This Privacy Policy describes how Vinicius de Castro Silva Ltda ("we," "our" or "the Practice") collects, uses, stores and protects the personal data of our patients, website visitors and all others whose data is processed in connection with our physiotherapy services in Jardim Botânico, Brasília, Distrito Federal.
As a registered limited company (Ltda) providing physiotherapy — a health service — we are committed to compliance with the LGPD (Lei nº 13.709/2018), with particular attention to Art. 11 governing sensitive health data, the professional ethical framework of the COFFITO — Conselho Federal de Fisioterapia e Terapia Ocupacional, the CDC (Lei nº 8.078/1990) and applicable tax legislation in the Distrito Federal. All physiotherapists are registered with CREFITO-DF.
Introduction and Scope
This Policy applies to all personal data processed by our physiotherapy practice — including current and former patients, prospective patients who contact us to schedule sessions, website visitors and anyone whose data is processed in connection with our clinical and administrative activities. Given the health-sensitive nature of physiotherapy, we apply the highest standards of data protection under both LGPD Art. 11 and the COFFITO professional ethical framework.
Identity of the Controller
Entity type: Sociedade Limitada (Ltda)
CNPJ: 48.278.546/0001-35
Activity (CNAE): Atividades de Fisioterapia
Professional regulation: COFFITO — Conselho Federal de Fisioterapia e Terapia Ocupacional; CREFITO-DF
Address: Setor SH Tororo / Chapéu de Pedra, Q. 13 Conjunto H, 7, Jardim Botânico, Brasília — DF, CEP 71684-460, Brasil
Email: privacidade@viniciusfisioterapia.com.br
Personal Data We Collect
- Identification and contact data: Full name, CPF, date of birth, phone and email — collected when a patient schedules their first session or completes our intake form.
- Physiotherapy assessment and clinical records (prontuário fisioterapêutico): Functional assessment findings, clinical history, treatment objectives, session notes, outcome measurements and all clinical records produced in the course of physiotherapy care. Maintained per COFFITO professional standards. Classified as sensitive health data under LGPD Art. 5º, II.
- Medical and health history: Information about diagnoses, surgeries, medications, comorbidities and relevant health history — provided by the patient or their referring physician as part of the clinical intake process. Sensitive data under Art. 5º, II, processed under Art. 11.
- Medical referrals and reports: Where patients bring medical referrals, imaging reports or specialist letters — retained in the patient's clinical file for the duration of care.
- NFS-e billing data: Name and CPF for NFS-e issuance — processed only when the patient requests an NFS-e for health insurance reimbursement, income tax deduction or employer reimbursement purposes.
- Contact and scheduling data: Name, phone and message when scheduling sessions by WhatsApp, phone or website form.
- Technical website data: IP address, browser type, pages visited and access times.
Purpose and Legal Basis
| Purpose | Legal Basis (LGPD) |
|---|---|
| Provision of physiotherapy services | Consent — Art. 11, I (health data); Performance of contract — Art. 7º, V |
| Clinical assessment and treatment planning | Consent — Art. 11, I; Health professional obligation — Art. 11, II, "f" |
| Maintenance of prontuário fisioterapêutico (COFFITO) | Legal obligation — COFFITO professional framework; Art. 7º, II; Art. 11, II, "f" |
| Communication with referring physicians (with patient consent) | Consent — Art. 11, I |
| Issuing NFS-e; Receita Federal / SEFAZ-DF compliance | Legal obligation (Art. 7º, II) |
| Health insurance reimbursement documentation (when requested) | Consent; Performance of contract |
| Emergency referral or urgent communication (when required) | Protection of life; Legal obligation — Art. 11, II, "a" |
| Website analysis and improvement | Legitimate interest; Consent (cookies) |
Data Sharing
- Referring or treating physicians (with patient consent): Where a patient consents for us to communicate with their referring doctor, specialist or multidisciplinary care team — only the information relevant to coordinated care is shared, under the patient's explicit instruction.
- Health insurance companies (when requested by patient): Where a patient requires documentation for reimbursement — session records or invoices — it is shared only at the patient's request, in the format required by their insurer.
- Receita Federal / SEFAZ-DF: Tax data for NFS-e issuance and Distrito Federal fiscal compliance. Note: the DF has no municipal ISS — only Receita Federal and SEFAZ-DF apply.
- COFFITO / CREFITO-DF: Where required by a professional ethics investigation or regulatory proceeding.
- Emergency and urgent safety (LGPD Art. 11, II, "a"): Where a patient's physical safety or the safety of a third party is at imminent serious risk — minimum necessary information is communicated to appropriate emergency services. This exception is applied only in genuine medical emergencies.
- Legal authorities: When required by a competent judicial or administrative order — minimum necessary information only.
- PROCON-DF: When required in a consumer dispute under the CDC — limited to non-clinical contractual information only.
International Transfers
Our physiotherapy practice is based in Brasília, DF. All patient clinical records are stored in Brazil. Where scheduling or communication platforms operate on international servers, we use only platforms compliant with Art. 33 of the LGPD or recognised adequacy mechanisms. Patient health data is never transmitted internationally as part of our clinical operations.
Retention Periods
- Prontuário fisioterapêutico (clinical records): Minimum 5 years from the date of the last session, per COFFITO Resolution 424/2013 on clinical documentation standards. For minors, minimum 5 years after the patient reaches the age of majority. Records may be retained longer where clinically or legally warranted.
- Medical referrals and specialist reports: Retained within the patient's file for the minimum clinical records retention period above.
- NFS-e and fiscal records: Minimum 5 years under Receita Federal and SEFAZ-DF requirements.
- Scheduling and contact data (patient did not attend): Deleted within 30 days of the scheduled date.
- Website analytics: Aggregated and anonymised after 12 months.
Security Measures
- Prontuário fisioterapêutico records accessible only to the responsible physiotherapist — no administrative access to clinical data;
- Physical clinical records stored in locked filing systems at our Jardim Botânico practice;
- Digital clinical records stored in access-controlled, encrypted systems;
- WhatsApp scheduling data processed with appropriate discretion — clinical content not exchanged via open messaging without patient consent;
- Website and digital communications encrypted in transit (HTTPS/TLS);
- PCI-DSS certified payment platforms — card data never retained;
- As a Ltda, we maintain formal internal data handling protocols;
- Incident response procedures and breach notification per LGPD Art. 48.
Your Rights under the LGPD
- Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy — including a copy of your own prontuário fisioterapêutico.
- Correction (Art. 18, III): Request correction of inaccurate identification or contact data. Note that clinical records reflect professional assessment and corrections are subject to professional ethical constraints.
- Anonymisation / Blocking / Deletion (Art. 18, IV): Request deletion — subject to the mandatory COFFITO clinical record retention period (minimum 5 years from last session) and fiscal obligations.
- Portability (Art. 18, V): Receive a copy of your clinical records in a structured format for transfer to another physiotherapist or health provider.
- Deletion of consent-based data (Art. 18, VI): Withdraw consent for consent-based processing — note this does not affect the mandatory retention of clinical records.
- Information on sharing (Art. 18, VII): Find out whether and with whom your data has been shared.
- Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time. Note: withdrawing consent for treatment processing will effectively end the therapeutic relationship.
- Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.
- Complaint to COFFITO / CREFITO-DF: Ethical complaints about a physiotherapist's professional conduct can be lodged with CREFITO-DF independently of LGPD rights.
We respond within 15 business days.
Cookies and Tracking
Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking or advertising cookies. We are mindful that people seeking physiotherapy may value discretion — we do not use any tracking that could identify or profile visitors by their interest in health services.
Protection of Minors
Where physiotherapy services are provided to minors (individuals under 18), we apply LGPD Art. 14 and applicable COFFITO guidance:
- Parental or guardian consent is required for physiotherapy of children under 16, in compliance with LGPD Art. 14 and COFFITO professional standards;
- Clinical records for minors are retained for a minimum of 5 years after the patient reaches 18, per applicable guidance;
- We do not collect data from children under 12 via our website.
Health Data — LGPD Art. 11
All personal data processed in the context of physiotherapy care — including assessment findings, diagnoses, treatment plans, session notes and medical history — constitutes sensitive health data under LGPD Art. 5º, II. This data is processed exclusively under the heightened protection framework of LGPD Art. 11.
Art. 11, I — Consent: The patient's informed consent to physiotherapy care, provided at the initiation of treatment. Consent is specific to the purpose of physiotherapy and may be withdrawn at any time (see Section ix).
Art. 11, II, "f" — Health professional obligation: The maintenance of the prontuário fisioterapêutico as required by COFFITO Resolution 424/2013 — the mandatory professional obligation to maintain clinical records throughout and after the therapeutic relationship.
Art. 11, II, "a" — Legal obligation / protection of life: Applied only in genuine medical emergencies requiring urgent communication with emergency services or medical professionals.
Updates to this Policy
This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance, COFFITO resolutions or applicable Distrito Federal tax legislation. Material changes will be communicated to active patients by WhatsApp or email and via our website.
Contact & Data Protection Officer
All privacy requests — including requests for copies of your clinical records — and ethical complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):
Privacy Contact — Vinicius de Castro Silva Ltda
ANPD — Autoridade Nacional de Proteção de Dados · www.gov.br/anpd
Ethical complaints about physiotherapist conduct:
CREFITO-DF — Conselho Regional de Fisioterapia e Terapia Ocupacional · www.crefito1.org.br