Retention periods

  • Lead data from clinic landings: 24 months from the last interaction, unless you exercise your right of erasure earlier.
  • Corporate website data: until you request its deletion or the commercial relationship ends.
  • Data subject to legal accounting obligations: the period required by the applicable tax legislation.

8. User rights

You may exercise the following rights at any time:

  • Access, rectification, erasure and objection.
  • Portability of your data to another controller.
  • Restriction of processing.
  • Withdrawal of consent at any time.

To exercise them, write to hola@surgelabs.es with «Data protection» in the subject line. We will respond within a maximum of one month.

9. Security

We apply technical and organisational measures appropriate to the risk of processing: encryption in transit (HTTPS), European-based storage infrastructure, access controls, staff training and periodic reviews.

10. Complaints

If you believe your rights have been infringed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es