Privacy Policy
Important notice — please read first.
NPT Calc (the “Service”) is a clinical decision support tool intended exclusively for use by qualified healthcare professionals as an aid to — not a substitute for — clinical judgment. Outputs of the Service are informational only. The treating clinician remains solely responsible for clinical decisions, prescribing, and patient care.
The Service is designed to operate on de-identified patient parameters only. The Service does not request, require, or expect to receive direct patient identifiers (name, date of birth, medical record number, address, contact information, or other PHI). Users who choose to enter such information do so contrary to our intended use and assume responsibility for that disclosure under their own legal and professional obligations.
If you intend to use the Service in a manner that would cause it to receive Protected Health Information (“PHI”) as defined under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), you must contact us before doing so to execute a Business Associate Agreement. Absent such an executed agreement, the Service is not authorized for use with PHI.
1. Who we are
This Privacy Policy (“Policy”) is issued by:
SCy Tech Ltda
CNPJ 28.256.924/0001-72 (Brazilian Limitada)
Rua Patrício Farias 101, Itacorubi, Florianópolis — SC, Brasil, 88034-132
Email: nptcalculator@gmail.com
General contact: https://nptcalc.med.br
In this Policy, “we”, “us”, and “our” refer to the entity above. “You” refers to any natural person whose personal data we process — typically a healthcare professional who uses the Service, a representative of an institutional customer, or a visitor to our website at https://nptcalc.med.br (the “Site”).
We act as the data controller for personal data about our account holders, Site visitors, and prospects. With respect to clinical parameters that healthcare-professional users enter into the Service about patients under their care, we act as a data processor / operator on behalf of that user (or their employing institution) as the controller.
Data Protection Officer / Privacy contact
For questions about this Policy, to exercise your rights, or for any data protection matter, contact our privacy lead at nptcalculator@gmail.com. In Brazil, this contact also serves as the Encarregado de Proteção de Dados (“DPO”) for purposes of LGPD Art. 41 and may communicate with the ANPD in Portuguese.
2. Scope and legal frameworks
This Policy describes how we handle personal data under the following frameworks, as applicable to you:
| Framework | When it applies |
|---|---|
| LGPD (Lei Geral de Proteção de Dados, Law 13.709/2018) | Data about individuals located in Brazil, or processed in Brazil |
| GDPR (EU Regulation 2016/679) | Data about individuals in the European Economic Area |
| UK GDPR & Data Protection Act 2018 | Data about individuals in the United Kingdom |
| CCPA / CPRA | Data about California residents |
| HIPAA (45 CFR Parts 160 & 164) | Only where we have executed a Business Associate Agreement with a Covered Entity customer |
| Brazilian sectoral rules (CFM Resolutions, ANVISA RDC 657/2022 on SaMD) | Where the Service interacts with regulated medical practice in Brazil |
Where laws conflict, we apply the rule that is most protective of the data subject.
3. What information we collect
3.1 Information you provide directly
Account and billing information. When you create an account, subscribe, or contact us, we collect: your name, work email address, professional title or role (e.g., physician, dietitian, pharmacist), professional registration number where you provide one (CRM, CRN, CRF, NPI, etc.), institution or organization name, country, billing address, and payment method details. Payment card data is collected and tokenized by our payment processor; we do not store full card numbers on our systems.
Communications. If you contact us by email, support form, or other channels, we receive the content of your message and any attachments.
Marketing preferences. If you subscribe to product updates, we record your email address and consent timestamp.
3.2 Clinical inputs (patient parameters)
When you use the calculator, you may enter clinical parameters about a patient under your care. By design, the Service is intended to operate on non-identifying clinical inputs such as:
- patient weight, height, age, sex
- relevant clinical condition or indication (e.g., post-surgical, critical care)
- laboratory values you choose to enter
- formula selections you make
- targets and constraints you set
We do not ask you for, and we instruct you not to enter, direct patient identifiers (name, initials, date of birth, MRN, address, contact details, photographs, full-face images, biometric identifiers, or any of the 18 HIPAA Safe Harbor identifiers). If you nonetheless enter such information into a free-text field contrary to these instructions, you do so as the controller of that data and remain responsible for its disclosure to us in that capacity. We will treat any such inadvertently received data as confidential and delete it within a reasonable time once it is identified.
The clinical inputs you enter are processed to:
- compute the dosing, macro- and micronutrient outputs displayed to you;
- maintain a calculation history visible to your account, if that feature is enabled.
The Service performs deterministic calculations based on the parameters you enter and the clinical guidance (ESPEN, ASPEN, and other peer-reviewed sources) encoded in its formulas. It does not make automated decisions producing legal or similarly significant effects within the meaning of GDPR Art. 22 or LGPD Art. 20; every output is presented for clinician review and acceptance, modification, or rejection.
3.3 Information collected automatically
When you visit the Site or use the Service we automatically collect:
- Device and connection data: IP address (truncated where possible for analytics), browser type and version, operating system, device type, screen resolution, language, time zone.
- Usage data: pages and features used, timestamps, referring URL, actions taken in the application, session duration, error and diagnostic logs.
- Cookies and similar technologies: see Section 7.
3.4 Information from third parties
If you sign in through a third-party identity provider (e.g., Google), we receive the basic profile information that provider shares with us based on your authorization. If your institution provisions accounts on your behalf, we receive your name, work email, and role from that institution.
4. Sensitive personal data
We do not knowingly collect sensitive personal data about you, the user, beyond what is necessary to verify your professional qualifications where you choose to provide them.
Patient clinical parameters that you enter (Section 3.2) constitute sensitive personal data under LGPD Art. 5(II) and GDPR Art. 9 (data concerning health) if and to the extent they can be associated with an identified or identifiable individual. Because the Service is designed to operate on non-identifying inputs, we generally do not consider the parameters we receive to be linked to an identifiable patient on our systems. Where they nonetheless are, our legal bases for processing are set out in Section 5.
5. Why we use your data and our legal bases
We process personal data only for the purposes set out below. The legal basis depends on the framework that applies to you.
| Purpose | Categories used | GDPR / UK GDPR basis | LGPD basis |
|---|---|---|---|
| Create and maintain your account; authenticate you | Account information | Art. 6(1)(b) — performance of contract | Art. 7(V) — execution of contract |
| Provide the calculator and show results | Account info, clinical inputs | Art. 6(1)(b); Art. 9(2)(h) for health data | Art. 7(V); Art. 11(II)(f) — health protection |
| Bill you and process payments | Account, billing | Art. 6(1)(b); Art. 6(1)(c) — legal obligation | Art. 7(V); Art. 7(II) — legal obligation |
| Provide support and respond to enquiries | Account info, message content | Art. 6(1)(f) — legitimate interest | Art. 7(IX) — legitimate interest |
| Security, fraud prevention, abuse detection | Account, usage, device data | Art. 6(1)(f) — legitimate interest | Art. 7(IX); Art. 7(II) |
| Service improvement, debugging | Usage and device data (aggregated/pseudonymous where practical) | Art. 6(1)(f) — legitimate interest | Art. 7(IX) |
| Marketing communications to existing customers about similar services | Account info, marketing prefs | Art. 6(1)(f) — soft opt-in | Art. 7(IX) |
| Other marketing | Email, marketing prefs | Art. 6(1)(a) — consent | Art. 7(I) — consent |
| Compliance with legal obligations | As required | Art. 6(1)(c) | Art. 7(II) |
| Defense of legal claims | As required | Art. 6(1)(f); Art. 9(2)(f) | Art. 7(VI); Art. 11(II)(d) |
Where we rely on legitimate interest, we have conducted a balancing assessment and determined that our interest does not override your rights and freedoms. You can object to legitimate-interest processing as described in Section 10.
For sensitive (health) data under LGPD, we do not rely on legitimate interest or contract execution as bases (these are not permitted by Art. 11). We rely on Art. 11(II)(f) — protection of health, in a procedure carried out by health professionals or sanitary entities — when that applies, and otherwise on the specific, prominent consent of the data subject.
6. Third parties and subprocessors
We use the following subprocessors to deliver the Service. We have a written data processing agreement with each, and where data leaves Brazil the safeguards in Section 8 apply.
| Subprocessor | Purpose | Data categories | Primary location |
|---|---|---|---|
| Hostinger | Cloud hosting, compute, managed database (MariaDB), storage | All Service data | Brazil (São Paulo) |
| Stripe | Subscription billing and payments | Name, email, billing address, payment token | United States / Ireland |
| Google Workspace (Gmail) | Transactional email (account verification, password reset, support replies) | Name, email, message content | Global (Google) |
We update this list when our subprocessor relationships change and will notify customers in advance of material changes where required by contract.
We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as defined under the CCPA/CPRA. We do not engage in profiling for marketing purposes.
7. Cookies and similar technologies
We use a small number of strictly necessary cookies to keep you signed in, remember your language and theme preferences, and protect against abuse. We do not use third-party advertising cookies, and we do not run analytics or product-analytics trackers at this time. If we add analytics in the future, they will be loaded only after you grant consent through our cookie banner, and this Policy will be updated accordingly.
Strictly necessary cookies do not require your consent. Where we do ask for consent (for example, if analytics are added in the future), you can withdraw or change it at any time by re-opening the cookie banner from the footer of the Site or by clearing your browser storage for this domain.
8. International data transfers
Personal data we collect may be transferred to and processed in countries other than your country of residence. Where personal data subject to LGPD is transferred outside Brazil, or personal data subject to GDPR/UK GDPR is transferred outside the EEA/UK, we rely on one or more of the following safeguards:
- Standard Contractual Clauses approved by the European Commission (and UK Addendum where applicable), incorporated into our agreements with subprocessors;
- ANPD-approved transfer mechanisms under LGPD Arts. 33–36 (currently: SCCs in the form approved by ANPD Resolution CD/ANPD No. 19/2024, adequacy decisions where issued, and specific consent where appropriate);
- Adequacy decisions where the destination country has been deemed to provide an adequate level of protection;
- Your explicit consent, where the transfer is occasional and we have informed you of the risks.
A copy of the relevant transfer mechanism for a specific subprocessor is available on request to nptcalculator@gmail.com.
9. Data retention
We retain personal data only for as long as necessary for the purposes set out in this Policy:
| Category | Retention period |
|---|---|
| Account information | For the duration of your account, plus 12 months after closure for legal/accounting purposes |
| Billing and tax records | 5 years from the end of the fiscal year (Brazil) |
| Clinical inputs / calculation history | As long as the account is active, or shorter if you delete them; aggregated, non-identifying summaries may be retained for service-quality purposes |
| Support communications | 24 months from last interaction |
| Server logs | 30–90 days |
| Marketing data | Until you withdraw consent or object; suppression-list records kept indefinitely to honor your opt-out |
| Cookie-consent records | 12 months from the last consent decision |
After the applicable period, data is securely deleted or irreversibly anonymized.
10. Your rights
Subject to applicable law and to verification of your identity, you have the following rights:
Under GDPR / UK GDPR
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure / right to be forgotten (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest or for direct marketing (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of processing already carried out
- Not be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22)
- Lodge a complaint with your supervisory authority
Under LGPD
- Confirmation of processing and access to your data (Art. 18(I)–(II))
- Correction of incomplete, inaccurate or outdated data (Art. 18(III))
- Anonymization, blocking, or deletion of unnecessary or excessive data, or of data processed in non-compliance (Art. 18(IV))
- Data portability to another service or product provider (Art. 18(V))
- Deletion of data processed on the basis of consent (Art. 18(VI))
- Information about public or private entities with which we have shared data (Art. 18(VII))
- Information about the possibility of refusing consent and the consequences of refusal (Art. 18(VIII))
- Revocation of consent (Art. 18(IX))
- Lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd
Under CCPA / CPRA (California residents)
- Right to know what categories and specific pieces of personal information we collect, use, and disclose
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of “sale” or “sharing” of personal information (we do not engage in either)
- Right to limit use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your rights
How to exercise your rights
Send a request to nptcalculator@gmail.com from the email address associated with your account, or use the in-product privacy controls where available. We will respond within:
- 15 days for LGPD requests (Art. 19);
- one month for GDPR/UK GDPR requests (Art. 12(3); extendable by two further months for complex or numerous requests, with notice within the first month);
- 45 days for CCPA requests (extendable once by 45 days, with notice).
We may need to verify your identity before fulfilling certain requests. If we cannot fulfil a request, we will explain why and tell you how to appeal or escalate.
11. HIPAA and Protected Health Information
The Service is not authorized to receive Protected Health Information (“PHI”) as defined under HIPAA absent an executed Business Associate Agreement (“BAA”) between us and the Covered Entity or its Business Associate. The Service is designed to operate on non-identifying clinical parameters (Section 3.2) and we do not market it as a HIPAA-covered product.
If you are a Covered Entity (or a Business Associate) and you require BAA coverage to use the Service with PHI, contact nptcalculator@gmail.com before transmitting any PHI to us. We offer a BAA on our enterprise tier. Where a BAA is in place, the terms of that BAA control with respect to PHI and prevail over any conflicting terms of this Policy or our general Terms.
If you use the Service in connection with patient care, you — as a Covered Entity or as an individually-licensed clinician — remain solely responsible for compliance with HIPAA, including the Minimum Necessary rule, the Security Rule’s safeguards, breach notification, and accounting of disclosures, with respect to PHI that you generate, hold, or disclose.
12. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:
- Encryption in transit (TLS 1.2+ enforced across all endpoints) and at rest (AES-256 or equivalent on our managed databases and storage)
- Authentication: bcrypt/argon2 password hashing, multi-factor authentication offered to all users and required for administrative access
- Access control: role-based access, least-privilege principle, audited administrative actions
- Logging and monitoring: application and infrastructure logs, anomaly detection, alerting on suspicious activity
- Vulnerability management: dependency scanning, regular patching, periodic penetration testing
- Backups: encrypted, geographically separated, regularly tested
- Vendor due diligence: subprocessors selected against security and data protection criteria; written agreements in place
- Incident response plan: documented procedures with defined roles and escalation paths
- Personnel: confidentiality undertakings; training on data protection and security
No method of transmission or storage is perfectly secure. We cannot guarantee absolute security but commit to industry-standard practices and to continuous improvement.
13. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Art. 33), or within the timeframe set by the ANPD for LGPD breaches (currently three business days under ANPD Resolution CD/ANPD No. 15/2024);
- where the breach is likely to result in a high risk, notify affected data subjects without undue delay (GDPR Art. 34; LGPD Art. 48);
- document the facts, effects, and remedial action taken.
Customers operating in HIPAA-covered contexts under a BAA will be notified in accordance with the timelines set in the BAA and HIPAA’s Breach Notification Rule.
14. Children’s data
The Service is intended for use by licensed healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly create accounts for children or collect personal data about account holders who are children. Where the Service is used in pediatric or neonatal care, clinical parameters are entered by the clinician under their professional responsibility and are not directed by, or addressed to, the child.
If you believe we have collected personal data from a person under 18 in violation of this Policy, contact nptcalculator@gmail.com and we will delete it promptly.
15. Your obligations as a healthcare professional user
If you use the Service in your professional capacity, you represent and warrant that:
- you are a qualified healthcare professional or otherwise authorized to use clinical decision support tools in your jurisdiction;
- you have all necessary legal bases (consent, contract, legal obligation, or other) to process patient data under your applicable law, including LGPD, GDPR, HIPAA, professional codes of ethics, and any institutional policies;
- you will use the Service only with non-identifying patient parameters, except where a BAA is in place (Section 11);
- you will independently evaluate any output of the Service before relying on it for clinical purposes;
- you will not attempt to re-identify, reverse-engineer, or aggregate data in ways that would create new privacy risks for patients.
16. Changes to this Policy
We may update this Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- update the “Last updated” date at the top of this Policy;
- post a prominent notice on the Site;
- where required by law or where the changes are significant, notify you by email and, where applicable, obtain renewed consent.
We encourage you to review this Policy periodically. Continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy to the extent permitted by law.
17. Governing law and contact
This Policy is governed by the laws of the Federative Republic of Brazil, without prejudice to any mandatory provisions of the law of the country in which you reside.
For any question, concern, request, or complaint relating to this Policy or to our handling of personal data, contact:
SCy Tech Ltda
Attn: Privacy
Rua Patrício Farias 101, Itacorubi, Florianópolis — SC, Brasil, 88034-132
Email: nptcalculator@gmail.com
You also have the right to lodge a complaint with your local data protection authority:
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- European Union: the supervisory authority of your country of residence — edpb.europa.eu
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
- California: California Privacy Protection Agency — cppa.ca.gov
This Privacy Policy was prepared with reference to LGPD, GDPR, UK GDPR, CCPA/CPRA, and HIPAA as in force on the effective date above. It does not constitute legal advice. We recommend that you review this Policy with qualified counsel in your jurisdiction before deployment.