Version 2026-06-30
Privacy Policy
This Policy describes how FTL Importação e Comercialização de Softwares Ltda. (CNPJ 23.496.533/0001-01), operator of the Imáginos platform, processes personal data in compliance with Brazil's LGPD (Law 13,709/2018). The platform is intended for professionals and clinics; patients do not create accounts or access it directly. Effective as of June 30, 2026.
1. Imáginos's two roles
For the professional/clinic User's own data — registration, identification, credentials, contact, billing, and browsing — Imáginos is the Controller.
For patients' clinical data entered into the platform by the User — dermatoscopy and trichoscopy images and clinical metadata — Imáginos is the Processor. The Controller is the professional or clinic, who holds the clinical relationship and the duty to obtain legal bases at source.
2. Data we process
User registration and identification (Controller): name, email, phone, professional registration, clinic name, role, and protected credentials. With external login (e.g., Google), we receive only name and email — never your provider password.
Billing data (Controller): processed by payment operators; we do not store full card numbers.
Patient clinical data (Processor): clinical images, identifiers, and metadata entered by the User — sensitive personal health data belonging to the User Controller.
Technical and browsing data (Controller): IP, device, browser, and logs, for security, fraud prevention, and service improvement.
3. Purposes and legal bases
We process data for: providing the contracted service (contract performance, art. 7, V); compliance with legal obligations (art. 7, II); legitimate interest (art. 7, IX) in security, fraud prevention, and feature development; operational communications and, with an opt-out, communications about the platform; exercise of rights (art. 7, VI); and protection of health (art. 11, II, "f"), within the clinical relationship led by the User Controller.
For sensitive patient data, the legal basis at source (including patient consent where required) is the responsibility of the User Controller.
4. Data sharing
We do not sell personal data. We share only with: infrastructure operators (hosting, database, storage, image processing) under security obligations; payment operators; competent authorities under legal obligation; and in corporate transactions, preserving this Policy's obligations.
We do not share patient clinical data for marketing. Clinical data is accessible only to those the User authorizes and to technical staff in restricted support or maintenance situations.
5. International transfer
Part of the infrastructure may be located outside Brazil. Where this occurs, the transfer will comply with the LGPD, with adequate contractual clauses and comparable protection guarantees. Where feasible, we prioritize storing clinical data in a region compatible with the User's requirements.
6. Information security
We adopt technical and organizational measures: encryption in transit and, where applicable, at rest; restricted, segregated access control; access logging and monitoring; environment segregation; and incident response. Images are kept in private storage, accessed only via authentication and signed URLs — with no public access.
No system is fully immune to incidents. You are responsible for safeguarding your credentials. In an incident that may pose relevant risk, we will notify the User Controller and, where applicable, the Brazilian data protection authority (ANPD), cooperating in fulfilling legal duties.
7. Anonymized images for research and AI
Imáginos may use data — including clinical images — in aggregated and anonymized form, without allowing re-identification, for research, statistics, scientific validation, and feature improvement, including the training and improvement of artificial intelligence and computer vision models.
Under article 12 of the LGPD, effectively anonymized data is not personal data. Anonymization is performed by Imáginos before any use. This purpose is enabled by default, especially on free and trial plans; exclusion may be requested at privacidade@imaginos.com.br. The User Controller must ensure, at source, the legal basis allowing this anonymization.
8. Retention and deletion
Data is kept for as long as necessary for its purposes and while the contractual relationship lasts, subject to legal retention periods. Upon account closure, clinical data may be made available for recovery for a reasonable period and then deleted or anonymized, per the User Controller's instructions. Data already anonymized and incorporated into studies and models is not affected by closure.
9. Data subject rights
Under the LGPD, the data subject may request confirmation, access, correction, anonymization, blocking, deletion, portability, information on sharing, and withdrawal of consent.
As Imáginos is generally the Processor of patient data, patient requests should be directed to the professional or clinic Controller; Imáginos will assist. For data where Imáginos is the Controller (User data), requests may be made to the Data Protection Officer.
10. Cookies
The platform uses cookies strictly necessary for operation and security and, with consent where required, usage measurement cookies. You can manage preferences in your browser; disabling necessary cookies may impair functionality.
11. Changes to this Policy
Imáginos may amend this Policy due to legal, regulatory, operational, or feature changes. Material changes will be communicated with reasonable notice, by email or platform notice, indicating the effective date. Continued use after the effective date constitutes agreement.
12. Data Protection Officer and contact
Data Protection Officer: privacidade@imaginos.com.br. General contact: contato@imaginos.com.br. Address: Rua Ambrosio Pereira, 42, São Paulo/SP, 04612-030, Brazil. The data subject may file a complaint with the Brazilian data protection authority (ANPD). Venue: courts of São Paulo/SP.