Effective Date: 2025-08-01

This privacy policy outlines how Remotelys Portais de Internet Ltda. (CNPJ 37.553.462/0001-46), operating under the trade name Dupip, collects, uses, shares, and protects your personal and sensitive health data. We are committed to complying with the Brazilian General Data Protection Law (LGPD), the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA/CPRA). Our goal is to build and maintain your trust by being transparent about our data practices.

1. Data We Collect

We collect both personal data and sensitive health data to provide and improve our services.

Personal Data: Includes your name, contact information (email, phone, address), Brazilian individual taxpayer ID (CPF), date of birth, gender, and technical data like your IP address, device information, and usage patterns.

Sensitive Health Data: This is a special category of information that requires heightened protection. We collect details about your health assessments, medical history, lab results, lifestyle habits (like exercise and diet), and biometric data (if used for authentication or health monitoring).

We collect this data directly from you when you register, from your devices as you use our service, and, with your consent, from third-party sources like integrated wearable devices (e.g., Fitbit, Apple Watch).

2. How We Use Your Data

We process your data for specific, legitimate, and clearly defined purposes.

To Provide Services: We use your data to create and manage your account, deliver personalized health recommendations, track your progress, and improve the overall functionality of the Dupip portal.

For Research: We conduct internal research and analytics to understand user behavior and health trends. For these purposes, we prioritize using anonymized or pseudonymized data to protect your privacy.

For Communication: We use your data to send essential service updates and support messages. With your explicit consent, we may also send you marketing and promotional materials.

For Security and Compliance: We process data to monitor for suspicious activity, prevent fraud, and comply with all legal obligations.

3. Our Legal Basis for Processing

Under LGPD and GDPR, every data processing activity must have a legal basis. Our legal bases include:

Consent: Your explicit, freely given, and informed consent is the most common legal basis for processing your sensitive health data. You have the right to withdraw your consent at any time.

Legal Obligation: Processing is necessary to comply with a legal or regulatory obligation.

Protection of Health: Processing is carried out by health professionals or entities to provide health services or treatment.

Performance of a Contract: Processing is necessary to fulfill the terms of our service contract with you.

4. Data Sharing and Disclosure

Your data, especially sensitive health data, is treated with the utmost care. We share data only in specific circumstances and with strict safeguards.

Service Providers: We may share your data with third-party vendors (e.g., for cloud hosting or analytics) who perform services on our behalf. These providers are contractually obligated to protect your data and are prohibited from using it for any other purpose.

Legal Authorities: We may disclose your data when required by law, a court order, or a valid government request.

Crucially, under LGPD, we will never communicate or share your sensitive health data for economic advantage. This means we do not sell your identifiable health data. Any data used for research or public health studies remains within our secure environment, and only anonymized or pseudonymized results can be shared externally.

5. International Data Transfers

We protect your personal data no matter where it is processed or stored. If your data is transferred outside of Brazil or the European Economic Area (EEA), we will ensure it is protected by specific safeguards, such as standard contractual clauses or explicit consent, to maintain a level of protection equivalent to LGPD and GDPR.

6. Your Data Subject Rights

You have a comprehensive set of rights concerning your personal data. We are committed to helping you exercise these rights.

Access and Correction: You have the right to access the data we hold about you and to request the correction of any incomplete, inaccurate, or outdated information.

Anonymization or Deletion: You can request the anonymization, blocking, or deletion of data that is unnecessary or processed in non-compliance with the law.

Data Portability: You can request a copy of your personal data in a structured, machine-readable format to transfer to another service.

Withdrawal of Consent: You have the right to withdraw your consent for data processing at any time. We will inform you of the potential consequences, such as the unavailability of certain services.

Opt-Out of Sale/Sharing: Under CCPA/CPRA, California residents have the right to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information.

We will respond to your requests within the legally mandated timeframes: 15 days under LGPD, one month under GDPR, 30 days under HIPAA, and 15 to 45 days under CCPA/CPRA.

7. Data Security Measures

We implement robust technical and organizational measures to protect your data.

Encryption: Your data is protected by strong encryption both when it is stored and when it is being transferred.

Access Control: Access to sensitive data is strictly limited to employees on a "need-to-know" basis.

Continuous Monitoring: We regularly monitor our systems for suspicious activity and conduct routine risk assessments to identify and address vulnerabilities.

Staff Training: All our staff receive mandatory and continuous training on data security and privacy best practices.

In the event of a data breach, we have a comprehensive plan to detect, contain, and address the incident. We will notify you and the relevant authorities in accordance with all applicable laws.

8. Data Retention

We only retain your personal data for as long as is necessary to fulfill the purposes for which it was collected, and to comply with our legal obligations. For example, we are required to keep Internet application access records for six months and medical records for at least 20 years. When data is no longer needed, we will securely delete or anonymize it.

9. Cookies and Other Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze website performance. For non-essential cookies, we will obtain your explicit consent. Under LGPD and GDPR, we use an opt-in model, meaning we will not place these cookies on your device without your active choice. Under CCPA/CPRA, we provide an opt-out option, and we honor Global Privacy Control (GPC) signals.

10. Changes to This Privacy Policy

We may update this policy periodically. We will notify you of any significant changes through a prominent notice on our website or via email. If a change involves a new purpose for processing your data that is not compatible with your original consent, you will have the right to revoke your consent. We encourage you to review this policy regularly to stay informed.

11. Contact Information

If you have any questions, concerns, or wish to exercise your data subject rights, please contact our Data Protection Officer (DPO).

Data Protection Officer (DPO) for Dupip

Email: dpo, at dupip dot com