We collect and use certain personal data from users of our website. In doing so, we act as the controller of such data and are subject to the provisions of Federal Law No. 13.709/2018 (General Data Protection Law – LGPD). We care about the protection of your personal data and therefore provide this privacy policy, which contains important information about:

• Who should use our website;
• What data we collect and what we do with it;
• Your rights regarding your personal data; and
• How to contact us.

1. Who should use our website

The content of this website is directed to healthcare professionals and should only be used by individuals over eighteen years of age.

2. Data we collect and reasons for collection

Our website collects and uses certain personal data from our users, as follows: Personal data expressly provided by the user: we collect the following personal data that our users expressly provide to us when using our website:

• Name
• Email
• Medical License Number
• Occupation
• Medical specialty
• State of residence

The collection of this data occurs at the following times:

• when a user registers on our website
• when a user registers for a digital or in-person event organized by MD Health
• when a user opts to receive our newsletter

The data provided by users is collected for the following purposes:

• to enable participation in our events
• to direct content and event invitations aligned with the user’s registration. For example, sending an invitation to an event related to the registered medical specialty.

Sensitive data: we will not collect sensitive data from our users. Therefore, there will be no collection of data regarding racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical, or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person. Cookies:

• Third-party cookies: some of our partners may set cookies on the devices of users who access our website. The purpose of this is to enable our partners to offer their content and services to users who access our website in a personalized manner, by obtaining browsing data extracted from their interaction with the website. Users may obtain more information about third-party cookies by accessing the following links:
• Google Analytics – https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=pt-br
• Facebook – https://www.facebook.com/policies/cookies/
• LinkedIn – https://www.linkedin.com/legal/cookie-policy?_l=pt_PT

The entities responsible for collecting cookies may transfer the information obtained to third parties.

• Cookie management: users may refuse the registration of cookies on our website by disabling this option in their browser. More information on how to do this in some of the main browsers used today can be accessed from the links below:
• Internet Explorer: https://support.microsoft.com/pt-br/help/17442/windows-internet-explorer-delete-manage-cookies
• Safari: https://support.apple.com/pt-br/guide/safari/sfri11471/mac
• Google Chrome: https://support.google.com/chrome/answer/95647?hl=pt-BR&hlrm=pt
• Mozilla Firefox: https://support.mozilla.org/pt-BR/kb/ative-e-desative-os-cookies-que-os-sites-usam
• Opera: https://www.opera.com/help/tutorials/security/privacy/

By disabling cookies, users may affect the availability of some tools and functionalities of the website, compromising its operation. This may also remove user preferences that may have been saved, impairing their experience. Collection of data not expressly provided for: other types of data not expressly provided for in this Privacy Policy may be collected, provided they are supplied with the express consent of the user, or that collection is permitted based on another legal basis provided by law. In any case, data collection and its processing activities will be disclosed to website users. Sharing of personal data with third parties – we share some of the personal data mentioned in this policy with third parties. The data shared are:

• Name
• Email
• Medical License Number
• Occupation
• Medical specialty
• State of residence

This data is shared for the following reasons and purposes:

• With sponsors: to measure participant progress in educational programs
• With service providers, contractors, and representatives: We share user data with third-party companies that provide services to our company, such as payment processing, fraud prevention, data analysis, marketing and advertising services, email services, hosting, and customer service/support. These service providers may access the user’s personal data and are required to use it only as directed by MD Health, to provide the requested service.

In addition to the situations above, we may share data with third parties for the purposes described in this policy, as well as to comply with legal or regulatory requirements, or to comply with any order issued by a public authority. In any case, the sharing of personal data will comply with all applicable laws and regulations, always seeking to ensure the security of our users’ data, in accordance with technical standards employed in the market. Retention period for personal data. Personal data is stored and used for the period of time necessary to achieve the purposes listed in this policy and that considers the rights of data subjects, the rights of the website controller, and applicable legal or regulatory provisions. Once the retention periods for personal data have expired, they are removed from our databases or anonymized, except in cases where there is the possibility or need for storage due to legal or regulatory provisions. Legal bases for the processing of personal data: we process the personal data of our users under the following circumstances:

• with the consent of the data subject
• for compliance with a legal or regulatory obligation by the controller
• when necessary to serve the legitimate interests of the controller or a third party

a. Consent Certain personal data processing operations carried out on our website will depend on the prior agreement of the user, who must express it freely, in an informed and unequivocal manner. Users may revoke their consent at any time, and, if there is no legal basis that permits or requires the storage of data, data provided through consent will be deleted. Furthermore, if desired, users may not agree to any personal data processing operation based on consent. In these cases, however, they may not be able to use some functionality of the website that depends on that operation. The consequences of lack of consent for a specific activity are disclosed prior to processing. b. Compliance with legal or regulatory obligation by the controller Some personal data processing operations, especially data storage, will be carried out so that we can comply with obligations provided for by law or other regulatory provisions applicable to our activities. c. Legitimate interest For certain personal data processing operations, we rely exclusively on our legitimate interest. To learn more about the specific cases in which we use this legal basis, or to obtain more information about the tests we conduct to ensure that we can use it, please contact our Data Protection Officer through any of the channels provided in this Privacy Policy, in the section “How to contact us.”

3. User rights

Website users have the following rights, granted by the Personal Data Protection Law:

• confirmation of the existence of processing;
• access to data;
• correction of incomplete, inaccurate, or outdated data;
• anonymization, blocking, or deletion of unnecessary, excessive, or improperly processed data as provided by law;
• portability of data to another service or product provider, upon express request, in accordance with regulations of the national authority, subject to commercial and industrial secrets;
• deletion of personal data processed with the consent of the data subject, except in cases provided by law;
• information about public and private entities with which the controller has shared data;
• information about the possibility of not providing consent and about the consequences of refusal;
• revocation of consent, in cases where the processing of personal data is carried out based on consent. In this case, personal data may still be processed based on other legal grounds.

It is important to note that, under the law, there is no right to deletion of data processed based on legal grounds other than consent, unless the data is unnecessary, excessive, or processed in violation of the law. Please note that exercising any of these rights will not render unlawful any data processing carried out prior to this choice. How the data subject can exercise their rights To ensure that the user who intends to exercise their rights is, in fact, the owner of the personal data subject to the request, we may request documents or other information that may assist in their correct identification, in order to protect our rights and the rights of third parties. This will only be done, however, if absolutely necessary, and the applicant will receive all related information. Security measures in the processing of personal data We employ technical and organizational measures capable of protecting personal data from unauthorized access and situations of destruction, loss, misplacement, or alteration of such data. The measures we use take into account the nature of the data, the context and purpose of processing, the risks that a potential violation would generate for the rights and freedoms of the user, and the standards currently employed in the market by companies similar to ours. Among the security measures we have adopted, we highlight the following:

• our users’ data is stored in a secure environment;
• we limit access to our users’ data, so that unauthorized third parties cannot access it;
• we use SSL (Secure Socket Layer) certificates, so that data transmission between users’ devices and our servers occurs in an encrypted manner;
• we maintain records of all those who have, in any way, contact with our data;
• internal data privacy policy

Even though we take all measures within our reach to prevent security incidents, it is possible that a problem may occur motivated exclusively by a third party – such as in the case of hacker attacks or, also, in the case of exclusive fault of the user, which occurs, for example, when they themselves transfer their data to a third party. Thus, although we are generally responsible for the personal data we process, we disclaim responsibility if an exceptional situation such as these occurs, over which we have no control. In any case, should any type of security incident occur that may generate risk or significant harm to any of our users, we will notify those affected and the National Data Protection Authority about the occurrence, in accordance with the provisions of the General Data Protection Law. Complaint to a supervisory authority Without prejudice to any other administrative or judicial remedy, personal data subjects who feel, in any way, harmed may file a complaint with the National Data Protection Authority. Changes to this policy The current version of this Privacy Policy was last updated on: 10/27/2020. We reserve the right to modify these terms at any time, especially to adapt them to any changes made to our website, whether through the provision of new functionalities or the modification of existing ones. Whenever there is a modification, our users will be notified of the change.

4. How to contact us

To clarify any questions about this Privacy Policy or about the personal data we process, please contact the Data Protection Officer through any of the channels mentioned below:

• Email: tecnologia@tribemd.com