Updated on 22/08/2025

Privacy and Data Processing Policy of Beneficência Portuguesa

1. INTRODUCTION

This Policy aims to transparently demonstrate the commitment of R.B.A. PORTUGUESA DE BENEFICENCIA ("BP"), headquartered in the Municipality of São Paulo - SP, at Rua Maestro Cardim, 769, Bela Vista, CNPJ: 61.599.908/0001-58, and its respective branches, to your privacy and the protection of personal data, respecting the provisions of the Brazilian General Data Protection Law.

This Policy describes the applicable guidelines for the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction of personal data from clients and/or their legal representatives, companions and visitors, employees, members of its clinical and multidisciplinary staff, students, volunteers, researchers, service providers, sponsors and any other third parties, in accordance with current laws.

By accessing and using the services offered by BP, you, as the data subject, declare that you are aware of the terms and the way we process your data and that you have read this Policy in full and attentively, granting your free and express agreement to the processing of your Data in accordance with the conditions specified below.


2. SCOPE

This Policy applies to all administrators (members of the Board of Directors, Advisory Board, Fiscal Council, Administrative Board, Associates) and BP employees, clients and their legal representatives, companions and visitors, members of its clinical and multidisciplinary staff, students, researchers, volunteers, providers of goods and services, and any other third parties.


3. INFORMATION SUBJECT TO BP'S PRIVACY POLICY

3.1. All information provided or collected from clients and/or their legal representatives, whether physically or when accessing our virtual environments, in the context of providing healthcare services by BP.

Among the healthcare services that may be provided by BP, depending on the chosen unit, are: hospital services, hospitalization, outpatient, surgical, diagnostic exams, consultations, care lines, urgent care, or emergency services, among other health services; as well as for the application of clinical studies and research, credit recovery and predictive analysis to improve the experience of services provided, respecting the terms of applicable laws;

3.2. All information of BP administrators and employees, goods and service providers, collected in the context of contractual or legal obligation;

3.3. All information provided or collected from Volunteers in the context of promoting support activities providing well-being, leisure and social responsibility for our clients and companions;

3.4. All information provided or collected from members of its clinical and multidisciplinary staff, researchers in the context of providing healthcare services, contractual or legal obligation;

3.5. All information provided or collected from Students in the context of providing educational services.


4. PROCESSING OF PERSONAL DATA

4.1. Considering the principles and foundations defined by the Brazilian General Data Protection Law, the Processing of Personal Data by BP will only be carried out when the following hypotheses are observed:


Legal Basis - Description

  • Consent: When the data subject or their legal representative consents to the processing of personal data, freely, unequivocally, specifically, and in a highlighted manner, for a determined purpose.
  • Execution of Public Policies: When data processing is necessary to serve the public interest.
  • Contract Execution: When data processing is necessary to ensure the fulfillment of contractual execution.
  • Compliance with Legal or Regulatory Obligation: When data processing is required due to a legal or regulatory obligation.
  • Exercise of Regular Rights: When data processing is necessary for the regular exercise of rights in a contract, judicial, administrative, or arbitration proceeding.
  • Protection of the Life of the Data Subject or Third Party: When data processing is indispensable for the protection of life or physical integrity.
  • Health Protection: When data processing is carried out for the purpose of executing procedures by healthcare professionals, health services, or sanitary authorities.
  • Legitimate Interests: When in certain situations, on an exceptional basis, BP may rely on legitimate interest for processing the data subject's data, in the regular exercise of its rights for operational quality and service or service provision improvements that benefit them, always in accordance with the Brazilian General Data Protection Law.
  • Studies by Research Entities: When promoting clinical research studies, in accordance with the Brazilian General Data Protection Law.

5. ABOUT THE DATA WE COLLECT

5.1. How we collect personal data: Personal data and sensitive personal data may be collected physically and/or digitally when interacting with our institutional environments.

5.2. What personal data we collect and for what purposes:


Data Subject: Clients/Patients and their Legal Representatives

What We May Collect: Registration data; personal characteristics; identification generated by official bodies; residential information; professional, financial, and credit information; legal and health information; preferences; video images captured by CCTV; information about mobile devices and computers; digital identification; Preferences.

For What Purpose Do We Collect:
• To initiate requests and in-person services for patient registration and admission;
• To facilitate interactions with our digital channels, including check-in for consultations and exams, online scheduling, exam results;
• To provide medical and healthcare services, including video consultation cases (telemedicine), situations where your data may also be used for identification processes on telemedicine service provider platforms;
• To provide assistance via electronic messaging applications;
• To request authorization for exams and/or consultations from the health insurer/operator, as well as to carry out financial procedures;
• To perform post-discharge recovery follow-up and support services (including through remote monitoring technologies);
• To quote the values of medical procedures and materials such as orthoses, prostheses, and special materials (OPME) and other special categories with Third Parties and Health Operators;
• To invite you to participate in clinical research projects;
• To participate in clinical research projects;
• To participate in the Clinical and Surgical Patient Welcome Program;
• To participate in care lines;
• To prepare legal instruments related to the services provided;
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To comply with obligations arising from the use of our services and required by health authorities;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;
• To implement administrative and financial processes, including indicator studies that enable service improvement;
• To recover credits due to default;
• To send institutional communications;
• Use of digital platforms - patient portal, applications, and others that may be developed;
• To authenticate and grant access to the wireless internet network.

Data Subject: Companions and Visitors

What We May Collect: Registration Data, Personal Characteristics, Identification generated by official bodies; Residential information; Information about mobile devices and computers; digital identification; Video images captured by CCTV.

For What Purpose Do We Collect:
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To authenticate and grant access to the wireless internet network;
• To provide assistance via electronic messaging applications;
• To comply with obligations arising from the use of our services and required by health authorities;
• Use of digital platforms;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;

Data Subject: Associates and Administrators

What We May Collect: Registration Data; Personal Characteristics; Identification generated by official bodies; Residential information; Professional, financial, and credit information; legal and health information; Information about mobile devices and computers; digital identification; Video images captured by CCTV; Preferences.

For What Purpose Do We Collect:
• To fulfill statutory legal obligations;
• To promote electronic voting of Associates and Administrators in Ordinary and Extraordinary General Meetings and other statutory acts, through digital platforms of service providers;
• To conduct internal and external audits;
• To provide access to physical and digital environments;
• To prepare legal instruments related to the services provided and other legal and statutory obligations;
• To address requests and other communications;
• To initiate requests and in-person services for the registration and admission of associate and administrator patients;
• To provide medical and healthcare services, including video consultation cases (telemedicine), situations where your data may also be used for identification processes on telemedicine service provider platforms;
• To request authorization for exams and/or consultations from the health insurer/operator, as well as to carry out financial procedures;
• To perform post-discharge recovery follow-up and support services (including through remote monitoring technologies);
• To quote the values of medical procedures and materials such as orthoses, prostheses, and special materials (OPME) and other special categories with Third Parties and Health Operators;
• To invite you to participate in research projects;
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To comply with obligations arising from the use of our services and required by health authorities and other public administration bodies;
• To provide assistance via electronic messaging applications;
• To implement administrative and financial processes, including indicator studies that enable service improvement;
• To recover credits due to default;
• To authenticate and grant access to the wireless internet network;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;
• Use of digital platforms;

Data Subject: Employees and Clinical Staff

What We May Collect: Registration Data; Personal Characteristics; Identification generated by official bodies; Residential information; professional; financial and credit information; legal and health information; Information about mobile devices and computers; digital identification; Video images captured by CCTV; Information about education and titles; Health information; Preferences.

For What Purpose Do We Collect:
• To carry out recruitment and functional registration processes;
• To perform activities related to your job function;
• To conduct periodic medical exams;
• To identify, grant access, and monitor our facilities, such as for the creation of identification badges, bracelets, stickers, as well as to record your images in our monitoring and physical security systems (CCTV), and to grant access to the corporate digital environment (computer network and system authentication services);
• To process payroll, charges, and benefits;
• To provide medical assistance;
• To prepare legal instruments related to the services provided and legal obligations;
• To conduct training;
• To comply with obligations required by public authorities;
• To send institutional communications, internal guidelines.
• Registration, Accreditation, and disclosure of Clinical Staff;
• Assistance to employee patients and medical record and prescription registration;
• To certify technical responsibility before the Competent Authorities;
• To process payments;
• To facilitate interactions with our digital channels;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;
• Use of digital platforms;
• To authenticate and grant access to the wireless internet network.

Data Subject: Students

What We May Collect: Registration Data; Personal Characteristics; Identification generated by official bodies; Residential information; Professional, financial, and credit information; legal and health information; Information about mobile devices and computers; Digital identification; Video images captured by CCTV; Information about education; Preferences.

For What Purpose Do We Collect:
• To register for the selection process of the chosen course and for other activities related to your academic activity (such as: enrollments, re-enrollments, registration with government bodies, such as the Ministry of Education - MEC, Education Secretariat, Federal Council of Medicine, and other related public bodies);
• To prepare legal instruments for the services provided and legal obligations;
• To process payments and issue invoices;
• To request health insurance for Students, when applicable and within legal limits;
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To authenticate and grant access to the wireless internet network;
• To comply with obligations required by public authorities;
• To facilitate interactions with our digital channels;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;
• Use of digital platforms;

Data Subject: Volunteers

What We May Collect: Registration Data (including corporate name and personal data of the NGO's legal representative); Identification generated by official bodies; Residential information; Information about mobile devices and computers; Digital identification; Video images captured by CCTV.

For What Purpose Do We Collect:
• To promote support activities providing well-being, with social participation by making your time, experiences, competencies, and skills available for solidarity activity services, without personal cost.
• To act in activities that generate knowledge, leisure, comfort, and social responsibility for our patients and companions, whether as a volunteer or partner.
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To authenticate and grant access to the wireless internet network;
• To comply with obligations arising from the use of our services and required by public authorities and public administration.
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel;
• Use of digital platforms;

Data Subject: Third Parties

What We May Collect: Registration Data; Identification generated by official bodies; Legal information; Information about mobile devices and computers; Digital identification; Video images captured by CCTV.

For What Purpose Do We Collect:
• To prepare legal instruments;
• To process payments;
• To identify, grant access, and monitor our facilities, such as badges, stickers, identification bracelets, as well as record your images in our monitoring and physical security systems (CCTV);
• To authenticate and grant access to the wireless internet network;
• To comply with obligations arising from the use of our services and required by public authorities and public administration;
• Use of digital platforms;
• To address requests and other communications made through BP's service channels, including, but not limited to, the "Contact Us" channel.

SPECIAL NOTE FOR LEGAL REPRESENTATIVES

BP may collect and process Personal Data of children and adolescents under the age of 18, physically and/or digitally, when interacting with Our Environments, including Sensitive Personal Data, and therefore, depending on the purpose, there may be a need for legal consent from parents or legal representatives.

Even if there is consent for the collection and processing of Personal Data of children and adolescents, parents should supervise the online activities of their minor children in Our Environments, especially in Our digital environments. The activities of adolescents over 16 and under 18 years of age must be assisted by parents or legal representatives.

5.3. Many of BP's services depend directly on some of the personal data listed in the table above, mainly registration data.

5.4. BP is not responsible for the accuracy, truthfulness, or timeliness of the information or personal data provided by the data subject, it being the data subject's responsibility to provide them accurately or update them whenever necessary.

It is important to say that BP is relieved from processing or treating any personal data if there are reasons to believe that such processing or treatment may impute any legally foreseen infraction to us, or if Our Environments are being used for any illegal, illicit purposes or contrary to ethics and/or morality.

5.6. The database formed through the collection of personal data is the property and responsibility of BP, and its use, access, and sharing, when necessary, will be done within the limits of this Privacy Policy and specific Terms of Use, when existing.


6. DATA COLLECTION THROUGH COOKIES

6.1. BP collects cookies to identify you on your next access to the website, offering a personalized service according to your preferences or browsing history, providing more convenience when accessing service portals, and speeding up the user identification process.

6.2. To learn more about which cookies we collect, understand the purpose of collection and why we collect them, access and learn about our Cookie Policy available on the website: https://www.bp.org.br/politica-de-cookie

6.3. All technologies used by BP that involve the collection or processing of cookies within their scope comply with current cookie processing legislation and are in accordance with the terms set forth in this Policy.


7. SHARING OF PERSONAL DATA

7.1. The personal data collected and recorded activities may be shared by BP in the following cases:

  • With competent judicial, regulatory, administrative, or governmental authorities, whenever there is a legal determination, request, requisition, or court order;
  • With health operators and insurers, laboratories, pharmaceutical industries, professional councils, and other medical entities, exclusively for purposes related to the provision of health services, compliance with legal and regulatory obligations, and as provided for in current legislation;
  • Procedurally, in case of corporate movements, such as merger, acquisition, and incorporation;
  • In case of compliance with statutory obligations, as legally provided.
  • With third-party suppliers and service providers in the healthcare area, whenever necessary for the proper provision of medical and hospital services, strictly observing confidentiality criteria, information security, and the limits established by data protection legislation.
  • We may also share data with third parties and suppliers for other processes pertinent to BP's operations, in order to validate, within institutional possibilities, the due compliance with privacy, data protection, and other applicable legislation by the third party, ensuring that they act within what the LGPD (Brazilian General Data Protection Law) prescribes and are responsible for all data processing in their environment.

7.2. BP is not responsible for any misuse of personal information carried out by third parties, volunteers, students, or employees, when such conduct results from non-compliance with this Privacy Policy or contractual obligations previously assumed through specific instruments. In these cases, responsibility will be attributed exclusively to the infringing party, as provided by applicable law.


8. INFORMATION SECURITY AND DATA PROTECTION

8.1. Measures adopted by BP for the protection of information and data: BP employs its best efforts to maintain the privacy and security of information through the adoption of technical, physical, and administrative security measures:

  • Technical measures: such as transmission of personal data through a secure internet page, storage of data in electronic media that maintain high security standards, use of a system whose access is controlled and segregated according to the responsibilities of each employee;
  • Physical measures: such as restricted access to authorized persons maintained in facilities that include the use of market security tools;
  • Administrative measures: including the adoption of Security Policies and Norms, employee training and awareness, and confidentiality agreements.

8.2. Internally, the Personal Data collected by BP is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

8.3. When using Our digital environments, it is very important that the data subject(s) protect their data against unauthorized access to their computer or cell phone, account, or password, in addition to making sure to always click "log out" when ending their browsing on a shared computer.

It is also very important to inform that BP never sends electronic messages with attachments that can be executed (this can be verified through file extensions such as: .exe, .com, among others) or links for file downloads. The emails are intended to bring information about your appointments, scheduling, health bulletins and care, and other information consented to by the data subject(s). Always contact our service channels to verify the veracity of any content received in the name of BP.

8.4. When the data subject(s) access Our Environments, they may be directed, via link, to other portals or platforms (this also includes BP's social networks), which may request that you provide your personal data and other information and have their own Data Processing Policy or specific Terms and Conditions of Use:

  • It is the data subject's responsibility to read the Privacy and Data Processing Policies of such portals or platforms outside our environment, and it is their responsibility to accept or reject them.
  • BP will not be responsible for the Privacy and Data Processing Policies of Third Parties nor for the content of any websites or services linked to BP's virtual environments, even if linked to them via links;
  • BP has commercial partners that may eventually offer services through functionalities or sites that can be accessed from Our Environments. When providing data to these partners, it will be their responsibility, and thus subject to their own data collection and usage practices.

The consent provided by the data subject, when applicable, is collected individually, clearly, specifically, legitimately, and in an informed manner.

8.5. BP uses technologies compatible with the market, respecting reasonable state of the art, with constant updates. All technologies used must respect current legislation and the terms of this Privacy Policy.

8.6. BP conducts training with its employees, clinical staff, and multidisciplinary professionals regarding norms and best practices related to information security, privacy and protection of personal data, and the Brazilian General Data Protection Law, and has developed a governance program, aiming to raise their awareness of the importance of preserving and maintaining the confidentiality of collected, recorded, stored, used, shared information, and responsible disposal.

8.7. BP respects the principles of lawfulness, purpose, adequacy, proportionality, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability, auditing, subsidiarity, and storage limitation, in addition to affirming the commitment to confidentiality and preservation of privacy under the terms of this Privacy Policy.

8.8. BP is committed to making every possible effort, through technical and organizational measures, to protect the personal data it processes, preventing and correcting any incidents of privacy, security, or data protection. However, it is important to highlight that, even with all care, no system is completely immune to failures or malicious actions by third parties. Therefore, BP limits its liability in cases where such situations are beyond its control. We recommend that, in the face of any contact, request, or suspicious activity in the name of BP, data subjects contact our official service channels to confirm the veracity of the information before passing on any information or taking any action.


9. STORAGE OF PERSONAL DATA

9.1. BP will maintain and store Personal Data and sensitive personal data for as long as necessary to fulfill the purposes for which they were collected, as well as for the purposes of complying with any legal, regulatory, contractual, accountability obligations, or requests from competent authorities, in accordance with applicable legislation.

9.2. The Data collected will be stored on our servers located in Brazil, as well as in a cloud computing resource or server environment, which may require a transfer and/or processing of this Data outside Brazil.


10. INTERNATIONAL DATA TRANSFER

10.1. BP informs that, depending on the services used, your data may be transferred and maintained in an environment inside or outside Brazil. This transfer will always respect evaluation criteria for partners and suppliers that provide technological infrastructure in countries with data protection laws equivalent to the Brazilian General Data Protection Law.

10.2. Currently, data from some of our services are stored in:

  • Brazil;
  • Germany;
  • Bolivia;
  • Chile;
  • United States of America;
  • Canada;
  • Netherlands;
  • Switzerland;
  • United Kingdom.

11. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM

11.1. Any data subject has the right to request information from BP related to the processing of their data. According to the LGPD, your rights consist of:

  • Confirmation: right to be informed about the existence of processing.
  • Access: right to request access to the personal data being processed.
  • Elimination: right to request the deletion of personal data, subject to compliance with legal or regulatory obligations;
  • Revocation of consent: right to revoke consent at any time, through express manifestation, via a free and facilitated procedure.
  • Portability: right to request the transmission of processed data to another service provider.
  • Correction: right to request the alteration of processed personal data whenever they are incomplete, inaccurate, or outdated.
  • Information: right to be informed about the public and private entities with which the data has been shared.
  • Restriction: right to request the anonymization, blocking, or deletion of unnecessary, excessive data, or data processed in non-compliance with personal data protection legislation.
  • Review of automated decisions: possibility to review decisions made solely based on automated processing of personal data that affect your interests.
  • Access to Data: access to your data and to a copy of your medical records.

11.2. To address your rights based on information requests, contact us through the DATA SUBJECT REQUEST FORM available in the form below:

11.3. The data subject may exercise their rights directly or through a legally constituted representative. Through this channel, it is also possible to request a Copy of your Medical Records.

11.4. To protect the privacy of data subjects, some additional documents will be requested by the BP Team to verify your identity. All validation steps will be done via your email. We recommend adding the domain @m.onetrust.com to the safe sender list of your email provider to track emails sent.

11.5. To unsubscribe from the mailing list to receive communications from BP and other consents provided to our institution, access our preference center, available at the Link: https://privacyportal.onetrust.com/ui/#/preferences/multipage/login/46f72a0e-1293-4b45-976d-8d3d993e79e4

11.6. If we are requested to delete Personal Data, it may occur that the Data needs to be retained for a period longer than the deletion request, under the terms of Article 16 of the Brazilian General Data Protection Law, for:

  • Compliance with a legal or regulatory obligation;
  • Study by a research entity;
  • Transfer to a third party (respecting the data processing requirements set forth in the same Law).

11.7. After the retention period and legal necessity have ended, Personal Data will be deleted using secure disposal methods or used in an anonymized form for statistical purposes, through the adoption of reasonable efforts and available techniques.


12. ARTIFICIAL INTELLIGENCE

12.1. Seeking to continuously improve and optimize the healthcare services provided, and provide a more efficient, personalized, and secure experience for its patients, BP may use resources from technologies that utilize Artificial Intelligence (AI) in its processes and development.

12.2. We may use AI for the automation of some processes, such as service and interactions with data subjects; optimization of internal processes and materials; support in clinical analyses, laboratory results, reports, and diagnoses; other processes that may be enhanced with the application of this technology. Our technological resources that use AI include human review and are under constant monitoring and control.

12.3. The use of Artificial Intelligence (AI) by BP is carried out ethically, responsibly, and in strict compliance with current legislation, especially the Brazilian General Data Protection Law (LGPD). The institution ensures that the processing of personal data through tools that use AI occurs for legitimate purposes, respecting patient privacy and limited to the minimum necessary to meet its objectives. Furthermore, the best practices of privacy, data protection, and information security are applied, including appropriate technical and organizational measures, such as anonymization whenever possible, ensuring that the use of such data occurs exclusively within legal limits.


13. AUTOMATED DECISION-MAKING

13.1. Automated decision-making occurs when an electronic system uses personal information to make a decision without human intervention.

13.2. If BP makes decisions that will have a significant impact on data subjects based on automated processing of personal data, we will provide full transparency regarding the criteria and procedures used and will make appropriate means available to request a review of these decisions, observing commercial and industrial secrets.


14. CONTACT US

14.1. In case of any questions regarding the provisions of this Privacy and Data Processing Policy, the data subject may contact us through the service channels listed below:

  • Data Protection Officer - DPO: Amanda Beatriz Cezario
  • E-mail: dpo@bp.org.br


15. CHANGES TO THIS POLICY

15.1. We seek to offer you services with the greatest possible efficiency and, for that reason, we constantly update them. Therefore, this Policy may be adjusted at any time. Whenever possible, access the updates of this Policy through this electronic address.


16. GENERAL PROVISIONS

16.1. If any point of this Policy is considered inapplicable by a Data or Judicial Authority, the other conditions will remain in full force and effect.

16.2. Any communication made by email (to the addresses provided in your registration), SMS, instant messaging applications, or any other digital form is also valid, effective, and sufficient for the disclosure of any matter referring to the services we provide, as well as the conditions of their provision or any other matter addressed therein, with the exception only of what this Policy provides as such.


17. APPLICABLE LAW AND JURISDICTION

17.1. This Policy will be interpreted according to Brazilian legislation, in the Portuguese language, with the jurisdiction of your domicile elected to settle any controversy involving this document, except for a specific reservation of personal, territorial, or functional jurisdiction by applicable legislation.

17.2. If domiciled in Brazil, and due to the services offered by BP only within national territory, you submit to Brazilian legislation, therefore agreeing that, should there be a dispute to be resolved, the lawsuit must be filed in the Court of the District of São Paulo.


18. PUBLIC REGISTRY

18.1. This Policy is registered at the 4th Registry of Deeds and Documents and Legal Entity Civil Registry of the District of São Paulo. For all purposes, consider the latest version in force as published on our website.


19. GLOSSARY

19.1. For the purposes of this Policy, the following definitions and descriptions should be considered for better understanding:

  • National Data Protection Authority ("ANPD"): A public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD throughout the national territory.
  • Anonymization: The use of reasonable and available technical means at the time of Processing, through which data loses the possibility of association, directly or indirectly, with an individual.
  • CCTV: "Closed Circuit Television." A monitoring and surveillance camera system that transmits images in real-time to a video recorder and/or monitoring center via a wired or IP system.
  • Cloud Computing: Technology for virtualizing services built from the interconnection of more than one server through a common information network (e.g., the Internet), aiming to reduce costs and increase the availability of supported services.
  • Access Account: Credential required to use or access the functionalities of BP's virtual environments.
  • Cookies: Small files sent by the Platform, saved on your devices, that store preferences and a few other pieces of information, with the purpose of personalizing your browsing according to your profile.
  • Personal Data Controller: A natural or legal person, governed by public or private law, to whom decisions regarding the processing of personal data belong.
  • Data: Any information entered, processed, or transmitted through Our Environments.
  • Personal Data: Data related to an identified or identifiable natural person.
  • Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  • Solely automated decisions: These are decisions that affect a user and that were programmed to function automatically, without the need for a human operation, based on automated processing of personal data.
  • Data Protection Officer (DPO): Person appointed by BP to act as a communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD).
  • Session ID: Identification of the user session when accessing BP's virtual environments.
  • IP: Abbreviation of Internet Protocol. It is an alphanumeric set that identifies users' devices on the Internet.
  • General Data Protection Law (or "LGPD"): Law No. 13,709/18, which governs the processing of Personal Data in Brazilian territory.
  • Logs: Records of activities of any users who use BP's virtual platforms.
  • Our Environments: Refers to both our digital environments such as our electronic address https://www.bp.org.br/ and appointment scheduling for consultations and exams, as well as our physical environments, such as our buildings and facilities.
  • Personal Data Processor: A natural or legal person, governed by public or private law, who processes personal data on behalf of the Controller.
  • Third Parties: A natural or legal person, governed by public or private law, that provides or supplies goods or services to BP, on its premises or remotely, and in the exercise of their activities may come to have access to information concerning BP's business or that of its clients.
  • Data processing: Any operation performed with Personal Data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.


FREQUENTLY ASKED QUESTIONS - FAQ

What is the Brazilian General Data Protection Law - LGPD? Who does it apply to?
The Brazilian General Data Protection Law (LGPD - Law No. 13,709/18) is the legal norm that aims to protect the Personal Data of natural persons ("Data Subject"), seeking to guarantee transparency and security regarding how their Personal Data is processed by third parties. The LGPD applies to any person, natural or legal, who carries out activities of Processing Personal Data (in physical or virtual media) in Brazilian territory, offers goods or services to Data Subjects located in Brazil, or has collected the Personal Data in Brazil.
What are Personal Data?
Personal Data is information related to a natural person that allows their direct identification or, when associated with other data, makes this identification possible, such as name, ID/CPF, address, email, telephone, profession, IP address, and geolocation.
What is the Processing of Personal Data?
According to the LGPD, Processing means any operation performed with Personal Data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction of Personal Data. Thus, we can say that simply accessing a Data Subject's Personal Data constitutes Processing.
Does Beneficência Portuguesa comply with the LGPD?
We reaffirm our commitment to medical confidentiality, privacy, and protection of personal data. In this sense, through the application of technologies and innovation and continuous improvement of our processes, we always seek to attend to the privacy of our users and maximum transparency in the data processing process. With the LGPD, we reinforce this commitment, pledging during Personal Data Processing activities to comply with all obligations defined in the LGPD. We are constantly evolving to adapt all our processes, providing adequate security for Personal Data, giving you a transparent view of the Processing, and guaranteeing the exercise of your rights as a Personal Data Subject.
What are Sensitive Personal Data?
Sensitive Personal Data are Personal Data that, due to their nature, require even greater caution in their processing, as they may reveal data about creed, race, political opinion, health, among other information linked to a natural person, as provided for in Art. 5, II of the LGPD.
Does Beneficência Portuguesa process Sensitive Personal Data?
During the processing operations carried out, we may collect certain Sensitive Personal Data, always in accordance with the purposes established in our Privacy Policy. In observance of the principle of necessity, we commit to collecting only the data necessary to achieve the informed purpose.
What are anonymized data?
Anonymized data are data where it is not possible to identify a natural person, as they lose the possibility of direct or indirect association with the Data Subject, that is, they are not characterized as Personal Data. This data may be used by us for statistical purposes.
What is pseudonymization?
Pseudonymization is the processing through which Personal Data loses the possibility of association with an individual, except through the use of additional information kept separately by the Controller in a restricted and secure environment.
How is the collection of Personal Data carried out?
We may collect Personal Data in two ways: (i) your Registration Data, when you provide it voluntarily, from registration on our website or in our physical units; and (ii) your Digital Identification Data, automatically, when you visit our site.
Where does Beneficência Portuguesa store Personal Data?
Furthermore, Personal Data may be stored on servers located in Brazil or abroad through the use of cloud computing services. In any scenario, we will commit the necessary efforts to guarantee the confidentiality and security of Personal Data.
What is the National Data Protection Authority - ANPD?
The National Data Protection Authority - ANPD is a federal public administration body linked to the Presidency of the Republic, which, among other attributions, is responsible for overseeing the protection of Personal Data, inspecting, and applying administrative sanctions to those who disrespect the LGPD, receiving complaints from Data Subjects, and stimulating knowledge about Personal Data protection.
Who is the Officer in charge of Processing Personal Data?
The Officer, also called DPO, from English, Data Protection Officer, is the person designated by the Processing Agents to act as a communication channel between the controller, the data subjects, and the National Data Protection Authority.
Who is the Officer designated by Beneficência Portuguesa? What do they do?
Our Personal Data Officer is the focal point in communications between us, the ANPD, and you; in addition to guiding our employees on Data Protection norms, they will also ensure that requests related to Personal Data that you make are addressed. You can get more information about our Officer via email dpo@bp.org.br.
What are your Rights and how can you exercise them?
You have the basic rights to Intimacy, Freedom, and Privacy, in addition to the specific rights provided for in the LGPD, as listed below:
  • Access: You have the right to know which of your Personal Data we process.
  • Confirmation of existence of Processing: You have the right to know if we carry out any Processing activity with your Personal Data.
  • Correction: You have the right to request the correction of your Personal Data that is incorrect, inaccurate, and/or outdated.
  • Elimination: You have the right to request the deletion of your Personal Data.
  • Information about Sharing: You have the right to know with whom we share your Personal Data.
  • Limitation: You have the right to request the anonymization or blocking of your unnecessary or excessive Personal Data.
  • Objection to Processing: You have the right to object at any time to the Processing of your Personal Data.
  • Portability: You have the right to request that your personal data under our processing be transferred to another company indicated by you.
  • Revocation and information about consequences: You have the right to revoke your consent for the purposes of Personal Data processing linked to it, as well as to be informed of any consequences in the provision of services resulting from the revocation request.

You can exercise your rights through our Contact Channels:

  • Channel for questions: SAC: (11) 3505-1000 or ouvidoria@bp.org.br
  • Through our Data Officer: dpo@bp.org.br
  • Channel for infringements and/or reports: https://www.canalconfidencial.com.br/bp; or Phone: 0800-882-0628

For us to provide all clarifications and enable the exercise of your rights, as the case may be, remember to state, clearly and objectively: (i) your identification as requested, (ii) what the request is, and (iii) the right you would like to exercise. We remind you that limiting the processing of some of your Personal Data, through the exercise of rights such as requests for blocking, deletion, or revocation of consent, may cause harm in the execution of the services provided by us to you. However, do not worry: we will inform you when this is the case, and the decision to proceed with the request will be at your discretion.

How long can Beneficência Portuguesa retain my Personal Data?
The retention periods for Personal Data vary according to the reasons for which we process your data. We keep your Personal Data only for the period necessary to fulfill the processing purposes and our legal obligations.
  • Generally, we may retain your registration Personal Data for up to 5 years after the end of our relationship under the terms of Articles 12 and 34 of the Brazilian Consumer Protection Code.
  • Data that are part of medical records will be stored for a minimum period of 20 years, counted from the date of the last record, according to Article 6 of Law No. 13,787/2018. This period also applies to physical and electronic medical records.
  • Digital identification Personal Data (IP address, for example) will be stored for 6 months, under the terms of Article 15 of the Brazilian Civil Rights Framework for the Internet.

These periods may be longer depending on specific regulation issued by a regulatory authority, legal obligation arising from law, or for the preservation of rights.

Where can I get more information about Privacy and Data Protection?
You can get more information about how we process and protect your Personal Data through our Privacy Policy.
Are there subcontractors that will have access to your Personal Data? How does Beneficência Portuguesa monitor or control the legitimacy of this use?
To support certain activities, we may subcontract third-party service providers. We give these third parties the name of sub-operators. To guarantee compliance in the protection of your Personal Data that these sub-operators may have access to, we have contracts defining obligations and holding them accountable in case of any irregularities in the processing of your Personal Data. We are always monitoring the compliance of these sub-operators and guarantee that we will only share data strictly necessary to achieve a specific purpose and for the time necessary for it to occur.
How does Beneficência Portuguesa protect information?
Through the main tools of information security, privacy, and data protection, with backup routines, in addition to the application of internal policies that guide our employees and third parties. You can help us take care of your online security by avoiding accessing suspicious sites, not downloading files from unknown sources, choosing complex passwords, and not providing them to third parties.
How will the processing of personal data of children and adolescents be carried out?
We process the Personal Data of children and adolescents in their best interest, according to Article 14 of the LGPD. Furthermore, the processing of Personal Data and Sensitive Personal Data of children (up to 12 years) is carried out with the specific and highlighted consent given by at least one of the parents or the legal representative.
How can "consent" be obtained? Must it be in writing or can it also be in digital format?
In cases where the data subject's consent is necessary for the processing of personal data, consent may be obtained through a physical written document or in digital format. Remember that, for the data subject's manifestation to be valid, it must be free, informed, and unequivocal, and for a determined purpose.
Who are the Data Processing Agents? What are their roles?
The agents for processing personal data are:
  • Controller: consists of a natural or legal person who makes decisions regarding the processing of personal data;
  • Processor: a natural or legal person who processes personal data on behalf of the Controller.
How to proceed in case of an information security incident involving personal data?
If you notice or suspect the occurrence of a security incident, it is important to remain calm and follow some steps: Report the incident or your suspicion immediately to the Officer in charge of Processing Personal Data, who will investigate what happened and take appropriate measures, including communication to the ANPD, affected data subjects, and involved third parties. The Officer must objectively assess the level of risk created by the breach and communicate it to the ANPD, the affected Data Subjects, and the involved third parties.

Do you have any other questions? We can help you, send your question to our contact channels and we will be happy to answer you!

Beneficência Portuguesa thanks you for your attention!

List of previous versions available on the website: https://www.bp.org.br/politica-de-privacidade

18/12/2020 - Version 01

18/12/2021 - Version 02

04/04/2022 - Version 03

12/04/2023 - Version 04