Legal

Privacy Policy

Effective:19 May 2026 Last updated:19 May 2026 Version:3.0 Languages:EN · ES

This Privacy Policy explains how Veos Pharmaceuticals, S.L. ("Veos", "we", "us", or "our") collects, uses, discloses, and protects personal data of visitors, customers, partners, and other individuals who interact with our websites, products, and services. This Policy is designed to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

01.Data Controller

The data controller responsible for processing your personal data is:

Veos Pharmaceuticals, S.L.
Calle Núñez de Balboa, 35 A-5 Planta Oficina A1
28001 Madrid, Spain
Spanish Tax ID (CIF): B10704534
Email: info@veospharma.com
Privacy inquiries: privacy@veospharma.com
Telephone: +34 911 925 649

Veos is registered with the Registro Mercantil de Madrid. [CONFIRM with counsel:] Whether Veos has formally appointed a Data Protection Officer (DPO) under Article 37 GDPR. If yes, list the DPO's contact details here. If not, confirm that processing of health data does not reach the scale-trigger that would mandate appointment.

02.Personal Data We Collect

We collect personal data in three principal ways: data you provide directly, data we collect automatically, and data we receive from third parties.

2.1 Data You Provide

Contact and identification data: name, surname, email address, postal address, telephone number, country, professional role (where relevant).
Account and transaction data: account credentials, purchase history, billing and shipping information, payment confirmations (we do not store full card numbers; see Section 5).
Inquiry data: information you submit through our contact, partnership, distribution, careers, or investor-relations forms — including the content of your message and any attachments.
Career data: CV, education and employment history, references, and any other information you submit in connection with a job application.
Marketing preferences: consent status for newsletters and commercial communications.

2.2 Data Collected Automatically

Device and connection data: IP address, browser type and version, operating system, device identifiers, screen resolution, language settings, time zone.
Usage data: pages visited, referring URL, links clicked, time spent on pages, search terms entered on our site.
Cookies and similar technologies: see our Cookies Policy for full detail on cookie categories, providers, and durations.

2.3 Data Received from Third Parties

Distributors and retail partners may share customer information for order fulfilment and after-sales support.
Amazon and marketplace operators may share order and customer-service data necessary to process transactions involving Veos products.
Service providers for marketing analytics, advertising verification, fraud prevention, and similar functions.
Public sources such as professional networks and corporate registries for B2B prospecting (in accordance with Recital 47 GDPR legitimate-interest balancing).

03.Purposes of Processing & Legal Bases

Under Article 6 GDPR, we only process personal data when we have a valid legal basis. The table below sets out, for each processing purpose, the categories of data involved, the legal basis, and the retention period.

Purpose	Data Categories	Legal Basis (Art. 6 GDPR)
Respond to your inquiries (general, partnership, distribution, press, investor)	Contact details, content of message	Art. 6(1)(b) — performance of pre-contractual measures; or Art. 6(1)(f) — legitimate interest in responding to communications
Process orders and deliver products	Identity, billing/shipping, payment confirmation	Art. 6(1)(b) — performance of a contract
After-sales service, returns, complaints	Identity, order data, communications	Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (consumer rights legislation)
Send commercial communications (newsletter, product updates)	Email, name, preferences	Art. 6(1)(a) — explicit consent (revocable at any time); Art. 21(2) GDPR right to object always available
Career applications	CV, education, employment history	Art. 6(1)(b) — pre-contractual; Art. 6(1)(a) — consent to retain in talent pool
Regulatory and pharmacovigilance reporting	Identity (limited), adverse-event information	Art. 6(1)(c) — legal obligation; Art. 9(2)(i) — public-health processing
Accounting, tax, and statutory record-keeping	Transaction and billing data	Art. 6(1)(c) — legal obligation (Spanish Commercial Code; tax law)
Website analytics and performance	Usage and device data (cookies)	Art. 6(1)(a) — consent for non-essential cookies
Fraud prevention, security, IT integrity	IP address, access logs	Art. 6(1)(f) — legitimate interest
Defence of legal claims	All relevant data	Art. 6(1)(f) — legitimate interest; Art. 9(2)(f) for special-category data

04.Sensitive & Health-Related Data

As a pharmaceutical and consumer-health company, Veos may, in limited circumstances, receive special-category data under Article 9 GDPR — in particular, data concerning health.

This occurs primarily in the following contexts:

Adverse-event and pharmacovigilance reports: when a consumer or healthcare professional reports a side effect or product issue. Legal basis: Article 9(2)(i) GDPR — public-health interest; combined with mandatory reporting obligations under EU and Spanish pharmaceutical legislation.
Customer-care communications: when you voluntarily disclose health information in the context of a product question or complaint. Legal basis: Article 9(2)(a) — explicit consent, inferred from your voluntary disclosure with sufficient context.
Clinical or research collaborations: processed under specific informed consent and, where applicable, separate agreements with research partners. Legal basis: Article 9(2)(a) and 9(2)(j) GDPR.

Please note: we ask that you do not include unnecessary health information when contacting us through general web forms. If you need to discuss a medical or product-safety issue, please email info@veospharma.com directly so we can manage the data with appropriate safeguards.

We share personal data only with carefully selected recipients, bound by contractual confidentiality and data-processing obligations. Categories of recipients:

Service providers acting as processors on our behalf under Article 28 GDPR, including: web hosting, email infrastructure, customer-relationship management, payment processing (e.g., Stripe, PayPal — [CONFIRM] with Hassan which are actually in use), shipping carriers, marketing platforms, analytics providers.
Distribution partners with whom we have contractual agreements, for fulfilment and after-sales support.
Group companies and acquired entities (e.g., following the November 2025 SSD Trading acquisition or the 2026 Veos Ventures merger), bound by intra-group data-protection arrangements.
Professional advisers: lawyers, auditors, accountants, regulatory consultants — bound by professional confidentiality.
Public authorities when required by law, court order, or regulatory action (e.g., AEPD, Spanish tax authority, EMA, FDA, Health Canada).
Acquirers, investors, and successors in the context of an actual or contemplated corporate transaction, subject to confidentiality.

Sale of personal information: Veos does not sell personal data in the conventional commercial sense, nor — as that term is defined under CCPA/CPRA — does Veos sell or share personal information for cross-context behavioural advertising. [CONFIRM with counsel] whether any current advertising relationships (e.g., Meta Pixel, Google Ads) might constitute a "share" under CPRA; if so, a "Do Not Sell or Share My Personal Information" link must appear in the website footer.

06.International Data Transfers

Veos operates across Europe and North America, and some of our service providers are based outside the European Economic Area (EEA), including in the United States, Canada, and the United Kingdom.

When we transfer personal data outside the EEA, we rely on one of the following safeguards required by Chapter V GDPR:

Adequacy decisions issued by the European Commission (e.g., for the UK; for the United States under the EU–U.S. Data Privacy Framework where applicable).
Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented where necessary by additional technical, organisational, and contractual measures following the Schrems II jurisprudence.
Your explicit consent under Article 49(1)(a) GDPR, in limited cases.

A copy of the applicable safeguards can be requested from privacy@veospharma.com.

07.Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected, plus any additional period required by law for evidentiary or accounting purposes.

Data Category	Retention Period
General inquiry data (web forms)	Up to 12 months from the last interaction
Customer and transaction data	6 years after the end of the customer relationship (Spanish Commercial Code, Art. 30)
Tax and invoicing records	Minimum 4 years; up to 10 years for VAT and certain corporate-tax records
Marketing data (newsletter)	Until you withdraw consent, plus a blocked-retention period for evidence of opt-out
Career applications (unsuccessful)	Up to 12 months from application, or longer with your consent (talent pool)
Pharmacovigilance and adverse-event data	Lifetime of the product on market, plus 10 years after withdrawal (EU pharmacovigilance rules)
Website analytics (cookie-based)	As specified in the Cookies Policy (typically 14–26 months)
Legal-claims defence	Statute-of-limitations period applicable to the claim, typically 5 years in Spain

After expiry, data is securely deleted or irreversibly anonymised, except where retained in a blocked form (Art. 32 LOPDGDD) for compliance evidence only.

08.Security Measures

Veos implements appropriate technical and organisational measures under Article 32 GDPR to protect personal data against unauthorised access, alteration, loss, or disclosure. These include:

Encryption of data in transit (TLS/HTTPS) and at rest where technically feasible.
Access controls, role-based permissions, and the principle of least privilege.
Regular backups, with periodic restore testing.
Employee confidentiality undertakings and data-protection training.
Vendor due diligence and Data Processing Agreements (DPAs) with all processors.
Incident-response procedures, including a 72-hour breach-notification protocol under Article 33 GDPR.

No system is perfectly secure. If we become aware of a personal-data breach likely to result in risk to your rights and freedoms, we will notify the Spanish Data Protection Authority (AEPD) within 72 hours and, where the risk is high, communicate the breach to affected individuals without undue delay.

If you are in the European Union, the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Right of access (Art. 15 GDPR) — to obtain confirmation of whether we process your data and a copy of it.
Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
Right to erasure / "right to be forgotten" (Art. 17) — to request deletion when one of the legal grounds applies.
Right to restriction of processing (Art. 18) — to limit processing in defined circumstances.
Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Art. 21) — including the absolute right to object to direct-marketing processing at any time.
Right not to be subject to automated individual decision-making (Art. 22), including profiling with significant effects.
Right to withdraw consent (Art. 7(3)) at any time, without affecting prior lawful processing.
Right to lodge a complaint with a supervisory authority — see Section 15.

Additionally, under Articles 93–96 LOPDGDD (Spanish Organic Law on Data Protection), you have:

The right to digital testament — your heirs may exercise access, rectification, and erasure rights regarding your data after death.
The right to digital disconnection in employment contexts.

To exercise any of these rights, contact privacy@veospharma.com. We will respond within one month, extendable by two further months for complex requests (Art. 12(3) GDPR). We may request reasonable identification before complying.

10.Your Rights Under California Law (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Right to know what personal information we have collected about you, the categories of sources, the purposes, and the categories of third parties with whom we share it.
Right to access a copy of the specific pieces of personal information we have collected about you in the prior 12 months (or longer, on request).
Right to correct inaccurate personal information.
Right to delete personal information we collected from you, subject to legal exceptions.
Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. Veos does not currently engage in such sale or sharing as those terms are defined under CPRA. [CONFIRM]
Right to limit the use of sensitive personal information to specified business purposes.
Right to non-discrimination — we will not deny goods or services, charge different prices, or provide a different level of quality because you exercised your rights.

To exercise these rights, contact privacy@veospharma.com with "California Privacy Request" in the subject line. We will verify your identity using information already on file with us. You may also use an authorised agent, in which case we will require written proof of authorisation.

Categories of personal information collected in the prior 12 months (CCPA Section 1798.110): identifiers; commercial information; internet activity; geolocation (approximate, IP-based); professional or employment-related information (career applicants only); inferences drawn from the above for analytics purposes.

Categories of sources: directly from you; automatically from your devices; from our service providers and distribution partners.

Categories of recipients in the prior 12 months: service providers (processors); legal and regulatory authorities; corporate-transaction counterparties under confidentiality.

Note for other US states: if you reside in Colorado, Virginia, Connecticut, Utah, Texas, Oregon, or another US state that has enacted comprehensive privacy legislation, similar rights may apply. We will respond to verifiable requests from residents of these states in accordance with applicable state law. Contact privacy@veospharma.com.

11.Minors

Our website and services are directed to adults and are not intended for children under the age of 14 (Spain), 16 (other EU Member States as applicable under Article 8 GDPR), or 13 (United States, under COPPA). We do not knowingly collect personal data from children below these ages without verifiable parental consent.

If we learn we have collected personal data from a minor below the applicable age threshold without parental authorisation, we will delete it without undue delay. Parents or guardians who believe their child has provided personal data to Veos should contact privacy@veospharma.com.

12.Automated Decision-Making

Veos does not currently make decisions about you that produce legal effects or similarly significant effects based solely on automated processing, including profiling. If this changes, we will update this Policy and, where required, obtain your prior consent or rely on another applicable Article 22 GDPR ground.

13.Cookies & Similar Technologies

Our use of cookies, pixels, local storage, and similar technologies is governed by a separate Cookies Policy, which forms part of this Privacy Policy. The Cookies Policy explains what cookies are used, by whom, for how long, and how you can manage your preferences.

Under Article 22 LSSI-CE (Spanish Information Society Services law) and the EU ePrivacy Directive, we obtain your prior consent for all non-strictly-necessary cookies through our Cookie Consent Banner. You can revisit your preferences at any time via the "Cookie Settings" link in the website footer.

14.Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in the legal framework, or in the services we provide. The "Last updated" date at the top indicates when the Policy was last revised.

For material changes, we will provide reasonable advance notice — for example, by a banner on our website, by email (where we have your address), or both. Continued use of our services after the effective date of an updated Policy constitutes acknowledgement, but does not by itself constitute consent for any new processing that legally requires consent — for that, we will obtain a fresh opt-in.

15.Contact & Complaints

For any questions, requests, or complaints relating to this Privacy Policy or your personal data, please contact:

Privacy Office — Veos Pharmaceuticals, S.L.

Calle Núñez de Balboa, 35 A-5 Planta Oficina A1, 28001 Madrid, Spain

Email: privacy@veospharma.com

General: info@veospharma.com

Telephone: +34 911 925 649

Right to lodge a complaint with a supervisory authority. If you believe our processing of your personal data infringes applicable data-protection law, you may lodge a complaint with the supervisory authority of your habitual residence, place of work, or where the alleged infringement occurred.

In Spain, the supervisory authority is:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6 — 28001 Madrid, Spain
Telephone: +34 901 100 099 / +34 912 663 517
Web: www.aepd.es

For California residents, complaints may be filed with the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General's Office (oag.ca.gov/privacy).