Privacy Policy

Kalavik – Integrative Nutrition & Clinical Research
Effective Date: 25 Feb 2026
1. Data Controller
Kalavik – Advanced Clinical Nutrition Therapy & Research Studio (“Kalavik”, “we”, “us”, “our”) is operated as a sole trader (autónomo) registered in Spain.
For the purposes of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), Kalavik acts as the Data Controller of personal data collected through its website, client portal, email communications, and clinical services.

Contact:
Email: hello@kalavik.com

Kalavik’s lead supervisory authority is the Agencia Española de Protección de Datos (AEPD), Spain.
EU data subjects also retain the right to lodge a complaint with their local supervisory authority.
Kalavik has not appointed a Data Protection Officer, as this is not required under Article 37 GDPR for the current scale and structure of operations.

2. Scope of This Policy
This Privacy Policy applies to:
- Website visitors
- Registered website users
- Clinical clients (online and in-person)
- Workshop participants
- Research collaborators
- Newsletter subscribers

This policy governs how personal data, including special category health data, is collected, processed, stored, and protected.

3. Categories of Personal Data Collected
Kalavik may collect and process the following categories of data:
3.1 Identity and Contact Data
- Full name
- Email address
- Date of birth
- Country of residence
- Communication history
3.2 Clinical and Health Data (Special Category Data – Article 9 GDPR)
Where relevant to therapeutic services, Kalavik processes:
- Full medical history
- Laboratory reports
- Medication records
- Previous medical diagnoses (as provided by the client)
- Supplement use
- Nutrition and lifestyle information
- Uploaded clinical documents (via website portal or email)
This data qualifies as special category data concerning health under Article 9 GDPR.

3.3 Account Data
- Login credentials
- Account preferences
- Secure access logs
3.4 Financial Data
- Bank transfer details
- Revolut payment records
- Transaction history
Kalavik does not store debit or credit card information.
3.5 Technical Data
Limited technical data may be processed by the website infrastructure (Notion), including:
- IP address
- Device/browser information
- Essential technical cookies required for platform functionality
Kalavik does not use advertising pixels or behavioural tracking tools.
4. Legal Bases for Processing
Personal data is processed under the following legal bases:
- Article 6(1)(b) – Performance of a contract (delivery of clinical services)
- Article 6(1)(c) – Compliance with legal obligations
- Article 6(1)(f) – Legitimate interests (service administration and security)
- Article 9(2)(a) – Explicit consent for health data processing
- Article 9(2)(h) – Provision of health-related care services
Health data is processed only when necessary and with explicit consent.
5. Purpose of Processing
Personal data is processed for the following purposes:
- Delivering personalised integrative nutritional guidance
- Reviewing laboratory data and clinical information
- Maintaining professional clinical records
- Communicating regarding appointments and services
- Conducting workshops and educational activities
- Managing billing and accounting
- Responding to rights requests
- Ensuring platform security
Kalavik does not sell personal data.
6. Professional Confidentiality
All clinical information shared during consultations is treated as confidential and handled in accordance with professional ethical obligations.
Information will only be disclosed where:
- Legally required
- Necessary to protect vital interests
- Explicitly authorised by the client
7. Research Use of Data
Anonymised client data may be used for research analysis or educational case studies only with prior written consent.
Kalavik does not automatically aggregate or repurpose identifiable client data for research.
Where research publication occurs, all data is anonymised unless explicit written authorisation states otherwise.
8. AI Usage Transparency
Kalavik uses AI-based tools solely for:
- Scientific literature research assistance
- Academic synthesis
- Internal workflow support
AI providers used include:
- OpenAI
- Anthropic
- Elicit
- SciSpace
Kalavik does not:
- Input identifiable client data into AI systems
- Use AI to generate automated clinical decisions
- Profile or score clients
- Use AI to train models with client data
- Conduct automated decision-making under Article 22 GDPR
All clinical decisions are made by a qualified human professional.
9. Data Storage and Security
Client data is stored within a secure Notion workspace.
Kalavik implements:
- Two-factor authentication
- Strong password management
- Device encryption
- VPN-secured access
- Restricted access (controller-only access)
- Regular backups
Reasonable technical and organisational measures are applied to protect data integrity and confidentiality.
10. Third-Party Processors
Kalavik uses limited third-party service providers, including:
- Notion (website and data infrastructure)
- Proton Mail (email services)
- Porkbun (domain registrar)
- Revolut (payment processing)
- Calendly (appointment scheduling)
- WhatsApp (communication and booking)
These providers may process personal data under their respective privacy frameworks.
Where providers operate outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses or applicable data transfer mechanisms are relied upon.
11. International Data Transfers
Some service providers (including AI providers and messaging platforms) may process data outside the European Economic Area.
Where such transfers occur, they are subject to:
- Standard Contractual Clauses
- Applicable EU–US Data Framework mechanisms
- Contractual safeguards
Kalavik does not knowingly transfer identifiable health data to AI systems.
12. Data Retention
Clinical records are retained for the period necessary to fulfil professional, legal, and insurance obligations, after which they are securely deleted or anonymised.
Financial and accounting records are retained for 6 years, in accordance with Spanish legal requirements.

13. Data Subject Rights
Under GDPR, you have the right to:
- Access your personal data
- Request rectification
- Request erasure (subject to legal retention obligations)
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent at any time
Requests may be submitted to: hello@kalavik.com
Kalavik will respond within 30 days.

You may lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or your local supervisory authority within the EU.
14. Educational vs Clinical Services
Educational materials, workshops, and publicly available content are provided for informational purposes only. Therapy guidance provided during private sessions is personalised integrative nutritional guidance and does not constitute medical diagnosis.

Clients are encouraged to consult licensed medical professionals for medical diagnosis or treatment.
15. Children’s Data
Kalavik services are intended for adults (18+).
Kalavik does not knowingly collect data from minors.
16. Data Breach Notification
In the event of a personal data breach posing a risk to data subjects, Kalavik will notify the relevant supervisory authority and affected individuals in accordance with GDPR requirements.
17. Updates to This Policy
This Privacy Policy may be updated periodically. The revised version will be published on this page with an updated effective date.