Privacy Policy

Last updated: March 2026

1. Data Controller

The controller of personal data processed through the Aura Med platform is:

  • Company name: Auramedical Tecnologia da Informacao Ltda ("Aura Tech")
  • CNPJ (Tax ID): 58.107.486/0001-41
  • Headquarters: Av. Paulista, 1106 - 16th floor, Bela Vista, Sao Paulo-SP, ZIP 01310-914, Brazil
  • Data Protection Officer (DPO): dpo@aura.med

This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect the personal data of Platform users, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — "LGPD") and other applicable regulations.

2. Personal Data Collected

2.1 Identification and Registration Data

  • Full name
  • Email address
  • Mobile phone number
  • CPF (Brazilian Individual Taxpayer Registry)
  • Date of birth
  • Biological sex
  • Residential address

2.2 Sensitive Health Data

The Platform collects and processes sensitive personal data related to health, pursuant to Art. 5, II, of the LGPD, including:

  • Wearable device data: heart rate, heart rate variability (HRV), sleep patterns (duration, REM and deep sleep phases), physical activity level, estimated VO2max, oxygen saturation, body temperature, and stress level;
  • Laboratory test results: blood biomarkers such as HOMA-IR, HbA1c, ApoB, hs-CRP, homocysteine, cortisol, lipid profile, hormonal profile, and other markers entered by the user or imported from partner laboratories;
  • Clinical questionnaire responses: data on medical history, symptoms, lifestyle habits, diet, medication and supplement use;
  • Genomic data: genetic variants relevant to pharmacogenomics, nutrient metabolism, and predispositions, when provided by the user.

2.3 Usage and Technical Data

  • IP address and approximate geolocation
  • Device type, operating system, and app version
  • Browsing data, pages accessed, and time spent
  • Device identifiers and push notification tokens
  • Access logs, as required by the Internet Civil Framework (Law No. 12,965/2014)

3. Legal Basis for Processing

The processing of personal data is carried out based on the following legal grounds under the LGPD:

  • Explicit and specific consent (Art. 11, I): for the processing of sensitive health personal data. Consent is collected in a prominent, informed, and unequivocal manner at the time of registration and may be revoked at any time;
  • Contract performance (Art. 7, V): for data necessary for the provision of contracted services;
  • Compliance with legal or regulatory obligation (Art. 7, II): for retention of access records and data required by applicable legislation;
  • Legitimate interest (Art. 7, IX): for Platform improvement, information security, and fraud prevention, always respecting the data subject's expectations and fundamental rights.

4. Purposes of Processing

Personal data is processed for the following specific purposes:

  • Health monitoring: generation of visualizations, scores, and insights about the user's health domains (metabolic, cardiovascular, sleep, nervous, and inflammatory);
  • Personalization: adaptation of content, recommendations, and protocols to the user's individual biological profile;
  • Service provision: enabling the Platform's operation, including integration with wearable devices and test result imports;
  • Communication: sending notifications about the account, Platform updates, and, with additional consent, informational health communications;
  • Analytics and improvements: aggregated and anonymized statistical analyses to enhance algorithms and user experience;
  • Legal compliance: fulfillment of legal, regulatory, judicial, or administrative obligations.

5. Data Sharing

Aura Tech may share the user's personal data with:

  • Aura Servicos Medicos: medical partner responsible for providing clinical services (teleconsultations, prescriptions, reports). Sharing is limited to data strictly necessary for medical care and occurs with the user's specific consent;
  • Infrastructure providers: cloud computing services (Amazon Web Services — AWS) and database (Supabase) for data storage and processing, under contracts that ensure confidentiality and security;
  • Integration providers: APIs from wearable device manufacturers (Garmin, Oura) for health data collection, with the user's express authorization;
  • Competent authorities: when required by court order, law, or applicable regulation.

Aura Tech does not sell, rent, or commercialize its users' personal data to third parties for marketing, advertising, or any other commercial purpose.

6. International Data Transfer

Due to the use of cloud infrastructure providers, the user's personal data may be stored and processed on servers located outside Brazilian territory, including the United States of America and the European Union.

International data transfer is carried out in compliance with Art. 33 of the LGPD, through:

  • Standard contractual clauses that ensure an adequate level of data protection;
  • Provider certifications in recognized data protection frameworks (SOC 2, ISO 27001);
  • Contractual commitment by providers to comply with the LGPD and equivalent legislation in their respective countries.

7. Data Retention

Personal data is retained for the time necessary to fulfill the purposes for which it was collected, subject to the following periods:

  • Health and medical record data: a minimum of 20 (twenty) years from the date of the last record, in compliance with CFM Resolution No. 1,821/2007 and Art. 6 of Law No. 13,787/2018, which regulate electronic medical records;
  • Registration and account data: during the term of the contractual relationship and for 5 (five) years after account closure, to comply with legal obligations, including the statute of limitations for civil claims (Art. 206, Par. 5, of the Civil Code);
  • Access records: 6 (six) months from the event, pursuant to the Internet Civil Framework (Art. 15, Law No. 12,965/2014);
  • Anonymized data: may be retained indefinitely, as it does not allow identification of the data subject and is not subject to the LGPD.

After the retention period expires, personal data will be securely and irreversibly deleted or anonymized, unless legislation requires its preservation.

8. Data Subject Rights

Pursuant to Art. 18 of the LGPD, the data subject has the right to:

  • Confirmation and access: confirm the existence of processing and access their personal data;
  • Correction: request the correction of incomplete, inaccurate, or outdated data;
  • Anonymization, blocking, or deletion: of unnecessary, excessive, or non-compliant data under the LGPD;
  • Portability: request the portability of data to another service or product provider, in a structured and interoperable format;
  • Deletion: request the deletion of data processed based on consent, except in cases where retention is required by law;
  • Information about sharing: know with which public and private entities the data has been shared;
  • Consent revocation: revoke consent at any time, without prejudice to the lawfulness of processing carried out previously;
  • Opposition: oppose processing carried out based on a consent waiver hypothesis, in case of non-compliance with the LGPD;
  • Review of automated decisions: request the review of decisions made solely based on automated data processing.

To exercise their rights, the data subject may contact our Data Protection Officer (DPO) at dpo@aura.med. Requests will be answered within 15 (fifteen) business days, as provided by law.

The data subject also has the right to file a complaint with the National Data Protection Authority (ANPD) if they believe that the processing of their personal data violates the LGPD.

9. Information Security

Aura Tech adopts appropriate technical and organizational measures to protect personal data against unauthorized access, destruction, loss, alteration, or any form of unlawful processing, including:

  • Encryption: data in transit protected by TLS 1.2+ (Transport Layer Security) and data at rest encrypted with AES-256;
  • Access control: multi-factor authentication, principle of least privilege, and segregation of duties for access to health data;
  • Audit records: access logs and operations on personal data, maintained for traceability and compliance purposes;
  • Continuous monitoring: intrusion detection systems and real-time anomaly monitoring;
  • Backups: encrypted backup copies at regular intervals and storage in geographically distinct locations;
  • Incident management: documented procedures for responding to security incidents, including notification to ANPD and affected data subjects, when applicable, pursuant to Art. 48 of the LGPD.

10. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for:

  • Essential cookies: necessary for the basic operation of the Platform, including authentication, security, and session preferences. These cannot be disabled;
  • Analytical cookies: collect aggregated and anonymous information about Platform usage for continuous improvement purposes, including pages visited, time spent, and browsing patterns.

The user can manage their cookie preferences at any time through browser settings or the Platform's privacy panel. Disabling essential cookies may affect the proper functioning of the Platform.

The Platform does not use cookies for advertising or retargeting purposes.

11. Changes to This Policy

Aura Tech reserves the right to update this Privacy Policy to reflect changes in our data processing practices or legal and regulatory requirements.

Material changes will be communicated to the user with a minimum advance notice of 30 (thirty) days, through notification on the Platform or by sending an email to the registered address. The "last updated" date at the top of this Policy will always reflect the current version.

Continued use of the Platform after the changes take effect constitutes acceptance of the updated Policy. If the user does not agree with the changes, they must cease using the Platform and may request the deletion of their data as described in Section 8.

12. Contact

For questions related to this Privacy Policy, personal data processing, or exercise of data subject rights, please contact:

  • Data Protection Officer (DPO): dpo@aura.med
  • General contact: contato@aura.med
  • Address: Av. Paulista, 1106 - 16th floor, Bela Vista, Sao Paulo-SP, ZIP 01310-914, Brazil

This Privacy Policy is governed by the laws of the Federative Republic of Brazil. Any disputes shall be resolved in the courts of Sao Paulo, State of Sao Paulo, except for the consumer's right to opt for the forum of their domicile.