Privacy Policy

1. Introduction.

We are strongly committed to protecting individuals’ privacy, and therefore the protection of personal data is a priority for us.

We process data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights, and all other applicable regulations.

This Privacy Policy was reviewed in March 2026 in order to comply with the information and transparency duties applicable to the website and to the data controller in general, so that the controller’s general terms in this matter are available to any type of data subject, not only website users. Changes may occur until the next review.

2. Who is the controller of your personal data?

Controller: ISAK - INTERNATIONAL SOCIETY FOR THE ADVANCEMENT OF KINANTHROPOMETRY
Tax ID (NIF/CIF): G75578401
Address: AVENIDA JERÓNIMOS S/N, CÁTEDRA CINEANTROPOMETRÍA UCAM. 30107 GUADALUPE, MURCIA (SPAIN).
Email: info@isak.global

3. What is the source and what types of data do we process?

The information we process may come from any of the following sources:

  • Paper, electronic or digital forms.
  • Communication and messaging systems: email and messaging applications, telephone, etc.
  • Other lawful sources of information.

The different categories of data we may process, depending on the type of data subject (user, customer, supplier, employee, etc.), the nature of the controller’s activity and the different processing operations, include:

  • Identification data, e.g.: first and last name, image.
  • Identification codes or credentials, e.g.: username, employee code.
  • Postal or electronic contact details, e.g.: phone number, email, social media profile.
  • Personal and professional characteristics, e.g.: age, date of birth, qualifications, professional experience, CV.
  • Economic, financial and insurance data; e.g.: bank details, credit card, etc.
  • Payroll-related economic and non-economic data and other employment-related information; e.g.: job position, payslip document, etc.
  • Transaction data, e.g.: goods and services supplied and received.
  • Special category data, e.g.: health, trade-union membership, racial or ethnic origin.
  • Other data and information necessary or inherent to the development of our activities, services and purpose.
  • Source: Registration and continued use of the ISAK Metry measurement software by members.
  • Special category data (Health/Biometric): Anthropometric data, body mass history and physical measurements of third parties (patients/test subjects) entered by members into the ISAK Metry software.

MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE DATA SUBJECT.

By ticking the relevant boxes and entering data in the fields marked as mandatory (for example, with an asterisk) in the contact form or provided in download forms, the data subject expressly and freely agrees that their data is necessary for the controller to handle their request, while the inclusion of data in the remaining fields is voluntary.

The data subject guarantees that the personal data provided to the controller is truthful and undertakes to communicate any changes. The data requested through the website and marked as mandatory is necessary to provide an optimal service. If all the required data is not provided, we cannot guarantee that the information and services delivered will fully meet the data subject’s needs.

4. For what purposes do we process your personal data?

In general, data is processed in order to successfully carry out actions inherent to the normal development and management of the controller’s activity. We may specify different processing purposes depending on the possible categories of data subjects:

  • Customers and prospects: management and maintenance of commercial, pre-contractual and contractual relationships; internal administration; financial management; advertising and marketing; customer service.
  • Collaborators, creditors and suppliers: management and maintenance of business relationships, internal administration and financial management.
  • Members and ISAK Metry users: onboarding/registration, membership maintenance, course enrolment and technical support. In addition:
    • Public directory: If a member reaches instructor level, their first and last name, country, city, ISAK level, photograph and email address will be published in the website directory in order to provide visibility of their accreditation and enable students to contact them. The instructor may configure the visibility of their email from their private area.
    • Quality Surveys: Management of mandatory satisfaction surveys after each course; responses (not linked to the student) will be shared with the evaluated instructor and the ISAK Secretariat for quality control.
  • Employees: management, development and maintenance of the employment relationship; human resources management; communications; training activities; occupational risk prevention; working time recording; and other purposes arising from legal obligations and employment relationship management.
  • Candidates: management of received CVs, job offers and recruitment processes.
  • Website and social media users: user support and management of communications between the parties.
  • Visitors: visitor support and access control to facilities.
  • Any other category of data subjects processed by the controller will be processed within the scope of its activity, in strict compliance with applicable rules and under the general criteria of this Privacy Policy.
  • Participants in in-person courses and events: administrative and organizational management of the event. Occasionally, images or videos may be captured during training activities for dissemination through ISAK’s official channels and social networks for informational and institutional purposes, requiring the express consent of attendees through the relevant registration forms.

Other general purposes that the controller may implement include:

  • Creation of a commercial profile to improve your experience by personalizing offers and communications. No individualized decisions will be made based on such profile and processing will be carried out under legitimate interest.
  • Video surveillance for the security of property and persons, as well as the corresponding labour control, based on legitimate interest.
  • Telephone recordings to record communications for security, assurance and service quality, based on legitimate interest.
  • Financial management and control of monetary obligations. In the case of debtors with certain, due and payable outstanding debts, the controller may communicate this circumstance to creditworthiness/debtor files and debt recovery services, among others, based on legitimate interest.
  • Communications: development and execution of communications through available contact details and channels (email, instant messaging, etc.) with internal data subject categories (employees) and external categories (customers, prospects, collaborators, suppliers, etc.). The purposes of such communications may be informational, organizational, commercial and advertising-related, as applicable, based on informed consent and the controller’s legitimate interest.
  • Other purposes derived from the nature of the controller, motivated by the normal development and exercise of its activity, under a valid legal basis.

5. Use of the ISAK Metry software and role allocation.

With regard to the personal and anthropometric data of subjects or patients entered into ISAK Metry by members, it is expressly established that:

The member who enters the data acts as the Data Controller and has the exclusive obligation to obtain explicit and informed consent from the measured subjects (or their legal guardians in the case of minors) to store their data on ISAK’s online platform.

ISAK acts solely as a Data Processor, limited to providing the technological infrastructure (software as a service) for storage and automatic report generation, without using such data for its own purposes. This relationship is governed by the Terms of Use and the corresponding Data Processing Agreement accepted by the member when accessing the tool. ISAK is not responsible for the accuracy, quality, or lawfulness of the data entered by members.

6. How long will we keep your data?

In general, personal data will be kept at least for as long as a relationship with the data subject exists, until deletion is requested, as long as liabilities may arise, or as required by applicable retention obligations.

As regards candidates and job applicants, their data will be deleted immediately when they are no longer of interest to the controller.

The controller maintains, within its data protection plan, an inventory of retention periods used to manage the different applicable retention timeframes.

Data will be deleted in all cases while ensuring its confidentiality.

7. What is the legal basis for processing your data?

The controller observes and applies the different legal bases that are applicable to each processing purpose:

  • a) The data subject’s informed consent.
  • b) Pre-contractual or contractual commitments.
  • c) The controller’s legitimate interest.
  • d) Applicable legal obligations.
  • e) Other legally established legal bases.

8. To which recipients will your data be disclosed?

Data will not be disclosed to any third party by default, except for: a) auxiliary services, authorized processors or other necessary third parties implicitly required for the proper provision of goods and services; b) competent authorities and public administrations in the exercise of their functions; c) other legitimate interested parties and third parties as provided by law.

International Data Transfers. Due to ISAK’s international nature and the global location of its members, instructors and technology infrastructure providers (e.g., servers hosted in Azure/Microsoft), personal data may be transferred, stored and processed in countries outside the European Economic Area (EEA). Where international transfers are made to territories without an adequacy decision by the European Commission, ISAK ensures appropriate safeguards are applied, such as the execution of Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring that data remains protected at a level equivalent to that required under EU regulations.

9. What rights do you have when you provide us with your data and/or we process your data?

As a data subject, you may request at any time the exercise of any of the following rights under data protection regulations:

  • Access to your personal data to confirm whether data concerning you is being processed and to obtain further information about such processing.
  • Rectification or erasure of personal data concerning you when, among other reasons, it is inaccurate or no longer necessary for the purposes for which it was collected.
  • Restriction of processing in certain circumstances, in which case data will only be kept for the establishment, exercise or defence of legal claims, for the protection of another person’s rights, or for reasons of public interest.
  • Receive the personal data concerning you that you have previously provided to us, in a structured format where possible (data portability).
  • Object to the processing of your data in certain circumstances and for reasons related to your particular situation. The controller will stop processing unless it demonstrates compelling legitimate grounds, or for the establishment, exercise or defence of legal claims.
  • Withdraw your consent, which may result in the termination or cancellation of any existing contractual or business relationship, if applicable, without affecting processing carried out prior to withdrawal.

To do so, simply contact us via the email or postal address indicated above.

Optionally, you may also contact our appointed Data Protection Officer (if applicable), or your Data Protection Authority to learn more about your rights or to request protection by the supervisory authority.

10. Data security.

We implement the technical and organizational measures necessary to ensure an appropriate level of confidentiality, integrity, availability and resilience of data in order to protect the rights and freedoms of data subjects.

The controller complies with the provisions and principles described in the GDPR to process data in a lawful, fair and transparent manner in relation to the data subject, and in a manner that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

However, to the extent permitted by law, we do not assume any liability for damages arising from alterations that third parties may cause in our information systems. Any security breach will be duly and immediately reported to the competent authority and/or law enforcement agencies, where applicable.

11. Sending communications or information.

Our policy regarding the sending of information through electronic means (email, instant messaging, etc.) is limited to sending only communications that we consider of interest to our users and data subjects, related to the entity’s functions and activities, or that you have consented to receive.

If you prefer not to receive these messages, we will provide you with the possibility to exercise your right to opt out and renounce receiving such messages, in accordance with Title III, Article 22 of Law 34/2002 on Information Society Services and Electronic Commerce.

12. Social networks.

The controller may be present on social networks through the corresponding profiles. This section and any legal and privacy terms available on the website will apply to the processing of data of users or data subjects who follow or otherwise connect with such profiles.

The purposes of these profiles include communication, business development, marketing and advertising, handling inquiries submitted to the controller and user support, informing about actions, activities and events organized by the controller or in which it participates, and interacting through official profiles.

The legal bases described above are complemented here because the user or data subject may have a profile on the same social network and has decided to join or connect with the controller’s profile, thus showing interest in the information published by the controller. Therefore, when following the controller’s profiles, the user provides their consent to the processing of the data available in their profile.

The user may access at any time the privacy policies and terms of the relevant social network, as well as configure the privacy settings available for their profile. Content published by the user will be visible to other users; therefore, the user is primarily responsible for their own privacy.

Users who follow and/or participate in our profiles shall refrain from:

  • a) Posting content or information contrary to laws, morality, and good faith. Any unlawful, annoying, inappropriate use or behaviour that could generate negative opinions on the profile or infringe individuals’ rights is not permitted.
  • b) Behaving contrary to the principles of legality, honesty, responsibility, protection of human dignity, protection of minors, protection of public order, protection of private life, consumer protection, and intellectual and industrial property rights.

The controller reserves the right to remove any content deemed inappropriate without prior notice. Likewise, the controller shall not be liable regarding the security measures of each platform, and the user must be aware of them together with the platform’s own legal terms and conditions of use.

The controller shall be expressly exempt from any liability arising from the use of social networks by minors or persons with special capacities. The controller’s social networks do not knowingly collect personal information from minors; therefore, if the user is underage, they must not register, use the controller’s social networks, or provide any personal information. In Spain, a minor’s personal data may only be processed from the age of 14. Moreover, where required by law or regulation, or where the user has special capacities, the intervention of the holder of parental authority/guardianship or their legal representative will be required through a valid document evidencing representation.

13. Employment and candidate management.

Individuals interested in job opportunities offered by the controller may provide their data and professional information through different channels, preferably through existing forms, email addresses, and other means available for this purpose, where applicable.

This data will be processed in accordance with the privacy terms set forth herein for the purpose of managing applications to possible job offers, internships and training of the controller entity and any affiliates or third-party entities belonging to the same organization, where existing and applicable.

Processing will be carried out based on the data subject’s informed consent or another valid legal basis.

The data provided, if it is not of professional interest to the entity or once it is no longer necessary for the purposes for which it was collected, will be deleted while ensuring confidentiality and anonymization.

Any data subject may withdraw their consent and exercise their privacy rights in accordance with the terms set out in this privacy policy.