Medical Harbour – Privacy Policy

We at Medical Harbour, a company of the AFYA Group, have prepared this Privacy Policy to inform users of our services about how we collect, store, protect, and use their Personal Data.

The privacy of your information is of great importance to us, and for this reason, we follow strict policies for the Processing of Personal Data, in compliance with applicable legal and regulatory standards, with the aim of ensuring and respecting your privacy and providing transparency regarding the processes carried out with your Personal Data.

Through this Privacy Policy, we present the general guidelines related to the Processing of Personal Data of our users and potential users of the services offered by Medical Harbour, including users of websites or other channels operated by the group.

Conditions

The user agrees that Medical Harbour is not a medical company, but rather a provider of technology services applied to health. The acquisition of medical images and the preparation of medical reports, as well as the communication of findings from images or reports to the patient and responsible doctor(s), are the exclusive responsibility of the doctor, hospital or clinic and never of Medical Harbour.

1. PURPOSE OF THIS PRIVACY POLICY

COMMITMENT TO PRIVACY

Reinforce our commitment to privacy and security in the Processing of Personal Data;

SIMPLE AND TRANSPARENT

Demonstrate, in a simple and transparent manner, which Personal Data we process, the reason for processing and the method used to collect, store, process, transfer and consult said data;

EXERCISE OF RIGHTS

Describe your rights related to Personal Data and how these rights can be exercised;

DATA PROTECTION

Present how we protect your Personal Data.

2. WHAT CONCEPTS ARE IMPORTANT FOR UNDERSTANDING THIS PRIVACY POLICY?

We know that some terms used in this Privacy Policy may not be common in your day‑to‑day life. Therefore, we have prepared a small glossary to consult their definitions:

  • Processing Agents: the agents responsible for the Processing of Personal Data, namely the Controller and the Operator;
  • Anonymization: a technique whereby data loses the possibility of direct or indirect association with an individual, making it impossible to identify the holder of the anonymized data;
  • ANPD: the National Data Protection Authority, a federal public administration body with responsibilities related to the protection of Personal Data and privacy, including oversight of compliance with the LGPD throughout Brazil;
  • Consent: the free, informed, and unequivocal expression by which the Data Subject agrees to the Processing of their Personal Data for a specific purpose;
  • Controller: refers to the natural or legal person responsible for decisions regarding the Processing of Personal Data;
  • Cookies: files sent by the website server to the user's computer to identify the device and obtain access data, such as pages visited or links clicked, allowing personalized site usage according to the user's profile;
  • Personal Data: all information that allows the identification of a natural person directly or that can make that person identifiable. Examples include name, address, CPF, RG, email, ID documents, phone number, internet access records (date and time of use, IP address), among others;
  • Sensitive Data: Personal Data related to racial or ethnic origin, religious beliefs, political opinions, union membership, or affiliation to religious, philosophical, or political organizations, health or sexual life data, genetic or biometric data linked to a natural person;
  • Device: any electronic device used by the User to access products and services offered by Medical Harbour, such as desktops, laptops, TVs, mobile phones, tablets, smartphones, and/or other internet-connected devices;
  • Data Protection Officer: the person designated by the Processing Agents to act as a communication channel between the Controller, Data Subjects, and the ANPD, ensuring compliance with data privacy laws and regulations. Contact information for Medical Harbour's Data Protection Officer is available in section 12 of this Privacy Policy;
  • IP Address: the number assigned to each Device connected to the internet, known as Internet Protocol (IP) address. These numbers are usually assigned in geographic blocks and can be used to identify the location from which a Device is connecting;
  • Geolocation: a feature that, when enabled by the User, allows the precise or approximate location of a Device, providing information such as country, state, city, and street, along with the access time;
  • LGPD: refers to the General Data Protection Law, Federal Law No. 13.709, published on August 14, 2018, which regulates the Processing of Personal Data, including in digital media, by natural or legal persons, public or private, aiming to protect fundamental rights of freedom, privacy, and the free development of the personality of the natural person. The full content of the LGPD can be accessed at: L13709 (planalto.gov.br);
  • Logs: records of user activities performed on the website;
  • Operator: the natural or legal person who processes Personal Data on behalf of the Controller, following its instructions;
  • Platform: the electronic platform or website owned by Medical Harbour;
  • Sites: any web page under the domain of Medical Harbour;
  • Session ID: identification of the user's session while using the website;
  • User: anyone who uses the website;
  • Data Subject: the natural person to whom the Personal Data being processed refers;
  • Processing: any operation performed with Personal Data, whether automated or not. This includes collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, archiving, deletion, evaluation, modification, communication, transfer, dissemination, or extraction;

If you still have questions after reading the definitions above, please contact us through the support channel indicated in section 12 of this Privacy Policy;

Accessing, browsing, and using the Web to access the institutional website and social media of Medical Harbour implies express and unconditional acceptance of all items contained in this “Policy”, which is reflected in the “Consent Form” made available to the user, whose validity and effectiveness are equivalent to any written and signed contract. Compliance will apply to anyone who accesses, browses, or uses the Web to access the site or social media of Medical Harbour. Therefore, if you do not agree with these Terms of Use or fail to comply with them for any reason, you must immediately stop browsing and refrain from using the Web to access Medical Harbour's websites.

3. HOW DO WE COLLECT YOUR PERSONAL DATA?

  1. 3.1. Method of collecting User Personal Data: The user's Personal Data may be collected through website registration, participation in events, interactions with various tools available on the website or app, voluntary information submission, and contact through communication channels available on the website;
  2. 3.2. Method of collecting Potential User Personal Data: The Personal Data of Potential Users may be collected through participation in events, both in-person and/or virtual, registration forms, questionnaires, attendance lists, and similar occasions related to the promotion of products and services by Medical Harbour;
  3. 3.3. Personal Data automatically collected via Platform: We may collect certain files and/or information stored on your Devices when you visit Medical Harbour's websites and/or use any online service or product from Medical Harbour. These files or information are called “cookies” and are used to facilitate and optimize the use of our websites according to your interests, preferences, and needs. If desired, cookies can be disabled through the browser settings used to access the Platforms;
  4. 3.4. Personal Data automatically collected via Platform: The User may, at any time, request specific information about the Processing of their Personal Data by Medical Harbour through the support channel indicated in section 12 of this Privacy Policy;

4. WHAT PERSONAL DATA ARE PROCESSED?

Personal Data / Sensitive Data processed:

  • User: Full name, email, phone and WhatsApp, username and password specific to access Medical Harbour's platforms; job title; verbal and written communication between the user and Medical Harbour;
  • Potential User: Name, email, job title, and phone number;
  • Personal Data automatically collected by Platforms: User's browser, IP address, date and time of access, geolocation, operating system of the Device used, and User actions on the Platforms;

  1. 4.1. Additionally, Medical Harbour is authorized to make decisions regarding the processing and to carry out the processing of the following data entered by the user, with the intention of obtaining the services offered by Medical Harbour: distribution of institutional material via email and social media; photographs posted on public social networks to enable interaction between Medical Harbour and the user;
  2. 4.2. Medical Harbour commits to using the minimum necessary information to achieve the intended Processing purpose, limiting itself to the use of relevant, proportional, and non-excessive data;
  3. 4.3. Medical Harbour may collect other Personal Data and/or Sensitive Data from the Data Subject, as necessary to fulfill the purposes outlined in section 6 below and always in accordance with the criteria and procedures established by the LGPD;
  4. 4.4. You may, at any time, request specific information about which Personal Data is being processed by Medical Harbour through the support channel indicated in section 12 of this Privacy Policy;

5. WHAT ARE THE PURPOSES FOR THE PROCESSING OF PERSONAL DATA?

The processing of the personal data listed in this Policy serves the following purposes:

  • Perform any communication resulting from the site’s own activity or the identification of the respective recipient;
  • Respond to any questions and requests from the user;
  • Provide access to the restricted area of the site or its exclusive functionalities;
  • Comply with a legal or judicial order;
  • Establish, defend, or exercise rights regularly in judicial or administrative proceedings;
  • Enable Medical Harbour to keep user records updated for authorized contact via phone, email, SMS, direct mail, or other communication methods, and to promote customer service activities for service or commercial relationship purposes;
  • Enable Medical Harbour to develop general statistics to identify user profiles and create advertising campaigns;
  • Enable Medical Harbour to structure, test, promote, and advertise services, personalized or not, according to the user's profile;
  • Enable Medical Harbour to use such data in market research;
  • Enable Medical Harbour to use such data in its communication materials;
  • Enable Medical Harbour to use such data for contract preparation, invoice issuance, tax documents, and related financial documents, enabling billing for services provided;
  • Medical Harbour generates statistical reports on trends, usage, behavior analysis, and associations. Medical Harbour may use account data as part of an aggregated dataset in publishing these trend statistics and associations (e.g., Medical Harbour found that a certain group of specialist doctors uses some modalities more than others). These aggregated data do not contain any personally identifiable information;
  1. 5.1. The user’s information may be used in other services provided directly by Medical Harbour, respecting the purposes set out above;
  2. 5.2. You may, at any time, request specific information about the Processing of your Personal Data by Medical Harbour through the support channel indicated in section 12 of this Privacy Policy;

6. WHAT ARE THE LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA?

  1. 6.1. According to the LGPD, the Processing of Personal Data may be carried out:
    1. (i) With the consent of the Data Subject;
    2. (ii) To comply with legal or regulatory obligations by the Controller;
    3. (iii) By public administration, for the processing and shared use of data necessary for the implementation of public policies provided for in laws and regulations or supported by contracts, agreements, or similar instruments;
    4. (iv) For research studies conducted by research institutions;
    5. (v) When necessary for the execution of a contract or preliminary procedures related to a contract;
    6. (vi) For the regular exercise of rights in judicial, administrative, or arbitration proceedings;
    7. (vii) For the protection of life or physical safety of the Data Subject or third parties;
    8. (viii) For health protection, exclusively in procedures carried out by healthcare professionals, health services, or health authorities;
    9. (ix) When necessary to meet the legitimate interests of the Controller or third parties;
    10. (x) For credit protection.
  2. 6.2. Sensitive Data, in turn, pose greater risks to the Data Subject and have specific legal bases for their Processing as provided by the LGPD, which are:
    1. (i) The Consent of the Data Subject or their legal guardian;
    2. (ii) Without Consent, in cases where Processing is essential for:
      1. (ii.i) compliance with legal or regulatory obligations by the Controller;
      2. (ii.ii) shared processing of data necessary for the implementation of public policies by public administration, as provided in laws or regulations;
      3. (ii.iii) research studies conducted by research institutions;
      4. (ii.iv) the regular exercise of rights, including in contracts and judicial, administrative, and arbitration proceedings;
      5. (ii.v) the protection of life or physical safety of the Data Subject or third parties;
      6. (ii.vi) health protection, exclusively in procedures carried out by healthcare professionals, health services, or health authorities;
      7. (ii.vii) ensuring fraud prevention and security of the Data Subject during electronic system registration authentication processes.
  3. 6.3. All Personal Data and/or Sensitive Data Processing carried out by Medical Harbour is legitimized by one of the legal bases listed above. To ensure compliance, we periodically review our processes, considering their context, risks, and benefits to the User. Additionally, we maintain records of all our Processing operations, which may be subject to clarification requests by the Data Subject or competent public authorities.
  4. 6.4. It is important for you to be aware that, as detailed in items 6.1 and 6.2 of this Policy, we do not always need your Consent to use your Personal Data. As explained above, there are situations in which, for various reasons, we may use your information without your Consent (for example, if we are legally required to use your Personal Data or if we need it for contractual purposes).
  5. 6.5. However, whenever we need your Consent to use your Personal Data for a specific purpose, you will be informed before any data collection. At that time, we will clearly explain why we need your Personal Data, and you may choose whether or not to provide it.
  6. 6.6. If you choose to provide your Consent for the stated Processing purpose, we will formalize your expression of will through the signing and/or acceptance of a document describing the situation. If you choose not to provide your Consent, we will inform you of the consequences of this refusal.
  7. 6.7. You may, at any time, revoke the Consent previously provided to Medical Harbour by express request through the support channel indicated in section 12 of this Privacy Policy.

7. WITH WHOM MAY WE SHARE YOUR PERSONAL DATA?

  1. 7.1. To achieve the purposes described in section 5 of this Privacy Policy, your Personal Data may be shared with certain recipients, such as:
    1. (i) Legal entities that are part of Medical Harbour, when necessary for the proper provision of services and/or supply of products by Medical Harbour;
    2. (ii) Our business partners and service providers, when necessary to enable the services provided by Medical Harbour, such as providers of (i) software licensing, (ii) infrastructure and technology for platform operations, (iii) cloud computing, (iv) research, analysis, and evaluations, (v) external audits, (vi) marketing and advertising platforms, (vii) financial services, (viii) collection services, (ix) recruitment and selection, (x) event, fair, and workshop organization;
    3. (iii) Public agencies and competent authorities, when necessary to comply with legal and/or regulatory obligations and/or for the regular exercise of rights by Medical Harbour in arbitration, administrative, or judicial proceedings.
  2. 7.2. Call Centers, Advertising Agencies, Banks, Collection Offices, Protest Registries, and Credit Protection Agencies, if necessary for the purposes listed in this policy, in accordance with the principles and guarantees established by Law No. 13.709.
  3. 7.3. The service providers mentioned in item (iii) above are contracted by Medical Harbour as Personal Data Operators.
  4. 7.4. To ensure maximum security in commercial relationships involving Personal Data Processing, Medical Harbour certifies, prior to contracting an Operator, that they have adequate technical, legal, and organizational structures compatible with strict governance, security, and data privacy standards.
  5. 7.5. Processors will only be authorized to process Personal Data upon receiving lawful instructions from Medical Harbour, which will be provided in strict compliance with the provisions of this Privacy Policy and the LGPD.
  6. 7.6. Any sharing of Personal Data will be carried out in the minimum necessary form to achieve a legitimate purpose, in accordance with the security and confidentiality standards established by the LGPD and other applicable laws, regulations, and standards related to Personal Data protection and privacy.
  7. 7.7. In cases where Personal Data has been collected with Consent, Medical Harbour commits to obtaining your specific Consent for the purpose of sharing Personal Data with other Controllers and Operators, except in cases where Consent is not required under the LGPD.
  8. 7.8. You may, at any time, request specific information about the third parties with whom Medical Harbour shares your Personal Data, through the support channel indicated in section 12 of this Privacy Policy.

8. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE BRAZIL:

Medical Harbour may transfer your Personal Data to business partners and/or service providers located outside Brazil, such as cloud document storage providers or educational institutions involved in academic exchanges and/or cooperation with our Students. Whenever it is necessary to transfer Personal Data abroad, we will take all necessary measures to ensure the proper protection and security of all information, within the limits established by the LGPD and other applicable laws, regulations, and standards related to Personal Data protection and privacy.

9. HOW LONG DO WE STORE YOUR PERSONAL DATA?

  1. 9.1. All data and information collected from users will be incorporated into the database of Medical Harbour, which will be its controller and owner. The collected data and information will be stored in a secure environment, in accordance with the current state of the art, and may only be accessed by qualified and authorized personnel of Medical Harbour. Furthermore, Medical Harbour affirms that it will not share, sell, or disclose user data to third parties who are not directly involved in its processes for the purposes stated in this policy.
  2. 9.2. The Personal Data provided by you to Medical Harbour is stored on proprietary or contracted servers, nationally or internationally, for a period defined according to:
    1. (i) the period required by law;
    2. (ii) the time necessary to achieve the purpose of Personal Data Processing, as listed in section 5 of this Privacy Policy;
    3. (iii) the time necessary to preserve the legitimate interest of Medical Harbour, as applicable;
    4. (iv) the time necessary to safeguard the regular exercise of rights by Medical Harbour in judicial, administrative, or arbitration proceedings, including in accordance with applicable limitation periods.
  3. 9.3. Except in cases where legislation authorizes the retention of your Personal Data by Medical Harbour, it will be deleted when:
    1. (i) the purpose of Processing is achieved;
    2. (ii) the Personal Data is no longer necessary or relevant for the specific intended purpose;
    3. (iii) the User exercises their right to revoke Consent, through express communication and in applicable cases;
    4. (iv) there is a determination by the ANPD, in case of LGPD violation.
  4. 9.4. You may, at any time, expressly request the deletion of your Personal Data stored by Medical Harbour based on your Consent, through the support channel indicated in section 12 of this Privacy Policy.
  5. 9.5. Medical Harbour commits to making its best efforts to respond to all Personal Data deletion requests as quickly as possible, provided they are permitted under applicable law.

10. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

  1. 10.1. You, as the holder of Personal Data, have a series of rights provided by the LGPD:
    1. (i) Confirmation of the existence of Processing: you may request Medical Harbour to confirm whether your Personal Data is being processed.
    2. (ii) Access to Personal Data: you may request access to your Personal Data under Processing. In this case, Medical Harbour will provide, electronically or physically, a copy of your stored Personal Data. Medical Harbour cannot provide Personal Data of other Users and/or third parties.
    3. (iii) Correction or update of Personal Data: you may request correction or update of your Personal Data when it is inaccurate, incomplete, or outdated. Before updating your Personal Data, Medical Harbour may request documents and/or information to verify the data provided.
    4. (iv) Request anonymization, blocking, or deletion of Personal Data: you may request that unnecessary, excessive, or unlawfully processed Personal Data be anonymized, blocked, or deleted from Medical Harbour's database.
    5. (v) Portability of Personal Data: you may request the migration of your Personal Data collected by Medical Harbour to another organization after regulation by the ANPD.
    6. (vi) Deletion of Personal Data: you may request the deletion of your Personal Data processed by Medical Harbour based on your Consent, at any time, through a free and easy request. Personal Data will not be deleted in cases where retention is authorized by the LGPD.
    7. (vii) Information about the sharing of Personal Data: you may request information about the sharing of your Personal Data with third parties.
    8. (viii) Information about the possibility of not providing consent: you may request information about the possibility of not providing Consent for the Processing of your Personal Data by Medical Harbour, in which case Medical Harbour will inform you of the consequences of such refusal, which may prevent the provision of certain products and services.
    9. (ix) Revocation of Consent: you may revoke the Consent given to Medical Harbour for the Processing of Personal Data for specific purposes at any time. It is important to note that revocation does not imply deletion of Personal Data retained under other legal grounds.
    10. (x) Objection to Processing: you may object to the Processing of Personal Data by Medical Harbour based on legal grounds that do not require Consent and that conflict with LGPD provisions.
    11. (xi) Report to ANPD and consumer protection agencies: you may report to ANPD and/or consumer protection agencies any incidents related to your Personal Data.
    12. (xii) Revision of automated decision: you may request Medical Harbour to review decisions made solely based on automated Processing of Personal Data that affect your interests, including decisions aimed at defining your personal, professional, consumption, credit profile, or personality traits.
  2. 10.2. To exercise the rights described above, you may use the data subject support channel Data Subject Request, available on the Medical Harbour website.
  3. 10.3. To fulfill the rights exercised under this section and to ensure the security of the User's Personal Data, Medical Harbour may request information and documents to verify the identity and authenticity of the requesting User.

11. HOW DO WE KEEP YOUR PERSONAL DATA SAFE?

  1. 11.1. Medical Harbour makes every reasonable market effort to ensure the security of the systems used in the Processing of Personal Data, including:
    1. (i) technical measures capable of keeping Personal Data secure and protected from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any other form of improper or unlawful Processing, in accordance with applicable data protection and information security regulations;
    2. (ii) access authorization to the locations where Medical Harbour stores information is granted only to previously designated individuals;
    3. (iii) awareness training for Medical Harbour employees on best practices in compliance and Personal Data protection, in accordance with the LGPD;
    4. (iv) execution of contracts with employees and service providers who have access to User information, including data protection clauses to establish the obligation of absolute confidentiality, under penalty of civil and criminal liability, as provided by Brazilian law;
  2. 11.2. The Platforms may contain links that redirect the User to other pages, including those of partners, which have policies with provisions different from those in this Privacy Policy. Therefore, Medical Harbour is not responsible for the collection, use, sharing, and storage of your data by the entities responsible for such pages outside the domains of Medical Harbour;
  3. 11.3. In accordance with Article 48 of Law No. 13.709, Medical Harbour will notify the user and the National Data Protection Authority (ANPD) of any security incident that may pose a risk or significant harm to the user;

12. HOW CAN YOU CONTACT MEDICAL HARBOUR?

In case of questions, complaints, and/or the need to contact Medical Harbour regarding matters related to Personal Data protection, you may use the data subject support channel: Data Subject Request, available on the Medical Harbour website.

13. RECORD OF ACTIVITIES:

Medical Harbour may record user activities on the website through logs, including:

  1. User IP address;
  2. Actions performed by the user on the website;
  3. Pages accessed by the user;
  4. Dates and times of each action and access to each website feature;
  5. User Session ID, when applicable.

The records mentioned may be used by Medical Harbour in cases of fraud investigation or unauthorized changes to its systems and registrations;

Cookies: the website may use cookies, and it is up to the user to configure their Internet browser if they wish to block them. In such cases, some website/system features may be limited;

14. GENERAL PROVISIONS:

  1. 14.1. Registration: to subscribe to the Medical Harbour newsletter, the Client must provide the following information at the time of registration:
    • full name;
    • email;
  2. 14.2. People of any age may subscribe to receive news and/or updates from Medical Harbour by simply providing the basic registration requested on the websites;
  3. 14.3. In the case of individuals under 18 years of age, parental or legal guardian consent and their respective data will be required;
  4. 14.4. This Privacy Policy may be amended by Medical Harbour at any time. If you wish to check the current version of the Privacy Policy at the time of your consultation, simply refer to the “Last updated on” box located at the top of this Privacy Policy;
  5. 14.5. This Privacy Policy shall be governed and interpreted in accordance with the laws of the Federative Republic of Brazil;
  6. 14.6. If any provision of this Privacy Policy is deemed invalid, illegal, or unenforceable in any respect, the validity, legality, or enforceability of the remaining provisions shall not be affected or impaired as a result;
  7. 14.7. The court of the district of Belo Horizonte, state of Minas Gerais, is elected as the sole competent jurisdiction to resolve any disputes regarding the interpretation and compliance with this Privacy Policy. However, before initiating formal legal proceedings, you may always rely on the support of the Medical Harbour team to resolve your issues more quickly and amicably by contacting the support channel indicated in section 12 of this Privacy Policy;