1. home
  2. /
  3. Privacy and cookies policy

privacy and
cookies policy

Insparya is a Clinical Group, exclusively dedicated to the diagnosis, treatment and investigation of Alopecia.


For the purposes of this Privacy Policy, the entity responsible for the processing of personal data is Insparya Hair Medical Clinic SL, with its registered office at: Calle Joaquín Costa, 26-28002 Madrid, (CIF): B-88066642, also known as Insparya, with the web address: www.insparya.com. Data protection is a particular priority for Insparya, which aims to protect the privacy of its users.

Insparya guarantees that all information of a personal nature is treated and protected with the utmost diligence and in accordance with Regulation 2016/679 – General Regulation on Data Protection (GRDP) and with the relevant domestic legislation.

Through this Privacy Policy, and under the Transparency Principle, you will obtain information on how Insparya collects, treats and uses the personal data of Users collected in connection with the use of the website www.insparya.com , the data type which it collects, the purposes for which it is used, the methods of data processing, as well as the users’ rights in relation to such processing and how to use them.

This Privacy Policy also applies to the personal data that the Candidate provides when submitting the Curriculum Vitae (“CV”) and managing the application. Insparya protects the Candidate’s privacy when he or she submits his or her CV spontaneously through the company’s website or is applying for a job offer under an ongoing recruitment process and ensures that the information collected is used exclusively for the purposes defined in this policy.


Insparya treats the personal information of the User, provided that one of the following grounds is verified:

a) Celebration or execution of a contract: in order to comply with the legal obligations inherent to contracts entered into and in force;
(b) Compliance with a legal obligation: Insparya is subject to certain legal obligations that may require it to process personal data, such as disclosure of data following court orders and collaboration with supervisory bodies;
(c) Legitimate Interests: If the data is necessary to pursue the legitimate interests of Insparya, or a third party, provided that they do not prevail over the rights, freedoms and guarantees of the data subject, including their right to the protection of their personal data.
(d) Consent: if the data subject has given his or her consent in a specific way, by signing or accepting an online or paper form.


Insparya requests personal data for the following:

A) Registration for Consultation on Hair Evaluation:
In order to submit the application for a Hair Evaluation Consultation on the Insparya website you must complete the form, in which are requested some personal data, such as your name, phone contact, email address. The reading and acceptance of the Terms and Conditions of Use of the Insparya website and the Privacy and Cookies Policy is a mandatory requirement to be able to complete your registration.
B) Registration for Online Hair Assessment, Diagnosis and Treatment Proposal:
If you wish to carry out an online evaluation, you will be asked for the following information: name, age, country, telephone, city, email, profession, what is the best time to contact you, how you learned about Insparya, hair history (hair color, texture, type), when your hair loss started, if you have a history of baldness in the family, if you have already used or are currently using Minoxil or Finasteride, if you have already undergone any corrective procedure for Alopecia, what is the degree of alopecia, intended goals in terms of result, photographic records (optional). This data will be processed so that we can respond to the Request for Hair Assessment, Diagnosis and Treatment Proposal and provide you with the Clinical recommendations that we consider appropriate in the case. By submitting the request for an online assessment consultation, the User expresses his free and informed consent, so that the personal data is collected and processed for the purposes and in the terms and conditions mentioned above, plus stating that all the information provided does not contain any omission and corresponds to the truth. The receiving of the photographic records, of an optional nature, demonstrates and confirms the consent of the User, for the use of the material sent for the intended purposes, by the clinical team, which is under the clinical coordination of Carlos Portinha, MD.
C) Submission of an application:
When submitting an application you will also be asked for some personal information (name, age, country, telephone, city, email, professional and academic qualifications) which is collected in specific form fields for this purpose and are not accessible to other users of the Insparya website.
Data treatment can also be done electronically, particularly if an applicant submits the corresponding application documents by email or through a form on the website.
As User data will be used to evaluate your application, you are advised to check the references and other information you provided. Insparya will use your data to respond to your application and call the candidate for an interview if your profile fits into a position for which a vacancy is open.
Your resumé will be stored in the Insparya database and will be accessible to our recruitment consultants.
The recipients of the Candidate’s personal data are the Human Resources department and the Team Leader of the function or area being applied for.
The recruitment process does not involve automated decision making, including profiling.
Candidates can update their CV at any time, following the same procedure as for sending a new CV. Your old resumé will automatically be replaced by the new one.
D) Submission a Suggestion/Complaint/Question:
When completing the form with your suggestion/complaint/question you will be asked for some additional personal data, such as the full name, email address, telephone contact and message. This data is collected in specific form fields and is processed by Insparya. The collection of this data is intended to provide Insparya with the correct identification of the entity concerned, the reported situation and direct contact with the owner of the suggestion/complaint/question. Except for the entity in question, Insparya will not transfer your data to third parties for any purpose.


Some Insparya services do not require any form of registration, and it is possible for the data holder to visit the company website without identifying themselves.
However, there are other services and features that necessarily require the provision of personal data.
The online assessment request form available through the Insparya website has mandatory fields (marked with *) and optional fields. Failure to provide the required mandatory data determines the impossibility of submitting the request for online consultation.
Insparya will only use personal data when voluntarily provided by its owners, for the purposes that have been provided and always with their consent.
Insparya pays particular attention to the protection of the rights of minors, so that the collection of personal data of minors under 16 years of age is dependent on the consent of their parents / holder of parental responsibilities. In case of possible collection of data of minors, the parents/guardians of parents will be asked for their written confirmation that they consent to the processing of the personal data of the minors concerned, if applicable.



Enables the candidate to present his CV in the context of spontaneous job applications, application for specific jobs or signing up to the employment alerts of Insparya, and the company will proceed to the treatment of data necessary for recruitment, selection and direct contact with the candidate.
For this effect, Insparya requests and collects the following personal information: name, e-mail, mobile phone, address, city, postcode, date of birth, nationality and gender. Some of this data (indicated in the forms in the site), are of obligatory supply, under penalty of not being possible to conclude the process of submission of the application.
In order to complete the application, the candidate is also requested to upload the CV.
The data provided by the candidate shall be kept for a period of 6 months, after which time they will be deleted or until the data subject exercises his right of cancellation. After this period, if the candidate wishes to continue to be included in the recruitment database of the Insparya Clinical Group, he must submit a new application.


Insparya owns, uses and discloses personal data of the User among the various entities of the Insparya Clinical Group, for its legitimate purposes, including:
• Fulfillment of contractual obligations;
• Informing Users of new services provided;
• Improvement and customization of the service provided to the User (answering questions posed by the User, processing requests for information and eventual complaints);
• Eventually, for marketing and communication purposes, such as offers, special campaigns and up-to-date information on the activity of Insparya.


Insparya will only use the contact data for direct and indirect marketing actions if such option is explicitly selected by the User in the registration process, authorizing the use of the email address available for manual or automatic sending of newsletters or personalized contacts about news, hair products, campaigns, promotions or other information.
Insparya will only use the data provided to carry out market studies, clinical and scientific studies, surveys of quality and satisfaction assessment, statistical analysis, communication and dissemination with a personalized offer of products and services provided by the companies that integrate the Clinical Group Insparya.
If you consent, you may also be contacted for direct marketing purposes. You may at any time revoke this consent by clicking on the communication made by email in “Unsubscribe” or directly contacting Insparya through the DPO ([email protected]).
You may also subscribe to our newsletter, and the email provided will only be used to receive our communications. You can, at any time, leave our contact list to send the newsletter, clicking on the communication made by email in “Unsubscribe” or directly contacting Insparya, through the DPO ([email protected]).
c1)- Profile definition (“profiling”)
Insparya performs the profile definition based on the information provided by the Patient, the information collected by visits to the website and consumption habits.

This information allows Insparya to send you personalized information tailored to your profile. Insparya uses statistical information related to the profiles of its patients, to improve its offers, plan its communication, manage campaigns and promotions.


Insparya may publish testimonials / comments / photos / videos and references of Patients on its website, for the purpose of promoting and publicizing its treatments and products.
Before publishing these images / testimonials, Insparya ensures it has obtained written consent of the data subject and guarantees that the disclosure of these testimonials / images will not be used for purposes other than those mentioned, unless the data subject is notified and provided consent.
If you would like your testimonial to be removed, please contact us to [email protected]


In certain circumstances Insparya may transmit personal data of the User to third parties, provided that, for that purpose i) has unambiguously obtained its consent; ii) when the transmission is made in compliance with a legal obligation, a court order or a decision of the National Data Protection Commission; or iii) to respond to requests from public or governmental authorities.
There may be transmission and relationship of personal data between the various entities of the Clinical Group Insparya and its collaborators.
Insparya will also share personal information with third parties who perform functions on behalf of Insparya and provide services to the company,such as:
• Professional consultants;
• Suppliers of data analysis;
• Function coordinators.
• Computer companies and management and hosting of websites
Insparya may transmit and receive data to subcontractors for the aforementioned purposes, under the terms of the agreements entered into them. These companies are provided with only the personal data necessary for the provision of the service in question, and these entities are obliged to treat such personal data solely and exclusively for the purposes indicated and under the duty of confidentiality.
Insparya may also share your data with third parties that manage digital platforms for the purpose of conducting marketing campaigns.
Insparya will not sell to third parties the personal data that the data subject provides in the process of requesting consultation, request for an online assessment consultation or in the submission form for applications.
Insparya will process user data within the European Economic Area (EEA) territory and therefore does not expect any international transfer of data.


The User has certain rights with respect to the personal information that Insparya maintains about his person. The details of these rights and how they are exercised are set out below. However, Insparya will need to prove the identity of the Holder before being able to act on his request.
Thus, while Insparya owns or processes the personal data, the Users can, at any moment and for free, exercise the following rights:
a) Right of Access: the right to, at any time, request from Insparya a copy of the personal information that the Company has about you.
b) Right of Correction or Completion: right to correct data that the user considers inaccurate, incomplete or outdated;
c) Right to Forgetfulness: in certain circumstances, the user has the right to request the deletion of the data that Insparya maintains about himself, for example, if the information is no longer necessary for the purposes for which it was collected or treated;
d) Right to restrict data processing: in certain circumstances, you have the right to object to the processing of your personal information and / or the use of your personal information for direct marketing purposes.
e) Right to object to automated processing, including profile;
f) Data Portability Right: the right to receive, in certain circumstances, any personal information that the Company maintains about you in a structured, generally used and legible format, and you may request that Insparya transmits this information to you or to a third party company.
g) Withdraw the Consent: to the extent Insparya is processing the User’s personal information based on your consent, the user has the right to withdraw its consent at any time.
However, this right does not compromise the lawfulness of the treatment made on the basis of the consent previously provided, nor the subsequent processing of the data, with another legal basis, such as the fulfillment of a contract or a legal obligation to which Insparya is subject.
Should the data subject intend to exercise any of the above rights or withdraw their consent, please contact our Data Protection Officer, through the following contact: [email protected]
If Insparya is subject to limitations and exceptions, it will state the reasons why it is not possible to proceed with the request for the exercise of the rights of the User.


Without jeopardizing other time limits laid down by the legislation in force, in particular in the areas of taxation, accounting, employment and contractual liability, personal data shall be kept for the minimum period of time necessary and proportionate to the pursuit of the purposes for which the personal data were collected.
For the purposes described in this Privacy Policy, (except for compliance with legal obligations, whose period of retention will depend on the applicable legal deadlines), personal data will be kept up to a maximum term of 10 years counted from withdrawal of consent or last registration and if, within this period, they have not withdrawn their consent.
With respect to recruitment procedures, if Insparya enters into an employment contract with a candidate, the data submitted will be stored for the purpose of processing the employment relationship in accordance with the legal requirements.
If no employment contract is entered into, the Candidate’s personal data will be kept for 6 months after which they are automatically eliminated, provided that no other legitimate interest of Insparya opposes the erasure.
Alternatively, the data may be anonymised in such a way that the candidate is not or can no longer be identified.


Insparya has established clear rules for the processing of personal data with its subcontractors and requires them to take appropriate technical and organizational measures to protect the personal data of its users.
Insparya may communicate to Subcontractors personal data of Users, and is always responsible for processing it, as long as there is previous and unequivocal authorization of the data subject. This will be the case for entities that provide support services for the company’s computer systems, clinical service providers, consulting firms and law firms.
Any subcontracting entity of Insparya will treat the personal data of Patients of Insparya in the name and for the account of Insparya in the strict obligation to follow its instructions, which must always be given in writing, in compliance with the RGPD, namely in the provisions of art. 28, no. a) of the RGPD.
All entities sub-contracted by Insparya will be bound by this contract by means of a written agreement which governs, in particular, the purpose and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
Insparya shall ensure that subcontractors provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of applicable law and ensures the security and protection of the rights of data subjects under the terms of the subcontracting agreement concluded with subcontracting entities.


Insparya undertakes all appropriate measures and technical and organizational measures to ensure an adequate level of security to protect the Personal Data and other information of Users, in particular against their destruction (accidental or illegal) , loss, alteration, dissemination, manipulation or unauthorized access and against any form of illicit treatment and continuously adapts its security measures in accordance with current technical developments.
Insparya ensures the technological and organizational security measures for the protection and confidentiality of the data collected through its website, having adopted and implemented strict rules in this matter. Compliance with these rules is an undeniable obligation of all those who legally access them.
On the Insparya website, personal data collection forms require encrypted browser sessions and all personal data that you give about yourself are securely stored on Insparya systems.
However, since it is impossible to guarantee the absolute security of any information sent over the internet (open network), there is a risk of data being accessed by unauthorized third parties. However, even in this circumstance, Insparya continuously adopts and develops security mechanisms that allow the protection of personal data collected.
In the event of a security breach that causes, inadvertently or unintentionally, the unauthorized deletion, loss, modification, propagation or access of personal data, Insparya endeavours to notify the CNPD whenever possible, within 72 hours of becoming aware of it and without undue delay, as well as to the data subject.
All personal data already indicated, including information entered by the User, as well as automatic information, electronic mail and other interactions with the Insparya website are stored in a secure database, accessible only to the authorized and accredited Employees of Insparya and subcontractors since duly authorized, accredited and identified.
Regular backups of all data are performed to prevent data loss, which are encrypted and kept in a safe place and inaccessible to unauthorized persons.
Only the duly authorized and accredited Employees of Insparya can access, insert and manipulate personal data of Users and only if strictly necessary. This access is always performed through platforms with access control and registration. In the case of physical (on paper) records, when existing and stored, they are filed in a restricted access location.
In order for this process to be imbued with a higher level of security and accuracy, the data collected on our website are directly integrated into software belonging exclusively to Insparya.
Insparya also records a complete audit that identifies the user, the day and time that he accessed each personal data.
Insparya has prepared and disseminated to all its employees procedures for the protection of personal data, in order to ensure its knowledge of the obligations imposed in this matter and has developed training actions with them, which are committed not to disclose to third parties or use for purposes contrary to law, any personal information of Insparya Patients whose knowledge comes to them from the exercise of their duties.
Insparya has also designated a Data Protection Officer (“DPO”) to monitor compliance with applicable policies and standards for the protection of personal data. As described in this Privacy Policy.

7) Video Surveillance

The Insparya Clinics have a video surveillance system, properly signaled. The installation of this system is a security measure.
The image recordings obtained by the video surveillance systems are kept in a codified record for a period of 30 days counted from the time of their capture, after which they are destroyed (without prejudice to the preservation for a longer period in case of legal proceedings).
We do not collect sound. Images are not allowed to be accessed, except by judicial request.
In the Insparya clinics there are informative warnings to alert to the existence of video surveillance, with the mention “For your protection, this place is object of video surveillance”.


The competent authority for the General Regulation on Data Protection (RGPD) and with the domestic legislation on this subject, is The National Data Protection Commission (CNPD).
Insparya shall cooperate with the Control Authority by providing it with all the information requested by it in the exercise of its powers.


The Insparya Clinical Group has a Data Protection Officer (DPO) who can be contacted through the following address: Insparya Hair Medical Clinic SL, headquartered at: Joaquín Costa Street, 26-28002 Madrid, or alternatively via email [email protected]
The Data Owner can always contact the DPO if he wishes to exercise his rights or receive any clarification. However, it must be borne in mind that in certain cases, under applicable law, your request may not be immediate or fully satisfied. However, it will always be informed of the measures taken to that effect within one month from the moment the request is made.


If you have any questions regarding this Privacy Policy, or have any questions, please contact us at [email protected] or by sending a written request to Insparya Hair Medical Clinic SL, with address at the address: Calle Joaquín Costa, 26 – 28002 Madrid.


Insparya uses cookies on its websites.
A cookie is a small text file that identifies the user’s computer / smartphone / tablet and includes information that allows you to memorize important data that will make your browsing more efficient and useful.
The cookies themselves only identify the computer you use and not your User, so cookies are not used to collect personal data.
At any time, the User may configure their device to accept, decline or delete cookies, in particular by selecting the appropriate settings in their browser. You can set cookies in the “Options” or “Preferences” menu of your browser. However, when you disable cookies, browsing our website may not display the same level of performance. In the collection and processing of the information described in this point, Insparya may contract the services of external entities, and they are not authorized to use the information collected by us, except to help us provide and improve our service.
By using the Insparya websites you agree to the collection and use of your information under the terms and conditions set forth in this Privacy and Cookies Policy.
For more information consult our cookie policy, available at www.insparya.com/politica-cookies
These are the cookies we use on our site:
ESSID .insparya.es Cookie for user session tracking
_fbp .insparya.es Used by Facebook to provide a series of advertising products such as real-time bidding from third-party advertisers.
_ga .insparya.es Web Analytics Cookie
_gat .insparya.es It is used to limit the percentage of requests.
_gcl_au .insparya.es Used by Google AdSense to control the publication of your ads through different websites
_gid .insparya.es It is used to distinguish users.
cf7msm_check .insparya.es Session control cookie
moove_gdpr_popup .insparya.es Control of emerging warnings for data protection


All intellectual property rights, including the trademark, underlying technology and content available through this site are owned or are exclusively licensed to Insparya.
The publication, printing, manipulation, distribution or reproduction, in any format, of any content of this site, nor the connection of the same to any business or company is not allowed.


This Privacy Policy may be reviewed and updated at any time by Insparya, which will be disclosed throughout our website. The invalidity of any of the provisions shall be deleted, with all other provisions remaining in full force and effect. The nullity of any of the provisions will be considered suppressed and the remaining provisions thereof will be kept fully effective and producing their effects.

Publication Date February 4, 2019, version I