ATHENA SAÚDE PRIVACY AND DATA PROTECTION POLICY – HEALTH PLAN OPERATORS

Hello! Welcome to the Privacy Policy (“POLICY”) of ATHENA HEALTHCARE HOLDING S.A (“ATHENA SAÚDE”), CNPJ nº 26.753.292/0001-27, based on Avenida Dra. Ruth Cardoso, 8501, 4° andar, São Paulo/SP, CEP 05425-070.

This POLICY explains how ATHENA SAÚDE uses, stores, shares, and protects the personal data eventually collected by insurance plan operators under the ATHENA SAÚDE portfolio – you can find all of them at http://www.athenasaude.com.br/marcas-do-portfolio/ – related to all of their products.

This POLICY applies to the personal data of every Beneficiary and Dependent of ATHENA SAUDE health plans, as well as websites and applications users of ATHENA SAÚDE Health Operator companies. If you are an ATHENA SAÚDE employee, collaborator, or supplier, or if you are participating in any project or specific activity with ATHENA SAÚDE, you should seek the respective privacy policy, or the person responsible for your hiring at ATHENA SAÚDE, to obtain applicable terms and inform you of your rights to your data.

1. GENERAL TERMS

ATHENA SAÚDE respects the privacy and security of the personal data to which it has access. In its established processes, ATHENA SAÚDE ensures transparent personal data processing. The data won’t be processed for purposes other than, or incompatible with, purposes for which it was collected.
 
Specific Privacy Policies may apply to some of our products and services. For more information about our product-or-service-specific privacy policies, please visit the website for that product or service.
 
2. PERSONAL DATA CONTROLLER IDENTIFICATION
 
Within the scope of this POLICY, each ATHENA SAÚDE company will be the collected personal data controller.
 
If you have any inquiries regarding this POLICY, please, contact the person in charge at [email protected]
 
3. DATA
 
In order to provide our services, we collect the following information:
 
Beneficiary: We collect personal information that is reasonably necessary to provide health plan and clinical care services to the Beneficiary, as well as for administrative purposes related to the services. Information includes registration data, such as name, CPF, address, date of birth, gender, mother’s name, contact information, financial information, personal health statement, and CNS – National Health Card.
 
We will usually collect this information directly from the beneficiaries. However, we may also receive this information from third parties, for example: from a family member or another service provider.
 
Dependents: We may collect information from the Beneficiaries’ dependents, similar to the data we collect from the Beneficiary’s registration. ATHENA SAÚDE will only collect information reasonably necessary for primary activities, such as providing our services and for administrative purposes related to the services.
 
Browsing Information, Access Logs and other automated information: We automatically collect data every time you use or interact with our website, apps, social media posts and accounts, and ads from ATHENA SAÚDE. Internet Protocol (IP) address, browser information, pages visited, search terms, address, and unique device identifier or other persistent or non-persistent device identifiers (“Device ID”) are some examples of the data we collect. The date and time of access are also stored.
 
4. HOW WE USE YOUR DATA
 
ATHENA SAÚDE’s primary purpose to process Personal Data is to establish a contractual relationship for the management, administration, provision, expansion, and improvement of the services provided.
 
We can also utilize data to:
  • Provide, manage and communicate with you about the products, services, offers, programs, events, and promotions of ATHENA SAÚDE companies. If you no longer wish to receive marketing communications from ATHENA SAÚDE, you can adjust your preferences at [www.athenasaude.com.br/xxx] at any time, or by contacting our Data Protection Officer [[email protected]].
  • Meet the legitimate interests of ATHENA SAÚDE companies, always within the limits of what is expected by the data subject, and never to the detriment of their interests, fundamental freedoms, and rights.
  • Manage our communications; determine the effectiveness and optimize our marketing campaigns; review our products, services, websites, mobile applications, and any other digital resources to facilitate their use; and perform due diligence, accounting, auditing, billing, reconciliation, and collection analysis activities;
  • Anonymize the collected personal data, and prepare and provide aggregated data reports with anonymized information (including compilations, analyses, analytical and predictive rules, models, and other aggregated reports);
  • Comply with legal or regulatory obligations;
  • Exercise ATHENA SAÚDE’s rights in judicial, administrative, or arbitration proceedings;
  • For other purposes, for which we provide specific notice at the time of collection, or otherwise as authorized or required by law.

AATHENA SAÚDE may centralize the collected personal data, which may be used in other services related to all ATHENA SAÚDE brands, respecting the purposes set forth herein and the consent of the Owner, whenever required by law.

5. WITH WHOM WE MAY SHARE THE DATA

ATHENA SAÚDE may share the collected data in the following cases:

a) With its affiliated/controlled companies, incorporated or operating in any State of Brazil or abroad – therefore ATHENA SAÚDE is hereby committed to only do so if the country of destination provides by law an adequate degree of personal data protection;

b) With third-party service providers to help us operate, run, improve, understand, customize, support, and advertise our services. When we share data with third-party service providers, we require them to use your data following our instructions and terms or with your express consent, where applicable.

c) With authorities, government entities, or third parties to defend ATHENA SAÚDE’s interests in any type of conflict, including legal actions and administrative proceeding;

d) In the case of transactions and corporate restructure involving ATHENA SAÚDE in which the information transfer is necessary for the continuity of the provision of the relevant Healthcare Services;

e) By court order, or by the request of administrative authorities that have legal competence to request..

f) With your permission. In other cases not mentioned above, in case we need to share your personal data, we will send you a notification to request your consent, allowing us to share the data for a specific purpose.

6. COOKIES

A “cookie” is a small bit of record-keeping information that websites often store on a user’s computer. ATHENA SAÚDE cookies are typically used to quickly identify a User’s device and to “remember” the User. We also use cookies as information to constantly improve our content and user experience.

Users can disable cookies or set their browsers to alert them when cookies are being sent to their device; however, disabling cookies may affect their ability to use the Service.

 

Types of cookies

What they do

Mandatory

These cookies are essential for ATHENA SAÚDE pages to load correctly and allow you to browse our websites.

Performance

These cookies help us understand how visitors interact with ATHENA SAÚDE pages, providing information about the areas visited, the time spent on the site, and any problems you may find, such as error messages.

Functional

These cookies allow ATHENA SAÚDE pages to remember your choices, to provide a more personalized experience, and for the Beneficiary to watch videos and use social tools, comment sections, and forums, among others.

Marketing

These cookies are used to provide more relevant content and are of interest to the Beneficiary. We may use it to display targeted advertising or to limit the number of times we display an ad on the site; to measure the effectiveness of an advertising campaign, and to indicate the pages and sites the Beneficiary visited. ATHENA SAÚDE may share this information with third parties, such as contracted advertising agencies.

 

7. PERSONAL DATA INTERNATIONAL TRANSFERS

ATHENA SAÚDE may transfer your personal data to third-party service providers abroad, including cloud service providers..

When your personal data gets transferred abroad, ATHENA SAÚDE will take appropriate measures to ensure adequate protection of your personal data under the requirements of applicable data protection legislation, reaching data transfer agreements with third parties when required.

8. HOW WE KEEP YOUR DATA SAFE

ATHENA SAÚDE follows generally accepted industry standards to safeguard the privacy of your personal information, taking reasonable steps and guidelines on security standards, such as:

a) Data encryption and anonymization;

b) Protection against unauthorized access to your systems;

c) Control and registration of all people who access each location where personal data is stored;

d) Confidentiality Agreements and Commitments with all those who access personal data;

e) Institutional measures such as updated privacy governance;

Even adopting the necessary measures, however, no data transmission is secure. ATHENA SAÚDE encourages Beneficiaries to adopt personal protective measures within their own environment.

9. DATA RETENTION

ATHENA SAÚDE retains the data collected under this Privacy Policy for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. ATHENA SAÚDE may still retain some of the data to the extent such retention is necessary to resolve disputes, enforce ATHENA SAÚDE user agreements, and comply with technical and legal requirements and constraints related to the security, integrity, and operation of the Service. Thereafter if the collected data is no longer needed for purposes specified in this Privacy Policy, ATHENA SAÚDE deletes all aforementioned data in its possession within a reasonable timeframe.

10. YOUR RIGHTS

In compliance with and respect for the legislation applicable to the processing of personal data, ATHENA SAÚDE guarantees the Beneficiary the following rights:

a) Personal data processing confirmation. Upon the Beneficiary’s request, ATHENA SAÚDE will confirm the existence of personal data processing, under the applicable legislation;

b) Access to data. The Beneficiary may request access to their personal data collected and stored by ATHENA SAÚDE;

c) Correction of incomplete, inaccurate, or outdated data. The Beneficiary may, at any moment, alter and edit their personal data through the Operator’s Call Centers and the channel [email protected];

d) Personal data portability. Upon express request from the Beneficiary, ATHENA SAÚDE will carry out the personal data portability to another service provider, under the terms of the applicable legislation;

e) Personal Data Erasure. The Beneficiary may request the erasure of personal data that have been collected by ATHENA SAÚDE, upon the Beneficiary’s request, at any time. The erasure of personal data will only take place in cases when the personal data is not necessary for ATHENA SAÚDE to comply with legal, and contractual obligations, for the protection of its legitimate interest and in other cases legally admitted;

f) Shared use of personal data info. Information about shared personal data can be found in this Privacy Policy. In case the Beneficiary needs additional clarifications, ATHENA SAÚDE makes itself available to the Beneficiary;

g) Consent withdrawal. The consent given by the User for ATHENA SAÚDE Personal Data processing can be revoked at any time. This, however, will not affect the lawfulness of processing based on the User’s consent before its withdrawal. The consent withdrawal request will not imply the deletion of personal data previously processed and maintained by ATHENA SAÚDE based on other legal grounds.

The beneficiary may directly exercise these rights by contacting our Data Protection Officer via the email address [email protected].

5. LEGISLATION AND JURISDICTION

This Notice will be governed, interpreted, and executed under national legislation, especially Law 13.709/2018 (LGPD), and any doubts arising from this document will be resolved by the competent jurisdiction of the personal data Holder.

6. CHANGES TO THIS POLICY

We reserve ourselves the right to correct or update this POLICY from time to time. When we update this Privacy Policy, we also update the date at the top of the document.

In relevant situations, mainly in the eventual modification of the purposes for which the data were collected, the Beneficiary will be informed about the changes made. The new Privacy Policy will take effect immediately upon publication.

São Paulo/SP, August 01, 2020