Privacy Policy and Personal Data Protection

1. INTRODUCTION

Nova Health Journey LTDA ("NHJ"), registered under CNPJ 60.741.088/0001-24, establishes this Privacy Policy and Personal Data Protection ("Policy"), in compliance with Law No. 13.709/2018 – Brazilian General Data Protection Law ("LGPD"), other health sector regulations, professional council resolutions (COREN) and good governance practices. The objective is to ensure transparency, security and legal compliance in the treatment of personal data and sensitive personal data, especially those related to health, within the scope of services provided by NHJ.

2. SCOPE

This Policy applies to:

• I.Patients, family members and caregivers who use NHJ services.
• II.Health professionals associated with NHJ (nurses, psychologists) who work in telecare.
• III.Hospitals, clinics, health insurance operators, laboratories and institutional partners.
• IV.Employees, contractors and suppliers of NHJ.

3. DATA CATEGORIES PROCESSED

NHJ may process, directly or indirectly, the following data categories:

• I.Personal identification data: name, CPF, ID, address, phone, email, date of birth, gender.
• II.Sensitive health data: diagnoses, clinical evolution, treatment adherence, interaction records with nurses and psychologists, information about rare or chronic diseases.
• III.Professional data: information about doctors, nurses, psychologists and other health professionals.
• IV.Electronic and system usage data: IP address, access logs, cookies, call recordings (when applicable), interactions in applications and digital portals.

4. PROCESSING PURPOSES

The processing of personal and sensitive data by NHJ occurs for the following purposes:

• a)Execution of remote care services, through nurses and psychologists, in monitoring the patient's health journey.
• b)Management and coordination of the patient journey, including communication with family members, doctors, hospitals, health insurance operators and partners.
• c)Compliance with legal and regulatory obligations, including those issued by health authorities, professional councils and health surveillance.
• d)Production of statistical and anonymized reports for research purposes, real-world evidence (RWDE), health innovation and institutional partnerships.
• e)Protection of the health and life of the data subject, in situations of risk or emergency.
• f)Administrative and contractual activities, such as billing, auditing and quality control.

5. LEGAL BASIS

NHJ processes data based on the legal hypotheses provided in articles 7 and 11 of the LGPD, highlighting:

• I.Data subject's consent.
• II.Execution of a contract or preliminary procedures.
• III.Compliance with a legal or regulatory obligation.
• IV.Protection of the life or physical safety of the data subject or third parties.
• V.Health protection, in procedures performed by health professionals or health entities.
• VI.NHJ's legitimate interest, respecting the fundamental rights and freedoms of the data subject.

6. DATA SHARING

Personal and sensitive data may be shared, when necessary, with:

• I.NHJ health professionals, linked to their respective professional councils.
• II.Hospitals, clinics, laboratories and health insurance operators, for continuity of care purposes.
• III.Health authorities, regulatory bodies and professional councils, under legal obligation.
• IV.Technology suppliers and business partners, through contracts that impose confidentiality and security duties compatible with the LGPD.
• V.Pharmaceutical industries and institutional partners, exclusively in anonymized form, unless express consent to the contrary.

7. INFORMATION SECURITY

NHJ adopts appropriate technical, administrative and organizational measures to protect personal data, including:

• I.Encryption of data in transit and at rest.
• II.Access control restricted to authorized professionals.
• III.Log recording and internal audits.
• IV.Ongoing training in privacy and professional ethics.

8. TECHNICAL RESPONSIBILITY

NHJ maintains formally appointed technical officers registered with: COREN (Regional Nursing Council), for nursing services. These professionals assume responsibility for the ethical and technical compliance of remote care activities conducted on behalf of NHJ.

9. DATA SUBJECT RIGHTS

In accordance with articles 18 et seq. of the LGPD, the data subject may exercise, at any time, the following rights:

• I.Confirmation of the existence of processing.
• II.Access, correction, updating and portability of data.
• III.Anonymization, blocking or deletion of unnecessary or excessive data.
• IV.Deletion of data processed based on consent.
• V.Information about public and private entities with which data was shared.
• VI.Revocation of consent.

Requests must be sent to NHJ's Data Protection Officer (DPO).

10. DATA RETENTION

Data will be stored:

• I.For the period necessary to fulfill the contractual and legal purpose.
• II.While the relationship with the patient or partner is in effect.
• III.For an additional period to comply with legal, regulatory and health record obligations.
• IV.In anonymized form, when intended for scientific studies, statistical reports or research.

11. DATA PROTECTION OFFICER (DPO)

NHJ has appointed a Data Protection Officer (DPO), who will act as a communication channel with data subjects and competent authorities:

12. FINAL PROVISIONS

12.1 This Policy may be updated periodically, through publication on NHJ's official channels. 12.2 Any disputes arising from this Policy will be resolved in accordance with Brazilian legislation, electing the jurisdiction of São Paulo/SP for dispute resolution.