Privacy policy

1. Data controller

The institutional reference entity is Universidad de La Laguna, within which the NEXO project is framed.

Project contact: [email protected].

2. Data we process

• Authorized staff data: name, professional email, organization, role and access logs needed for authentication and traceability.
• Psychosocial assessment data: responses, scores, descriptive profiles by area and recommendations, processed pseudonymously and under professional review.
• Technical data: only what is strictly necessary for service delivery and security (session, language, CSRF protection).

Public product demonstrations use synthetic or pseudonymized data. No identifiable individual data or small-group results that could allow re-identification are published.

3. Purpose and legal basis

Data is processed to provide the organizational wellbeing assessment, descriptive reading, professional feedback and reporting service requested by the client organization, as well as to manage authorized staff access and platform security.

The applicable legal bases are the performance of a contract or service relationship, the legitimate interest in security and traceability, and, where applicable, compliance with legal obligations on occupational risk prevention. Processing of special categories of data requires professional authorization and the corresponding additional safeguards.

4. Retention

Data is kept for the time necessary to fulfil the purpose for which it was collected and, subsequently, for any legally required periods. The retention and deletion policy is agreed with each client organization in accordance with applicable law.

5. Recipients and processors

Data is not shared with third parties except where legally required. Use of the platform must be covered by the controller’s instructions and, where applicable, by the corresponding data processing agreement (Art. 28 GDPR).

Professional feedback and validation of results is carried out by qualified professionals. Technology prioritizes and explains; the final decision always rests with a competent professional.

6. Rights of data subjects

You may exercise your rights of access, rectification, erasure, objection, restriction and portability by writing to [email protected]. If you believe the processing does not comply with the regulations, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).

7. Security

Reasonable technical and organizational measures are applied: encryption in transit (HTTPS), role-based access control, activity logging in the authenticated area, and separation between responses, scores and interpretations. These measures are reviewed as the platform evolves.

8. Changes

This policy may be updated to reflect regulatory or service changes. The current version will be published with its update date.

Contact