Last updated on: October 21, 2024 9:08 PM.

Privacy Policy

Please read this document carefully before accessing or using any services or information through the link https://www.otoh.com.br (“Site”).

BY ACCESSING THE SITE, YOU DECLARE THAT YOU HAVE READ, UNDERSTOOD AND CONSENTED, IN A FREE, INFORMED AND UNEQUIVOCAL WAY, TO BE BOUND BY THIS PRIVACY POLICY.

UNDERSTANDING AND CONSENT TO THIS PRIVACY POLICY ARE REINFORCED BY SENDING THE CUSTOMER REGISTRATION FORM THROUGH THE LINK PROVIDED BY THE SITE'S DIRECTED CUSTOMER SERVICE.

IF YOU DO NOT FULLY AGREE WITH ALL OF THE TERMS SET FORTH HEREIN, DO NOT USE THE SITE OR ANY SERVICES THROUGH THE SITE.

OTOH LTDA, a limited liability company headquartered in the City of São Paulo, State of São Paulo, at Avenida Mofarrej, 1200 - Floor 2, Room 2, registered with the CNPJ/ME under no. 51.406.656/0001-40 (“we” and/or “OTOH”) values ​​all visitors to the Website (“users” OR “you”) and we understand that privacy is of the utmost importance to any individual. Therefore, this document, as referred to as the “Privacy Policy”) explains in detail how we collect, use and disclose data when you use our Website and use our services, the purposes of our processing, what your rights are, and how to contact us.

When processing the information collected, we act in accordance with current legislation on the protection of data relating to an identified or identifiable natural person (“Data Subject”), including, but not limited to, personal data of customers, employees, service providers and business partners (“Personal Data”), using systems structured to meet security and transparency requirements, good practice and governance standards and, especially, the principles established in Law No. 13,709/2018 (“General Personal Data Protection Law” or “LGPD”) and the guidelines of the National Data Protection Authority - ANPD.

We inform you that the ANPD acts as the enforcement authority of the LGPD, being the competent body to receive complaints and claims registered regarding non-compliance with the regulations applicable to the protection of Personal Data. All technologies used will always comply with current legislation and the terms of this Privacy Policy.

In order to make it easier for you to read, we have separated the topics into small chapters, which we list below:

  1. To whom the Privacy Policy applies
  2. Categories of Personal Data we collect
  3. How we collect Personal Data
  4. Purposes and uses of Personal Data and their Legal Basis
  5. Sharing of Personal Data
  6. Storage of your information
  7. Your rights and options;
  8. Security;
  9. Retention of records;
  10. Contact us; and
  11. Updates to the Privacy Policy.

In addition to the terms of this Privacy Policy, when contracting our services, you must sign our Service Provision Agreement, as well as other specific documents, depending on the type of service contracted. Such documents contain additional provisions regarding our processing and the Personal Data necessary for such purposes, and may be used to obtain your consent for such purposes, as necessary.

I. To whom the Privacy Policy applies

If you are a patient, or simply visiting the Site as a user, this Privacy Policy applies to you.

For the most part, we will be the controller of your Personal Data under the LGPD, and therefore we are responsible for defining what happens to such data and protecting it.

If you provide us with Personal Data of third parties for any reason, such as your dependents, we will use it only for the purpose for which it was shared. In this case, you confirm that you are authorized to provide such data to us for such purposes, under the LGPD.

I.1 Of minors and incapacitated persons

Appointments made on the Website and/or services contracted by OTOH must be made by persons with legal capacity to schedule appointments, exercise rights and/or assume obligations, in accordance with the laws of the Federative Republic of Brazil, and not by persons who are minors or in any way prohibited from performing legal acts, exercising rights and/or assuming obligations, unless duly represented or assisted.

Likewise, in order for us to process Personal Data of children (under the terms of the Statute of Children and Adolescents), as well as of persons who do not have legal capacity to contract, exercise rights and/or assume obligations (including adolescents under 16 (sixteen) years of age), we will request the consent of their legal guardian.

Persons under 16 (sixteen) years of age or who do not have legal capacity to contract, exercise rights and/or assume obligations must not provide information, nor provide personal data or other information without the prior, specific and highlighted consent given by at least one of their parents or legal guardian. For people who are at least 16 (sixteen) years old, but under 18 (eighteen) years old, or otherwise relatively incapable, we recommend that their legal guardians assist them so that they can understand the terms of this document and, consequently, feel capable of providing their consent if necessary.

II. Categories of Personal Data we collect

a) Navigation / Cookies

When you visit the Site, we may collect information about you, some of which may be Personal Data. This information may include your IP address, browser used, operating system and settings, access times, and referring URL. If you access the Site via a mobile device, we may also collect data that identifies your device, its settings, the carrier used, and your location.

We may also collect information about how your device interacted with our online services, including the pages accessed, links clicked, journeys viewed, and features used, along with associated times and dates; and details of exit pages and referring Sites, as well as general geographic location (such as city or country). We may also collect information through cookies. Cookies are small text files that the Sites send to your computer or other internet-connected device to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a personalized experience and may enable us to detect certain types of fraud. In many cases, the information we collect using cookies and other tools is used only in a non-identifiable form, without reference to personal information. For example, we may use the information we collect to better understand traffic patterns and optimize your experience while browsing our Site. In some cases, we associate the information we collect using cookies and other technologies with your personal information.

Most web browsers are set up to accept cookies, but users can reset their web browser to refuse all cookies or to have the system inform them when a cookie is being sent. However, if cookies are disabled, some features and services of the websites may not function properly.

In addition, we may use pixel tags, web beacons, scripts, and similar technologies. Pixel tags, scripts, and web beacons are tiny graphic images and small blocks of code embedded in our website pages, advertisements, and/or emails that allow us to determine whether you have performed a specific action. When you access these pages or open an email from us, pixel tags, scripts, and web beacons tell us that you have accessed the web page or opened the email, as well as other statistical data. These tools help us measure the response to our communications, better understand the behavior of our users, and improve our web pages and promotions by increasingly tailoring the content to what interests you.

For more information about our use of tracking technologies, please see our Cookie Policy and the Privacy Settings on the Site.

b) Identification Data / Appointment Scheduling

In order for you to schedule an appointment through the Website (including if directed to WhatsApp service) or through our other service channels, it will be necessary to share certain information, namely:

Complete patient qualification, namely: name, date of birth, CPF/ME and email address, cell phone number and address, including zip code.

In addition, when scheduling an appointment, OTOH may collect the data mentioned above from the clients' companions, for identification and access control purposes. Additionally, we may request the submission of a legible copy of personal documents that prove the information above, including identity documents and proof of residence.

c) Sensitive Data

We will only collect data to the extent necessary to provide our services and in compliance with our legal and regulatory obligations, including regarding storage.

d) Contacts and Communications

The following are collected:

(i) Data relating to communications with OTOH, made through the Website or by telephone or email; and

(ii) Data that you provide about other people, such as family members or other people with whom you are scheduling an appointment.

III. How we collect information

We collect the information you submit on the Website, via WhatsApp, email and/or other OTOH service channels, in order to create an internal OTOH registry, exclusively for scheduling appointments, registering customer profiles, and related activities.

We also collect the information you submit so you can contact us and comment on our social networks, as well as the information shared by you or on your behalf to perform our service and other procedures related to our services.

In addition, we may collect information passively through tools that identify data from your browsing, such as IP address, browser used, operating system and settings, access times and reference URL.

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

IV. Purposes and use of Personal Data and Legal Bases

Personal Data provided by the user or otherwise collected in accordance with the provisions of these Privacy Policies will be used by OTOH for the following purposes, and using the following legal bases:

(i) Identify the user - Legal Basis: Legitimate interest (Art. 7, IX of the LGPD);

(ii) Provide the user with access to the website upon registration - Legal Basis: Execution of a contract or preliminary procedures related to a contract (Art. 7, V of the LGPD);

(iii) Meet appointments sent via the Website, via WhatsApp or other service channels - Legal Basis: Execution of a contract or preliminary procedures related to a contract (Art. 7, V of the LGPD);

(iv) Provide healthcare services, including through access by OTOH professionals involved in their care - Legal Basis: Protection of the patient's life or physical safety and protection of the patient's health (when it involves sensitive personal data, only if indispensable for such purposes) (Art. 7, VII and VIII and Art. 11, II "e" and "f" of the LGPD);

(v) Share data with third parties, if strictly necessary for the provision of the services offered by OTOH upon hiring the responsible party, or upon express request from the data subject - Legal Basis: Consent (Arts. 7, I and Art. 11, I of the LGPD), except in urgent situations and essential for the protection of the patient's life or physical safety and protection of the patient's health, in which case Art. 7, VII and VIII and 11, II "e" and "f" of the LGPD will apply;

(vi) Receive audits, reviews of OTOH's internal processes and procedures - Legal Basis: Compliance with legal or regulatory obligations (Art. 7, II and Art. 11, II "a" of the LGPD);

(vii) Share data with health operators/insurers for purposes of accountability, requesting authorizations, auditing and settlement, only to the extent strictly necessary and in compliance with the provisions of the LGPD - Legal Basis: Consent (Arts. 7, I and Art. 11, I of the LGPD);

(viii) Comply with OTOH's legal or regulatory obligations, including those related to storage and sharing with public agencies - Legal Basis: Compliance with legal or regulatory obligations (Art. 7, II and Art. 11, II "a" of the LGPD);

(ix) Analyze searches carried out by users on the Website to improve and personalize the content and its presentation - Legal Basis: Legitimate interest (Art. 7, IX of the LGPD);

(x) Contact you regarding the services contracted and your appointments - Legal Basis: Execution of a contract or preliminary procedures related to a contract (Art. 7, V of the LGPD);

(xi) Send information or messages by email and/or social media about news and services provided by OTOH - Legal Basis: Consent (Arts. 7, I and Art. 11, I of the LGPD);

(xii) Manage and respond to any questions or complaints made to OTOH - Legal Basis: legitimate interest (Art. 7, IX of the LGPD); and

(xiii) Support and promote the activities of OTOH, including for its administrative organization, making payments and analyzing the services provided by OTOH, respecting the legal limitations - Legal Basis: legitimate interest, (Art. 7, IX of the LGPD).

For the processing indicated above that requires your consent, we will collect your consent through appropriate means. You may revoke your consent at any time by filling in the appropriate field in the emails sent to you (in relation to newsletters/emails not related to your service), or by communicating with OTOH through the channels provided in this Policy. In the event of revocation, you will not be entitled to the features/services that require processing based on consent.

If we request your Personal Data to comply with a legal requirement or to perform a contract with you, this will be made clear at the relevant time and we will inform you whether the provision of your Personal Data is mandatory (as well as the possible consequences if you do not provide it).

For more information on the processing of your Personal Data after you have effectively contracted our Services, please check the Service Provision and Other Services agreement.

V. Sharing of Personal Data

We share your Personal Data as described below and in this Privacy Policy and as permitted by applicable Laws.

Service providers and employees. When you make service requests, schedule appointments, pre-service appointments and contact us through our Website or through our other communication systems, your Personal Data will be shared with our service representatives and infrastructure service providers of the systems managed by OTOH, who are trained and qualified to handle your Personal Data ethically and in line with this Privacy Policy. Other sharing may be carried out for the purpose of meeting your requests and duly providing services.

If, for medical reasons, it is necessary to share the content of your medical record or file with third parties, we will request your specific consent to do so, unless, due to an emergency that prevents or excessively hinders the collection of your consent, such data sharing is indispensable for the protection of the life or physical safety and/or protection of the patient's health.

For detailed information on the names of third parties with whom we share your Personal Data, please contact our Data Protection Officer via email: contato@otoh.com.br.

Third-party service providers. We share Personal Data with third parties in connection with delivering services to you and operating our business (for example, to provide customer support, business analytics, fraud prevention, compliance services, and to show you personalized advertising). These third-party service providers are required to protect the Personal Data we share with them and may not use directly identifiable Personal Data other than to provide the services for which they have been contracted. We commit to requiring such partners, service providers, or contractors to protect your information at least as set forth in this Privacy Policy. They may not use the Personal Data we share with them for advertising (unless you have given your consent in accordance with the terms provided by them).

Legal obligations and rights. We may disclose your Personal Data to enforce our policies, or when we are permitted (or have a good faith belief that we need) to do so in accordance with applicable Law, such as in response to a request from a law enforcement or government agency, in connection with actual or proposed litigation, or to protect and defend our property, employees, and other rights and interests. We may also share your Personal Data to comply with a subpoena or other lawful request, or as necessary to remit certain taxes when processing payments, as required by Law or legal process.

Corporate Transactions. We may share your Personal Data in connection with a corporate transaction, such as a divestiture, merger, consolidation, assignment, or sale of assets, or in the unlikely event of bankruptcy. In the event of an acquisition, we will notify the buyer that it must use your Personal Data only for the purposes set forth in this Privacy Policy.

Insurers and health plan providers. We may share your Personal Data with health insurance companies/insurers for the purposes of accounting, requesting authorizations, auditing and settlement, only to the extent strictly necessary and in compliance with the provisions of the LGPD. In such cases, we will collect your consent or that of your responsible party for such sharing, under the terms of our Service Provision Agreement and Other Services.

Aggregated information. Finally, we may publish or share aggregated information that does not allow the identification of customers to provide information about the Website and the provision of services through it.

VI. Storing your information

We may store your data on our own or third-party servers and data centers. Both these servers and data centers and the providers of such services may be located outside of Brazil. You hereby consent to the storage or transfer of your information outside of Brazil, pursuant to Art. 33, VIII of the LGPD. The countries in which we may store your data may have different and/or less stringent privacy/data protection and data security rules than those in Brazil. Consequently, your information may be subject to access requests by governments, courts or law enforcement authorities in those countries in accordance with the Laws of such countries. Subject to the Laws applicable in those other countries, we will provide the necessary safeguards to protect your personal information, as well as require our storage service providers, as applicable, to comply, to the greatest extent permitted by local law, with the provisions of this Privacy Policy and the LGPD.

VII. Your rights and options

You have certain rights and choices in relation to your Personal Data, as described below:

(i) You can control how we use some of your cookies by following the guidance in our Privacy Policy, as well as the Cookie Policy and our Privacy Settings;

(ii) If we are processing your Personal Data with your consent, you may withdraw that consent at any time by contacting us. The withdrawal of your consent will not affect the lawfulness of any processing previously carried out and will not affect the processing of your Personal Data conducted in accordance with other legal bases; and

(iii) In addition to the rights above, you have the right to lodge a complaint with a data protection authority about our collection and use of your Personal Data. However, we encourage you to contact us first so that we can resolve your concern. Please send your request by email to the following address: contato@otoh.com.br. We respond to all requests we receive from individuals who wish to exercise their Personal Data protection rights in accordance with the applicable Data Protection Law.

All Data Subjects are assured ownership of their Personal Data and are guaranteed the fundamental rights of freedom, intimacy and privacy, under the terms of article 17 of the LGPD.

Finally, you have the rights provided for in article 18 of the LGPD, some of which have already been described above, especially regarding the revocation or refusal of consent and its consequences, through which you may request, upon request:

(i) confirmation of the existence of processing;

(ii) access to data;

(iii) correction of incomplete, inaccurate or outdated data;

(iv) anonymization, blocking or deletion of unnecessary,

excessive data or data processed in non-compliance with the LGPD;

(v) portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;

(vi) deletion of Personal Data processed with the consent of the data subject, except in the cases provided for in art. 16 of the LGPD; and

(vii) information on public and private entities with which OTOH shared data;

The rights provided for above shall be exercised by the Data Subjects upon express request by the Data Subject or their legally constituted representative to OTOH. This request shall be met at no cost to the Data Subject, within 10 (ten) business days from its receipt by OTOH, and, once the matter has been regulated, within the deadlines and terms provided for in the regulation. If it is impossible to immediately adopt the requested measure, OTOH shall send the data subject a response indicating the factual or legal reasons that prevent the immediate adoption of the measure.

OTOH must immediately inform the processing agents with whom it has shared data of the correction, deletion, anonymization or blocking of the data, so that they may repeat the same procedure, except in cases where this communication is demonstrably impossible or involves disproportionate effort.

To exercise the rights provided for in this Chapter, you must send an email with the subject “Access to Personal Data – OTOH” to contato@otoh.com.br. OTOH may require the Data Subject to identify themselves, as well as specify the Personal Data they wish to access, rectify or remove.

The Data Subject has the right to file a petition with the ANPD regarding their data against OTOH.

VIII. Security

We want you to feel secure about using our Site and all associated services and tools, and we are committed to taking appropriate measures to protect the information we collect. While no organization can guarantee perfect security, we implement and continually update administrative, technical, and physical security measures to help protect your information from unauthorized access, loss, destruction, or alteration. However, you acknowledge that no system, server, or software is absolutely immune to attacks and/or intrusions by hackers and other malicious actors, and OTOH is not responsible for any unauthorized deletion, obtaining, use, or disclosure of your data resulting from attacks that OTOH could not reasonably prevent through such security standards.

IX. Record retention

We will retain your Personal Data in accordance with all applicable Laws for as long as is relevant to fulfill the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by Law. We will de-identify, aggregate or anonymize your Personal Data if we intend to use it for analytics or trend analysis purposes over longer periods of time.

The criteria we use to determine retention periods include:

(i) The length of our relationship with you, including appointment bookings;

(ii) Whether we have a legal obligation with respect to your Personal Data, for example, Laws requiring us to keep records of your transactions with us; and

(iii) The existence of legal obligations that affect how long we will retain your Personal Data, including contractual obligations, litigation holds, statutes of limitations and regulatory investigations.

X. Contact Us

If you have any questions or concerns about how we use your Personal Data, please contact us through the following channels:

Email: contato@otoh.com.br;

Phone: +55 11 3032 9662; and

WhatsApp: +55 11 2780-0323.

XI. The Data Controller

Leonardo Jacomussi Pereira de Araujo, Brazilian, Acoustic Engineer, holder of Identity Card RG No. 45.680.629-5 and registered in the Registry of Individuals of the Ministry of Economy under No. 446.940.788-79 is the person in charge of OTOH to act as a communication channel between OTOH, the Holders of Personal Data and the ANPD, under the terms of the LGPD. If the Holder has any questions about the Privacy Policy, its application and/or the processing of Personal Data, he/she should contact the person in charge above, at any time, by sending an email to contato@otoh.com.br.

XII. Privacy Policy Updates

This Privacy Policy may be modified at any time, as required for the purpose or need to adapt and comply with the provisions of the Law or whenever OTOH deems it necessary. You can see when this Privacy Policy was last modified by checking the date of the last update, now at the top of this page. In the event of significant changes, we will also provide you with notice of the modifications, by email, at least 30 (thirty) days before the date they are scheduled to come into effect. After the changes come into effect, even if you have not expressly agreed to the revised Privacy Policy, your continued access and/or use of the Site will be subject to the revised Privacy Policy.

WhatsApp