Information Security & Privacy Commitment
VivaFemini is committed to protecting the confidentiality, integrity and availability of the information entrusted to us — especially sensitive health and personal data. This page explains how we keep data safe, what standards we follow, and how you can contact us about privacy or security concerns.
Our promise to you
We protect the information of our users, providers, partners and employees with industry-standard safeguards.
We design products and partnerships with privacy and security in mind (privacy-by-design / security-by-default).
We comply with applicable data protection laws (including NDPR where relevant) and align our practices with recognized standards such as ISO/IEC 27001:2013.
We limit data collection and only use personal data for the purposes we specify and for which we have lawful basis or consent.
How we protect your data
Technical safeguards: encryption in transit and at rest, strong authentication, role-based access controls, network security and logging.
Operational safeguards: least-privilege access, change control, regular backups, and secure development and testing practices.
Governance: a dedicated Data Protection and Compliance Officer who oversees our Information Security Management System (ISMS) and policy implementation.
Continuous assurance: regular risk assessments, internal audits, and third-party security reviews and penetration tests.
What we require from partners
Third parties that process VivaFemini data must meet our security and privacy standards, sign appropriate agreements (including Data Processing Agreements), and undergo security and due-diligence checks.
What this means for users
Data minimisation: we collect only what we need to deliver our services and improve care.
Purpose limitation: personal and clinical data are used only for clearly stated, legitimate purposes (care delivery, platform operations, research with consent, etc.).
Rights: users may request access, correction, deletion or restriction of their personal data in line with applicable law. We provide mechanisms for consent management and portability where required.
Incident response & notifications
We maintain an incident response plan to detect, investigate and contain incidents quickly.
Where there is a risk to individuals' rights or safety, we will notify affected people and, where required, relevant regulators within the legal timeframes.
Continuous improvement
We review this policy and our ISMS at least once a year and whenever there is a significant change to our services, risk profile or legal requirements. Findings from audits, risk assessments and incidents drive improvements.
Contact & reporting
If you have questions about how we handle data, want to exercise your privacy rights, or need to report a security concern, contact our Data Protection Officer at: dataprotection@vivafemini.org