Privacy Policy - Atri

Version 2.0 | Effective date: August 28, 2025 | Last updated: September 1, 2025

1. General Information

1.1 About Atri

Atri is a digital platform for education and lifestyle support for people with diabetes, developed by ATRI LTDA, a private legal entity, registered under CNPJ no. 52.941.676/0001-83, headquartered at RUA JOSÉ LICÍNIO LOPES, 1241, CEP 88.070-780, CANTO, FLORIANÓPOLIS, SC.

Important: Atri is not a medical device, does not make diagnoses, does not prescribe medications, and does not replace medical consultations. We are an educational platform that connects you with licensed professionals and offers support for managing your lifestyle.

1.2 Data Protection Officer (DPO)

Our Data Protection Officer is João Gabriel Chagas Bogado, responsible for ensuring compliance with the General Data Protection Law (LGPD) and handling your privacy requests.

DPO Contact:

  • Name: João Gabriel Chagas Bogado

  • Email: privacidade@useatri.com

  • Phone: +55 11 93503-1121

  • Address: RUA JOSÉ LICÍNIO LOPES, 1241, CEP 88.070-780, CANTO, FLORIANÓPOLIS, SC

1.3 Support Channels

You can exercise your privacy rights through:

  • App: “Privacy & Data” section in the menu

  • WhatsApp: +55 11 93503-1121 — direct contact with our platform

  • Email: privacidade@useatri.com

  • Phone: +55 11 93503-1121 (business hours)

Response timelines:

  • Acknowledgment of receipt: within 5 business days

  • Resolution of request: within 15 business days

2. Personal Data We Collect

2.1 Personal Identification Data

Data collected:

  • Full name

  • Email

  • Phone/WhatsApp number

  • Date of birth

  • CPF (required for payment processing, invoicing, and tax compliance)

  • Address (for product delivery)

Purpose: Identification, communication, service provision, and compliance with legal obligations.
Legal basis: Contract performance (LGPD Art. 7, V) and consent (LGPD Art. 7, I).

2.2 Sensitive Health Data

Data accessed through authorized integration:

  • Glucose measurements from connected CGM devices

  • Information on glycemic patterns and device-generated trends

  • Historical monitoring data already present on the user’s device

  • Routine, exercise, and health data from various connected apps and devices (smartwatches, health apps, etc.)

  • Historical monitoring data already present in those apps/devices

Data voluntarily provided by the user:

  • Type of diabetes and time since diagnosis (during initial sign-up)

  • Information on medications in use (when shared voluntarily)

  • Physical activity data (when logged by the user)

  • Nutritional information (when provided by the user)

  • Personal glycemic control goals

Important: Atri does not actively or independently collect health data. All sensitive data are:

  • Shared voluntarily by the user through the platform, or

  • Accessed via authorized integrations with devices the user already uses (e.g., CGM, smartwatches, etc.),

  • Available only when the user connects their devices to our platform.

Purpose: Personalization of educational content, connection with appropriate professionals, and service improvement.
Legal basis: Explicit consent (LGPD Art. 11, I) and protection of life or physical safety of the data subject (LGPD Art. 11, II, “f”).

2.3 Platform Usage Data

Data collected:

  • Access and navigation logs

  • Interactions with educational content

  • Configuration preferences

  • Location data (when authorized)

  • Device information (model, operating system)

Purpose: Improve user experience, platform security, and develop new features.
Legal basis: Legitimate interest (LGPD Art. 7, IX).

3. How We Collect Your Data

3.1 Direct Collection

We collect data directly when you:

  • Create your Atri account

  • Fill out forms in the app

  • Interact with our WhatsApp bot

  • Contact us

  • Participate in surveys or assessments

3.2 Automatic Collection

We automatically collect:

  • Platform browsing and usage data

  • Technical device information

  • Security and access logs

3.3 Third-Party Integration

CGM integrations:

  • We access integrator-app data only with your express authorization

  • Access is performed through a professional account supervised by a licensed physician

  • Data are used exclusively to personalize your support

Other devices and apps:

  • Integration only with your specific authorization

  • Data are synchronized according to your privacy settings

4. How We Use Your Data

4.1 Service Provision

  • Personalization of educational content

  • Connection with licensed nutritionists and physical educators

  • Technical support and customer care

  • Order processing at the partner pharmacy

4.2 Communication

  • Delivery of personalized educational content

  • Notifications about appointments and reminders

  • Communications about service updates

  • Direct marketing (only with your consent)

4.3 Service Improvement

  • Analysis of aggregated patterns to improve the platform

  • Development of new features and product improvements

  • Research and development in digital health

4.4 Security & Compliance

  • Fraud prevention and mitigation of malicious activities

  • Compliance with legal obligations

  • Security auditing and monitoring

  • Responses to requests from competent authorities

5. Data Sharing

5.1 Licensed Health Professionals

We share your data with:

  • Nutritionists registered with the Regional Nutrition Council (CRN): for personalized nutritional guidance

  • Physical educators registered with the Regional Council of Physical Education (CREF): for exercise prescriptions

  • Physicians registered with the Regional Medical Council (CRM): when medical supervision is needed

Assurances: All professionals are bound by confidentiality agreements and adhere to their professional codes of ethics.

5.2 Commercial Partners

Partner pharmacy:

  • We share only the data necessary to process orders

  • The partner acts as the merchant of record, responsible for issuing invoices for sold products

  • Data shared: name, delivery address, requested products

5.3 Technology Vendors

We use vendors for:

  • Hosting: Google Cloud Platform (data stored and processed in São Paulo, Brazil)

  • Communication: Meta/WhatsApp Business API

  • Email: Google Workspace

  • Analytics: Analysis tools with pseudonymized data

Protections: All vendors are bound by Data Processing Agreements (DPAs) and ANPD-approved standard contractual clauses.

5.4 International Transfers

When it is necessary to transfer data outside Brazil:

  • We use ANPD-approved standard contractual clauses

  • We perform transfer impact assessments

  • We ensure an adequate level of protection in the destination country

6. Data Security

6.1 Technical Measures

Encryption:

  • In transit: TLS 1.2+ for all communications

  • At rest: AES-256 for stored data

  • Keys: Secure management via KMS (Key Management Service)

Security Architecture:

  • Segregation of personally identifiable information (PII) in a separate “vault”

  • Pseudonymization via unique tokens

  • Role-based access control (RBAC)

  • Continuous monitoring and anomaly detection

6.2 Organizational Measures

  • Regular team training in data protection

  • Internal information-security policies

  • Regular audits of access and processes

  • Security incident response plan

6.3 Anonymization for Analytics

For analysis, development, and product improvement, we use anonymization techniques:

  • k-anonymity: ensuring each record is indistinguishable from at least k-1 others

  • l-diversity: ensuring diversity in sensitive attributes

  • Generalization: replacing specific data with ranges (e.g., “25–30 years” instead of exact age)

7. Your Rights

7.1 Rights Guaranteed by the LGPD

You have the right to:

Confirmation and Access (Art. 18, I and II):

  • Confirm whether we process your personal data

  • Access your personal data

Correction (Art. 18, III):

  • Correct incomplete, inaccurate, or outdated data

Anonymization, Blocking, or Deletion (Art. 18, IV):

  • Request anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance

Portability (Art. 18, V):

  • Receive your data in a structured and interoperable format

Deletion (Art. 18, VI):

  • Request deletion of data processed based on consent

Information about Sharing (Art. 18, VII):

  • Know which public and private entities we share your data with

Information about Non-Consent (Art. 18, VIII):

  • Be informed of the consequences of refusing to provide consent

Revocation of Consent (Art. 18, IX):

  • Revoke consent at any time

7.2 How to Exercise Your Rights

Through the app:

  • Go to Settings > Privacy & Data

  • Select the desired action

  • Follow the on-screen instructions

Through WhatsApp:

  • Send “DADOS” to receive your data

  • Send “DELETAR” to request deletion

  • Send “PRIVACIDADE” for privacy information

By email:

  • Send your request to privacidade@useatri.com

  • Include information that allows us to identify you

  • Clearly describe what you want

7.3 Identity Verification

To protect your data, we may request:

  • Confirmation of information only you would know

  • A verification code sent by SMS

  • Other forms of secure authentication

7.4 Limitations to Rights

Your rights may be limited when:

  • Necessary to comply with a legal obligation

  • Required by competent authorities

  • Essential to protect life or safety

  • Necessary for the regular exercise of rights in judicial proceedings

8. Data Retention

8.1 Retention Criteria

We keep your data for as long as necessary for:

  • Providing the contracted services

  • Complying with legal obligations

  • The regular exercise of rights in judicial proceedings

8.2 Specific Timeframes

Identification data:

  • During the term of the contract

  • Up to 5 years after termination (for tax and legal purposes)

Health data:

  • During service provision

  • Up to 20 years after the last interaction (per CFM Resolution 1.821/2007)

Communications data:

  • WhatsApp messages: up to 2 years

  • Support emails: up to 5 years

  • System logs: up to 1 year

Anonymized data:

  • May be kept indefinitely for research and service improvement

8.3 Automatic Deletion

We implement automated routines for:

  • Deletion of temporary data

  • Archiving of inactive data

  • Anonymization of older data

9. Cookies and Similar Technologies

9.1 Types of Cookies

Essential cookies:

  • Necessary for the basic functioning of the platform

  • Cannot be disabled

Performance cookies:

  • Collect information about platform usage

  • Help improve functionality

Personalization cookies:

  • Remember your preferences

  • Personalize your experience

9.2 Cookie Management

You can:

  • Configure preferences in your browser

  • Use management tools within the app

  • Opt out of non-essential cookies

10. Minors

We do not serve users under 18 years of age.

For care of children and adolescents with diabetes, we recommend seeking specialized medical follow-up in pediatric endocrinology.

This is a company policy adopted for regulatory and safety reasons.

11. Updates to This Policy

11.1 Modifications

This Policy may be updated to:

  • Reflect changes in our services

  • Comply with new legal obligations

  • Improve data protection

11.2 Notice of Changes

You will be notified of changes through:

  • In-app notification

  • Email to your registered address

  • WhatsApp message

  • Publication on our website

11.3 Significant Changes

For changes that substantially affect your rights:

  • We will request new consent when necessary

  • We will offer an adaptation period

  • We will keep prior versions available

12. Applicable Law and Venue

12.1 Applicable Law

This Policy is governed by Brazilian law, especially:

  • General Data Protection Law (LGPD) — Law 13.709/2018

  • Marco Civil da Internet — Law 12.965/2014

  • Consumer Defense Code — Law 8.078/1990

12.2 Supervisory Authority

The National Data Protection Authority (ANPD) is responsible for overseeing compliance with the LGPD.

ANPD Contact:

12.3 Dispute Resolution

In case of questions or disputes:

  • Contact us through the available channels

  • Contact ANPD for data-protection matters

  • Use consumer-protection bodies when applicable

  • Turn to the Judiciary as a last resort

13. Contact

13.1 Communication Channels

For privacy matters:

  • Email: privacidade@useatri.com

  • WhatsApp: +55 (11) 97242-3122 (commands: DADOS, DELETAR, PRIVACIDADE)

  • Phone: +55 (11) 97242-3122

For general support:

  • Email: ajuda@useatri.com

  • WhatsApp: +55 (11) 97242-3122

  • App: “Help” section

  • Phone: +55 11 93503-1121

Physical address: ATRI LTDA — RUA JOSÉ LICÍNIO LOPES, 1241, CANTO — FLORIANÓPOLIS/SC — CEP 88.070-780

13.2 Service Hours

  • Email: Response within 24 hours (business days)

  • WhatsApp: 24/7 (automated bot) + human support from 8 a.m. to 6 p.m. (business days)

  • Phone: Monday to Friday, 8 a.m. to 6 p.m.

  • App: 24/7 support

This Privacy Policy was drafted in accordance with the LGPD and reflects our commitment to protecting your personal data and privacy.

Version 2.0 | Effective as of 09/01/2025

© ATRI BRASIL LTDA

CNPJ: 52.941.676/0001-83

Disclaimer: Atri is a health-technology platform and does not replace medical consultations or emergency care. In urgent situations, seek emergency services or contact your doctor immediately. Consultations are conducted by physicians duly registered with the CRM and follow applicable regulations. Reports and support are for informational purposes and should be used together with professional guidance. Third-party trademarks belong to their respective owners. The Privacy Policy and Terms of Use govern data processing (LGPD). Delivery availability and prices are valid for São Paulo (and may vary by region and over time).