Last Update: September 24, 2021
For the purposes of this document, the following definitions and descriptions should be considered for better understanding.
Cloud Computing: It is a service virtualization technology built from the interconnection of more than one server through a common information network (e.g., Internet), aiming at reducing costs and increasing the availability of sustained services.
Mobile Application or Application (APP): refers to any computer program used for a specific function on mobile devices such as tablets and smartphones, available through specific Operating Systems and designed for objectives previously set by its developer.
Personal Data: It is any information that identifies or makes the individual identifiable; sensitive data comprises personal data on ethnicity, race, religious beliefs, political opinions, genetic or biometric data, in addition to information about affiliation to organizations.
Cookies: files sent by the website server or application (digital interface) from a computer or to the USER's computer when the USER visits the website, in order to identify the computer and obtain access data, such as browsed pages or accessed links, thus making it possible to customize USERS' browsing on the website or in the application according to their profile.
IP: Abbreviation of Internet Protocol. It is an alphanumeric set that identifies USERS' devices on the Internet.
Logs: USERS’ activity records made through our digital interface.
Session ID: Identification of the USER's session in the process of purchasing services or when accessing the restricted area.
USER: Any individual that accesses and/or uses the features and/or services.
2. PERSONAL DATA AND INFORMATION WE COLLECT
2.1 SLEEPUP respects and is committed to the security of your data and privacy, and is liable to keep you in control of your personal data.
2.2 We collect your personal information so that you can enjoy our products and services. We do not collect or use your personal data without your consent or without any reason to do so. Whenever we process your personal data for any reason, we need to have the legal basis and purpose that allow it, in a transparent manner and within the scope of the General Data Protection Regulation.
2.3 Depending on the case, we will process your personal data based on the following legal bases:
3. DATA COLLECTION AND USE AND ACTIVITIES RECORD
3.1 The collection of data, whether with the express consent of the USER or automatically, is carried out through registration on the website and/or through the SLEEPUP APP.
3.2 It is up to the USER to configure his/her mobile device if he/she wishes to block the collection of cookies or other data. In this case, some SLEEPUP features may be limited.
3.3 SLEEPUP is not responsible for the accuracy, veracity or absence/omission of information provided by the USER, or for its being out of date; the USER is liable to provide it accurately and update it whenever necessary.
3.6 USERS' data will only be internally accessed by professionals duly authorized by SLEEPUP, in accordance with the principles of proportionality, necessity and relevance for SLEEPUP purposes, all in compliance with the confidentiality and privacy of the present Terms.
4.1 The consent provided by the USER is collected in a free, informed, unambiguous, specific and legitimate form.
4.2 The USER may change his/her consent grants, grant new permissions or withdraw consent for current permissions through SLEEPUP service channels available on the website and platform, being warned of the consequences such consent withdrawal may cause.
4.3 The USER has the right to obtain clear and thorough information about the possibility and consequences of not providing his/her consent. Therefore, whenever we ask for your consent, you are free to deny it, although in those cases we may not be able to provide certain services.
5. STORAGE, INTERNATIONAL TRANSFER, RETENTION AND DISPOSAL OF DATA and RECORDS
5.1 You are the owner of your personal data and therefore have the right to be empowered to control what happens to it. For that reason, we provide you with resources to let you know what is being done with your personal data through our informed service channels.
5.2 The data and activity records collected will be stored in a safe and controlled environment, under the terms of the Internet Bill of Rights in force in Brazil, observing the state of the methodology available at the time.
5.4 However, considering that no security system is infallible, SLEEPUP is exempt from any liability for any damages and/or losses arising from failures, viruses or invasions of SLEEPUP database, except in cases where misconduct or negligence is incurred.
5.5 For purposes of auditing, security, fraud control, preservation of rights and compliance with legal obligations or regulatory standards, SLEEPUP may keep the history of USERS' access records for a minimum period of 6 (six) months. The clinic or health professional is fully responsible for the custody of data related to the patient's medical record, according to the sector’s specific legislation. (Resolution CFM No. 1821/2007)
5.6 At the end of the contract between the USER and SLEEPUP, the Account Administrator USER is fully responsible for exporting all data entered into his/her account on the SLEEPUP platform within a period of 60 (sixty) days as of the end of the subscription.
5.7 If the USER requests data deletion, SLEEPUP will only be able to delete it if there is no longer any purpose of use or legal, regulatory or judicial obligation that justifies its retention. After the end of the purpose of use and the mandatory retention period, data may be deleted using safe disposal methods, or used anonymously for statistical purposes.
6. DATA SHARING AND EXPORT
6.1 The data collected and the activities recorded may be shared: i) with competent judicial, administrative or governmental authorities, whenever there is a legal request from the authorities or a court order; ii) automatically in case of corporate changes; iii) automatically with service providers contracted by SLEEPUP to make SLEEPUP website and platform viable together with all its features and services made available.
6.2 All third parties, for the purpose of item iii) above, undertake to treat data with confidentiality and only for the contracted purpose, in accordance with the express legal provisions and best practices in information security.
6.3 There may also be sharing of medical records between accredited health professionals or from the same clinic, depending on the rules set by the clinic for accessing data and providing health care services.
6.4 Data from medical records can only be exported with authorization from the clinic's Account Administrator USER on the platform, who will be fully responsible for legitimizing the operation.
7. DISPLAY, CORRECTION, PORTABILITY, LIMITATION, OPPOSITION AND DATA ELIMINATION
7.1 The USER may have access to his/her data (display) and rectify such data through the logged-in environment of the SLEEPUP platform or through the service channels provided by SLEEPUP.
7.3 Data portability must be requested by the patient to the health professional in charge or to SLEEPUP, responsible for storing the data. Data portability must be carried out, in this case, by express request on the DPO channel.
8.1 SLEEPUP handles personal data in accordance with the best information security practices and, in particular, stores it in the Amazon Web Services (AWS) cloud, which applies the most advanced information security techniques available in the market, being certified in meeting all the security requirements established by ISO 27018, at https://aws.amazon.com/compliance/iso-27018-faqs (accessed on 03/01/2021), and in Google Cloud Platform (GCP);
8.2 SLEEPUP also applies technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination, subject to the nature, scale and volume of its operations, as well as the sensitivity of the processed data and the probability and severity of damages for holders, such as:
8.2.1 VPC built-in network firewalls and web application firewall features that allow you to create private networks and control access to instances and applications;
8.2.2 Encryption in transit with TLS on all devices, controlled by the USER;
8.2.3 Connectivity options that allow private or dedicated connections and connections from local environment or office;
8.2.4 Automatic encryption of all traffic on global and regional networks, among secure facilities.
8.3 The USER expressly acknowledges here that he/she will not provide any information he/she considers confidential at SLEEPUP.
8.4 With regard to information on payment methods such as Credit Cards, it will not be stored by SLEEPUP, but by payment institutions, which, therefore, will be responsible for such information, using PCI-DSS certification (Payment Card Industry - Data Security Standard), bringing benefits to both merchants and the end customer and providing both good practices similar to those provided by ISO certification.
8.5 The USER guarantees and is responsible for the veracity, accuracy, validity and authenticity of the personal data informed and undertakes to keep it duly updated. Even though it strives to ensure data quality, SLEEPUP will not be liable for the inaccuracy of personal data entered by USERS, or even for falsification of data in its possession.
8.6 If access recovery is required, the USER must submit himself/herself to the process addressed in the Application, which will direct him/her to the correct steps for this operation.
9. RESPONSIBILITIES AND FUNCTIONS CONTEMPLATED BY THE GENERAL DATA PROTECTION REGULATION
9.1 SLEEPUP is a data controller according to the GDPR.
9.2 The person in charge of data protection and management must ensure compliance with data protection regulation and known good practices, including the development and implementation of the GDPR as a requirement of this Policy and the security and risk management in relation to complying with this Policy;
10. GENERAL PROVISIONS
10.1 SLEEPUP does not use any type of automated decision that impacts the USER.
10.3 In the event of updates to this document that require a new consent collection, SLEEPUP will notify the USER through the contact details provided.
10.4 If outsourced companies process any data collected by SLEEPUP, compliance with the conditions set herein and the best information security practices is mandatory.
11. APPLICABLE LAW AND JURISDICTION
11.1 The present instrument will be governed by and interpreted in accordance with Brazilian legislation, in the Portuguese language, and the jurisdiction of the District of São Paulo, Brazil will be elected to settle any litigation or controversy involving this document, except in the specific exception of personal, territorial or functional jurisdiction by the applicable law.
If you have any questions or concerns about your privacy, please contact us:
SLEEPUP TECNOLOGIA EM SAÚDE LTDA, CNPJ No. 35.408.641/0001-64, Rua São Jorge, No. 604, São Caetano do Sul, São Paulo - Brasil. CEP 09.530-25.
Email: email@example.com
Last update, September 24, 2021