Privacy Policy

Introduction

At Merlin, we value our users’ privacy and are committed to protecting their personal data. This privacy policy aims to inform you about how we collect, use, and protect the information you provide when using our services. Merlin is a product of the company Kunan SA, and by using Merlin, you accept the terms of this privacy policy.

The protection of not only personal data but also all data flowing through our platform is our top priority.

In the Argentine Republic, the comprehensive protection of personal data is governed by Law No. 25,326, in effect since 2000.

Additionally, Annex I of Resolution 47/2018 of the Public Information Access Agency, «Recommended Security Measures for the Processing and Storage of Personal Data in Computerized Media,» describes the processes that must be considered to ensure compliance with the law.

Our goal is to provide services in accordance with current legislation and, at the same time, provide our clients with all the necessary tools to easily comply with the requirements of this regulation.

The data controller is the principal responsible for processing personal data. The essential prerequisite is the existence of an appropriate legal basis for processing personal data, which the data controller must have to perform this task, and gather the tools to ensure that such personal data are sufficiently protected. The data processor is a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller. What distinguishes the data controller from the data processor is that the data processor can only perform the processing operations entrusted by the controller or resulting from the activity entrusted by the controller.

KUNAN SA acts as a data processor, providing services to the data controller. In the context of Merlin, our clients act as data controllers. For example, our clients decide:

What information about their patients is transferred to their Merlin account, What messages, through our application, they wish to send to their patients.

The appointment of Merlin as the data processor by the controller is carried out by signing the acceptance of the general terms of use of our service contract.

Purpose of the Technological Product

Merlin is a conversational assistant designed to offer advanced appointment management and communication services for healthcare facilities. Our goal is to provide our clients, whether they are clinics, hospitals, or medical offices, with a powerful and easy-to-use tool that allows them to manage their appointment schedules, communicate efficiently with their patients, and optimize their administrative processes.

Personal Data Collected

Merlin collects a variety of personal data to provide our services effectively. This data may include, but is not limited to:

• First and Last Name
• Email Address
• Phone Number
• Medical appointment details, such as date, time, healthcare professional, specialty, location, and hospital.

In addition to this data, we may also collect non-personally identifiable information, such as interaction history with our service.

Where are Merlin’s servers located? For clients in the Argentine Republic, servers are located in Argentina and other countries in the region such as Brazil, Chile, Uruguay, and Amazon Web Services.

Methods of Data Collection

Personal data is collected applying the principle of data minimization, through various means including:

• Direct interactions with the conversational assistant, where the end user and/or healthcare institution operators actively provide information during appointment scheduling or communication with their doctor. The platforms used for this purpose are:
  • WhatsApp (https://www.whatsapp.com/legal/privacy-policy-eea)
  • Webchat
  • Physical kiosks
  • Slack (https://slack.com/intl/en-ar/trust/privacy/privacy-policy)

In this regard, it should be clarified that the end user of the assistant has other communication channels with the institution responsible for processing their personal data.

• Integration flows with healthcare facility management systems (HIS), allowing automatic synchronization of data between Merlin and other systems used by the client.

User Rights Over Their Data

We recognize and respect the rights of users over their personal data. These rights include:

• Right of Access: You have the right to access the personal information we have collected about you and to obtain details about how it is used.
• Right of Rectification: If the information we have about you is incorrect or outdated, you have the right to correct it.
• Right of Erasure: You may request the deletion of your personal data from our database if it is no longer necessary for the purposes for which it was collected.
• Right to Object: You have the right to object to the processing of your personal data in certain circumstances, such as direct marketing.
• Right to Data Portability: If requested, we can provide your personal data in a structured format so that you can transfer it to another data controller.

Sharing Collected Data

We understand the importance of protecting your privacy and commit not to share your personal data with third parties, except in the following circumstances:

• With your explicit consent.
• When necessary to comply with the law or protect our legal rights.
• With external service providers who help us provide our services, such as cloud storage providers or payment processors. In these cases, we ensure that these providers comply with strict privacy and security standards.

Data Security Measures

The security of your personal data is a priority for us. Therefore, we implement a series of technical and organizational measures to protect your data against loss, theft, or unauthorized access. These measures include:

• Data encryption to protect the transmission of sensitive information.
• Access controls to limit who can access information on our platforms.
• Regular monitoring of our security measures to detect and prevent potential security breaches.
• Periodic training of our staff on best practices for data security and privacy.

Data Retention Period

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. This may include:

• Keeping records of medical appointments to ensure proper follow-up of the patient’s medical history.
• Retaining certain data to comply with applicable laws and regulations, such as tax retention requirements.

Handling Data Security Breaches

In the event of a data security breach, we are committed to taking immediate action to protect your information and mitigate any negative impact. This may include:

• Notifying relevant authorities and affected individuals as required by applicable laws and regulations.
• Investigating the root cause of the breach and taking corrective actions to prevent similar incidents in the future.
• Providing assistance and resources to affected users to help them protect their personal information.

Questions and Contact

If you have any questions or concerns about our privacy policy or the handling of your personal data, please do not hesitate to contact our data protection officer at the following email: dpd@kunan.com.ar. We are here to help and address any issues that may arise.