Privacy Policy
Effective Date: March 1, 2026 · Last Revised: March 5, 2026
1. SCOPE AND APPLICATION
This Privacy Policy (“Policy”) governs the collection, processing, storage, transfer, and disposal of all Personal Data and Protected Health Information (“PHI”) submitted to, transmitted through, or generated by the BE SATAS platform (“Platform”), operated by BE SATAS LLC, a Delaware limited liability company (“Company,” “we,” “us,” or “our”), its subsidiaries, affiliates, and authorized service providers. By accessing, using, or submitting any information to the Platform, You (“User,” “Patient,” “Practitioner,” or “You”) expressly and irrevocably consent to the practices described herein.
This Policy applies regardless of the device, medium, or jurisdiction from which You access the Platform, and survives any termination of Your relationship with the Company.
2. DATA COLLECTION AND CATEGORIES
We collect and process the following categories of data, each of which is encrypted at rest using AES-256-GCM symmetric encryption with application-layer key management:
2.1 Identity Data: Full legal name, email address, telephone number, postal address, government-issued identification numbers (including cédula or national ID), date of birth, medical license numbers, professional credentials, and biometric authentication data (where applicable).
2.2 Health Data: Medical history as voluntarily disclosed, treatment preferences, Signal data (clinical recommendations issued by Practitioners through the Platform, including substance protocols, dosages, routes of administration, and scheduling), substance administration records, vital signs captured during clinical visits, adverse reaction reports, and all communications between Patient and Practitioner conducted through the Platform.
2.3 Financial Data: Payment method details, transaction histories, invoice records, credit terms, outstanding balances, and proof-of-payment documentation. The Company does not store unencrypted credit card numbers; all payment processing is delegated to PCI-DSS-compliant third-party processors.
2.4 Technical Data: IP addresses, browser fingerprints, device identifiers, session tokens, authentication logs, API request logs, geolocation data derived from IP addresses, and cookie identifiers.
2.5 Behavioral Data: Platform usage patterns, navigation paths, feature interactions, and aggregate analytics derived from anonymized usage data.
3. ENCRYPTION AND SECURITY ARCHITECTURE
All Personally Identifiable Information (“PII”) is encrypted prior to database persistence using AES-256-GCM authenticated encryption. Encryption keys are managed at the application layer and are never stored alongside ciphertext. Lookup operations utilize SHA-256 cryptographic hashes to enable retrieval without decryption of stored PII.
THE COMPANY EMPLOYS COMMERCIALLY REASONABLE SECURITY MEASURES. HOWEVER, NO SYSTEM IS IMPENETRABLE. THE COMPANY EXPRESSLY DISCLAIMS ANY WARRANTY, EXPRESS OR IMPLIED, THAT THE PLATFORM IS OR WILL REMAIN FREE FROM UNAUTHORIZED ACCESS, DATA BREACHES, OR SECURITY VULNERABILITIES. YOUR USE OF THE PLATFORM CONSTITUTES ACCEPTANCE OF THIS INHERENT RISK.
4. LAWFUL BASIS FOR PROCESSING
Personal Data is processed under one or more of the following legal bases: (a) Your explicit, informed consent as provided at the point of data collection; (b) the necessity of processing for the performance of a contract to which You are party; (c) compliance with legal obligations to which the Company is subject, including but not limited to applicable data protection and health information privacy laws in the jurisdictions in which the Company operates; (d) the legitimate interests of the Company in providing, improving, and securing the Platform, provided such interests are not overridden by Your fundamental rights.
5. DATA SHARING AND THIRD-PARTY DISCLOSURE
5.1 We share Personal Data with: (a) licensed medical practitioners registered on the Platform, solely to the extent necessary for clinical evaluation and Signal issuance; (b) licensed nursing professionals, solely to the extent necessary for appointment fulfillment and substance administration; (c) fulfillment and logistics partners, limited to encrypted shipping addresses and order identifiers; (d) payment processors, limited to transaction data necessary for payment authorization; (e) email service providers, limited to email addresses for transactional communications.
5.2 We may disclose Personal Data without Your consent when required by: (a) valid court orders, subpoenas, or governmental orders; (b) applicable law or regulation; (c) the protection of the Company’s legal rights, property, or safety; (d) the investigation of suspected fraud, terms of service violations, or illegal activity.
5.3 THE COMPANY SHALL NOT BE LIABLE FOR ANY DISCLOSURE REQUIRED BY LAW, REGULATION, OR JUDICIAL ORDER, NOR FOR ANY DOWNSTREAM USE OF DATA BY THIRD PARTIES ACTING OUTSIDE THE SCOPE OF THEIR CONTRACTUAL OBLIGATIONS TO THE COMPANY.
6. DATA RETENTION
Personal Data is retained for: (a) the duration of the User’s active relationship with the Platform; (b) a minimum of ten (10) years following the last clinical interaction, as required by applicable medical record retention regulations; (c) such additional period as required by applicable tax, accounting, or regulatory requirements. Audit logs, transaction records, and compliance-related data are retained indefinitely.
7. YOUR RIGHTS
Subject to applicable law and verification of identity, You may exercise the following rights by submitting a written request to privacy@besatas.com: (a) Access — obtain confirmation of whether Personal Data is being processed and request a copy; (b) Rectification — request correction of inaccurate or incomplete data; (c) Deletion — request deletion of data no longer necessary for the purposes collected, subject to mandatory retention periods; (d) Objection — object to processing based on legitimate interests.
The Company will respond to verified requests within fifteen (15) business days. The Company reserves the right to deny requests that are manifestly unfounded, excessive, or that conflict with legal retention obligations.
8. INTERNATIONAL DATA TRANSFERS
The Platform infrastructure may process and store data in multiple jurisdictions, including the United States and Colombia, for the purposes of cloud hosting, content delivery, fulfillment coordination, and disaster recovery. By using the Platform, You expressly consent to such international transfers. The Company implements appropriate contractual and technical safeguards to ensure data protection standards consistent with applicable law.
9. COOKIES AND TRACKING TECHNOLOGIES
The Platform uses strictly necessary cookies for authentication, session management, and locale preferences. The Platform does not deploy third-party advertising cookies or cross-site tracking technologies. By using the Platform, You consent to the use of these strictly necessary cookies.
10. CHILDREN'S PRIVACY
The Platform is not directed at, and does not knowingly collect Personal Data from, individuals under the age of eighteen (18). Age verification is enforced at the point of account creation. If the Company becomes aware that data has been collected from a minor, such data will be promptly deleted and the associated account terminated.
11. AMENDMENTS
The Company reserves the right to modify this Policy at any time, with or without prior notice. The “Last Revised” date at the top of this Policy indicates the most recent revision. Continued use of the Platform following any modification constitutes Your binding acceptance of the revised Policy.
12. GOVERNING LAW
This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of Delaware.
13. CONTACT
Data Controller: BE SATAS LLC
Privacy Inquiries: privacy@besatas.com