Privacy Policy
Last updated: May 2026 | Pursuant to Brazil's LGPD (Law 13,709/2018)
1. Controller and Processor
Your clinic is the Data Controller: it decides what patient data to collect and for what purpose. Salutho acts as Data Processor: it processes data on behalf of your clinic, following its instructions and the contract terms, without using patient data for unauthorized commercial purposes.
2. What data we process
Through SaluGestor, the following categories of data are processed on behalf of contracting clinics:
- Identification data (name, CPF, date of birth, contact details)
- Health data considered sensitive personal data under LGPD Art. 5, II (medical history, diagnoses, prescriptions, EHR records)
- Scheduling and appointment data
- Financial data related to billing (no credit card data is stored on Salutho servers)
- AI transcription data (processed exclusively to generate the requested output)
3. Legal bases (LGPD Art. 7 and Art. 11)
Data processing is based on: performance of a healthcare services contract (Art. 7, V), protection of life and physical safety (Art. 7, I), compliance with a legal obligation (Art. 7, II) and, for sensitive data, provision of healthcare services by health professionals (Art. 11, II, f).
4. How we protect your data
Encryption in transit (TLS) and at rest. Data stored exclusively on servers in Brazilian territory. Granular access permissions per user profile. Full audit trail. Redundant backups and recovery procedures. Privacy and Security by Design applied from system conception.
5. Data sharing
Patient data is not sold or shared with third parties for commercial purposes. Sharing may occur with: cloud infrastructure providers (under data processing agreements), the Mevo prescription partner (for digital prescription signing via ICP-Brasil, Brazilian PKI), WhatsApp Business API providers (for appointment confirmations), and payment processors (for billing only).
6. Data subject rights (LGPD Art. 18)
Patients whose data is processed in SaluGestor, and clinic employees, may exercise the following rights: access and confirmation of processing, correction of inaccurate data, deletion (where legally permitted), data portability, information on sharing, opposition to processing, and withdrawal of consent.
To exercise these rights, contact our DPO: [email protected]
7. Cookies
See our Cookie Policy for full details on cookies used on this website.
8. Data Protection Officer (DPO)
Salutho has a formally designated DPO for LGPD compliance. Contact: [email protected]
9. Changes to this policy
Material changes will be communicated to registered users in advance. The current version is always available on this page.