Privacy Policy
Last updated: March 1, 2026
Regi's Scale ("Company", "we", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
This policy complies with the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and HIPAA requirements for protected health information.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Regi's Scale
Recife, PE, Brazil
E-mail: privacy@regisscale.com
Data Protection Officer (DPO / Encarregado): dpo@regisscale.com
2. Data We Collect
2.1 Account Data
- Full name, email address, professional registration number;
- Organization name, role, and specialty;
- Authentication credentials (password stored as bcrypt hash).
2.2 Patient Health Data
- Patient name, date of birth, medical record number;
- Clinical assessment data (Regis Scale scores, domain evaluations);
- Risk classifications and evolution history;
- Emergency contact information;
- Clinical notes and AI-assisted analyses.
2.3 Automatically Collected Data
- IP address, browser type, operating system;
- Access logs and timestamps;
- Usage patterns and feature interactions.
3. Legal Basis for Processing (LGPD Art. 7 / GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract performance |
| Patient clinical data | Health protection / Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications | Consent |
| Analytics and improvement | Legitimate interest |
4. How We Use Your Data
- Providing and maintaining the Regi's Scale platform;
- Processing patient assessments and generating clinical reports;
- AI-powered analytics and clinical insights;
- Audit trail for regulatory compliance;
- Customer support and communication;
- Service improvement and feature development;
- Billing and subscription management.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
- Within your organization: Authorized team members within your healthcare organization;
- Service providers: Hosting (cloud infrastructure), email services, payment processors — under strict data processing agreements;
- AI services: Anonymized/pseudonymized data for clinical intelligence features (Google Gemini API) — no patient-identifiable information is shared;
- Legal compliance: When required by law, regulation, or legal process;
- Business transfers: In the event of merger, acquisition, or asset sale.
6. International Data Transfers
Your data may be processed on servers located in Brazil. If data is transferred internationally, we ensure:
- Compliance with LGPD Chapter V (International Transfer);
- EU Standard Contractual Clauses (SCCs) for GDPR compliance;
- Adequate safeguards as required by applicable law.
7. Data Retention
- Active accounts: Data retained while your account is active;
- Post-termination: Account data retained for 90 days, then deleted;
- Clinical data: Retained per healthcare regulatory requirements (minimum 20 years in Brazil per CFM Resolution);
- Audit logs: Retained for 5 years;
- Backup deletion: Backups purged within 30 days of primary deletion.
8. Data Security
We implement technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+) and at rest;
- Bcrypt password hashing;
- JWT-based authentication with role-based access control;
- Complete audit trail of all data access and modifications;
- Regular security assessments and vulnerability testing;
- Access restricted to authorized personnel only.
9. Your Rights
Under LGPD (Brazil)
You have the right to: confirmation of processing; access; correction; anonymization, blocking, or deletion of unnecessary data; data portability; information about sharing; revocation of consent; and to petition the ANPD.
Under GDPR (EU/EEA)
You have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing; not be subject to solely automated decisions; and lodge a complaint with a supervisory authority.
Under CCPA (California, USA)
You have the right to: know what data we collect; request deletion; opt-out of sale (we do not sell data); non-discrimination for exercising your rights.
Under HIPAA (USA)
For protected health information (PHI), you have the right to: access your PHI; request amendments; obtain an accounting of disclosures; request restrictions on uses.
10. HIPAA Compliance
When processing Protected Health Information (PHI) from United States entities, we:
- Act as a Business Associate under HIPAA;
- Execute Business Associate Agreements (BAAs) with covered entities;
- Implement required administrative, physical, and technical safeguards;
- Report security breaches as required by the Breach Notification Rule;
- Maintain minimum necessary access to PHI.
11. Children's Privacy
The Service is not intended for individuals under 18. We do not knowingly collect personal data from minors except as patient health data entered by authorized healthcare professionals with proper consent.
12. Cookies and Tracking
For details about our use of cookies and similar technologies, please see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.
14. Contact and Complaints
For privacy-related queries or to exercise your rights:
Email: privacy@regisscale.com
DPO: dpo@regisscale.com
You may also file a complaint with:
- Brazil: ANPD (Autoridade Nacional de Proteção de Dados)
- EU: Your local Data Protection Authority
- USA: HHS Office for Civil Rights (HIPAA) or your state attorney general