Version 2026-06-30
Data Processing Agreement (DPA)
This Data Processing Agreement governs the relationship between FTL Importação e Comercialização de Softwares Ltda. (Imáginos, Processor) and the professional/clinic User (Controller) regarding patient personal data processed on the platform, under Brazil's LGPD. It forms part of the Terms of Use and is effective as of June 30, 2026.
1. Roles
For patient personal data processed on the platform, the User (professional/clinic) is the Controller and Imáginos is the Processor, under arts. 5, VI and VII, of the LGPD. Imáginos processes such data exclusively per the Controller's documented instructions and this Agreement.
2. Subject matter, nature, and purpose
Subject: storage, organization, image processing (derivatives and comparisons), AI support, and report generation over clinical dermatoscopy and trichoscopy images. Nature: sensitive personal health data and identifiers. Data subjects: the Controller's patients. Duration: while the contractual relationship is in force.
3. Imáginos's obligations (Processor)
Process data only per the Controller's documented instructions, except for legal obligation; ensure confidentiality of authorized personnel; adopt technical and organizational security measures aligned with best practices; assist the Controller in handling data subject requests and incident notification; report incidents without undue delay; and delete or return data at the end of the relationship.
4. Controller's obligations (User)
Ensure the legal basis at source, including patient consent where required and confidentiality waiver where applicable; provide lawful instructions and enter only authorized data; inform patients about the processing and handle data subject requests; and minimize identifiers, entering only what is necessary for the clinical purpose.
5. Sub-processing
The Controller authorizes Imáginos to engage sub-processors (hosting, database, object storage, analytics, and payments) to deliver the service, under equivalent protection obligations. Material changes to the sub-processor list will be communicated with reasonable notice.
6. Security and incidents
Imáginos adopts the measures described in the Privacy Policy. It is acknowledged that no system is fully immune; liability follows the limits of the Terms of Use, except for willful misconduct, gross negligence, and mandatory rights. In a relevant incident, Imáginos will support the Controller in notifications to the ANPD and data subjects, where required.
7. International transfer
Any international transfers will comply with the LGPD and rely on adequate safeguards, as described in the Privacy Policy.
8. Anonymized data and artificial intelligence
The Controller acknowledges and authorizes Imáginos to anonymize data (including images) for research, validation, and the improvement of products and AI models, under article 12 of the LGPD. Once effectively anonymized, such data ceases to be personal data.
This authorization is enabled by default, especially on free and trial plans. The Controller may request its exclusion at privacidade@imaginos.com.br; exclusion does not affect data already anonymized and incorporated into studies or models. The Controller represents that it has, at source, a legal basis allowing this anonymization.
9. Termination
Upon termination, Imáginos will make data available for recovery for a reasonable period and then delete or anonymize it, per the Controller's instruction and legal retention obligations.
10. Patient consent template
As a courtesy, Imáginos provides the Controller with a Consent Form template for the capture and processing of clinical images, to be adapted and used with their patients. Imáginos is not a party to that consent; it acts as Processor handling images at the Controller's request. The template informs the patient, among other points, about anonymized use for research and technology improvement, including AI.