Privacy Notice for the CARAMEL Self-Assessment App
Last updated: APRIL 2026
What is this notice about?
This privacy notice explains how personal data are used when you participate in the CARAMEL research study (“Study”, “Project”) and use the following digital tool:
• CARAMEL Self-Assessment App
The CARAMEL study is a Horizon Europe research project funded by the European Union (Grant Agreement No. 101156210).
The project is coordinated by VICOM (Fundación Centro de Tecnologías de Interacción Visual y Comunicaciones).
The aim of the CARAMEL project is to support cardiovascular disease prevention in women during menopause through research and data analysis.
This notice applies to women using the CARAMEL Self-Assessment App.
The CARAMEL Self-Assessment App is made available to the general public.
Who is responsible for your data?
The Study is carried out by a consortium of research partners (see Partners - CARAMEL),
who act as joint controllers because they jointly determine why and how your data are used within the Study.
These partners have signed a Joint Controllers Agreement that sets out their respective responsibilities for
protecting your data and handling your rights. The essence of this arrangement may be made available upon request.
The joint controllers remain independently responsible for ensuring that processing activities falling within
their respective roles comply with the applicable data protection law.
Who manages the App?
For the tool described in this notice, the main responsible partner is:
PARTICLE SUMMARY (PARTICLE)
Rua da Venezuela N 29 14 E
1500-618 Lisbon, Portugal
Responsible for the CARAMEL Self-Assessment App
Who can you contact?
If you have questions or want to exercise your data protection rights, you can contact:
For the CARAMEL Self-Assessment App (PARTICLE)
- Marco Manso: marco@particle-summary.pt
- Bárbara Guerra: barbara@particle-summary.pt
What is the CARAMEL app used for?
The CARAMEL Self-Assessment App is a web-based mobile application.
What does the CARAMEL Self-Assessment App do?
The CARAMEL Self-Assessment App allows you to complete a structured cardiovascular self-assessment questionnaire
and to visualise your personalised risk indicators generated from your responses.
Also, it allows you to visualise the CVD risk awareness and prevention materials in the CVD Prevention Portal.
The data you enter into the CARAMEL App help researchers better understand cardiovascular health in menopausal women.
They are automatically and securely transmitted to the CARAMEL Data Lake.
Is this app a medical tool?
No. The CARAMEL Self-Assessment App does not provide medical diagnosis and does not replace professional medical advice. Any information or indicators presented within the application are generated for research and informational purposes only.
How does the data move inside the Project?
When you enter information in the app:
- Your data are securely transmitted to the CARAMEL Data Lake, the Project’s secure data infrastructure.
- The Data Lake is hosted by VICOM in Spain.
- It is operated within the project infrastructure by TREE.
- Analytical processing and research calculations take place there.
Does the app track me or include advertising tools?
No.
The CARAMEL Self-Assessment App:
- does not include advertising technologies,
- does not use commercial tracking tools,
- does not contain third-party marketing analytics.
The Self-Assessment App is also intended to provide informational and awareness functionalities to users.
What personal data are collected?
Some data are entered directly by you, while other data are generated by the research system based on your inputs.
What identification information is collected?
No identification information is collected by the CARAMEL Self-Assessment App.
What demographic information is collected?
You may be asked to provide:
- your country.
What health-related information is collected?
The app may collect information such as:
- responses to a CVD risk self-assessment questionnaire.
Are any results generated from my data?
Yes.
Based on the information you provide, the research system may generate cardiovascular risk indicators or scores.
These are calculated within the secure project infrastructure and are used for research purposes only.
What technical information is collected?
To keep the system secure and functioning properly, some technical data may also be recorded, such as:
- access logs,
- timestamps.
The CARAMEL Self-Assessment App is publicly accessible and does not require user registration or login credentials.
Why are your data used?
Your personal data are used for the following purposes:
- conducting the CARAMEL research study in accordance with the approved study protocol;
- collecting and analysing health and lifestyle data for cardiovascular disease prevention research;
- generating research-based cardiovascular risk indicators;
- operating, securing and maintaining the app and research infrastructure;
- managing secure user access;
- providing access to study information, materials and research outputs;
- ensuring compliance with legal, regulatory and funding obligations applicable to Horizon Europe projects.
What legal basis allows the Study to use your data?
Processing related to participation in the CARAMEL Study is based on your explicit consent pursuant to Articles 6(1)(a) and 9(2)(a)
GDPR, as documented in the study informed consent form.
Processing related to the CARAMEL Self-Assessment App is carried out in accordance with applicable data
protection law and may rely on different legal bases, including user consent, where required.
This applies especially to the processing of health-related data.
Some technical processing strictly necessary for the operation, security and integrity of the app may also be based on:
- legal obligations, or
- legitimate interests in maintaining secure systems.
Are automated analyses used?
Yes, some data collected may be analysed using statistical or algorithmic methods to generate cardiovascular risk indicators for research purposes.
These analyses serve research and decision-support purposes only. No automated processing produces legal effects
concerning you, nor does it similarly significantly affect you. You are not subject to a decision based solely on
automated processing within the meaning of Article 22 GDPR.
The CARAMEL Self-Assessment App provides a risk assessment based on the information you
enter into the questionnaire. The feedback is provided under the responsibility of DCU and is developed
in coordination with clinical experts within the CARAMEL Consortium. The output is informational in nature and does
not constitute a medical diagnosis or clinical decision.
Who can access your data?
Your personal data may be accessible to authorised members of the CARAMEL consortium, in accordance with their role in the project, but only when it is strictly necessary for the study.
Key roles include:
- PARTICLE - developer and hosting provider of the App;
- VICOM - hosting provider of the CARAMEL Data Lake and credential management administrator;
- TREE - operator of the CARAMEL Data Lake infrastructure;
- SIT - developer and hosting provider of the CVD Prevention Portal;
- Clinical research partners participating in the study;
- Technical partners developing the CARAMEL AI models.
Your personal data are never shared for commercial or marketing purposes.
Your personal data will not be sold, rented, or otherwise disclosed to third parties outside CARAMEL, except where required by applicable law or strictly necessary for the secure operation of the CARAMEL Tools.
Are your data transferred outside Europe?
Your personal data collected through the CARAMEL Tools are stored and processed within the European Economic Area (EEA).
Access to pseudonymised data by authorised consortium partners established outside the EEA may occur strictly in accordance with the GDPR.
In particular, access by partners established in Israel may rely on the European Commission adequacy decision recognising Israel as providing an adequate level of data protection.
No transfer to Colombia is planned. If any future transfer becomes necessary, appropriate safeguards such as EU Standard Contractual Clauses will be used.
How long are your data kept?
Access to the CARAMEL Self-Assessment App will be freely provided without restrictions, including after the end of the project.
Personal data collected through the CARAMEL Self-Assessment App may be retained beyond the periods stated above where necessary to:
- ensure the scientific integrity and reproducibility of the study results,
- allow verification and auditing of research findings,
- comply with legal obligations and EU funding rules.
We regularly review how long the data need to be kept.
How are your data protected?
The project uses strong technical and organisational measures, including:
- pseudonymisation of research data before further processing within the project infrastructure,
- encryption of personal data in transit and storage,
- role-based access control limiting access to authorised personnel,
- system logging and monitoring,
- secure hosting of the CARAMEL Data Lake within the EU,
- backup and disaster recovery procedures.
We use appropriate security measures to protect your data. We regularly review and update these measures to help keep your data secure.
What rights do you have over your data?
Under the GDPR, you have the right to:
- access your personal data;
- request correction of inaccurate or incomplete data;
- request deletion of your personal data, where applicable;
- request restriction of processing;
- data portability, where applicable;
- withdraw your consent at any time.
To exercise your rights, you may contact:
PARTICLE:
- Marco Manso: marco@particle-summary.pt
- Bárbara Guerra: barbara@particle-summary.pt
Can this privacy notice change?
Yes.
This privacy notice may be updated if there are changes to the CARAMEL Self-Assessment App,
the study protocol or applicable legal requirements.
If important changes occur, you will be informed through appropriate communication channels,
including publication within the App, the Portal, or the project website.
If important changes affect how your personal data are used, you may be asked to confirm that
you have read the updated notice in the App and/or Portal, where this is technically possible.