Privacy policy
Because we care about protecting your data, we have made this privacy policy available, with important information on the subject.
We collect and use some personal data from users of our website. In doing so, we act as the data controller of that data and are subject to the provisions of Federal Law No. 13.709/2018 (General Data Protection Law – LGPD).
We take the protection of your personal data seriously and therefore provide this Privacy Policy, which contains important information about:
- Who should use our website;
- What data we collect and what we do with it;
- Your rights regarding your personal data; and
- How to contact us.
Who should use our website
The content of this website is intended for healthcare professionals and should only be used by individuals over eighteen years of age.
Data we collect and reasons for collection
Our website collects and uses some personal data from our users, as detailed below:
Personal data expressly provided by the user: we collect the following personal data that our users expressly provide when using our website:
- Name
- CRM
- Occupation
- Medical specialty
- State of residence
The collection of this data occurs at the following times:
- when a user registers on our website
- when a user registers for a digital or in-person event organized by MD Health
- when a user opts to receive our newsletter
The data provided by users is collected for the following purposes:
- so that they can participate in our events
- for directing content and event invitations aligned with the user's registration. For example, sending an invitation to an event related to the registered medical specialty.
Sensitive data: we will not collect sensitive data from our users. Therefore, there will be no collection of data regarding racial or ethnic origin, religious belief, political opinion, membership in a trade union or in a religious, philosophical or political organization, data concerning health or sex life, or genetic or biometric data, when linked to a natural person.
Cookies:
- Third-party cookies: some of our partners may set cookies on the devices of users who access our website. The purpose of this is to enable our partners to offer their content and services to the user in a personalized manner by obtaining browsing data from their interaction with the site. The user can obtain more information about third-party cookies by accessing the following links:
  - Google Analytics – https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=pt-br
  - Facebook – https://www.facebook.com/policies/cookies/
  - LinkedIn – https://www.linkedin.com/legal/cookie-policy?_l=pt_PT
The entities responsible for collecting cookies may transfer the obtained information to third parties.
- Cookie management: the user may refuse the registration of cookies on our website by disabling this option in their browser. More information on how to do this in some of the most commonly used browsers can be accessed through the links below:
  - Internet Explorer: https://support.microsoft.com/pt-br/help/17442/windows-internet-explorer-delete-manage-cookies
  - Safari: https://support.apple.com/pt-br/guide/safari/sfri11471/mac
  - Google Chrome: https://support.google.com/chrome/answer/95647?hl=pt-BR&hlrm=pt
  - Mozilla Firefox: https://support.mozilla.org/pt-BR/kb/ative-e-desative-os-cookies-que-os-sites-usam
  - Opera: https://www.opera.com/help/tutorials/security/privacy/
By disabling cookies, the user may affect the availability of some tools and functionalities on the website, compromising its operation. This may also remove any saved user preferences, negatively impacting the experience.
Collection of data not expressly provided for: other types of data not expressly provided for in this Privacy Policy may be collected, as long as they are provided with the user's express consent or the collection is permitted on another legal basis. In any case, the collection of data and the resulting processing activities will be communicated to the website users.
Sharing of personal data with third parties – we share some of the personal data mentioned in this policy with third parties. The data shared are:
- Name
- CRM
- Occupation
- Medical specialty
- State of residence
These data are shared for the following reasons and purposes:
- With supporters: to measure the progress of participants in educational programs
- With service providers, contractors, and representatives: we share user data with third-party companies that provide services to our company, such as payment processing, fraud prevention, data analysis, marketing and advertising services, email services, hosting, and customer support. These service providers may access the user's personal data and are obligated to use them only as directed by MD Health to provide the requested service.
In addition to the situations above, we may share data with third parties for the purposes described in this policy, as well as to comply with legal or regulatory requirements, or to comply with any order issued by a public authority. In any case, the sharing of personal data will comply with all applicable laws and rules, always seeking to ensure the security of our users' data in accordance with the technical standards employed in the market.
Retention period for personal data. Personal data are stored and used for the period necessary to achieve the purposes set forth in this policy, taking into account the rights of the data subjects, the rights of the website controller, and the applicable legal or regulatory provisions. Once the retention periods for personal data have expired, they are removed from our databases or anonymized, except in cases where storage is possible or necessary due to legal or regulatory provisions.
Legal bases for processing personal data: we process our users' personal data under the following conditions:
- with the consent of the data subject
- for the fulfillment of a legal or regulatory obligation by the controller
- when necessary to meet the legitimate interests of the controller or a third party
a. Consent
Certain operations involving the processing of personal data on our website will depend on the user's prior consent, which must be free, informed, and unequivocal.
The user may revoke their consent at any time, and if there is no legal basis that permits or requires the storage of the data, the data provided with consent will be deleted.
Furthermore, if desired, the user may disagree with any operation involving the processing of personal data based on consent. In such cases, however, it may not be possible to use some functionality of the website that depends on that operation. The consequences of not providing consent for a specific activity are communicated prior to processing.
b. Fulfillment of a legal or regulatory obligation by the controller
Some operations involving the processing of personal data, especially the storage of data, will be carried out so that we can comply with obligations provided by law or other regulatory provisions applicable to our activities.
c. Legitimate interest
For certain operations involving the processing of personal data, we rely exclusively on our legitimate interest. To learn more about the specific cases in which we use this legal basis, or to obtain more information about the tests we perform to ensure we can rely on it, please contact our Data Protection Officer through one of the channels mentioned in this Privacy Policy, in the "How to contact us" section.
User rights
The website user has the following rights, as provided by the Personal Data Protection Law:
- confirmation of the existence of processing;
- access to the data;
- correction of incomplete, inaccurate, or outdated data;
- anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with the law;
- data portability to another service or product provider, upon express request, in accordance with the regulations of the national authority, subject to commercial and industrial secrets;
- deletion of personal data processed with the data subject's consent, except in cases provided by law;
- information about the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and the consequences of refusal;
- revocation of consent, in cases where the processing of personal data is based on consent. In this case, the personal data may still be processed based on other legal grounds.
It is important to note that, according to the law, there is no right to deletion of data processed on legal bases other than consent, unless the data are unnecessary, excessive, or processed in non-compliance with the law.
Please note that exercising any of these rights will not render any previous data processing illegal.
How the data subject can exercise their rights
To ensure that the user requesting to exercise their rights is, in fact, the data subject, we may request documents or other information to assist in proper identification, in order to safeguard our rights and those of third parties. This will only be done if absolutely necessary, and the requester will receive all related information.
Security measures in the processing of personal data
We employ technical and organizational measures capable of protecting personal data from unauthorized access and from situations of destruction, loss, misplacement, or alteration.
The measures we use take into account the nature of the data, the context and purpose of processing, the risks that a potential breach would pose to the rights and freedoms of the user, and the standards currently employed in the market by companies similar to ours.
Among the security measures we have adopted, we highlight the following:
- our users' data is stored in a secure environment;
- we limit access to our users' data so that unauthorized third parties cannot access it;
- we use an SSL (Secure Sockets Layer) certificate, so that data transmission between users' devices and our servers is encrypted;
- we maintain records of all those who have had any form of contact with our data;
- we maintain an internal data privacy policy.
Although we take every measure within our power to prevent security incidents, it is possible that an issue may be caused exclusively by a third party, as in the case of hacker attacks, or by the user's exclusive fault, such as when they themselves transfer their data to a third party. Thus, although we are generally responsible for the personal data we process, we disclaim liability in the event of such exceptional situations beyond our control.
In any case, should any type of security incident occur that could pose a risk or cause significant damage to any of our users, we will notify those affected and the National Data Protection Authority in accordance with the provisions of the General Data Protection Law.
Complaint to a supervisory authority
Without prejudice to any other administrative or judicial recourse, data subjects who feel aggrieved in any way may file a complaint with the National Data Protection Authority.
Changes to this policy
This version of the Privacy Policy was last updated on: October 27, 2020.
We reserve the right to modify these terms at any time, especially to adapt them to any changes made to our website, whether through the provision of new functionalities or the modification of existing ones.
Whenever a change is made, our users will be notified about the update.
How to contact us
To clarify any questions about this Privacy Policy or about the personal data we process, please contact the Data Protection Officer through one of the channels mentioned below:
- Email: tecnologia@mdhealth.com.br