COLUMNA SPA (the “Company”) is committed to protecting the privacy and personal data of all users, patients, and visitors of the www.columna.org website, a medical information site specialized in spinal health operated by COLUMNA SPA under the clinical direction of Dr. Yoshiro Sato as Medical Director, which also offers clinical orientation teleconsultations.
This Policy describes how we collect, use, store, share, and protect your personal information — including sensitive health data — in compliance with Law 19.628 on privacy protection, Law 21.719 on personal data (effective from December 2026), Law 20.584 on patient rights and duties, Law 21.541 on telemedicine, and other applicable Chilean regulations.
1. Data controller
| Field | Detail |
|---|---|
| Legal name | COLUMNA SPA |
| Tax ID (RUT) | 77.375.939-1 |
| Address | Avenida Ossa 235, La Reina, Santiago, Chile |
| Medical Director | Dr. Yoshiro Sato — SIS MINSAL Registry No. 393163 |
| General email | [email protected] |
| Privacy inquiries | [email protected] |
| Medical Director email (clinical inquiries) | [email protected] |
COLUMNA SPA is preparing to comply with the requirements regarding the Data Protection Officer set forth by Law 21.719 upon its entry into force (December 2026).
2. Data we collect
2.1 Identification and contact data
When you interact with the site or request a teleconsultation, we may collect: full name, ID number, email address, phone, date of birth, gender, city, and address (where applicable for billing).
2.2 Sensitive health data
If you request a teleconsultation or any of our medical services, we may collect:
- Clinical diagnosis, medical history, comorbidities, current medications
- Medical imaging (MRI, X-rays, CT scans) that you share for evaluation
- Symptoms and reasons for consultation described in forms or during the session
- Clinical notes generated during the teleconsultation by the assigned medical professional
Sensitive health data receives enhanced protection (Law 19.628 Art. 2 letter g, Law 21.719). Its processing requires explicit and informed consent, granted by accepting the terms of the operating platform we use for teleconsultation (see Section 4).
2.3 Browsing data
When you visit our site we automatically collect: IP address (anonymized by the analytics tool), browser and device type, operating system, language, screen resolution, pages visited, referrer URL, interaction events, and data generated by cookies (see Section 6).
2.4 Communication data
Content of emails, messages in contact forms, newsletter subscriptions, and communications with the team through the site’s official channels.
3. Purposes and legal basis for processing
Processing of your data is grounded in the following legal bases under Law 19.628 and Law 21.719:
| Legal basis | Applicable data | Purpose |
|---|---|---|
| Explicit consent | Sensitive health data, marketing, non-essential cookies | Clinical processing, commercial communications, analytics cookies |
| Contract execution | Identification, contact, payment | Delivery of contracted service, scheduling, operational communications |
| Legal obligation | Tax data, clinical record, consents | SII (invoicing), Law 20.584 (clinical record), telemedicine regulation |
| Legitimate interest | Browsing, site usage | Security, fraud prevention, service improvement, anonymized statistical analysis |
Minimization principle: we only collect data strictly necessary for each specific purpose.
4. Health data and consent
The teleconsultation is provided through a Chilean telemedicine platform certified under Law 21.541, Decree 6/2021, and NT 237 of MINSAL. The electronic clinical record, scheduling, payment, and video consultation are managed within the operating platform.
Informed consent for the medical act and processing of your clinical data is granted by accepting the operating platform’s Terms and Conditions when you schedule your appointment. This consent covers the telemedicine modality, recording where applicable, clinical confidentiality, data transfers required for platform operation, and your patient rights.
4.1 Restricted access to clinical data
Sensitive health data is accessible only by:
- The Medical Director, Dr. Yoshiro Sato (responsible for the medical act)
- The authorized clinical team supporting the specific case (physical therapist, general practitioner, or other specialists assigned with your authorization)
- The operating platform, acting as data processor under contractual confidentiality obligations
Strict separation: sensitive clinical data is stored exclusively in the telemedicine operating platform. It is not shared with social media, email marketing tools, or non-medical third parties, except in cases provided by law (judicial order, authorized referral, or health reporting obligation).
4.2 Rights over your clinical record (Law 20.584)
Under Law 20.584 on patient rights and duties, you have the right to:
- Access your complete clinical record
- Request a full copy of the medical file
- Be informed about its content in understandable form
- Designate a third party to access your record on your behalf
These requests are handled by the treating team within a reasonable period in accordance with applicable regulations. To exercise these rights, write to Dr. Yoshiro Sato ([email protected]) with the subject “Clinical Record Request”.
5. Data processors and international transfers
COLUMNA SPA does not sell, rent, or commercialize your personal data. To operate the site and services, we share strictly necessary data with technology providers for the following purposes:
- Hosting, security, and CDN for the site
- Corporate email and anonymized analytics
- Form processing and automations
- Telemedicine operating platform (clinical record, video consultation, payments)
- Educational newsletter delivery
These providers act as data processors under contractual confidentiality obligations. The updated list of providers is available upon request to [email protected].
International transfers (Art. 28 Law 21.719): some providers process data abroad. These transfers are based on Standard Contractual Clauses (SCCs) and/or international security certifications (ISO 27001, SOC 2, or equivalent).
Sensitive clinical data is stored exclusively in the telemedicine operating platform (Chile) and is not transferred abroad. If you prefer to avoid international transfers for non-clinical data, you can reject non-essential cookies in the consent banner.
Your data may also be communicated to third parties when required by judicial order or competent authority, when you explicitly consent, or when necessary for a medical referral with your prior authorization.
6. Cookies and tracking technologies
Our site uses cookies to improve navigation, analyze site usage, and measure content effectiveness. Cookies are managed centrally through a web tag management tool.
| Type | Purpose | Duration | Consent |
|---|---|---|---|
| Essential | Site functionality, session | Session / 30 days | Not required |
| Traffic analytics | Anonymous behavior, campaign, and conversion metrics | Up to 14 months | Yes |
| Marketing pixel | Advertising conversion measurement | 90 days | Yes |
Marketing pixel and health data: the pixel only registers general browsing events. It does not capture diagnoses, medical information, or content of clinical forms.
When you visit the site for the first time you’ll see a banner where you can accept all, only essential, or configure preferences. You can modify your choice at any time from the site configuration or by writing to [email protected].
7. Your rights over the data (ARCO+)
Under Law 19.628 and Law 21.719, you have the following rights over your personal data:
| Right | Description | Legal basis |
|---|---|---|
| Access | Know what data we hold about you, how we process it, and with whom we share it | Art. 12 Law 19.628; Art. 8 Law 21.719 |
| Rectification | Correct inaccurate, outdated, or incomplete data | Art. 12 Law 19.628; Art. 9 Law 21.719 |
| Deletion | Erase your data when no longer necessary or when you withdraw consent (subject to 15-year clinical record legal retention) | Art. 12 Law 19.628; Art. 10 Law 21.719 |
| Objection | Object to processing based on legitimate interest or for direct marketing | Art. 12 Law 19.628; Art. 11 Law 21.719 |
| Portability | Receive your data in structured format and transfer to another controller | Art. 12 Law 21.719 |
| Restriction | Temporarily restrict processing while accuracy is challenged or claims are resolved | Art. 11 bis Law 21.719 |
| No automated decisions | Not be subject to decisions based solely on AI. On the site, all clinical decisions are human, validated by a medical professional | Art. 15 Law 21.719 |
7.1 How to exercise your rights
- Send an email to [email protected] with the subject “ARCO Request”
- Include: full name, ID, the right you wish to exercise, a description of the request, and a copy of your ID for identity verification (the copy will be deleted once your identity is validated)
- Response time: 2 business days from receipt of complete request (Art. 12 Law 19.628)
- In complex cases, the time may be extended up to 10 additional business days with prior notice
- Exercising rights is free of charge
7.2 Limitations
- Clinical record deletion is subject to the 15-year legal retention period (Law 20.584 Art. 13, Decree 41/2012)
- Data required by legal obligation or for defense of legal claims cannot be deleted until applicable terms expire
- Cancellation of accounting and tax data follows Tax Code retention periods (6 years)
7.3 Right to file a complaint
If you consider that the processing of your data violates the regulations, you can file a complaint with:
- The Personal Data Protection Agency (when established under Law 21.719, December 2026)
- The Superintendence of Health if it affects your patient rights: www.supersalud.gob.cl · 600 6000 102
- Ordinary courts under Law 19.628
8. Security and breach notification
COLUMNA SPA implements technical and organizational measures to protect your data:
- HTTPS encryption (TLS 1.3) across the entire site
- Security headers: CSP, HSTS, X-Frame-Options, Permissions-Policy
- Multi-factor authentication (2FA) on administrative accounts
- Restricted access to sensitive data, role-based
- Encrypted backups and disaster recovery plan
- SPF / DKIM / DMARC configured against email spoofing
- Documented breach response protocol
8.1 Law 21.719 readiness (effective December 2026)
In anticipation of compliance:
- Data Protection Officer (DPO): functions will be performed in accordance with the requirements set forth by Law 21.719 upon its entry into force (December 2026)
- Data Protection Impact Assessment (DPIA): to be completed before the law’s entry into force, documenting risks associated with sensitive health data
- Processing activity records in compliance with the law
8.2 Breach notification
In case of a breach that poses a risk to your rights, COLUMNA SPA will:
- Notify the competent authority within the period established by applicable legislation
- Communicate the breach to affected data subjects if the risk is high
- Document the incident in accordance with the law
- Coordinate with the telemedicine operating platform and other providers under their response protocols
9. Data retention
| Data type | Period | Basis |
|---|---|---|
| Clinical record and health data | 15 years from last attention | Law 20.584 Art. 13 + Decree 41/2012 |
| Medical consents | 15 years (linked to clinical record) | Law 20.584 |
| Billing and tax data | 6 years | Tax Code / SII |
| Contractual data | 5 years from termination | Civil prescription |
| Newsletter subscription | Until you unsubscribe | Consent |
| General contact data | 12 months from last contact | Legitimate interest |
| Cookies and browsing | Up to 12 months | Consent / legitimate interest |
| Analytics cookies | 26 months (standard configuration) | Consent |
| Cookie consent records | 3 years | Compliance evidence |
| Security logs | 12 months | Legitimate interest |
Once retention periods end, data is irreversibly deleted or anonymized. Clinical data may be anonymized for statistical or scientific research purposes under Law 20.120.
10. Minors
The site and medical services are directed at persons over 18 years of age. We do not accept patients under 14 years of age.
For patients between 14 and 17 years with medical indication, consent must be granted by the legal representative.
If we become aware that we have collected data from a minor under 14 without proper authorization, we will delete it immediately. To report such a situation, write to [email protected].
11. Changes to this policy
COLUMNA SPA may modify this policy to reflect changes in processing practices, new technologies, or legal modifications. Substantial changes will be notified through:
- Publication on the site with the new update date
- Prominent notice on the site for at least 30 calendar days
- Email to subscribers and active patients when changes affect their rights
If changes affect the processing of sensitive health data or introduce new purposes, we will request your explicit consent before applying them to your data.
12. Contact
| Subject | Channel |
|---|---|
| Privacy inquiries | [email protected] |
| ARCO+ requests | [email protected] · subject “ARCO Request” |
| Clinical record inquiries | [email protected] · subject “Clinical Record Request” |
| Marketing communications opt-out | [email protected] · subject “Marketing Opt-Out” or link in each email |
| General email | [email protected] |
| Postal address | Avenida Ossa 235, La Reina, Santiago, Chile |
| ARCO response time | 2 business days (Art. 12 Law 19.628) |
Last updated: May 6, 2026