Privacy policy
Last updated:
1. Who we are
Zaniora is a software-as-a-service platform operated by Nortework (norteworks.com). Full legal name and tax registration details will be published before public launch.
General contact: [email protected]
Privacy contact: [email protected]
2. What data we process and why
2.1. Practitioner data (our customer)
- Account data: name, email, hashed password (Argon2id), license number, preferred language.
- Billing data: trade name, tax ID, address — required for subscription invoicing.
- Usage data: access logs, truncated IP address (last octet zeroed), browser.
- Payment data: handled by Stripe as a processor. We do not store card numbers.
Legal basis: performance of the subscription contract (GDPR art. 6.1.b) and legal tax obligations (art. 6.1.c).
2.2. Patient data (managed by the practitioner)
Practitioners store data about their patients on Zaniora. This includes health data, a special category under GDPR art. 9:
- Identifiers: name, surname, date of birth, sex, contact (optional email/phone).
- Anamnesis and interviews configured by the practitioner.
- Body measurements (weight, perimeters, body fat %, etc.).
- Assigned diets and their history.
- Comments written by the patient from their portal.
- Patient portal access logs.
In this relationship, the practitioner is the data controller and Zaniora is the data processor under GDPR art. 28. The legal basis is determined by the practitioner.
Zaniora signs a data processing agreement with each practitioner outlining obligations, security measures and notification processes.
3. Retention
- Practitioner account: as long as the account is active. After deletion, soft-delete for 30 days, then physical deletion.
- Billing data: 6 years per Spanish accounting law (Code of Commerce art. 30).
- Patient data: retention period is set by the practitioner as controller. Zaniora deletes upon request or contract end (+ 30-day grace).
- Access logs: 90 days.
- Backups: up to 12 months, encrypted and isolated.
4. Where data is processed (subprocessors)
All Zaniora infrastructure is in the European Union.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, landing page hosting. | EU. |
| Stripe Payments Europe Ltd. | Subscription payment processing. | Ireland (EU). |
| Resend | Transactional emails (verification, reminders). | EU. |
| Backblaze B2 EU | Encrypted backups. | Netherlands (EU). |
| Nortework | Platform development and maintenance. | Spain. |
5. How we protect data
- TLS 1.3 in transit (HTTPS only).
- Database and backups encrypted at rest.
- Application-level encryption with per-tenant keys for the most sensitive fields.
- Hard isolation between tenants via PostgreSQL Row Level Security.
- Patient portal access protected by single-use link + numeric PIN with rate limiting.
- Access logs visible to the practitioner. Instant access revocation.
- Off-site encrypted backups with monthly restore testing.
6. Your rights
- Access, rectification, erasure.
- Restriction and objection to processing.
- Data portability.
- Withdrawal of consent when applicable.
- Complaint to the Spanish Data Protection Agency (aepd.es).
Email [email protected] to exercise your rights. If you are a patient, contact your practitioner first, as they are the data controller; we will assist either way.
7. Cookies
Technical and functional cookies only. No advertising, no cross-site tracking. Full list in our cookie policy.
8. Changes to this policy
We will notify the account holder by email and publish the updated version here with the update date visible.