Data Protection Notice
Last updated on 04/27/2026
We thank you for choosing us and for trusting us with the Processing of your Personal Data.
The protection of Personal Data is a relevant matter to us! For this reason, we have implemented a Personal Data Protection Governance Program ("Program"), in order to reinforce our commitment to this subject, always considering it throughout all stages of our production process.
That is why we have prepared this Notice. We want you to know, in a clear and direct way, which Personal Data we have access to, what we do with it, and how we keep it protected. We recommend that you read it carefully!
Who we are
We are MARISA.CARE LTDA. ("Marisa.Care"), a private legal entity, registered under Brazilian Tax ID (CNPJ) nº 50.181.011/0001-93, located at Rua Araguari, nº 1720, Setor 601, Santo Agostinho, Belo Horizonte/MG, ZIP 30.190-118. We are a healthtech specialized in Artificial Intelligence applied to healthcare. Our solutions are contracted by hospitals, clinics, health insurance operators, and other institutions in the sector to support them in managing their processes and in their patients' care journey. We do not provide medical services or perform clinical care: our solutions are exclusively technological and operational in nature.
Definitions
For the purposes of this Notice, the following words, written in uppercase or with a capitalized initial, will have the meanings defined below:
NATIONAL DATA PROTECTION AGENCY (ANPD): the Brazilian National Data Protection Agency, the public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD across the national territory;
DATA PROTECTION NOTICE ("NOTICE"): also known as Privacy Policy, the Data Protection Notice is this document, prepared to provide transparency about the Processing of Personal Data, as well as to highlight the rights of Data Subjects, how to exercise them, and the means of contacting the Data Protection Officer;
LEGAL BASES: the legal hypotheses that authorize Marisa.Care to Process Personal Data. It may be the Data Subject's consent, Marisa.Care's legitimate interest, the need to fulfill a contract to which the Data Subject is a party, or compliance with a legal obligation, for example;
PERSONAL DATA OR DATA: any information related to an identified or identifiable natural person, that is, information that has the potential to be used, directly or indirectly, alone or in combination, to identify a natural person, such as name, Tax ID, government ID, email, phone, address, consumer profile, etc.;
SENSITIVE PERSONAL DATA: Personal Data related to intimate elements of a person's life that may generate discrimination. Examples: data on racial or ethnic origin, data on religious beliefs or political opinions, genetic or biometric data and data related to health, data on a person's sexual orientation;
DATA PROTECTION OFFICER ("DPO"): also known as DPO (Data Protection Officer), this is the person we have appointed to act as the channel of communication with Data Subjects and the ANPD;
SECURITY INCIDENT: adverse event, confirmed or suspected, related to the security of computer systems or computer services;
LGPD: Brazilian General Data Protection Law – Law nº 13,709, of August 14, 2018 – which provides for the Processing of Personal Data by digital or physical means carried out by a natural person or legal entity, of public or private law, aimed at defending Personal Data Subjects while allowing the use of Data for various purposes, balancing interests and harmonizing the protection of the human person with technological and economic development;
DATA SUBJECT: natural person (individual) to whom the Personal Data being Processed refers. For the purposes of this Notice, anyone who uses our services, whether as a patient of hospitals or clinics, pharmacy customers, or even our employees, is a Data Subject for legal purposes;
PROCESSING: any operation performed with Personal Data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
How we process your data
We commit to always carry out the Processing of Personal Data in accordance with the LGPD and other applicable data protection regulations. Depending on how you interact with the partner institutions that use our solutions, we may Process Personal Data such as name, Tax ID, phone, email, and other registration data, in addition to Sensitive Personal Data, especially information related to your health.
As a rule, when you interact with our solutions in the context of care provided by a partner institution, hospitals, healthcare providers, clinics, health insurance operators, laboratories, and other healthcare partners are the controllers of your Personal Data, and Marisa.Care acts as a processor, processing your Data in accordance with the instructions of these institutions and within the limits set forth in the contracts entered into. To understand, for example, how long your Data will be stored by the partner institution or what Data it collects about you, we recommend reading the privacy notice or policy of the establishment itself.
Depending on the solution used by the partner institution, part of the interactions with our systems may be recorded, captured, or transcribed automatically, in order to execute the care, support continuity of care, and improve the quality of the service provided. This Processing follows the guidelines defined by the healthcare institution responsible for your care and is accompanied by technical and organizational measures appropriate to the nature of the Data involved.
Since our operation is based on Artificial Intelligence, part of the Processing of your Data occurs in an automated manner. In any case, sensitive decisions are referred to the human team of the partner institution, and you have the right to request the review of decisions made solely on the basis of automated Processing, as detailed in the topic "Your rights as a Data Subject" of this Notice.
Marisa.Care Processes Personal Data of its internal employees, whether to comply with legal or regulatory obligations, such as labor and social security legislation, or for the execution of the employment contract or service agreement itself. If you, as an internal employee, want to know more about how Marisa.Care Processes your Data, just contact our DPO.
The storage of Personal Data takes into account the nature, necessity, and purpose for which it will be Processed. During the use of our services and for the entire period in which we Process your Data, it will be kept in a secure and controlled environment. Data will be stored only for the time necessary to achieve the proposed purposes, unless there is another reason for its retention. For example, Data may be necessary to comply with a legal, regulatory, or contractual obligation.
Whenever there is a need to Process Data of minors under the age of eighteen, we commit to carrying out such Processing in accordance with the provisions of the LGPD, the Brazilian Statute of the Child and Adolescent, Law nº 15,211/2025, and ANPD Board Resolution nº 18/2024, always considering the best interests of children or adolescents.
Who we share your data with
When necessary, we may share your Data with our business partners, such as service providers, suppliers, authorities, and regulatory bodies, for different purposes. We will always share your Data in compliance with applicable legislation, especially the LGPD, as well as the limits of our business model.
International data transfer
We may transfer your Data to other countries, for example when it is stored on cloud computing servers located outside Brazil. We guarantee compliance with the requirements established by the LGPD and by ANPD Board Resolution nº 19/2024, adopting mechanisms such as standard contractual clauses, specific contractual clauses, or other hypotheses authorized by the ANPD, whenever applicable, as well as good security practices to ensure the integrity and confidentiality of your Data.
How we protect your personal data
We commit to adopting the best market standards for the protection of your Personal Data against accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inadequate, unlawful, or discriminatory Processing of information.
Access to the stored Data is restricted to authorized and qualified professionals, within the limits of the needs for the performance of their duties. We ensure that these professionals are subject to confidentiality obligations and that we assess partners and suppliers, before hiring, to ensure that we only build relationships with those who also care about Personal Data protection.
As part of our Program, we have a structured internal process to act in the event of Security Incidents. As part of this process, and among other measures, we commit to informing you and the Personal Data protection authorities of any Security Incident that may pose a relevant risk or damage, within a reasonable period of time, justifying any delay in communication, in accordance with the regulations published by the ANPD.
It is important to emphasize that your active participation is essential for effective Data protection. We therefore recommend that you take care of your access passwords, without sharing them with third parties, and count on us to understand and ensure your rights.
Your rights as a data subject
Below we explain which rights related to Data protection you have, and how you can exercise them:
How can you exercise your rights?
You can exercise any of the rights provided above by sending a request to encarregado@marisa.care. After that, you only need to wait for our response to put your request into effect.
For your safety, whenever you request the exercise of a right, we may require some additional information and/or documents to prove your identity. We do this to prevent fraud and ensure your security.
In some cases, we will have legitimate reasons to not fulfill a request to exercise rights. These situations include, for example, cases where disclosure of specific information could violate any industrial or commercial secret, ours or of third parties with whom we have assumed confidentiality obligations. We may also fail to fulfill a request if there is legislation that requires us to act in a certain way, for example, by storing Personal Data for a specific period.
Still, some requests may not be answered immediately, but we commit to responding to all requests as soon as possible and always in compliance with applicable legislation.
Our data protection officer
Our DPO is Drumond Cunha Oliveira Milagres Mackey Advogados, a pure civil partnership, registered under Tax ID (CNPJ/ME) nº 33.778.282/0001-01 and with the Brazilian Bar Association (OAB/MG) under nº 8.505, headquartered at Alameda Oscar Niemeyer, 288, 2nd Floor, Vila da Serra, Nova Lima/MG, ZIP 34.006-049, or, simply, "dcom", whose representative is Henrique Cunha Souza Lima. He is available to discuss your Personal Data via the email encarregado@marisa.care.
If you have any questions, comments, requests, or suggestions related to the Processing of your Data, or if you believe your Data has been Processed in a manner incompatible with this Notice, with legislation, or with your choices, please contact us. It will be a pleasure to assist you!
In the case of contact, by any means, we may ask for some Personal Data to confirm your identity and enable the response and completion of the service safely.
Changes to the data protection notice
We may update this Notice with some frequency or whenever we deem it necessary. By continuing to use our services, you acknowledge that this Notice may be subject to changes. We invite you to access it periodically.
Marisa.Care Team
