Legal Information

Privacy Policy

Last Updated: January 2, 2026

Language Notice

This Privacy Policy is provided in English for your convenience. A Portuguese version (Política de Privacidade) is available below and takes precedence for Brazilian users under LGPD (Lei Geral de Proteção de Dados).

1. Introduction

UPA Simulator ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical simulation training platform.

Data Controller: UPA Simulator
Contact: privacy@upasimulator.com

2. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: You have given clear consent for us to process your personal data for specific purposes
  • Contract: Processing is necessary for the performance of our services
  • Legal Obligation: Processing is necessary for compliance with legal requirements (LGPD, GDPR)
  • Legitimate Interests: Processing is necessary for our legitimate interests (fraud prevention, security)

3. Information We Collect

3.1 Personal Information

We collect the following types of personal information:

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Medical institution, specialization, year of study, stage of medical training
  • Authentication Data: OAuth provider information (Google, GitHub), authentication tokens
  • Billing Information: Payment card details (processed by Stripe), billing address, subscription status

3.2 Educational Activity Data

  • Simulation Performance: Responses, decisions, diagnoses, treatment choices
  • Learning Progress: Completion rates, scores, time spent on activities
  • Chat Messages: Conversations with virtual patients during simulations

3.3 Technical Information

  • Device Information: Browser type, operating system, device identifiers
  • Usage Data: Pages viewed, features used, interaction patterns
  • Log Data: IP address, access times, error logs (anonymized)
  • Cookies: See our Cookie Policy for details

3.4 Sensitive Data

We do NOT collect real patient health information. All medical scenarios are fictional and for educational purposes only. User performance data is considered educational records, not medical records.

4. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: Provide and maintain simulation training services
  • Personalization: Customize learning experiences and recommendations
  • Communication: Send service updates, educational content, and support responses
  • Billing: Process payments and manage subscriptions
  • Improvement: Analyze usage patterns to enhance our platform
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: Fulfill legal obligations and respond to legal requests
  • Research: Conduct anonymized educational research (with explicit consent)

5. Data Sharing and Disclosure

5.1 Service Providers

We share data with trusted service providers who assist us:

  • Authentication: Supabase (user authentication and authorization)
  • Payment Processing: Stripe (payment and subscription management)
  • AI Services: OpenAI (simulation conversation generation - anonymized)
  • Error Monitoring: Sentry (error tracking - PII redacted automatically)
  • Email Delivery: [Email service provider] (transactional emails)
  • Hosting: [Hosting provider] (infrastructure)

All service providers are bound by data protection agreements and process data only as instructed.

5.2 Educational Institutions

If your account is linked to an educational institution, we may share aggregate performance data with your institution for academic purposes. Individual performance data requires explicit consent.

5.3 Legal Requirements

We may disclose information when required by law, court order, or government request.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.

6. Data Security

We implement industry-standard security measures:

  • Encryption: Data in transit (TLS/SSL) and at rest (AES-256)
  • Authentication: Secure password hashing (bcrypt), JWT tokens
  • Access Control: Role-based access control (RBAC), least privilege principle
  • Database Security: Row-level security (RLS) policies, parameterized queries
  • Monitoring: Automated error tracking with PII redaction
  • Backups: Regular encrypted backups with secure storage
  • Incident Response: Security incident detection and response procedures

7. Data Retention

We retain your data according to the following schedule:

  • Active Accounts: Data retained while account is active
  • Inactive Accounts: Data retained for 2 years after last login, then anonymized
  • Deleted Accounts: Personal data deleted within 30 days (backup copies within 90 days)
  • Legal Requirements: Some data may be retained longer for legal/regulatory compliance
  • Anonymized Data: Educational analytics may be retained indefinitely in anonymized form

8. Your Rights (LGPD & GDPR)

You have the following rights regarding your personal data:

🔍 Right to Access

Request a copy of your personal data

✏️ Right to Rectification

Correct inaccurate or incomplete data

🗑️ Right to Erasure

Request deletion of your data ("right to be forgotten")

📊 Right to Data Portability

Receive your data in machine-readable format

⛔ Right to Object

Object to certain processing activities

🔒 Right to Restrict Processing

Limit how we use your data

↩️ Right to Withdraw Consent

Revoke consent at any time

📋 Right to Information

Understand how your data is processed

To exercise your rights: Email privacy@upasimulator.com or use the settings page in your account. We will respond within 30 days.

9. International Data Transfers

Your data may be transferred to and processed in countries outside Brazil. When we transfer data internationally, we ensure appropriate safeguards are in place (Standard Contractual Clauses, Privacy Shield, etc.).

Primary Data Location: Brazil (São Paulo region)

10. Children's Privacy

Our service is intended for medical students and professionals aged 18 and older. We do not knowingly collect data from individuals under 18. If you believe we have collected data from a minor, please contact us immediately.

11. Cookies and Tracking

We use cookies and similar technologies for authentication, preferences, and analytics. For detailed information, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

13. Contact Information

For privacy-related questions or concerns:

  • Email: privacy@upasimulator.com
  • Data Protection Officer: dpo@upasimulator.com
  • Address: [Company Address]

Supervisory Authority (Brazil - LGPD):
Autoridade Nacional de Proteção de Dados (ANPD)
Website: https://www.gov.br/anpd/

14. Automated Decision-Making

We use AI-powered systems to generate simulation scenarios and evaluate performance. These automated decisions are for educational purposes only and do not have legal or similarly significant effects. You have the right to human review of AI-generated evaluations.


Privacy Policy (Política de Privacidade, Portuguese version - LGPD)

Last Updated: January 2, 2026

This is the official Portuguese version of our Privacy Policy, provided for compliance with the Lei Geral de Proteção de Dados (LGPD - Law No. 13.709/2018).

1. Data Controller

Legal Name: UPA Simulator
Contact: privacy@upasimulator.com
Data Protection Officer (DPO): dpo@upasimulator.com

2. Data Collected

We collect the following personal data:

  • Registration Data: Name, email, password (encrypted)
  • Professional Data: Educational institution, specialization, year of graduation
  • Performance Data: Simulation responses, diagnoses, treatment choices
  • Payment Data: Card information (processed by Stripe)
  • Technical Data: IP address (anonymized), browser type, access logs

3. Purpose of Processing

We use your data to:

  • Provide the educational medical simulation service
  • Personalize the learning experience
  • Process payments and manage subscriptions
  • Send communications about the service
  • Improve the platform through analytics
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Data Sharing

We share data with:

  • Supabase: User authentication
  • Stripe: Payment processing
  • OpenAI: Generation of simulated conversations (anonymized data)
  • Sentry: Error monitoring (PII automatically removed)

5. Your Rights (LGPD)

You have the right to:

  • Confirmation and Access: Confirm that we process your data and access it
  • Correction: Correct incomplete or outdated data
  • Deletion: Request deletion of your data
  • Portability: Receive your data in a structured format
  • Withdrawal of Consent: Withdraw consent at any time
  • Objection: Object to specific processing activities
  • Review of Automated Decisions: Request human review of AI evaluations

6. Security

We implement technical and organizational measures to protect your data:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Role-based access control (RBAC)
  • Row-level security (RLS) policies in the database
  • Continuous security monitoring
  • Regular encrypted backups

7. Data Retention

  • Active Accounts: For as long as the account is active
  • Inactive Accounts: 2 years after last access, then anonymized
  • Deleted Accounts: Deleted within 30 days (backups within 90 days)
  • Anonymized Data: Retained indefinitely for educational research

8. International Transfers

Your data may be transferred to servers outside Brazil. We ensure appropriate safeguards through Standard Contractual Clauses and other protection mechanisms.

9. Contact and Complaints

Email: privacy@upasimulator.com
Data Protection Officer (DPO): dpo@upasimulator.com
ANPD: https://www.gov.br/anpd/

10. Changes

We may update this policy periodically. Material changes will be notified by email or by a prominent notice on the platform.