Privacy Policy
Last updated: March 28, 2026
1. Data controller
NuvaMed SpA ("NuvaMed"), RUT 77.XXX.XXX-X, domiciled in Chile, is the data controller for personal data collected through the NuvaMed platform (nuvamed.cl).
Contact: contacto@nuvamed.cl
2. Legal framework
This policy complies with current Chilean legislation:
- Ley 21.719 — Personal Data Protection (principles of purpose limitation, proportionality, data minimization, security, and transparency)
- Ley 20.584 — Patient Rights (confidentiality of clinical records)
- Ley 21.331 — Recognition and Protection of the Rights of Persons in Mental Health Care
- DS 41/2012 — Regulation on clinical records
3. Data we collect
3.1 Healthcare professional data
- Name, email, phone, RUT
- Specialty and registration number (SIS/Superintendencia)
- Billing information
- Integration credentials (Zoom — encrypted tokens)
3.2 Patient data
- Full name, RUT, date of birth, contact information
- Health insurance (FONASA, ISAPRE, PRAIS)
- Clinical data: diagnoses, medications, clinical notes, risk assessments
- Wellness portal data (mood self-reports, medication adherence)
3.3 Technical data
- Audit logs (clinical record access, modifications)
- IP address and browser user agent (security and fraud prevention)
4. Purpose of data processing
- Provision of electronic clinical record services
- Compliance with regulatory obligations (GES/AUGE, Ley 21.331)
- Automatic generation of legal documents (prescriptions, epicrisis, certificates, transfer forms)
- Communication between healthcare professionals (CareLink network)
- Telemedicine videoconferencing (Zoom integration)
- Billing and electronic tax documents (SII DTE)
5. Legal basis
- Explicit consent from the patient for the processing of sensitive health data
- Legal obligation to maintain clinical records (Ley 20.584 Art. 12-13)
- Contractual performance for providing services to professionals
- Legitimate interest in security and fraud prevention
6. Third-party integrations
6.1 Zoom Video Communications
NuvaMed integrates with Zoom for telemedicine sessions. When a professional connects their Zoom account:
- We store encrypted OAuth2 tokens (Fernet: AES-128-CBC + HMAC-SHA256) with a unique derived key per professional
- We create Zoom meetings on behalf of the professional for scheduled appointments
- If the professional has cloud recording enabled, we process VTT transcripts to generate draft clinical notes using AI
- Raw transcripts are processed in memory and never stored in the database (data minimization, Ley 21.719 Art. 3)
- Tokens are revoked when the integration is disconnected
For more information, see Zoom's Privacy Policy.
6.2 Google (authentication)
We offer Google sign-in. We only access the name, email, and profile picture from the Google account. We do not access any other Google data.
6.3 Google Gemini (AI)
We use Google Gemini for clinical assistance features (summaries, analysis, pre-session briefings). Data is processed server-side and is not stored on Google systems beyond immediate processing.
7. Security
- Encryption in transit (TLS 1.3) and at rest at the disk level (AES-256 managed by Google Cloud SQL)
- Additional application-level encryption for sensitive fields using Fernet (AES-128-CBC + HMAC-SHA256): integration tokens use a unique derived key per professional, and process notes use a unique derived key per record
- Infrastructure on Google Cloud Platform, region southamerica-west1 (Santiago, Chile)
- Authentication with JWT + httpOnly cookies, role-based access control
- Immutable audit log for all clinical data access
- Tenant isolation — each clinic can only access its own data
- Process notes encrypted with Fernet (unique key per note)
- 12-hour editing window for clinical notes; after that, only immutable addendums (Ley 20.584 Art. 12)
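The per-record derived-key scheme named in sections 6.1 and 7 (Fernet, i.e. AES-128-CBC with HMAC-SHA256, one key per integration token or per process note), as an added illustration. This is example code written for this page, not NuvaMed's implementation; the HKDF-SHA256 derivation from a single master key, the `nuvamed-example` info label and the constructed master key are all assumptions.

```python
import base64
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed master key for the example only; a real deployment keeps this
# in a secret manager / KMS and never in source or in the database.
MASTER_KEY = os.urandom(32)


def derive_record_key(master_key: bytes, record_id: str, context: str) -> bytes:
    """Derive a Fernet key bound to one record and one purpose.

    HKDF-SHA256 (RFC 5869) expands the master key with an info string that
    names the purpose ("process_note", "zoom_token", ...) and the record id,
    so every record gets its own key and a key leaked for one record cannot
    decrypt another. Fernet wants 32 random bytes, urlsafe-base64 encoded.
    """
    hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,  # assumption: no per-record salt; the info string does the separation
        info=f"nuvamed-example:{context}:{record_id}".encode(),
    )
    return base64.urlsafe_b64encode(hkdf.derive(master_key))


def encrypt_field(master_key: bytes, record_id: str, context: str, plaintext: str) -> bytes:
    """Encrypt one sensitive field (AES-128-CBC + HMAC-SHA256 via Fernet)."""
    return Fernet(derive_record_key(master_key, record_id, context)).encrypt(plaintext.encode())


def decrypt_field(master_key: bytes, record_id: str, context: str, token: bytes) -> Optional[str]:
    """Decrypt a field; returns None if the key, context or ciphertext does not match.

    Fernet verifies the HMAC before decrypting, so a token re-bound to another
    record id, another purpose, or tampered in transit is rejected outright.
    """
    try:
        return Fernet(derive_record_key(master_key, record_id, context)).decrypt(token).decode()
    except InvalidToken:
        return None


if __name__ == "__main__":
    note_id = "process-note-0001"  # constructed identifier
    token = encrypt_field(MASTER_KEY, note_id, "process_note", "Paciente refiere mejoria del animo.")
    print(decrypt_field(MASTER_KEY, note_id, "process_note", token))   # the note text
    print(decrypt_field(MASTER_KEY, "process-note-0002", "process_note", token))  # None
```

Binding the key to both a purpose label and the record id is what makes "unique key per record" meaningful: the ciphertext of one note cannot be moved onto another note's row and still decrypt, and a Zoom token key cannot be reused for a clinical note even when the ids coincide. Because every key is re-derived from the master key on demand, no per-record key needs to be stored next to the data it protects.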
8. Data retention
- Clinical records: 15 years from the last entry (DS 41/2012 Art. 8)
- Audit logs: 6 years
- Professional account data: while the account is active, plus 1 year after deactivation
- Telemedicine transcripts: not retained (only the resulting clinical note)
9. ARCO rights (Ley 21.719)
Personal data subjects may exercise their rights to:
- Access: request a copy of the personal data being processed
- Rectification: correct inaccurate or incomplete data
- Cancellation: request data deletion (subject to legal retention obligations)
- Opposition: object to data processing under certain circumstances
- Portability: receive data in a structured format
Requests can be made through the privacy portal within the application or by writing to contacto@nuvamed.cl. We will respond within 10 business days.
10. Breach notification
In the event of a security breach affecting personal data, we will notify affected data subjects and the competent authority within 72 hours of detection, in accordance with Ley 21.719.
11. International transfers
Data is stored on Google Cloud Platform, Santiago (Chile) region. Some AI features use Google APIs that may process data transiently outside of Chile, always under Google Cloud's contractual guarantees and in compliance with Ley 21.719.
12. Modifications
We reserve the right to update this policy. We will notify material changes at least 15 days in advance through the platform.
13. Contact
For privacy and data protection inquiries:
NuvaMed SpA
Email: contacto@nuvamed.cl
Website: nuvamed.cl