Privacy Policy and Data Treatment of Oncoclínicas Por Você (“Policy”)

  1. INTRODUCTION

This Policy aims to demonstrate Oncoclínicas do Brasil Serviços Médicos S.A.’s commitment, on its behalf and on behalf of all its subsidiaries, controlled companies, affiliates, or any other entities that are part of its structure (“Oncoclínicas”), headquartered at Av. Pres. Juscelino Kubitschek, n° 510, 2nd floor, Vila Nova Conceição neighborhood, São Paulo city, São Paulo state, ZIP code 13571-410 (“We”), to your privacy and the protection of your Data, in a clear manner and in accordance with the laws in force.

This Policy describes the main rules regarding the Processing of your Personal Data when we assist You through our virtual environment (“Oncoclínicas for You”).

To access and use the features offered in Oncoclínicas for You, You declare that You have read this Policy in full and carefully, being fully aware of the terms set forth herein and confirming your free and express agreement to the Processing of Personal Data in accordance with the conditions specified below.

We seek to offer you the services as efficiently as possible and, to that end, we constantly update ourselves. For this reason, this Policy may be adjusted at any time, and it is up to You to check it whenever possible at this electronic address.

In case of any significant changes in the way we handle your personal data, we will inform you of the new additional conditions through the contact means provided by you.

  2. DATA COLLECTION

2.1. How we collect data. Data may be collected when you submit it, or when you interact with our Environments and services, which includes:

Registration data

Data:

Full name; CPF (Brazilian ID number); Telephone/cellphone; Residential address; Photo; Professional council registration; Date of birth; Age; Gender; Profession; Place of birth; Nationality; Email; Health insurance card number; Health insurance beneficiary number;

Purpose:

  i. To identify and authenticate you;
  ii. To comply with obligations arising from the use of our services and required by legal and/or regulatory obligations;
  iii. To enhance our relationship, informing you about news, features, content, and other events that we consider relevant to you;
  iv. To provide services tailored to your needs;
  v. To ensure the portability of registration data to another Controller in the same branch of our operation, if requested by you, complying with the obligation of article 18 of the General Data Protection Law.

Image Data

Data:

Medical reports; Examination results; Requests for consultations/examinations; Consultation/examination histories; Summary of the medical case; Treatment protocol; CID (International Statistical Classification of Diseases and Related Health Problems); and Medical record data; Health insurance card; Patient identification documents.

Formats:

PNG; JPG; PDF.

Purpose:

  i. To comply with obligations arising from the use of our services and required by legal and/or regulatory obligations;
  ii. Issuance of medical prescriptions;
  iii. To monitor your entire patient history, regarding the data in your medical record; and
  iv. Support for healthcare professionals.

Health Data

Data:

Medical reports; Examination results; Requests for consultations/examinations; Consultation/examination histories; Summary of the medical case; Treatment protocol; CID (International Statistical Classification of Diseases and Related Health Problems); and Medical record data.

Purpose:

  i. To comply with obligations arising from the use of our services and required by legal and/or regulatory obligations;
  ii. Issuance of medical prescriptions;
  iii. To monitor your entire patient history, regarding the data in your medical record; and
  iv. Support for healthcare professionals.

Digital Identification Data

Data:

IP address and Logical Source Port; Device (operating system version); Geolocation; Login; Password; Date and time records of each action You perform; Which screens You accessed; Session ID.

Purpose:

  i. Identify and authenticate You;
  ii. Comply with legal obligations for record keeping established by Law No. 12.965/2014 (“Internet Civil Rights Framework”);
  iii. Mapping and improvements for future versions of the application, as well as consultation for support in case of bugs.

2.1.1. You declare yourself aware that additional data may be collected when You use Oncoclínicas por Você, which offers services and functionalities to users.

2.2. Necessary Data and Sensitive Personal Data. Many of our services depend directly on some of the data provided in the table above, mainly Registration Data. If You choose not to provide some of this data, we may be unable to fully or partially provide our services to You.

2.3. Data Accuracy and Veracity. You are solely responsible for the accuracy and veracity, or lack thereof, of the Data You provide, and for any failure to keep it updated. Be aware that it is your responsibility to ensure its accuracy or keep it updated.

2.3.1. You may, at any time, request the change and/or update of your registration data through our Relationship Centers.

2.3.2. Similarly, We are not obliged to process any of your data if there are reasons to believe that such processing may entail an infringement of any applicable law, or if Oncoclínicas por Você is being used for any illegal, illicit, or immoral purposes.

2.4. Database. The database formed through data collection is our property and is under our responsibility, and its use, access, and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy.

 

  3. DATA SHARING

3.1. Data sharing scenarios. The collected data, images, and recorded activities may be shared, always respecting the sending of the minimum necessary information to achieve the purposes:

  1. With partner companies and service providers necessary for the execution of our services, always requiring compliance by such companies with data security and protection guidelines;
  2. Viewing of medical records by Healthcare Professionals. Access and use of this data will be limited to the purpose of patient healthcare;
  3. With competent judicial, administrative, or governmental authorities, whenever there is a legal determination, requirement, request, or judicial order; and
  4. Automatically, in case of corporate transactions, such as mergers, acquisitions, and incorporations.

3.2. Data Anonymization. For statistical purposes relating to the general qualitative and quantitative characteristics of Oncoclínicas por Você, the data provided by you may be shared in anonymized form, meaning that it does not allow for your identification.

 

3.3. Monitoring. Oncoclínicas por Você does not collect or monitor information exchanged between Doctors and Patients through the Platform (“Medical-Patient Communication”). Medical-Patient Communication consists of information protected by professional secrecy of the Doctors, as provided for in medical ethics rules issued by the Federal Council of Medicine and by the confidentiality of communications, under the terms of the Federal Constitution.

3.4. Responses to email messages. Oncoclínicas por Você reserves the right to respond to email messages received from you and use the information contained therein to send you subsequent communications related to the platform, such as sending the Token. You should be aware that third parties may read the emails sent, so Oncoclínicas por Você suggests that no information you would like to keep confidential be sent by email.

  4. HOW WE PROTECT YOUR DATA AND HOW YOU CAN PROTECT IT TOO

4.1. Implemented Measures. We make every effort to maintain the privacy and security of information by adopting technical, physical, and administrative security measures:

  i. Technical measures, such as transmitting personal data through a secure internet page, storing data in electronic media that maintain high security standards, using a system whose access is controlled;
  ii. Technical measures related to image archiving, such as storing data in electronic media that maintain high security standards, using a system whose access is controlled and encrypted;
  iii. Administrative measures, including the adoption of Security Policies and Standards, employee training/awareness, confidentiality agreements.

4.2. Sharing Passwords. You are also responsible for the confidentiality of your Data and should always be aware that sharing passwords and accessing data violates this Policy and may compromise the security of your Data and Oncoclínicas por Você.

4.3. Precautions You Should Take. It is very important that you protect your Data against unauthorized access to your computer or mobile device, account, or password when using Oncoclínicas por Você.

4.4. Access to Personal Data, proportionality, and relevance. Internally, the collected Data is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to the objectives of our business, as well as the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

4.5. External links. When you use Our Environments, you may be directed, via link, to other portals or platforms, which may collect your information and have their own Privacy and Data Treatment Policy.

4.5.1. It will be your responsibility to read the Privacy and Data Treatment Policies of such portals or platforms outside our environment, and to accept or reject them. We are not responsible for the Privacy and Data Treatment Policies of third parties or for the content of any websites or services linked to environments other than our own.

4.6. Processing by third parties under our direction. If third-party companies carry out, on our behalf, the Processing of any Data we collect, they must respect the conditions stipulated here and the information security standards.

  5. STORAGE OF PERSONAL DATA AND RECORD OF ACTIVITIES

5.1. The Data collected and the activity records are stored in a secure and controlled environment for a minimum period as follows:

Storage period and legal basis

For as long as the relationship lasts and there is no request for deletion, according to Art. 9, II, of the General Data Protection Law

5 years after the end of the relationship, according to Arts. 12 and 34 of the Consumer Protection Code

6 months for Digital Identification Data, according to Art. 15 of the Internet Civil Rights Framework

5.2. Longer storage periods. We may retain the history of your Data records for a longer period in cases where the law or regulatory norm so establishes or for the preservation of rights.

5.3. International Transfer. The collected Data will be stored in a cloud computing environment, which may require a transfer of this Data outside of Brazil.

  6. DATA SUBJECT RIGHTS

6.1. Your basic rights. You may request confirmation of the existence of Data processing, as well as the display or rectification of your Data, through the Communication Channel: dpo@oncoclinicas.com.

6.2. Limitation, objection, portability, and deletion of data. Through the Communication Channel, you may also request:

  1. Limitation of the use of your Personal Data;
  2. Express your objection and/or revoke consent regarding the use of your Personal Data;
  3. Portability of the registration data to another Controller in the same branch of our business; or
  4. Request the deletion of your Personal Data that has been collected by us.

6.2.1. If you request the deletion of your Personal Data, it may be necessary to keep the Data for a longer period than the deletion request, in accordance with article 16 of the General Data Protection Law, for (i) compliance with legal or regulatory obligations, (ii) study by a research body, and (iii) transfer to a third party (subject to the data processing requirements set forth in the same Law), in all cases with the anonymization of Personal Data, if possible.

6.2.2. Upon the expiration of the maintenance period and legal need, Personal Data will be deleted using secure disposal methods, or used in an anonymized form for statistical purposes.

6.2.3. Legal Representatives. Users under 18 years of age may not register with Oncoclínicas por Você on their own, and registration must be done by their legal representatives. The Legal Representative may communicate with us if they wish to exercise their rights under this chapter.

  7. INFORMATION ABOUT THIS POLICY

7.1. Inapplicability. If any provision of this Policy is deemed inapplicable by the National Data Protection Authority or judicial authority, the remaining conditions shall remain in full force and effect.

7.2. Communication Channels. If you have any questions regarding the provisions of this Policy, you can contact us via email at dpo@oncoclinicas.com.

7.3. Applicable Law and Jurisdiction. This Policy shall be interpreted according to Brazilian law, in the Portuguese language, with the forum of your domicile elected to settle any controversy involving this document, except for specific reservation of personal, territorial, or functional jurisdiction as provided by applicable law.

  8. GLOSSARY

8.1. For the purposes of this Policy, the following definitions and descriptions should be considered for better understanding:

  1. Anonymization: Use of reasonable and available technical means at the time of Processing, through which data loses the possibility of direct or indirect association with an individual.
  2. National Data Protection Authority: Government body responsible for overseeing and enforcing compliance with the General Data Protection Law.
  3. Relationship Centers: Physician (+55 11 97270-9897), Patient (+55 31 30039855)
  4. Cloud Computing: A technology for virtualizing services built from the interconnection of more than one server through a common information network (e.g., the Internet), with the aim of reducing costs and increasing the availability of supported services.
  5. Access Account: Credential required to use or access the functionalities of Oncoclínicas por Você.
  6. Data: Any information inserted, processed, or transmitted through Oncoclínicas por Você.
  7. Personal Data: Data related to an identified or identifiable natural person.
  8. Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, union membership, or membership in religious, philosophical, or political organizations, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  9. Data Protection Officer (DPO): Person appointed by Us to act as a channel of communication between the controller, data subjects, and the National Data Protection Authority (ANPD).
  10. Session ID: User session identification when accessing Our Environments.
  11. IP: Abbreviation for Internet Protocol. It is an alphanumeric set that identifies users’ devices on the Internet.
  12. Physicians: Individuals who are previously and regularly registered in Oncoclínicas por Você and who are duly registered with the respective Regional Council of Medicine for the purpose of legally practicing medicine.
  13. Healthcare Professionals: Healthcare professionals are all of our employees who work in patient care (such as doctors, nurses, dentists, physiotherapists).
  14. Data Subject: Natural person to whom the Personal Data being processed refers.
  15. Processing: Any operation performed with Personal Data and Sensitive Personal Data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, assessment, or control of information, modification, communication, transfer, dissemination, or extraction.
  16. You: The individual who is the Data Subject, i.e., the user of Oncoclínicas por Você.