Privacy Policy

Controller Identification

For the purposes of Art. 9, II of the LGPD, the controller of the personal data processed in the Service is:

• Company name: Fitcal Ltda.
• CNPJ (Brazilian tax ID): 61.468.082/0001-98
• Operated brand: OzemPro (www.ozempro.com)
• Data Protection Officer (DPO): Contact via e-mail contato@ozempro.com, as per Art. 41 of the LGPD. Postal address available upon request through this channel.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

• Account: A unique account created for you to access our Service or parts of it.
• Company: Refers to Fitcal Ltda. (CNPJ 61.468.082/0001-98), the entity operating the OzemPro brand and controller of your personal data.
• Personal Data: Any information related to an identified or identifiable natural person.
• Sensitive Personal Data: Data about health, sexual life, biometrics, among others, as defined by Art. 5, II, of the LGPD.
• Data Subject: The natural person to whom the personal data refers — you.
• Processing: Any operation performed with personal data (collection, use, sharing, deletion, etc.).
• Controller: The natural person or legal entity that makes decisions regarding the processing of your personal data — in this case, OzemPro.
• Processor: The natural person or legal entity that processes data on behalf of the controller (e.g., hosting, payment, and notification providers).
• Data Protection Officer (DPO): The person appointed by the controller to act as a communication channel between you, the Company and the ANPD (Art. 41 of the LGPD).
• International Transfer: The transfer of personal data to a foreign country or international organization — subject to the conditions of Art. 33 of the LGPD.
• Cookies: Small files placed on your device containing information about your browsing history.
• Device: Any device that can access the Service such as a computer, cellphone or tablet.
• Service: Refers to the OzemPro website and/or app.
• You: The individual accessing or using the Service.

Collection and Use of Your Personal Data

Types of Data Collected

When using our Service, we may collect the following categories of data:

• Registration data: first name, last name, email, gender, date of birth, height, language, and profile photo (optional).
• Sensitive health data (Art. 11 of the LGPD): medication in use, dose, frequency, application dates, weight, BMI, body measurements, symptoms, reported side effects, and progress photos — used exclusively to operate the tracking Service.
• Meals and nutrition: meal descriptions, macronutrients, food photos (when you choose to upload them). Although not by nature sensitive data, they may reference your health condition at your discretion — they are treated as sensitive data as a precaution.
• Messages sent to the AI assistant: free text you type in the AI Chat. These messages are transferred to the AI provider outside Brazil, as detailed in the "International Transfer" section.
• Subscription and payment data: subscription status, platform used (Apple App Store, Google Play, Stripe) and an opaque order identifier. Full card details are NEVER processed by us — they are handled directly by the payment providers.
• Usage and telemetry data: interactions with the application, screens accessed, anonymized usage events, device identifiers, model, operating system, language, time zone, IP address, advertising identifiers (IDFA/AAID), and error logs.
• Consent audit: for every consent grant or revocation, we store the date/time, version of the document accepted, IP address, and User-Agent — necessary to evidence the data subject's expression of will (Art. 8 §6 of the LGPD).
• Market research data (when you choose to participate): where you usually purchase the medication, approximate price range, interest in future treatment access solutions, and — if you voluntarily provide it — name, email and phone for follow-up.
• Cookies and identifiers: as detailed below.

Tracking Technologies and Cookies

We use Cookies and similar technologies to track activity on our Service. Cookie types:

• Essential Cookies: Necessary for the Service to function.
• Functionality Cookies: Improve the user experience.
• Analytics Cookies: Collect information for usage and performance analysis.

Legal Bases for Processing

We process your data based on the legal hypotheses provided in Arts. 7 and 11 of the LGPD, according to the purpose:

• Consent (Art. 7, I and Art. 11, I): For processing sensitive health data, sending marketing communications, participating in market research, and sharing with healthcare sector partners.
• Performance of contract (Art. 7, V): To provide and maintain the Service features you contracted.
• Compliance with legal obligation (Art. 7, II): To meet legal, regulatory requirements or orders from competent authorities.
• Legitimate interest (Art. 7, IX): For aggregated usage analysis, information security and fraud prevention, always respecting your fundamental rights.

Purposes of Processing

The Company uses your Personal Data to:

• Provide and maintain the Service, including treatment tracking.
• Manage your Account and provide exclusive features.
• Contact you regarding operational updates of the Service.
• Conduct anonymous or optionally identified market research, aimed at understanding the treatment access landscape — always with specific consent.
• Send marketing communications about treatment access solutions, with your opt-in consent, with the option to unsubscribe at any time.
• Share contact data with selected healthcare sector partners (laboratories, distributors, pharmacies, health plans, platforms), exclusively when you mark the specific consent.
• Monitor Service usage for improvement and security purposes.

Sharing of Personal Data

Your personal data may be shared in the following situations:

• With service providers (processors) that support the operation of the Service, under contract with confidentiality and data protection clauses. The processors that handle data on our behalf are listed in the "Processors and Sub-processors" section below.
• With healthcare sector partners selected by us (laboratories, distributors, pharmacies, health plans, platforms and initiatives related to treatments), only when you manifest specific consent by marking the corresponding option — purpose: present solutions, offers and updates that make treatment more accessible.
• To comply with legal or regulatory obligations, or in response to orders from competent authorities (Art. 7, II and VI of the LGPD).
• In case of merger, acquisition or corporate reorganization, with prior notice to you.
• We do not sell your personal data and do not share it with third parties for commercial purposes not authorized by you.

Processors and Sub-processors

The list below identifies the processors that handle your personal data on our behalf. The list is updated whenever there is a relevant addition, change, or replacement of a supplier. The abbreviation "IT" indicates international data transfer (Art. 33 of the LGPD).

• Amazon Web Services (AWS) — Brazil (sa-east-1): Application hosting, PostgreSQL database, and image storage (progress photos, avatars) in private buckets with restricted access.
• Stripe — USA (IT): Processing of subscription payments contracted via the web. Receives only the data strictly necessary for payment; card data is handled exclusively by Stripe under the PCI-DSS standard.
• Apple and Google — USA (IT): In-app subscription processing (In-App Purchase / Google Play Billing) and optional social authentication (Apple Sign In / Google Sign In).
• Firebase (Google) — USA (IT): Push notification delivery (Firebase Cloud Messaging) and anonymous device identifier for message delivery.
• Resend — USA / European Union (IT): Sending of transactional emails (confirmation, password recovery, operational communications).
• OpenAI — USA (IT): Generation of AI assistant responses. Receives ONLY the text of the message you send in the AI Chat. We do not send your email, name, or other registration data. Processing is conditioned on your specific consent, captured upon first use of the AI Chat.
• Superwall — USA (IT): Remote delivery of subscription screens (paywall) and A/B testing of commercial configurations.
• Sentry — USA (IT): Collection of error logs for diagnostics and bug fixing. Configured not to send identifiable personal data in error messages.
• PostHog — USA (IT): Analysis of anonymized usage events for product improvement.
• Meta CAPI, AppsFlyer, Singular, TikTok Pixel — USA (IT): Measurement and attribution of advertising campaigns. Receive conversion events (install, registration, subscription) and pseudonymized device identifiers. Do not receive sensitive health data.
• Paywallo (Virex Tech) — Brazil: Internal platform for attribution, A/B testing, and paywall management. Sub-processor of the controller, under the same obligations of this Policy.

International Data Transfer (Art. 33 of the LGPD)

Some of our processors are located outside Brazil — predominantly in the United States. For this reason, part of the processing of your data involves international transfer. We ensure that these transfers occur under the hypotheses authorized by Art. 33 of the LGPD:

• Standard contractual clauses (Art. 33, II, d): With Stripe, AWS, Google/Firebase, Sentry, and our other processors, we maintain contracts (DPAs — Data Processing Agreements) with protection clauses compatible with the LGPD.
• Specific consent of the data subject (Art. 33, VIII): The use of the AI Chat, which involves sending messages to OpenAI in the USA, depends on your specific and highlighted consent, requested upon first use of the feature. You may choose not to use the AI Chat and continue using the other features of the Service normally.
• Performance of contract (Art. 33, V): Some transfers (such as payment processing by Apple/Google/Stripe when you subscribe to the Service) are necessary for the performance of the contract entered into between you and the Company.

Children and Adolescents (Art. 14 of the LGPD)

The Service is intended exclusively for individuals aged 18 (eighteen) or older. We do not intentionally collect data from children or adolescents. If we identify that an account was created by a person under 18 without the specific consent of at least one parent or legal guardian, the account will be deleted and the data will be erased, except where retention is legally required. If you are responsible for a minor who has used the Service, please contact our Data Protection Officer through the channels listed at the end of this Policy.

Information Security (Arts. 46 to 49 of the LGPD)

We adopt reasonable technical and administrative measures appropriate to the scale of the processing and the sensitivity of the data involved, including:

• Storage of your session token (JWT) in protected locations on the device: iOS Keychain on Apple and EncryptedSharedPreferences on Android, making access by third-party applications difficult even on rooted/jailbroken devices.
• Passwords are stored as one-way hashes, never in plain text.
• Connections with the server are protected by TLS/HTTPS.
• Image storage buckets (progress photos, avatars) are private; access occurs exclusively through short-lived signed URLs.
• The database is accessible only via the server's internal network, with strong credentials generated at deploy time.
• Structured auditing of every sensitive action (consent grant/revocation, export, account deletion), with date/time, IP, and User-Agent.
• Rate limiting on public endpoints to mitigate brute-force attacks.
• Periodic review of the DPIA (Data Protection Impact Assessment — Art. 38 of the LGPD) and of the technical controls.

Response to Security Incidents (Art. 48 of the LGPD)

Despite the measures adopted, no system is absolutely immune to incidents. Should a security incident occur that may result in relevant risk or harm to you, we will report the incident to the ANPD and to you within a reasonable period, in accordance with the determination of the National Data Protection Authority, providing: (i) a description of the nature of the data affected; (ii) the data subjects involved; (iii) the technical and security measures used to protect the data; (iv) the risks related to the incident; (v) the reasons for any delay, in the case of non-immediate notification; and (vi) the measures adopted to reverse or mitigate the effects of the harm.

Data Retention and Deletion

We retain your data for as long as necessary to fulfill the described purposes and applicable legal periods:

• Registration and usage data: Kept while your account is active and for up to 12 months after account deletion, unless otherwise legally required.
• Sensitive health data: Kept while your account is active, deleted after account deletion, except when retention is required for defense in legal proceedings or regulatory obligation.
• Market research data: Kept for up to 5 years from collection, or until consent revocation, whichever comes first.
• Security logs: Kept for up to 6 months, in accordance with the Brazilian Internet Civil Framework (Federal Law No. 12.965/2014).

Your Rights as Data Subject

Pursuant to Art. 18 of the LGPD, you may exercise the following rights at any time, free of charge. Many of them can be exercised directly within the app, on the "Privacy and Consents" screen — including exporting a copy of your data, permanently deleting your account, and revoking specific consents. For any other requests, please use our contact channel:

• Confirmation: Confirm whether we process data about you.
• Access: Access the data we hold about you.
• Correction: Correct incomplete, inaccurate or outdated data.
• Anonymization, blocking or deletion: Request anonymization, blocking or deletion of unnecessary, excessive or non-compliant data.
• Portability: Request portability of your data to another service provider, observing commercial and industrial secrets. Available directly within the app ("Privacy and Consents" screen → "Export my data"), which generates a JSON file with all your records.
• Deletion: Request permanent deletion of your data, except where legal retention applies. Available directly within the app ("Privacy and Consents" screen → "Delete my account"). Deletion is permanent and covers your registration information, sensitive health data, photos, AI Chat messages, and community history.
• Information about sharing: Obtain information about public and private entities with which we share your data.
• Consent revocation: Revoke consent at any time, without prejudice to the lawfulness of processing previously performed.
• Opposition: Object to processing based on legal hypothesis other than consent, in case of LGPD non-compliance.
• Complaint to ANPD: File a complaint with the Brazilian Data Protection Authority (ANPD) at www.gov.br/anpd.

Changes to this Privacy Policy

We may update this Policy periodically. Whenever there is a relevant change, we will communicate through registered contact channels or in the app itself. We recommend reviewing this page regularly.

Data Protection Officer and Contact Channel

To exercise your rights, clarify questions or file complaints related to the processing of your data, you may contact our Data Protection Officer (DPO) through the channel below. We will respond within the legal period of up to 15 (fifteen) days.

• By email: contato@ozempro.com