Legal & compliance documents
Last updated: April 28, 2026
Index
Here you will find all the legal documents governing the use of the VRET website and SaaS platform. Each document is versioned and its last-updated date appears in its header.
The single source of truth for the subprocessor list is the DPA Annex III; the Privacy Policy and the Security page are synchronised with that list.
Published documents
- Privacy Policy
What data we process, on what basis, and the rights you have. Controller/Processor split, subprocessors, transfers.
For: Site visitors, DPOs
- Terms of Service
The contract: plans, guarantees, intellectual property and responsibilities. B2B only.
For: Contracting professionals
- DPA — Data Processing Agreement
GDPR Art. 28 annex (with UK Addendum): documented instructions, Art. 32 measures, subprocessors, break-glass, no-AI, 90-day continuity, DPF/SCC transfers.
For: Data controllers, DPOs
- Cookie Policy
Strictly necessary cookies by default; analytics (GA4, Clarity) and advertising measurement (LinkedIn) only with consent via a banner compliant with Spanish Data Protection Agency guidance.
For: Site visitors
- Legal Notice (LSSI-CE)
Provider identification under Art. 10 LSSI-CE. General website terms.
For: Site visitors
- Medical Disclaimer
Use boundary: VRET is professional support software, not a medical device (EU MDR / US FDA / UK MDR). Contraindications and informed consent.
For: Contracting professionals, healthcare DPOs
- US Privacy Notice
State-law notice for US visitors (CPRA, Washington My Health My Data): categories, no sale/share, rights and how to exercise them, GPC.
For: US visitors
Internal documents available under NDA
The following documents are not published openly, to protect operational details, but are provided to the client’s DPO under a confidentiality agreement before the DPA is signed or during the client’s audit phase:
- Data Protection Impact Assessment (DPIA) — Art. 35 GDPR.
- Record of Processing Activities (RoPA) — Art. 30 GDPR.
- Internal security and acceptable-use policy for employees.
- Security breach response runbook with Spanish Data Protection Agency/ICO templates and data-subject communication.
- Auditable break-glass access SOP.
- Architecture diagram with data flows and jurisdictions.
- Signed DPAs with each subprocessor.
Request them from privacidad [arroba] vret.es with the subject «DPO documentation + clinic name».
Contact channels
Sales, support and product questions.
Rights requests, DPO questions, DPA requests.
Vulnerability reports, breaches, clinical adverse events.
Versioning
We keep a version history of every legal document so you can evidence which version was in force at a given time. Request prior versions by email at privacidad [arroba] vret.es.