Privacy Policy
Last updated: 27/05/2026 Version: 1.0
This Privacy Policy explains how NexoMed collects, uses, stores, and protects your personal data. It applies to the NexoMed application (the “App”) and the website nexomed.me (the “Site”), collectively referred to as the “Services”.
This policy complies with Brazil’s Lei Geral de Proteção de Dados (LGPD - Law 13.709/2018) and the European Union’s General Data Protection Regulation (GDPR - Regulation (EU) 2016/679).
Reference version: The Portuguese text is the legally binding version. This English translation is provided for convenience only and is available at nexomed.me/privacidade. In case of discrepancy, the Portuguese version prevails.
1. Who we are
NexoMed is operated by the following entities:
Data controller (primary):
- FEYDIT INFORMATICA UNIPESSOAL LDA
- NIPC: 515791539
- Registered office: Praça Henrique Lopes Mendonça, 59, 2870-475 Montijo, Setúbal
Representative in Brazil (under LGPD Art. 5, XVIII):
- CAMPOS E SANTOS INFORMATICA LTDA
- CNPJ: 29.893.256/000157
- Address: R VOLUNTARIOS DA PATRIA, 487 - Sala 606, 28030-260 Campos dos Goytacazes-RJ
Data Protection Officer (DPO):
- CAMPOS E SANTOS INFORMATICA LTDA
- Email: dpo@nexomed.me
You may contact the DPO at any time to exercise your rights regarding personal data, ask questions, or file complaints.
2. Data we collect
NexoMed is designed to collect the minimum personal data necessary. We do not require registration with email, real name, or phone number to use the App.
2.1 Data created automatically when you use the App
When you first open the App, we automatically create an anonymous account for you, consisting of:
- A randomly generated anonymous identifier (UUID), with no link to your real identity
- The account creation date and time
- The date and time of last access
This data is generated by our authentication provider, Supabase, and is not linked to your name, email, phone, or any other personal identifier.
2.2 Data you provide while using the App
As you use the App, you create the following data, stored on your anonymous account:
- Name or nickname that you choose to identify yourself and family members (you may use fictitious names — we do not validate)
- Avatars selected from a predefined emoji list
- Medication information: medication name, dosage, form (tablet, liquid, etc.), times, frequency, and treatment duration
- Dose history: doses you marked as taken, skipped, or unconfirmed, with date and time
- Personal settings: language preference, notification preferences
2.3 Technical data collected automatically
- Device language (automatically detected to set the App’s default language)
- Crash reports: when the App encounters a technical error, we automatically send anonymous technical information to the Sentry service so we can fix the issue. These reports include your account’s anonymous identifier, but do not include your medication names, schedules, or health data — these are stripped before sending.
- Minimal operational logs, kept for up to 90 days, for security and diagnostics
2.4 Data we do NOT collect
For your peace of mind, we explicitly list what we do not collect:
- Email, phone number, real name, identity documents of any kind
- Geographic location (GPS, address, IP-based geolocation)
- Contacts from your device
- Photos, videos, or files from your device
- Browsing history or data from other apps
- Biometric information
- Health data beyond the medication information you yourself enter
- Tracking or advertising cookies (we use no cookies beyond what is strictly necessary for the site to function)
We do not sell, rent, or share your data with third parties for marketing or advertising. Ever.
3. What we use your data for
We use your personal data exclusively for the following purposes:
| Purpose | Legal basis (LGPD / GDPR) |
|---|---|
| Enable the App to function (reminders, supply tracking, history) | Contract performance (LGPD Art. 7, V / GDPR Art. 6(1)(b)) |
| Send local notifications about your medications | Contract performance |
| Maintain your account across sessions | Contract performance |
| Diagnose technical errors via crash reports | Legitimate interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f)) |
| Comply with legal obligations (LGPD, GDPR, court orders) | Legal obligation (LGPD Art. 7, II / GDPR Art. 6(1)(c)) |
We do not use your data for profiling, targeted advertising, sales to third parties, behavioral analysis for commercial purposes, or any other purpose not listed above.
3.1 About sensitive data
Medication information may reveal health data, which is classified as sensitive personal data under LGPD (Art. 11) and special categories of data under GDPR (Art. 9).
We process this data exclusively based on the specific and prominent consent you provide by using the App. This consent may be withdrawn at any time by deleting your account (Section 7).
4. Where your data is stored
4.1 Local storage on your device
Most of your data — including all medication information, schedules, and dose history — is stored locally on your device, in the App’s encrypted storage (iOS/Android AsyncStorage). This data does not leave your device, except when you use synchronization features (not available in V1).
4.2 Server storage
The following data is stored on our infrastructure provider, Supabase, in the São Paulo, Brazil region (AWS sa-east-1):
- Anonymous account identifier
- Creation date and last access
- Initial “family” structure (empty until V2 sync launches)
Physical location: Data is held in Amazon Web Services data centers in São Paulo, Brazil. This means your data is not transferred outside Brazil for primary storage.
4.3 International transfer for technical purposes
Crash reports are sent to Sentry, whose servers are located in the European Union. This transfer is necessary to diagnose and fix bugs.
This international transfer is protected by:
- Standard Contractual Clauses (SCCs) between us and Sentry (under Brazilian ANPD Decree 11.937/2024 for LGPD)
- Standard Contractual Clauses (SCCs) under GDPR
We do not send Sentry any data that could identify you directly, or any specific information about your medications.
5. Who has access to your data
5.1 The NexoMed team
The NexoMed operational team may access server data (anonymous identifiers and account metadata) only when strictly necessary to:
- Investigate technical issues you report
- Comply with legal obligations
We do not access individual medication data stored locally on devices — we have no technical means to do so in V1.
5.2 Processors (sub-processors)
We share data, only to the extent strictly necessary, with the following processors:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Authentication and database | São Paulo, Brazil (AWS sa-east-1) | DPA signed, SCCs |
| Functional Software, Inc. (Sentry) | Technical crash reports | United States | SCCs, pseudonymized data |
| Vercel, Inc. | Hosting of nexomed.me website | Multi-region (global CDN) | DPA signed |
| Apple Inc. / Google LLC | App distribution via App Store / Google Play | Per platform policy | Per platform policy |
Each of these processors has access only to data strictly necessary for their function, under contracts that limit use to service execution.
5.3 Public authorities
We may share data with competent public authorities when required by law, court order, or formal administrative request. In such cases, we will notify you whenever legally permitted.
6. How long we keep your data
| Data type | Retention period |
|---|---|
| Anonymous account | Kept indefinitely, until you request deletion via the App |
| Dose history (on device) | 90 days, with automatic cleanup |
| Account after you request deletion | Deleted immediately (see Section 7) |
| Operational server logs | Up to 90 days |
| Sentry crash reports | 30 days (default Sentry retention) |
Because anonymous accounts are not linked to an email or personal identity, we have no way of identifying abandoned accounts to delete them proactively. If you uninstall the App without using the “Delete my account” function, your account data will remain on our servers until you reinstall and delete it, or contact us via the means described in Section 11.
After these periods (or after your deletion request), data is irreversibly erased from our systems and our processors’ systems.
7. Your rights
Under LGPD (Art. 18) and GDPR (Art. 15–22), you have the following rights:
7.1 Right of access
You may request a copy of the data we hold about you. Since most of your data is on your own device, you already have direct access — just open the App. For server data, email dpo@nexomed.me.
7.2 Right of rectification
You can correct any information directly in the App. For data you cannot edit, email dpo@nexomed.me.
7.3 Right of erasure
You can delete your account and all data at any time:
- In the App: Profile → Delete my account. Deletion is immediate and permanent.
- Important limitation: Since our V1 uses anonymous authentication, we have no way to identify you outside the App. To delete your account, you need access to the App on the device where it was created. If you’ve lost access to the device, write to dpo@nexomed.me — although we cannot identify individual accounts, we can advise you on available options.
Deletion removes:
- Your anonymous server account
- All associated server data
- All associated crash reports from Sentry
- All local data on the device
There is no grace period or recovery. Deletion is final.
7.4 Right of portability
You can request a copy of your data in a structured format (JSON) to transfer to another service. Email dpo@nexomed.me.
7.5 Right to object and withdraw consent
You may object to the processing of your data or withdraw previously granted consents, except where processing is necessary to fulfill a legal obligation or active contract. In practice, this is equivalent to deleting your account.
7.6 Right to information about processors and sharing
This policy already provides such information (Section 5). For further details, email dpo@nexomed.me.
7.7 Right to review automated decisions
We do not make automated decisions affecting you. App reminders follow exactly the schedules you configure.
7.8 Right to lodge a complaint with the supervisory authority
- In Brazil: National Data Protection Authority (ANPD) — www.gov.br/anpd
- In Portugal: Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt
- In other EU countries: your national data protection authority
7.9 Response time
We will respond to any request about your rights within 15 days (LGPD) or 30 days (GDPR), extendable in legally provided cases.
8. Data security
We adopt technical and organizational measures to protect your data:
- Encryption in transit: all communications between the App and our servers use TLS 1.2 or higher
- Encryption at rest: server data encrypted by Supabase with AES-256
- Access restriction: only authorized personnel may access server data, always with strong authentication
- Auditing: data access logs are kept for incident investigation
- Least privilege: each service accesses only strictly necessary data
- Security updates: we regularly apply security patches to our systems and dependencies
No system is 100% secure. In the event of a security incident affecting your personal data, we will notify ANPD and/or CNPD within applicable legal deadlines and communicate with affected users when required by law.
9. Children and minors
NexoMed is not directed at children under 13 years old. We do not knowingly collect data from children.
Parents or guardians may use the App to manage medications for their minor children — this use is at the legal guardian’s discretion, and the data remains under the guardian’s account.
If you suspect a child used the App independently, email dpo@nexomed.me and we will delete the data immediately.
10. Changes to this policy
We may update this Privacy Policy occasionally to reflect App, legal, or operational changes.
- Substantial changes (new purposes of use, new processors, data location changes): we will notify you in the App and on the site, at least 30 days in advance.
- Minor changes (corrections, clarifications): reflected in the “Last updated” date at the top of this page.
The current version is always available at nexomed.me/privacidade.
Previous versions are archived and may be requested by email.
11. How to contact us
For privacy questions:
- Email: dpo@nexomed.me
- Responsible person: FEYDIT INFORMATICA UNIPESSOAL LDA, Data Protection Officer
For general questions or support:
- Email: oi@nexomed.me
Postal address (controller): FEYDIT INFORMATICA UNIPESSOAL LDA, Praça Henrique Lopes Mendonça, 59, 2870-475 Montijo, Setúbal
Postal address (Brazilian representative): CAMPOS E SANTOS INFORMATICA LTDA, R VOLUNTARIOS DA PATRIA, 487 - Sala 606, 28030-260 Campos dos Goytacazes-RJ