Privacy Policy
Contents
- Introduction and Scope
- Data Controller
- Personal Data We Collect
- How We Collect Your Data
- Legal Basis for Processing
- Purposes of Processing
- Data Sharing and Disclosure
- International Data Transfers
- Data Retention
- Your Data Protection Rights
- Cookies and Tracking Technologies
- Data Security
- Minors and Age Restriction
- Third-Party Services and Links
- Changes to This Policy
- Contact and Complaints
1. Introduction and Scope
The Clinical Lighthouse ("Company," "we," "us," or "our") respects your privacy and is committed to processing your personal data lawfully, fairly, and transparently. This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect personal data in connection with your use of the Platform at https://theclinicallighthouse.com.
This Policy applies to all Users of the Platform: Visitors, Free Users, Subscribers, and newsletter recipients. It covers personal data collected through the Platform website, newsletter, and any associated features or communications.
This Policy is designed to comply with the Brazilian Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). Where the Platform is accessed by Users in the European Economic Area or the United Kingdom, we also comply with the GDPR (Regulation 2016/679) and UK GDPR respectively. Where standards under LGPD and GDPR differ, we apply the higher standard.
This Policy is incorporated by reference into our Terms of Service. By using the Platform, you acknowledge that you have read and understood this Policy.
2. Data Controller
The data controller for personal data processed through this Platform is The Clinical Lighthouse.
We have designated a responsible person for data protection matters, reachable at the Data Protection Contact address listed in Section 16. While we do not currently meet the threshold requiring a formally appointed DPO under LGPD, we treat our data protection contact as fulfilling an equivalent function. EU/EEA Users may contact the same address for GDPR-related matters.
3. Personal Data We Collect
We apply a data minimization principle: we collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes described below.
3.1 Account and Registration Data
Collected when you create an account:
- Full name
- Email address
- Professional category (e.g., physician, resident, student)
- Password (stored exclusively in hashed, non-reversible form using industry-standard algorithms — never in plain text)
3.2 Subscription and Billing Data
Collected when you purchase a subscription:
- Subscription tier, status, and renewal dates
- Transaction reference number and billing date
- Country of billing address (for tax compliance purposes)
Full payment card details, bank account details, and CVV codes are handled exclusively by our third-party payment processors. We do not receive, process, or retain this sensitive financial data.
3.3 Usage and Behavioral Data
Collected automatically when you interact with the Platform:
- Articles viewed and reading history
- Inferred content preferences and specialty interests (derived from reading behavior)
- Session duration, frequency, and navigation patterns
- Device type, operating system, and browser version
- IP address and approximate geolocation (country and city level — not precise location)
- Referring URL and exit pages
This data is used solely to improve Platform functionality and personalize your reading experience. It is never sold, rented, or shared with advertising networks or data brokers.
3.4 Communication Data
- Email address for transactional communications (account confirmations, password resets, billing receipts, and security alerts)
3.5 Voluntarily Provided Data
- Feedback, support requests, or correspondence submitted to us
- Professional credential documentation provided for eligibility verification
3.6 Data We Do Not Collect
We do not collect sensitive categories of personal data (as defined under LGPD Art. 11 and GDPR Art. 9), including health data about Users themselves, racial or ethnic origin, political opinions, religious beliefs, biometric data, or criminal record data. We do not collect data from minors.
4. How We Collect Your Data
- Directly from you: when you register, subscribe, fill out forms, contact support, or provide feedback.
- Automatically: via server logs, cookies, and analytics tools when you access or interact with the Platform.
- From payment processors: transaction status and billing reference data only.
We do not purchase, acquire from, or share data with third-party data brokers, data marketplaces, or marketing list providers.
5. Legal Basis for Processing
All processing of personal data is carried out only where a valid legal basis exists under LGPD and/or GDPR:
- Performance of a contract (LGPD Art. 7(V) / GDPR Art. 6(1)(b)): account creation, service delivery, and subscription management. Without this processing, we cannot provide the Platform to you.
- Consent (LGPD Art. 7(I) / GDPR Art. 6(1)(a)): newsletter subscriptions and non-essential cookies. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time without detriment.
- Legitimate interests (LGPD Art. 7(IX) / GDPR Art. 6(1)(f)): Platform security, fraud prevention, product analytics, and improvement of editorial quality. We have conducted a balancing assessment and determined these interests are not overridden by your data protection rights.
- Legal obligation (LGPD Art. 7(II) / GDPR Art. 6(1)(c)): compliance with Brazilian tax law, ANPD orders, court orders, and applicable regulatory requirements.
We do not engage in fully automated individual decision-making (including profiling) that produces legal or similarly significant effects on you without your explicit consent.
6. Purposes of Processing
We process personal data strictly for the following purposes and no others without additional consent or a separate legal basis:
- Account creation, authentication, and management.
- Delivery of Platform content and subscription services.
- Personalization of reading experience based on inferred interests.
- Transactional communications: account confirmations, billing receipts, password resets, and service notifications.
- Payment processing and subscription billing.
- Aggregated, anonymized analytics on Platform usage patterns.
- Fraud prevention, security monitoring, and abuse investigation.
- Enforcement of our Terms of Service and legal rights.
- Compliance with legal, regulatory, and judicial obligations.
We will not use your data for purposes incompatible with those listed above without first providing notice and obtaining consent or establishing a separate legal basis.
7. Data Sharing and Disclosure
We do not sell, rent, lease, or trade your personal data to any third party for commercial purposes. Disclosure occurs only in the following limited and controlled circumstances:
7.1 Service Providers (Sub-Processors)
We engage vetted third-party processors who act under our written instructions and are contractually bound to data protection standards at least equivalent to those in this Policy:
- Payment processors (e.g., LemonSqueezy, Stripe): subscription billing and payment management only.
- Email service providers: delivery of transactional communications.
- Cloud infrastructure and hosting providers: Platform operation and secure data storage.
7.2 Legal Compulsion
We may disclose personal data to law enforcement, courts, or regulatory authorities (including the ANPD) if required by a valid legal process, court order, or applicable law. We will notify you of such requests where legally permitted to do so.
7.3 Corporate Transactions
In the event of a merger, acquisition, restructuring, or sale of all or part of the Company, personal data may be transferred as a business asset. We will notify you at least 30 days before such a transfer takes effect and, where required by law, seek your consent.
7.4 Safety and Rights Protection
We may disclose data where reasonably necessary to: protect the safety of any person; protect the rights, property, or security of the Company; or detect, prevent, or address fraud or security incidents.
8. International Data Transfers
Our infrastructure is primarily located in Brazil. Some third-party service providers operate internationally, which may involve transferring your data to countries outside Brazil or the EEA that may not have equivalent data protection laws.
Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, for transfers subject to GDPR.
- Contractual protections consistent with ANPD guidance, for LGPD-governed transfers.
- Due diligence assessments of recipient processors' security standards.
You may request information about the safeguards in place for specific transfers by contacting us at sac@beyond78.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes in this Policy or as required by applicable law. Our standard retention periods are:
| Data type | Retention period |
|---|---|
| Account data | Duration of active account + 5 years after closure |
| Subscription and payment records | Up to 10 years (Brazilian fiscal law) |
| Usage and behavioral data | Duration of active account; aggregates may be retained indefinitely |
| Newsletter subscription data | Until unsubscribed + 6 months (suppression list) |
| Support and correspondence | Up to 3 years following resolution |
| Security logs and incident records | Up to 2 years |
After the applicable retention period, data is securely and irreversibly deleted or anonymized. Your right to request deletion is subject to our right to retain data where required by law.
10. Your Data Protection Rights
10.1 Rights Under LGPD (All Users)
Under LGPD Art. 18, you have the following rights, exercisable subject to legal limitations:
- Confirmation and access: to confirm whether we process your data and to obtain a copy (Art. 18(I) and (II)).
- Correction: to correct incomplete, inaccurate, or outdated personal data (Art. 18(III)).
- Anonymization, blocking, or deletion: of unnecessary, excessive, or unlawfully processed data (Art. 18(IV)).
- Portability: to receive your data in a structured, machine-readable format (Art. 18(V)).
- Third-party information: to know which entities we have shared your data with (Art. 18(VII)).
- Consent withdrawal: to withdraw consent at any time without affecting prior lawful processing (Art. 18(IX)).
- Objection to processing: to object to processing in breach of LGPD provisions (Art. 18(II)).
- ANPD complaint: to file a complaint with the Autoridade Nacional de Proteção de Dados — anpd.gov.br.
10.2 Additional Rights Under GDPR (EU/EEA/UK Users)
Users in the EU, EEA, or UK additionally have:
- Right to erasure (Art. 17 GDPR): to request deletion of your data in defined circumstances, including withdrawal of consent.
- Right to restriction of processing (Art. 18 GDPR): to limit processing in defined circumstances.
- Right to object (Art. 21 GDPR): to processing based on legitimate interests or for direct marketing.
- Right to lodge a complaint with your national supervisory authority (e.g., CNIL — France; Garante — Italy; ICO — UK; AEPD — Spain).
10.3 Exercising Your Rights
Submit a written request to sac@beyond78.com including: your full name, registered email address, the right you wish to exercise, and sufficient information to verify your identity. We do not require excessive documentation — identity verification is proportionate to the request.
Response timeframes: 15 days under LGPD; 30 days under GDPR (extendable by 60 days for complex requests, with prior notice). We will not charge a fee for first-time requests. Manifestly unfounded or repetitive requests may be subject to a reasonable administrative fee or declined, with written explanation.
11. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary cookies: essential for the Platform to function (session management, authentication, CSRF protection). These cannot be disabled without breaking core functionality.
- Functional/preference cookies: remember your settings, language preferences, and reading history across sessions.
We do not use: advertising cookies; analytics trackers; behavioral retargeting pixels; social media tracking pixels; or any cookies that transmit personal data to third-party networks.
You may manage cookie preferences at any time through your browser settings. Disabling functional cookies may affect your experience (e.g., theme preference will not be remembered).
12. Data Security
We implement a layered set of technical and organizational security measures proportionate to the sensitivity of the data and the risks of processing:
- TLS/HTTPS encryption for all data in transit between your device and our servers.
- Industry-standard one-way cryptographic hashing for all stored passwords.
- Role-based access controls limiting personal data access to authorized personnel on a need-to-know basis.
- Logical separation of production and non-production environments.
- Regular security assessments and infrastructure monitoring.
- Documented incident response procedures for detection, containment, and notification of security events.
No information system is completely secure. In the event of a personal data breach that poses a risk to your rights, we will notify you and the ANPD within 72 hours in accordance with LGPD Art. 48, and relevant EU supervisory authorities within 72 hours under GDPR Art. 33.
13. Minors and Age Restriction
The Platform is not intended for, and does not knowingly collect personal data from, individuals under the age of 18. Our eligibility criteria require Users to be adult healthcare professionals or students.
If we become aware that we have inadvertently collected personal data from a minor, we will promptly delete it. If you believe a minor has submitted data to us, please contact sac@beyond78.com immediately.
14. Third-Party Services and Links
The Platform may link to third-party websites, journal portals, or databases. This Policy does not govern those sites. We are not responsible for their privacy practices and encourage you to review their policies independently.
Our payment processors and email service providers process your data under their own privacy policies. Links to their policies are available on their respective websites.
15. Changes to This Policy
The current version of this Policy will always be maintained at https://theclinicallighthouse.com/privacy. We may update this Policy to reflect changes in law, regulatory guidance, or our data practices.
For material changes — those affecting your rights or how we process your data — we will provide at least 30 (thirty) days' prior notice by email and Platform notification. For minor or non-substantive changes, we will update the effective date without specific notification.
Continued use of the Platform after any material change takes effect constitutes acceptance of the revised Policy.
16. Contact and Complaints
The Clinical Lighthouse
Data Protection Contact: sac@beyond78.com
Website: https://theclinicallighthouse.com
We will acknowledge all requests within 5 (five) business days and aim to resolve them within the statutory timeframes in Section 10.
If you are dissatisfied with our response, you may escalate to:
- ANPD (Brazil): anpd.gov.br
- Your national EU/EEA data protection authority.
- ICO (United Kingdom): ico.org.uk