At Merlín, we value our users’ privacy and are committed to protecting their personal data. This privacy policy aims to inform you about how we collect, use, and protect the information you provide when using our services. Merlín is a product of Kunan SA, and by using Merlín, you accept the terms of this privacy policy.

The protection of personal data and all data flowing through our platform is our top priority.

The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and the Council of the EU concerning the protection of individuals with regard to the processing of personal data and the free movement of such data. It is binding on all member states and came into effect on May 25, 2018.

The purpose of this regulation is to protect citizens’ rights against unauthorized handling of their confidential and personal data. These rules respect citizens’ rights to personal data protection, regardless of their nationality or residence.

Our goal is to provide services in accordance with the European GDPR while equipping our customers with the necessary tools to easily comply with the regulation’s requirements.

The data controller is primarily responsible for processing personal data. An essential prerequisite is the existence of an adequate legal basis for processing personal data, which the data controller must have to perform this task and ensure the personal data is sufficiently protected.

The data processor is a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller. What distinguishes the data controller from the processor is that the processor can only perform processing operations that the controller has entrusted or that result from the activity commissioned by the controller.

Kunan SA acts as a data processor, providing services to the data controller.

In the context of Merlín, our clients act as data controllers.

For example, our clients decide:

  • What information about their patients is transferred to their Merlín account,
  • What messages they wish to send to their patients through our application.

The appointment of Merlín as a data processor by the controller is formalized by signing the general terms of use of our service contract.

Purpose of the Technological Product

Merlín is a conversational assistant designed to offer advanced appointment management and communication services for healthcare facilities. Our goal is to provide our clients, whether clinics, hospitals, or medical offices, with a powerful and user-friendly tool to manage their appointment schedules, efficiently communicate with their patients, and optimize their administrative processes.

Personal Data Collected

Merlín collects a variety of personal data to effectively provide our services. This data may include, but is not limited to:

  • Name and Surname
  • Email Address
  • Phone Number
  • Details of medical appointments, such as date, time, healthcare professional, specialty, location, and hospital.

In addition to this data, we may also collect non-personally identifiable information, such as interaction history with our service.

Where Are Merlín’s Servers Located?

For EU clients, Merlín’s servers are hosted on Amazon Web Services, located in Ireland and Frankfurt, both within the European Community. See the certification here.

Methods of Data Collection

Personal data is collected by applying the principle of data minimization, through various means, including:

  • Integration flows with healthcare management systems (HIS) that allow automatic data synchronization between Merlín and other systems used by the client.

It should be noted that the end user of the assistant has other communication channels with the institution responsible for processing their personal data.

Users’ Rights Regarding Their Data

We recognize and respect users’ rights over their personal data. These rights include:

  • Right of Access: You have the right to access the personal information we have collected about you and to obtain details on how it is used.
  • Right of Rectification: If the information we have about you is incorrect or outdated, you have the right to correct it.
  • Right of Deletion: You can request the deletion of your personal data from our database if it is no longer necessary for the purposes for which it was collected.
  • Right of Objection: You have the right to object to the processing of your personal data under certain circumstances, such as direct marketing.
  • Right of Portability: If requested, we can provide your personal data in a structured format for you to transfer to another data controller.

Sharing Collected Data

We understand the importance of protecting your privacy and commit to not sharing your personal data with third parties, except in the following circumstances:

  • With your explicit consent.
  • When necessary to comply with the law or protect our legal rights.
  • With external service providers who help us provide our services, such as cloud storage providers or payment processors. In these cases, we ensure these providers adhere to strict privacy and security standards.

Data Security Measures

The security of your personal data is a priority for us. Therefore, we implement a series of technical and organizational measures to protect your data against loss, theft, or unauthorized access. These measures include:

  • Data encryption to protect the transmission of confidential information.
  • Access controls to limit who can access information on our platforms.
  • Regular monitoring of our security measures to detect and prevent potential security breaches.
  • Periodic training of our staff on best practices for data security and privacy.

Data Retention Period

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. This may include:

  • Keeping records of medical appointments to ensure proper follow-up of the patient’s medical history.
  • Retaining certain data to comply with applicable laws and regulations, such as tax retention requirements.

Handling Data Security Breaches

In the event of a data security breach, we commit to taking immediate measures to protect your information and mitigate any negative impact. This may include:

  • Notifying relevant authorities and affected individuals as required by applicable laws and regulations.
  • Investigating the root cause of the breach and taking corrective actions to prevent similar incidents in the future.
  • Providing assistance and resources to affected users to help them protect their personal information.

Questions and Contact

If you have any questions or concerns about our privacy policy or the handling of your personal data, please contact our data protection officer at We are here to help and address any issues you may have.