aicarefy is operated by DISTU TECH LTDA (CNPJ 49.195.504/0001-01), the data controller. This policy describes what data we collect, how we use it, who we share it with, and your rights under Brazil's General Data Protection Law (LGPD, Law 13.709/2018).
1. Data we collect
We collect: (a) professional account data (name, email, license number, phone); (b) patient data entered by the professional (name, email, phone, clinical notes, session history); (c) financial data (transactions, receipts, billing); (d) usage data (access logs, devices, IP); (e) session audio — only when the professional requests transcription and the patient has consented (aiConsentAt).
2. How we use it
Data is processed exclusively for: providing the contracted service (scheduling, records, finance, reminders), customer support, legal compliance (tax, professional councils), fraud prevention, and product improvement. We do not profile users for advertising nor sell data to third parties.
3. Legal basis (LGPD art. 7)
We process data based on: contract performance (art. 7, V) between professional and aicarefy; legal obligation (art. 7, II) for tax and professional council retention; specific patient consent (art. 7, I) for AI session transcription; legitimate interest (art. 7, IX) for security and fraud prevention.
5. International transfers
Part of the infrastructure runs in US-based servers. We adopt standard contractual clauses and security measures equivalent to LGPD art. 33 requirements. Request more details via our contact channel.
6. Retention and deletion
We keep your data while your account is active. After deletion request (LGPD art. 18, VI) the account is marked and data is permanently erased after 30 days, except for records we must retain by law (tax: 5 years; CFP 06/2019: 20 years for clinical records). After this period, data is erased or anonymized.
7. Your rights (LGPD art. 18)
You may at any time: confirm processing exists; access your data; correct incomplete data; request anonymization or erasure; portability (structured JSON via /settings/privacy); information on sharing; revoke consent. We respond within 15 days of request.
8. Security
Technical and administrative measures: TLS 1.3 in transit, AES-256 at rest, optional MFA, workspace isolation via DB-level RLS, full audit log, AES-256-GCM encryption on integration tokens. In case of a security incident creating relevant risk to data subjects, we notify the ANPD and affected parties per LGPD art. 48.
9. Children and adolescents
aicarefy is intended for healthcare professionals over 18. Minor patients have data entered by the responsible professional, with parental or legal guardian consent obligation per LGPD art. 14.
10. Policy changes
We may update this policy to reflect regulatory or product changes. Material changes will be communicated by email at least 15 days in advance. The last update date appears at the top of this document.
Data Protection Officer (DPO) and contact
To exercise rights, ask questions or report incidents, write to contato@aicarefy.com.