Privacy Policy — Brazil

1. Who We Are

The Fractal Resonance Model platform ("FRM", "we", "us", "our") is operated by Neuro-Medtech UK Ltd, a company registered in England and Wales. We act as the Controller (controlador) of your personal data as defined under Brazil's Lei Geral de Proteção de Dados (LGPD, Lei nº 13.709/2018).

In accordance with LGPD Article 41, an Encarregado (Data Protection Officer) will be appointed and their contact details published on this page once designated. In the interim, privacy enquiries may be directed to our general contact below.

The LGPD applies to our processing activities pursuant to Article 3, as we process personal data of individuals located in Brazil, the processing is carried out for the purpose of offering services to individuals in Brazil, and the personal data was collected in Brazilian territory.

2. Scope and Applicability

This privacy policy applies specifically to the processing of personal data of individuals located in Brazil, in accordance with LGPD Article 3. The LGPD applies when:

• The processing is carried out in Brazilian territory
• The processing activity aims to offer or provide goods or services to individuals located in Brazil
• The personal data being processed was collected in Brazil

This policy should be read alongside our general privacy practices. Where there is a conflict between this policy and local Brazilian law, the provisions that afford greater protection to the data subject (titular) shall prevail.

3. What Data We Collect

We collect and process the following categories of personal data, classified under LGPD Article 5:

Personal Data (Dados Pessoais — Art. 5, I)

• Full name, email address, and login credentials (hashed with bcrypt)
• Role assignment (super_admin, admin, technician, or patient)
• Clinic association and organisational identifiers
• IP address, browser type, device information, and session timestamps
• Audit trail records (immutable, append-only)

Sensitive Personal Data (Dados Pessoais Sensíveis — Art. 5, II)

• Date of birth, age, sex, and clinical identifiers
• Medical history and medication records relevant to neurological assessment
• Quantitative electroencephalography (qEEG) recordings across 19 standard 10-20 electrodes
• Spectral analysis results: power spectral density, band power, and alpha peak frequency
• Fractal analysis metrics: DFA, Hurst exponent, Higuchi fractal dimension, entropy, and correlation dimension
• Resonance model outputs: i-APF, i-FAI, CDI, BDWS scores, and Better Frequencies
• Session recordings and condition metadata (eyes-closed, eyes-open, activity)

4. Sensitive Health Data

EEG recordings and neurological analysis results are classified as sensitive personal data (dados pessoais sensíveis) under LGPD Article 5, II. The LGPD imposes stricter requirements for processing such data under Article 11.

We process sensitive health data under the following legal bases:

• LGPD Article 11, I — Explicit consent from the data subject (titular), provided in a specific, prominent, and informed manner for defined purposes
• LGPD Article 11, II(f) — Health protection, exclusively, in a procedure carried out by health professionals, health services, or health authorities
• LGPD Article 13 — For studies conducted by research bodies, ensuring, whenever possible, anonymisation of sensitive personal data

5. Legal Basis for Processing

Under the LGPD, every processing activity must have a valid legal basis. Below is a summary of the bases we rely on:

6. How We Use Your Data

We use your personal data for the following purposes, always in accordance with the principles of LGPD Article 6 (purpose, adequacy, necessity, transparency, security, non-discrimination, and accountability):

• Clinical qEEG analysis: spectral processing, fractal analysis, resonance model calculations (i-APF, i-FAI, CDI, BDWS), and neuromodulation protocol generation
• Generating clinical reports and session comparisons for healthcare providers
• TVB (The Virtual Brain) simulation of whole-brain network dynamics
• Longitudinal monitoring of patient neurological health trends
• Platform security, access control (RBAC), and maintaining immutable audit trails
• Scientific research, where data is anonymised or pseudonymised in accordance with LGPD Article 13

7. International Data Transfers

As Neuro-Medtech UK Ltd is based in the United Kingdom, personal data of Brazilian data subjects is transferred internationally. The LGPD regulates international transfers under Articles 33 to 36.

We rely on the following mechanisms to ensure adequate protection for international transfers:

• ANPD adequacy decisions (Art. 33, I) — where the Autoridade Nacional de Proteção de Dados (ANPD) has recognised the receiving country as providing an adequate level of protection (note: as of the date of this policy, no ANPD adequacy decisions have been issued)
• Standard contractual clauses (Art. 33, II(b)) — contractual safeguards approved or modelled on international standards ensuring data protection obligations
• Explicit consent (Art. 33, VIII) — specific and prominent consent from the data subject for the transfer, with prior information about the international nature of the processing
• Binding corporate rules (Art. 33, II(a)) — where applicable, internal policies within the corporate group approved by the ANPD

8. Data Storage and Security

In accordance with LGPD Articles 46 and 47, we implement administrative, technical, and organisational security measures to protect personal data against unauthorised access, accidental or unlawful destruction, loss, alteration, communication, or any form of improper or unlawful processing.

Technical Measures

• TLS 1.2+ encryption for all data in transit
• Two-layer encryption at rest: Fernet (AES-128-CBC) for session data plus AES-256 for database-level encryption
• Password hashing with bcrypt (work factor 12)
• JWT-based authentication with short-lived access tokens (30 minutes) and refresh tokens (7 days)
• Role-based access control (RBAC) with four hierarchical roles and granular permissions
• Immutable, append-only audit trail for all data access and modifications (with PHI access flagging)

Incident Response

In the event of a security incident that may cause relevant risk or damage to data subjects, we will notify the ANPD and the affected data subjects within a reasonable time, in accordance with LGPD Article 48. The notification will include:

• Description of the nature of the affected personal data
• Information about the data subjects involved
• Technical and security measures adopted for data protection
• Risks related to the incident and measures taken to reverse or mitigate its effects

9. Data Retention

Under LGPD Articles 15 and 16, personal data must be deleted after the end of its processing period, except where retention is required by law or regulation. Brazilian medical records are subject to CFM (Conselho Federal de Medicina) Resolution 1.821/2007, which establishes a minimum retention period of 20 years.

Upon termination of processing, data will be deleted or anonymised, unless retention is authorised under LGPD Article 16 for legal compliance, research (with anonymisation), transfer to third parties (with adequate safeguards), or the exclusive use of the controller in anonymised form.

10. Third Parties and Data Sharing

In accordance with LGPD Articles 26 and 27, we may share personal data with the following categories of recipients:

• Clinical team members — Authorised healthcare professionals within the same clinic, under strict access controls and audit logging
• AI and cloud providers — For model inference only; no patient data is used for training third-party models. Data is transmitted encrypted and not stored by providers
• Legal and regulatory authorities — Where required by law, regulation, or valid legal process (Art. 7, II)
• Service providers (operadores) — Infrastructure and hosting providers acting under our instructions, bound by data processing agreements ensuring LGPD compliance

11. AI Processing

The FRM platform uses computational algorithms and AI-assisted analysis for qEEG interpretation. Under LGPD Article 20, you have the right to request a review of decisions made solely on the basis of automated processing that affect your interests.

Important clarifications about our AI processing:

• All AI outputs are decision-support tools — they assist but do not replace clinical judgement by qualified healthcare professionals
• No fully automated decisions with legal or significant effects are made without human oversight
• You may request information about the criteria and procedures used in automated decision-making (Art. 20, §1)
• Patient data is never used to train third-party AI models

12. Your Rights

Under LGPD Article 18, you (as the data subject / titular) have the following rights, which may be exercised at any time by contacting us:

1. Confirmation of the existence of processing (Art. 18, I)
2. Access to your personal data (Art. 18, II)
3. Correction of incomplete, inaccurate, or out-of-date data (Art. 18, III)
4. Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD (Art. 18, IV)
5. Data portability to another service or product provider (Art. 18, V)
6. Deletion of data processed with consent, except where retention is legally required (Art. 18, VI)
7. Information about public and private entities with which your data has been shared (Art. 18, VII)
8. Information about the possibility of denying consent and the consequences thereof (Art. 18, VIII)
9. Revocation of consent (Art. 18, IX)

Automated Decision Review

Under LGPD Article 20, you also have the right to request a review of decisions made solely on the basis of automated processing of personal data that affect your interests, including decisions intended to define your personal, professional, consumer, or credit profile, or aspects of your personality.

Right to Petition the ANPD

Under LGPD Article 18, §1, you have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) if you believe your data protection rights have been violated.

13. Cookies and Local Storage

The FRM platform uses only essential, functional cookies and browser local storage required for the application to operate. We do not use tracking cookies, advertising cookies, or third-party analytics.

Data stored locally in your browser includes:

• JWT authentication tokens (session management)
• User interface preferences (language, theme settings)
• Cached clinical data for offline fallback functionality

This use of cookies and local storage is consistent with the Marco Civil da Internet (Lei 12.965/2014), which governs internet use in Brazil, and the LGPD principles of necessity and purpose limitation.

14. Children's Data

Under LGPD Article 14, the processing of personal data of children and adolescents must be carried out in their best interest.

For patients under 18 years of age:

• Processing of children's data requires specific and prominent consent from at least one parent or legal guardian (Art. 14, §1)
• We collect only the minimum data strictly necessary for clinical qEEG assessment (Art. 14, §4)
• Children's data is never used for marketing, profiling, or any purpose beyond direct clinical care
• We make reasonable efforts to verify that consent was given by the parent or guardian, considering available technologies (Art. 14, §5)

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or ANPD guidance. When we make material changes:

• We will update the "Last updated" date at the top of this page
• For significant changes affecting your rights, we will provide prominent notice through the platform
• Where required, we will seek renewed consent before applying changes to existing data processing

We encourage you to review this policy periodically to stay informed about how we protect your data.

16. Contact and Complaints

To exercise any of your rights under the LGPD, or for any questions about this privacy policy, you may contact us through the following channels:

Filing a Complaint with the ANPD

If you believe your data protection rights have been violated, you have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD):