Privacy Policy


The Privacy Policy of Once Medical (we, us, our) is designed to regulate the privacy matters of Once Medical (Platform) and is based on the Personal Data legislation. This Privacy Policy is based on data protection principles and requirements adopted by virtue of the European General Data Protection Regulation 2016/679 (GDPR) with California Consumer Privacy Act 2019 (CCPA) and Brazil’s Lei Geral de Proteção de Dados 2020 (LGPD).

This Privacy Policy may be updated from time to time and you will be informed about any such updates. More details concerning the collection or processing of Personal Data may be requested from us at any time.


All the terms listed below shall also have meaning assigned to them in GDPR and LGPD.

PERSONAL DATA means data allowing to identify the natural person directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.;

PROCESSING means any operation or set of operations that is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or destruction;

DATA SUBJECT is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular Personal Data.


  1. Once Medical shall be considered a data owner and data controller in relationships with Data Subject. We acknowledge the privacy of natural persons and make efforts to protect them against any unlawful Processing by applying relevant technical and organizational measures to protect Personal Data of natural persons in accordance with the effective legislation. Although we will make reasonable efforts to ensure safe Processing, we cannot guarantee it to be 100% secure and risk-free.
  2. We process personal data in a way that assures appropriate level of security, including protection against unauthorized Processing, destruction, accidental loss, or damage, while applying suitable organizational and technical measures under industry standards and in compliance with the following principles: (1) lawfully, fairly and transparently; (2) Processing is specified, explicit and only for legitimate purposes; Processing is adequate, relevant and limited to necessary purpose; accurate and kept up to date; limitation of the storage for periods not longer than necessary; Processing is held in a manner that ensures appropriate security of the Personal Data.
  3. We Processes Personal Data only when one of the conditions below applies: (1) it is required for the performance of agreement with the Data Subject; (2) it is required for compliance with the law or our legal obligation; (3) Data Subject has provided us with consent for Processing of their Personal Data for one or more specific purposes; (4) Personal data is Processed for our Legitimate Purpose.
  4. When it comes to California consumers, we will not discriminate against your rights granted by CCPA. Unless permitted by the CCPA, we will not: (1) reject your request for goods or services on the basis of discrimination; (2) provide to California based consumers different prices for goods or services, including through granting discounts or other benefits; (3) render to California based consumers different level or quality of goods or services in comparison to our other clients.
  5. Notwithstanding the aforementioned, we may, at our own discretion, offer California based consumers certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will contain written terms that describe material aspects.
  6. We do not knowingly Process Personal Data that related to, or reveal, racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning the health, sex life or sexual orientation of the natural person.
  7. We apply the following principles in order to protect your privacy: (a) we will not sell or lease your Personal Data to third parties; (b) any Personal Data that you provide to us will be secured with industry-standard safety protocols and technology.

Contact data

Email, address and/or mobile phone number

Financial data

Bank account and payment card details, tax identifiers (like VAT number)

Third-party account data

Third-party account identifiers, third party account login credentials

Identity data

First name, last name, username

Marketing data

Preferences in receiving marketing from us

Communication data

Messages you send to us

Technical data

Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system

We process Personal Data under the following legal basises:

  1. On the basis of consent Art. 6 (1) (a) GDPR; Art 7 (I) LGPD.
  2. For other legitimate interests, unless those interests are overridden by Data Subject’s or fundamental rights and freedoms that require protection of personal data. For example, we rely on our legitimate interest when it comes to (1) diagnostic analytics to assess the number of visitors, posts, page views, reviews for further optimization of our Platform; (2) optimization of our visitors’ experience; (3) fraud prevention; (4) network and information security, (5) analysing customer satisfaction.

Purpose/ Activity

Type of data

Lawful basis for Processing

To register Data Subject account

Identity data, contact data, third party account data

to perform our contractual obligations with you

To provide our services

Identity data, contact data, financial data, marketing data, communication data

(1) to perform contract with Data Subject;

(2) as necessary for our legitimate interest in recovering debts

To manage our relationship with Data Subject

Identity data, contact data, profile data, marketing data

(1) to perform our contract with You;

(2) as necessary to comply with our legal obligations

To deliver relevant content/advertisements to Data Subject and measure or understand the effectiveness of our advertising

Identity data, contact data, profile data, marketing data, technical data

(1) as necessary for our legitimate interests in studying how customers use our products/services, to develop them;

(2) to grow our business and to inform Data Subject about our marketing strategy

To use data analytics to improve our platform, services, marketing, customer relationships and experiences

technical data

to keep our PLATFORM updated and relevant, to develop our business and to inform our marketing strategy

To make suggestions and recommendations about goods or services that may be of interest to Data Subject, including promotional offers

Identity data, contact data, technical data, profile data

as necessary for our legitimate interests to develop our products/services and grow our business


We may disclose Personal Data to the following categories of persons:

Service providers

acting as data processors or data controllers/joint data controllers based in the EEA but also around the world who provide software development services, marketing services, IT and system administration services. This includes following categories:

1. Hosting services providers

2. Payments processors

3. Analytics Services providers

4. E-mail campaigns automation services providers

5. Affiliates tracking services providers

Professional advisors

acting as data processors or data controllers/joint data controllers including lawyers, bankers, auditors and insurers based in the EEA but also around the world, who provide consultancy, banking, legal, insurance, and accounting services

Tax services, regulators and other authorities

acting as processors or joint controllers based in the EEA who require reporting of Processing activities in certain circumstances

Third parties

third parties, who may or whom we may purchase. We may share your Personal Data as part of change in control, merge or sale, or in preparation for any of these events.


market researchers, fraud prevention agencies

When service providers are located outside EEA, we either enter into a data processing agreement with standard (“model”) contractual clauses, or ensure that the transfer is pursuant to another valid mechanism under GDPR.

You retain at all times the possibility to object replacement of data controller, contractors or subprocessors that handle your personal data or to terminate the contract with us.


  1. Rights of the data subject
  2. Right to rectification. Data Subject has the right to request to rectify, without undue delay, any incorrect data pertaining to the respective Data Subject.
  3. Right to limitation of processing. Data Subject can limit the use of Personally Data collected.
  4. Right of access. User may request a copy of Personal Data collected during the use of Platform.
  5. Objecting to or restricting the use of Personal Data. Data Subject can ask to stop using all or some portion of Personal Data or limit the use thereof by requesting its erasure as described above or sending a request at
  6. The right to lodge a complaint with a supervisory authority. User has the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State where Data Subject resides, work or where the alleged infringement has taken place.
  7. The right to data portability. Data Subject can receive Personal Data in a machine-readable format by sending a respective request at
  8. Execution of rights
  9. Upon Data Subject request we will provide the information free of charge. However, we may charge a reasonable fee if the Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the Data Subject request in these circumstances.
  10. Data Subjects exercise their rights by filing a written request containing as a minimum the following information: (1) name, postal address, email address and other data allowing identification of the respective natural person; (2) description of the request; (3) signature, date, correspondence address and mobile number.
  11. The filing of the request is free of charge.
  12. Upon the filing of a request by an authorized person, the notarised power of attorney must be attached to the request.
  13. In case of death of the natural person, his / her heirs exercise his / her rights and the certificate of heirs shall be attached to the request.
  14. We will review and pronounce on the request within 1 month as of its filing. This period may be extended by further two months, if necessary, for example, if Data Subject request is particularly complex or when Data Subject has made a number of requests. We will inform Data Subject as to any such extension within 1 month as of receipt of the request, stating the reasons for the delay.
  15. We will provide an answer to the requesting person taking into account their preferred form for the provision of the information (orally or in writing – as a hard copy of electronically).
  16. Where data do not exist or law forbids their provision, access to the requesting party to such data is refused.
  17. If the requesting party is not satisfied with the response received and/or believes that their rights related to Personal Data protection were violated, they are entitled to exercise their right to defense.


  1. Access to Specific Information and Data Portability Rights
  2. California Consumers have the right to request information about what information was Processed over the past 12 months. Once we receive your request and confirm that you are consumer, we will disclose to you:
  • The categories of sources for Personal Data we collected about you.
  • The Personal Data we collected about you (also called a data portability request).
  1. All other information is already disclosed herein. For the avoidance of doubts, we do not sell California based consumers Personal Data.
  2. Deletion Request Rights
  3. California Consumers have the right to request the deletion of Personal Data Processed, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete Personal Data from our records, unless Personal Data is necessary for us or our service provider(s) to (1) complete the transaction for which we collected the Personal Data, provide a good or service that Consumer requested, take actions reasonably anticipated within the context of our ongoing business relationship with Consumer, or otherwise perform our contract; (2) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (3) debug products to identify and repair errors that impair existing intended functionality; (4) exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (5) comply with a legal obligation; make other internal and lawful uses of that information that are compatible with the context in which Consumer provided it.
  4. Exercising Access, Data Portability, and Deletion Rights
  5. To exercise the access, data portability, and deletion rights described above, you should submit a verifiable consumer request to Only consumers based in California, or a person registered with the California Secretary of State that Data Subject authorize to act, may make a verifiable consumer request related to Personal Data.
  6. Consumers can make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (1) provide sufficient information that allows us to reasonably verify the consumer is the person about whom we collected Personal Data; and contain description allowing us to properly understand, evaluate, and respond to it.
  7. We cannot respond to the request or provide the consumer with Personal Data if we cannot verify the consumer identity or authority to make the request and confirm the relation of Personal Data.
  8. Response Timing and Format
  9. The verifiable consumer request shall be responded within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. The responding is free of charge unless it is excessive, repetitive, or manifestly unfounded.
  11. If you are Data Subject from Brazil, according to Art 18 of LGPD we allow you exercise the following rights:
  12. The right to confirmation of the existence of the processing;
  13. The right to access the data;
  14. The right to correct incomplete, inaccurate or out-of-date data;
  15. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
  16. The right to the portability of data to another service or product provider, by means of an express request;
  17. The right to delete personal data processed with the consent of the data subject;
  18. The right to information about public and private entities with which the controller has shared data;
  19. The right to information about the possibility of denying consent and the consequences of such denial; and
  20. The right to revoke consent.
  21. You can execute your rights by sending email to
  22. We will provide you with a response within:
  23. Response to the right of access request will be provided within 15 days from the moment we received your request and verify your identity.
  24. Other requests will be executed within reasonable time, but not more than 30 days from the moment we received your request and verified your identity.
  25. Upon Data Subject request we will provide the information free of charge. However, we may charge a reasonable fee if the Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the Data Subject request in these circumstances.
  26. Upon the filing of a request by an authorized person, the notarised power of attorney must be attached to the request.
  27. In case of death of the natural person, his / her heirs exercise his / her rights and the certificate of heirs shall be attached to the request.
  28. PLACE

Personal Data is processed at our operating offices and in any other places where the parties involved in the processing are located. It may be necessary to transfer collected Personal Data to countries outside of the European Union for Processing purposes.


Personal Data shall be processed and stored for as long as required by the purpose they have been collected for. Personal Data collected for purposes related to the performance of a contract shall be retained until such a contract has been fully performed. Personal Data collected for the purposes of our legitimate interests shall be retained as long as needed to fulfill such purposes. Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period.


We do not knowingly Process any Personal Data from persons under 18 years of age. If you learn that anyone younger than 18 has provided us with Personal Data, please contact us at


Our Platform contains links to other websites, services, and web addresses. This privacy policy applies only to our Platform, not those external websites, services and web addresses that we link to. We are not responsible for these external websites and services and their privacy policies, practices and compliance with the law.



DATA CONTROLLER ADDRESS: Unit B, 3/F, Kai Wan House 146, Tung Choi Street Mongkok, Kowloon, Hong Kong




Cookies are small text files sent by us to your computer or mobile device. They are unique to your account or your browser. Session-based cookies last only while your browser is open and is automatically deleted when you close your browser. Persistent cookies last until you or your browser deletes them or until they expire. To find out more about cookies, visit

We use cookies to analyze trends, administer the website, track users’ movements around the website, and to gather our website audience. Most of our cookies are session-based, which is stored for a certain period of time.

See below for the types of cookies we use and their respective purposes.

Cookies type


Functionality cookies (Necessary cookies)

We use functionality cookies that support certain functionalities of our website, prevent failures and errors.

Security cookies (Necessary cookies)

We use cookies to enable and support our security features, and to help us detect malicious activity.

Advertising cookies

We use advertising cookies for targeting advertising, measurement of the advertising effectiveness, distinguishing users of third party platforms, showing the correct version of the website. We may use cookies to help us deliver marketing campaigns and track their performance.

For this purpose we use:

Statistics cookies

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

We use Statistic cookies to recognize visitors who chat with us, identify user’s device, identify what information has been seen by the user, minimize the blocking of legitimate users.

For this purpose we use:

Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust. By doing so, you may not be able to access all or parts of our website.