Pessoa Integrative Cancer Care Lda, headquartered at Campo Grande 4, 1.º Esq., 1700-092 Lisbon, is responsible for processing the personal data collected through our website and the health services we provide. This Privacy Policy describes how we collect, use, share, and protect your information in accordance with the European Union’s General Data Protection Regulation (GDPR) and applicable Portuguese law. We may update this policy from time to time, so we recommend that you check it regularly.

Personal Data We Collect

• Identification and contact details: name, address, email address, telephone number, age and other personal information necessary to provide healthcare.
• Health data: medical and clinical history provided by the patient, information about diagnoses and treatments, and other sensitive data necessary for care. This data is considered sensitive personal data under the GDPR and receives enhanced protection.
• Financial and scheduling data: when you schedule appointments with us through external platforms (such as Calendly) and make payments (e.g. via Stripe), some of your data (e.g. payment details and appointments) is collected directly by these providers, in accordance with their own privacy policies. We do not store credit card data on our website; such information is handled securely by Stripe.
• Technical browsing data: IP address, browser type, pages visited, duration of visit, among other anonymous data on website usage. Currently, our website does not use analytical or marketing cookies, only cookies that are strictly necessary for basic functioning. If we incorporate cookies in the future to improve the experience (e.g. statistics cookies), we will only do so after obtaining the user’s prior, free, specific and informed consent, as required by law (ePrivacy Directive/Cookies Law).

Purpose of Data Processing

We use the data collected for the following purposes, always in strict compliance with what is necessary in each case:

• Provision of healthcare and scheduling: to comply with the contract for the provision of integrative healthcare services, schedule appointments, prepare consultations and issue prescriptions or referrals where applicable.
• Communication with the patient: to send information regarding appointment scheduling, reminders, test results and other communications necessary for clinical follow-up.
• Compliance with legal obligations: for billing and accounting purposes (invoices and tax returns), medical record keeping, and compliance with current legislation.
• Service improvement and statistics: we may use aggregated and anonymous patient data to prepare internal statistical reports, non-identifiable clinical studies, and continuously improve the quality of our services. All statistical data is processed in such a way as to prevent the personal identification of patients, thereby protecting individual privacy.
• Website security and administration: to ensure the integrity and functioning of our website, analyse traffic and prevent fraud or unauthorised access.

Legal basis for processing

The processing of personal data that we carry out is based on the following legal grounds:

• Execution of contract: processing necessary for the performance of the contract for the provision of health services to the patient (appointment scheduling, clinical follow-up, treatment billing).
• Consent: in particular for the processing of health data and for sending informative communications, we obtain the explicit consent of the data subject. Consent may be withdrawn at any time, without prejudice to the lawfulness of the processing until then.
• Legal obligation: compliance with legal obligations (e.g. tax, public health or clinical record obligations).
• Legitimate interest: in some cases, for statistical purposes, service improvement or system security, we consider that our legitimate interest does not override the rights of data subjects, always using anonymised data where possible.

Sharing Data with Third Parties

We do not sell or share your personal data with external entities for commercial purposes. However, we may share personal information in the following situations:

• External service providers: we use third-party platforms for scheduling (Calendly) and payments (Stripe). These providers process your data in accordance with their own privacy policies and applicable legislation; we only send them the necessary data (e.g. name, email address and scheduling details).
• Secure storage: electronic patient information is stored in an encrypted environment through the Tresorit service, which offers cloud storage with end-to-end encryption. Only authorised persons at the clinic have access to this data, reinforcing security and confidentiality.
• Authorities and legal compliance: we may disclose personal data to the competent authorities (health authorities, tax authorities, police, courts, CNPD, etc.) when required by law or to defend our rights in the event of a dispute, always within strict legal limits.
• Other specific cases: when authorised by the patient or required by law, for example to share data with other healthcare professionals or partners directly involved in the patient’s treatment. In this case, the information is restricted to the minimum necessary. Currently, we do not transfer data to countries outside the European Economic Area. Should this occur, we guarantee that appropriate legal safeguards will be put in place.

Information Security

We take strict technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These include:

• Encryption: all electronic patient data is stored in encrypted services (e.g. Tresorit) and backups are also encrypted.
• Restricted access: only authorised personnel with a clinical need for access can view patient data. Employees are instructed on confidentiality and data protection.
• Secure infrastructure: our website uses secure connections (HTTPS) and firewalls to protect information in transit. We perform regular system and antivirus updates.
  Despite these efforts, no system is foolproof. We cannot guarantee 100% security for data transmitted over the Internet; however, we undertake to notify the data subject in the event of a serious data breach that could compromise their rights.

Cookies and Tracking Technologies

The Pessoa Integrative Cancer Care website uses cookies, which are small text files stored on the user’s device to improve the browsing experience. Cookies can store information about the user’s previous interactions with the website (e.g., items in a shopping cart, data entered in forms), as well as authentication credentials to keep the session logged in. In short, they serve functions such as remembering preferences (language, region, etc.), maintaining essential operations (shopping cart, login) and collecting website usage statistics. In accordance with applicable legislation (General Data Protection Regulation – GDPR and European Electronic Privacy Directive, transposed in Portugal by Law No. 41/2004 of 18 August, amended by Law No. 46/2012 of 29 August), it is not necessary to obtain consent for cookies that are strictly necessary for the provision of a service requested by the user, such as authentication or shopping cart cookies.

Types of cookies used: Three main categories of cookies are used on our website:

• Functional (strictly necessary): these enable essential website functions, such as keeping you logged in, saving language or interface choices, and facilitating basic website functionality. For example, if you log into your account or add items to your basket, these cookies remember that information during your browsing session. These cookies do not require prior consent, but will be clearly described in the cookie banner.
• Analytical (usage statistics): collect aggregate data on how visitors use the website (e.g., pages visited, time spent, traffic source). We use Google Analytics for these purposes. Google analytics cookies (e.g. ‘_ga’) distinguish unique visitors and communicate usage statistics without personally identifying each user. The information thus obtained helps us to understand how the website is used and to improve it. These cookies are only activated after the user has given their consent.
• Marketing (advertising): these are used to personalise advertisements and measure advertising campaigns. We use tools such as Google Ads (AdWords). Marketing cookies may collect information about the user’s interests and allow Google and advertising partners to display relevant advertisements. For example, cookies such as ‘_gads’ allow Google ads to be displayed on third-party websites and measure user activity related to campaigns. Other cookies, such as Google’s “gcl” and ‘gac’, help determine how often an ad leads to an effective action (such as filling out a form). If the user refuses these cookies, the ads displayed will be less tailored to their interests. These marketing cookies are only activated with the user’s explicit consent.

Consent and management: When visiting the website, a banner is displayed allowing you to accept or refuse, in a granular manner, analytical and marketing cookies. Preferences can be changed at any time via the cookie management panel or browser settings.

Data processing: The information collected is processed in accordance with the GDPR. Marketing cookie data may be shared with partners such as Google, only for the purposes consented to.

In summary, Pessoa Integrative Cancer Care informs the user that it uses functional, analytical and marketing cookies as described, obtaining prior consent for all except those that are strictly necessary. The cookie policy is clear and transparent, in line with the GDPR and Portuguese legislation (Laws No. 41/2004 and 46/2012), ensuring the user effective control over their data.