MYHIXEL HUB - Privacy Policy

1. Introduction and Commitment to Health Privacy

This Privacy Policy governs the processing of personal data carried out by NEW WELLNESS CONCEPT S.L. hereinafter, “Myhixel”, through its digital ecosystem, which includes the website, the Myhixel Hub mobile application and interaction with the Myhixel Trainer device.

At Myhixel, we understand that male intimate health is an area of the highest sensitivity. For this reason, we have designed our platform according to the principles of Privacy by Design and by Default, complying not only with the General Data Protection Regulation, GDPR, and the Spanish Data Protection and Digital Rights Guarantee Act, LOPDGDD, but also with international ISO 27001 security standards and Class I Medical Device regulations.

2. Types and Categories of Data Processed

In compliance with the principle of transparency, Myhixel informs users that it processes the following categories of data, adapted to the user’s specific interaction with the platform:

Identifying and Contact Data: This includes name, surname, email address, postal address for physical shipments and, optionally, a pseudonymous nickname for use within the App, minimizing the direct link with the user’s civil identity.

Profile and Context Data: Information related to age, gender, weight, sleep quality and general wellness habits, necessary for segmentation and personalization of the experience.

Special Categories of Data, Health and Sexual Life: These constitute the core of the digital therapy and include answers to validated clinical questionnaires, such as IELT and TLEI, levels of sexual satisfaction, perception of ejaculatory control and sexual orientation.

Telemetry and IoT Data: Information captured by the sensors of the Myhixel Trainer device during use, such as acceleration, speed, temperature and vibration patterns. These data are essential to objectively measure adherence and treatment progress.

3. Detailed Analysis of Data Processing Activities

Below is a detailed explanation of the governance of your data, grouping purposes, lawful bases and retention periods for each activity flow.

A. Digital Therapy and Use of the Myhixel Hub App

Purpose: Provision of a personalized intimate health service, clinical monitoring of progress and dynamic adaptation of therapeutic programs.

Lawful Basis: For identifying data, performance of the contract, Article 6.1.b GDPR. For health, sexual life and telemetry data, your explicit consent, Article 9.2.a GDPR, specifically collected in the App.

Retention Period: Account data are retained for as long as the contractual relationship remains in force. Health data are retained for five years after the last activity, by analogy with patient autonomy regulations, and are subsequently legally blocked.

B. Purchase and Logistics Management

Purpose: Processing of orders, invoicing, shipment of physical devices and warranty management.

Lawful Basis: Performance of the contractual relationship, Article 6.1.b GDPR, and compliance with tax and commercial legal obligations.

Retention Period: For the time necessary to complete delivery and, subsequently, blocked for the applicable statutory limitation periods, 6 years for commercial matters and 4 years for tax matters.

C. Newsletter Subscription and Communications

Purpose: Sending news, health studies and commercial offers from the Myhixel ecosystem.

Lawful Basis: Your consent, Article 6.1.a GDPR, granted when subscribing.

Retention Period: Until you withdraw your consent. Immediate unsubscribe is available in every communication.

4. Advanced Digital Health and Governance Clauses

4.1. Scientific Research and Bioethics, R&D

Myhixel is committed to advancing medical science in sexual health. For this reason, we may use your telemetry and health data to create anonymized datasets.

This process is carried out under a strict Cohort Threshold Policy, N≥20, ensuring that it is mathematically impossible to re-identify a user. These anonymized data may be transferred to academic or clinical research institutions for studies on male intimate health, in accordance with Recital 26 of the GDPR.

4.2. Artificial Intelligence, AI, Governance

Our platform uses AI exclusively for analytical and interface personalization functions. Myhixel guarantees that no automated AI-based diagnoses are performed that have legal or significant effects on the user without professional human supervision.

All therapeutic recommendations are based on predefined and validated medical protocols.

4.3. Interaction with Health Ecosystems, Apple Health / Google Fit

Currently, Myhixel Hub operates independently to ensure maximum isolation of your intimate health data.

We do not share or extract data from Apple Health, Google Fit or other external health aggregators, preventing your intimate information from being mixed with other general activity profiles without your full control.

5. Processing Security, Technical Resilience and Cybersecurity Culture

In strict compliance with Article 32 of the GDPR, Myhixel has implemented a hospital-grade security ecosystem designed to protect the integrity, confidentiality and availability of the health information processed.

Our technical architecture, deployed in the AWS Ireland region, European Union, is based on the following advanced security pillars:

Military-grade Data Encryption: We apply robust encryption protocols at all stages of the data lifecycle. Information at rest within our Amazon RDS databases and S3 storage volumes is protected using AES-256 algorithms managed through AWS KMS. Likewise, all communications between the Myhixel Hub mobile application and our servers are carried out through secure channels using TLS 1.2 or higher protocols, ensuring that information cannot be intercepted or altered by unauthorized third parties during transmission.

Identity Governance and Granular Access Control: We implement the principle of “Least Privilege” through an extremely restrictive identity and access management, IAM, system. Access to production environments is protected by mandatory Multi-Factor Authentication, MFA, for all authorized personnel. In addition, we have established a strict segregation of duties, ensuring that only essential technical staff can interact with data systems, always under strict confidentiality agreements and permanent auditing.

Resilience, Availability and Disaster Recovery: Myhixel guarantees service continuity and data protection against physical or technical incidents. We have an automated daily backup system with geographical replication within the EU availability zone. We perform monthly restoration tests to validate our disaster recovery plans, DRP, ensuring that, in the event of any incident, the availability of your therapeutic history can be restored within minimal timeframes.

Proactive Monitoring and Continuous Auditing: Our system integrates observability tools that monitor any anomalous access attempt or suspicious behavior in real time. We periodically conduct security audits and penetration testing exercises to identify and mitigate vulnerabilities before they can be exploited. This cybersecurity culture is reinforced through continuous training of our team and the adoption of ISO 27001 standards, consolidating Myhixel as a secure environment for your digital health.

6. Deletion of Personal Data and/or Account Cancellation

The user may request the deletion of their personal data and/or the definitive cancellation of their Myhixel account at any time.

This request is configured as a specific form of exercising the right to erasure provided for under the GDPR, without prejudice to cases in which Myhixel must retain certain data, duly blocked, in order to comply with legal obligations, contractual, healthcare, tax, commercial or warranty responsibilities, security requirements or defense against claims.

6.1. Channels Available to Request Deletion

To request the deletion of personal data and/or account cancellation, the user may use any of the following channels:

  1. Send an email to the Data Protection Officer at dpd@myhixel.es, indicating in the subject line: “Request for data/account deletion”.
  2. Use, when available, the specific privacy, account settings or support functionality within the Myhixel Hub App.

The request must sufficiently identify the user, including at least the email address associated with the account and a clear description of whether the request concerns only the deletion of certain data, total account cancellation or both actions.

Myhixel may request reasonable additional information when necessary to verify the identity of the applicant and prevent unauthorized access or deletion.

6.2. Scope of Deletion and Effects on the Service

Once the request has been validated, Myhixel will proceed to delete or anonymize, as appropriate, the personal data linked to the user’s active account, including identifying data, profile data, App usage data and data associated with therapeutic monitoring, provided that there is no legal basis requiring or permitting its retention.

Likewise, the account will cease to be operational and the user will lose access to the history, programs, metrics, settings and other functionalities associated with Myhixel Hub.

Account cancellation will not necessarily affect the separate retention of minimal information linked to purchases, invoicing, warranties, customer service, security, fraud prevention or regulatory compliance, when such retention is required or legitimate under applicable regulations.

In the case of commercial communications, unsubscribing will result in the cessation of promotional messages, except for transactional or legally necessary communications.

6.3. Blocked Data, Backups and Anonymized Data

Where retention is required due to a legal obligation or for the possible handling of liabilities, the data will not remain available for ordinary use of the platform. Instead, they will be blocked and processed only for such restricted purposes during the legally applicable periods.

Once these periods have expired, Myhixel will proceed with their definitive deletion.

Deletion from backup copies may not be immediate for technical reasons related to integrity, continuity and disaster recovery. However, data included in backups will be subject to security measures and will not be restored for ordinary use, unless strictly necessary for technical, legal or security reasons.

In the event of restoration, Myhixel will reapply the deletion request to the affected data.

Data previously and irreversibly anonymized for statistical, scientific, service improvement or research purposes will not allow the identification of the user and, therefore, cannot be linked again to their account or be subject to individual deletion.

6.4. Response Deadlines and Confirmation

Myhixel will respond to the request within a maximum period of one month from receipt.

This period may be extended by an additional two months when the request is particularly complex or when there is a high number of requests, informing the user of the extension and the reasons for it within the first month.

Once the deletion or cancellation has been completed, Myhixel will send confirmation to the user through the same channel used or to the email address associated with the account.

If Myhixel is unable to fully or partially comply with the request due to a legal obligation, an exception provided for under data protection regulations or a legitimate need for retention, it will inform the user with reasons, indicating the affected data, the purpose of retention, the applicable period and the rights that may be exercised before the Spanish Data Protection Agency.

7. Changes to the Privacy Policy

Myhixel may update this policy to adapt it to technical, legal or product changes.

Any substantial modification will be notified through the App or by email with sufficient prior notice.

Continued use of the service after notification shall imply acceptance of the new terms, without prejudice to your right to request data deletion.

8. Rights and Contact

You may exercise your rights of access, rectification, erasure, restriction, portability and objection by sending an email to our Data Protection Officer at dpd@myhixel.es.

You have the right to file a complaint with the Spanish Data Protection Agency, AEPD.