Privacy Policy
Version: 5 — April 2026
Legal references: GDPR (EU) 2016/679 · LOPDGDD 3/2018 · Spanish Biomedical Research Act 14/2007 · Patient Autonomy Act 41/2002
1. Data Controller
| Field | Value |
|---|---|
| Full name | Dr. Pascal MENSAH |
| Trading name | Ymmunoledge |
| Address | Calle Solleric 3, 07340 Alaró, Balearic Islands, Spain |
| drpascalmensah@proton.me | |
| Tax ID | Y4159702M |
| Medical Registration No. | 070710746 |
| Website | https://drpascalmensah.com |
2. Categories of Data Processed
2.1 Browsing data (automatic)
IP address, browser type, pages visited, session duration. Used exclusively for technical operation and aggregated statistics.
2.2 Booking data
Full name, email, phone, country of residence and voluntarily provided health information.
2.3 Health data (Art. 9 GDPR)
Medical history, biological markers, GlycanAge biological age profile, personalised clinical report.
2.4 Genetic data
Laboratory analysis is performed exclusively by N-Gene (Mallorca, Spain), acting as an independent data controller under its own consent framework. Dr. Mensah receives raw genetic data and the results report for clinical interpretation.
Variants processed: MTHFR, VDR, IL6, TNF, FADS1/2, CYP1A2, GSTT1, TCF7L2 and others.
2.5 Genetic interpretation methodology
Interpretation carried out entirely by Dr. Mensah using reference scientific literature (PubMed, ClinVar, OMIM, clinical practice guidelines). No external AI tools are used for identifiable patient genetic data.
2.6 Communication data
Emails and WhatsApp messages (+34 626 175 546) processed exclusively to respond to enquiries.
3. Purposes and Legal Basis
| Purpose | Legal basis | Regulation |
|---|---|---|
| Booking management | Art. 6.1(b) + 6.1(a) | Act 41/2002 |
| Clinical consultation | Art. 6.1(b) + 9.2(h) | LOPS; Act 41/2002 |
| Genetic interpretation (from N-Gene) | Art. 9.2(a) + 9.2(h) | Act 14/2007 Art. 45–47 |
| GlycanAge profile | Art. 9.2(h) + 9.2(a) | Act 41/2002 |
| Clinical report and therapeutic strategy | Art. 6.1(b) + 9.2(h) | Act 41/2002 |
| Website statistics (anonymised) | Art. 6.1(a) cookies | ePrivacy; LOPDGDD |
| Responding to enquiries | Art. 6.1(b) + 6.1(a) | — |
4. DPIA — Art. 35 GDPR
5. Data Retention
- Clinical and genetic data: minimum 5 years from last consultation (Act 41/2002)
- Contact data and communications: 3 years from last interaction
- Browsing data: according to cookie type
- Invoicing data: 6 years (Spanish commercial law)
6. Recipients
6.1 N-Gene — Independent data controller
N-Gene (Mallorca) acts as independent data controller for laboratory analysis. For questions about sample processing, the patient should contact N-Gene directly.
6.2 GlycanAge (if applicable)
GlycanAge Ltd. (United Kingdom) — independent data controller for glycan profile analysis. [Verify post-Brexit international transfer safeguards.]
6.3 Other service providers (processors)
| Provider | Purpose | Location |
|---|---|---|
| Booking system Topdoctors.es | Appointment management | Barcelona, Spain. |
| WordPress hosting. Digital Business Lounge Ltd | Website hosting | Farnborough, Hampshire, United Kingdom |
| Complianz BV | Cookie consent management | EU (Netherlands) |
| DeepL Pro (DeepL SE) | Translation of de-identified clinical documents | EU (Germany) — DPA signed |
7. Your Rights
| Right | Description |
|---|---|
| Access | Copy of raw genetic, clinical data and reports |
| Rectification | Correction of inaccurate data |
| Erasure | Deletion when no longer necessary |
| Restriction | Temporary suspension of processing |
| Portability | Data in structured format |
| Objection | Object to processing based on legitimate interest |
| Withdrawal of consent | Without retroactive effect |
| Right not to be informed (genetics) | Act 14/2007 Art. 4; Act 41/2002 |
Contact: drpascalmensah@proton.me
Supervisory authority: AEPD — www.aepd.es
8. Security Measures
- HTTPS/TLS encrypted transmission
- Access to raw genetic data restricted exclusively to Dr. Mensah
- Identifiable raw genetic data not transmitted to external platforms
- Regular backups and incident recovery procedures
- Breach notification to AEPD (Art. 33 GDPR) within legal timeframes
9. Affiliate Programmes and Commercial References
Dr. Mensah may participate in paid affiliate programmes. Where an active affiliate relationship exists, it will be clearly labelled [Affiliate link] or [Paid partnership]. Unlabelled references are independent clinical recommendations.
10. Minors
Services directed exclusively at persons aged 18 and over.
11. Updates
Policy available at https://drpascalmensah.com. Last revised: April 2026.
12. DPO and Contact
Processing of raw genetic data may require designation of a DPO (Art. 37.1(c) GDPR). Consult a specialist data protection adviser.
| Field | Value |
|---|---|
| Data Controller | Dr. Pascal MENSAH |
| drpascalmensah@proton.me | |
| Address | Calle Solleric 3, 07340 Alaró, Balearic Islands, Spain |
| DPO | appointment in progress |