Privacy Policy
Last updated: June 3, 2026
1. Data controller
NuvaMed SpA ("NuvaMed"), domiciled in Chile, is the data controller for personal data collected through the NuvaMed platform (nuvamed.cl).
Contact: contacto@nuvamed.cl
2. Legal framework
This policy complies with current Chilean legislation:
- Ley 21.719 — Personal Data Protection (principles of purpose limitation, proportionality, data minimization, security, and transparency)
- Ley 20.584 — Patient Rights (confidentiality of clinical records)
- Ley 21.331 — Recognition and Protection of the Rights of Persons in Mental Health Care
- DS 41/2012 — Regulation on clinical records
3. Data we collect
3.1 Healthcare professional data
- Name, email, phone, RUT
- Specialty and registration number (SIS/Superintendencia)
- Billing information
- Video-call integration credentials (Zoom and/or Google — encrypted OAuth tokens), if the professional chooses to connect them
3.2 Patient data
- Full name, RUT, date of birth, contact information
- Health insurance (FONASA, ISAPRE, PRAIS)
- Clinical data: diagnoses, medications, clinical notes, risk assessments
- Wellness portal data (mood self-reports, medication adherence)
3.3 Technical data
- Audit logs (clinical record access, modifications)
- IP address and browser user agent (security and fraud prevention)
4. Purpose of data processing
- Provision of electronic clinical record services
- Compliance with regulatory obligations (GES/AUGE, Ley 21.331)
- Automatic generation of legal documents (prescriptions, epicrisis, certificates, transfer forms)
- Communication between healthcare professionals (CareLink network)
- Telemedicine videoconferencing (integration with Zoom and/or Google Meet, at the professional's choice)
- Appointment reminders and confirmations by email, with a calendar invite (.ics) and a video-call link
- Billing and electronic tax documents (SII DTE)
5. Legal basis
- Explicit consent from the patient for the processing of sensitive health data
- Legal obligation to maintain clinical records (Ley 20.584 Art. 12-13)
- Contractual performance for providing services to professionals
- Legitimate interest in security and fraud prevention
6. Third-party integrations
6.1 Zoom Video Communications
NuvaMed integrates with Zoom for telemedicine sessions. When a professional connects their Zoom account:
- We store encrypted OAuth2 tokens (Fernet, AES-128-CBC) with a unique derived key per professional
- We create Zoom meetings on behalf of the professional for scheduled appointments
- If the professional has cloud recording enabled, we process VTT transcripts to generate draft clinical notes using AI
- Raw transcripts are processed in memory and never stored in the database (data minimization, Ley 21.719 Art. 3)
- Tokens are revoked when the integration is disconnected
- Zoom webhook communications are validated via HMAC-SHA256 signature with replay protection
- When the app is deauthorized from the Zoom Marketplace, all stored credentials are immediately deleted (Zoom deauthorization compliance)
For more information, see Zoom's Privacy Policy.
6.2 Google — Sign-In
We offer Google Sign-In. When a user chooses this option, we access only their name, email address, and profile picture from the Google account, for the sole purpose of creating or authenticating their NuvaMed account. We do not access any other Google account data through sign-in.
6.3 Google Calendar and Google Meet (telemedicine)
If a healthcare professional chooses to connect their Google account to generate Google Meet video-call links, NuvaMed requests the https://www.googleapis.com/auth/calendar.events scope of the Google Calendar API. With this permission:
- What we do: when a telemedicine appointment is scheduled, we create a single event in the professional's calendar with an automatically generated Google Meet link. We update that event if the appointment is rescheduled and delete it if the appointment is canceled.
- What we do NOT do: we do not read, list, or access the professional's existing events in Google Calendar. We only manage the events that NuvaMed creates for telemedicine appointments. We do not use Google Calendar data for profiling, advertising, or any purpose other than the one described.
- What we store: only the encrypted Google OAuth2 tokens (Fernet, AES-128-CBC with a unique derived key per professional), the email address of the connected Google account, and the calendar event identifier and Meet link associated with each appointment. We do not store the contents of the professional's calendar or any other Google account data.
- Revocation: the professional can disconnect the integration at any time from the application settings; when they do, we revoke the token with Google and delete the stored credentials. They can also revoke access from their Google account permissions page.
Limited Use: NuvaMed's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, data obtained through Google APIs is used exclusively to provide or improve user-facing features within NuvaMed; it is not transferred to third parties except as necessary to provide those features, for security purposes, to comply with applicable laws, or in connection with a merger or acquisition; and it is not used or sold for advertising purposes.
6.4 Google Gemini (AI)
We use Google Gemini for clinical assistance features (summaries, analysis, pre-session briefings). Data is processed server-side and is not stored on Google systems beyond immediate processing. In accordance with Google Cloud's terms, content sent to Gemini through the API is not used to train Google's models.
7. Security
- Encryption in transit (TLS 1.3) and at rest at the disk level (AES-256 managed by Google Cloud SQL)
- Additional application-level encryption for sensitive fields using Fernet (AES-128-CBC + HMAC-SHA256): integration tokens use a unique derived key per professional, and process notes use a unique derived key per record
- Infrastructure on Google Cloud Platform, region southamerica-west1 (Santiago, Chile)
- Authentication with JWT + httpOnly cookies, role-based access control
- Immutable audit log for all clinical data access
- Tenant isolation — each clinic can only access its own data
- Process notes encrypted with Fernet (unique key per note)
- 12-hour editing window for clinical notes; after that, only immutable addendums (Ley 20.584 Art. 12)
8. Data retention
- Clinical records: 15 years from the last entry (DS 41/2012 Art. 8)
- Audit logs: 6 years
- Professional account data: while the account is active, plus 1 year after deactivation
- Integration credentials (Zoom/Google): while the integration is connected; deleted upon disconnection or revocation
- Telemedicine transcripts: not retained (only the resulting clinical note)
9. ARCO rights (Ley 21.719)
Personal data subjects may exercise their rights to:
- Access: request a copy of the personal data being processed
- Rectification: correct inaccurate or incomplete data
- Cancellation: request data deletion (subject to legal retention obligations)
- Opposition: object to data processing under certain circumstances
- Portability: receive data in a structured format
Requests can be made through the privacy portal within the application or by writing to contacto@nuvamed.cl. We will respond within 10 business days.
10. Breach notification
In the event of a security breach affecting personal data, we will notify affected data subjects and the competent authority within 72 hours of detection, in accordance with Ley 21.719.
11. International transfers
Data is stored on Google Cloud Platform, Santiago (Chile) region. Some AI features use Google APIs that may process data transiently outside of Chile, always under Google Cloud's contractual guarantees and in compliance with Ley 21.719.
12. Modifications
We reserve the right to update this policy. We will give notice of material changes at least 15 days in advance through the platform.
13. Contact
For privacy and data protection inquiries:
NuvaMed SpA
Email: contacto@nuvamed.cl
Website: nuvamed.cl