GLOBAL PRIVACY AND PERSONAL DATA PROCESSING POLICY
THE FELLOWSHIP ACADEMY
Last updated: March 10, 2026
Effective as of: Date of registration or access to the Platform.
PRIVACY NOTICE: Your privacy and the security of your data are fundamental priorities for The Fellowship Academy. This document describes in full and transparent terms how we collect, use, store, share and protect your personal information when you interact with our technology ecosystem.
1. INTRODUCTION, ROLE OF CORPORATE ENTITIES, AND LEGAL BASES FOR PROCESSING
1.1. Scope, Nature of the Document, and Perfection of Consent:
This Global Privacy and Personal Data Processing Policy (hereinafter, the "Policy") constitutes an accessory, integral, and indivisible legal instrument of our General Terms and Conditions of Service. This document governs the collection, storage, use, transfer, and deletion of the personal information of every user (the "Specialist" or "User") who accesses the Platform. By checking the consent box ("clickwrap"), registering an Account, undergoing the Medical KYC process, or using the Platform, you grant your express, unequivocal, free, prior, and informed consent for the processing of your Personal Data and Sensitive Data, in strict compliance with the provisions of this document. If you do not agree with this Policy in its entirety, you must immediately cease any use of the Platform.
1.2. Identification of Roles, Corporate Separation, and Processing Agreements (DPA):
To ensure airtight compliance with applicable data protection regimes in multiple jurisdictions including, but not limited to, the General Data Protection Regulation of the European Union (GDPR), the California Privacy Rights Act (CPRA/CCPA), and Statutory Law 1581 of 2012 and its regulatory decrees in Colombia, the Parties recognize the following delimitation of responsibilities: ● The Data Controller: Fellowship Academy S.A.S., a company incorporated in the Republic of Colombia. It is the legal entity that exclusively determines the purposes, means, and scope of the processing of Personal Data, manages financial collection, and handles legal requirements and the exercise of the rights of the Data Subjects (ARCO/GDPR Rights). ● The Data Processor / Sub-processor: The Fellowship Group Corp., a corporation incorporated in the State of Delaware, USA. It acts as a provider of technological infrastructure and software licensee, limited to storing and processing information in encrypted databases under the strict and documented instructions of the Data Controller. ● Intra-Group Data Processing Agreement (DPA): The User acknowledges that the relationship between the Controller and the Processor is formally regulated by a Data Processing Agreement (DPA) that incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission and competent authorities, guaranteeing an adequate level of protection for the cross-border transfer of their data from Colombia to the United States.
1.3. Lawful Basis of Processing:
The Fellowship Academy categorically rejects the arbitrary processing of information. Every personal data processing operation is executed under the strict protection of one or more of the following legal bases for lawfulness: 1. Execution of a Continuous Performance Contract: Processing is strictly necessary for the creation of your Account, the provision of the VOD streaming service, transactional payment processing, and the general execution of the Terms and Conditions. 2. Compliance with Legal and Regulatory Obligations: The processing, retention, and auditing of your medical credentials (KYC) and financial data is imperative to comply with Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) laws, corporate tax invoicing regulations, and to respond to subpoenas or binding requirements from judicial and health authorities. 3. Legitimate Interest and Integral Consent: For Users subject to the GDPR, we process telemetry data, IP, and activity logs to safeguard security (DDoS prevention) and investigate fraud under our Prevalent Legitimate Interest. However, for Users subject to the jurisdiction of the Republic of Colombia (Law 1581 of 2012), the processing of all personal data, including telemetry and security metadata, is based strictly and inexcusably on the Express, Prior, and Informed Consent granted by the User upon accepting this Policy. 4. Express and Specific Consent: Required exceptionally for the processing of special categories of data and for the sending of direct marketing communications.
1.4. Absolute Restriction for Minors (COPPA / GDPR Art. 8):
The Platform is designed exclusively for professionals and university students of legal age. We do not intentionally collect, solicit, or process personal data from minors under eighteen (18) years of age. If the Operator discovers that it has collected information from a minor without the verifiable consent of a legal guardian, such information will be purged and irrevocably deleted from our databases immediately, in accordance with the Children’s Online Privacy Protection Act (COPPA) of the USA and analogous legislation.
2. CATEGORIES OF COLLECTED DATA, MINIMIZATION, AND
MEDICAL CREDENTIALS EXAMINATION (MEDICAL KYC) To guarantee the integrity and security of our closed elite medical ecosystem ("Walled Garden"), the Operator collects only and exclusively the information strictly necessary, adequate, and relevant for the fulfillment of the purposes described in this Agreement. The collected data is classified into the following formal categories:
2.1. Identity, Verification, and Medical Profiling Data (Medical KYC):
Due to the critical, academic, and restricted nature of the Platform, the collection of this information constitutes an indispensable legal and contractual requirement ("suspensive condition") for the opening and maintenance of an Account. ● Basic Biographical Data (PII): Legal full name, institutional or personal email address, mobile phone number for multi-factor authentication (MFA), and jurisdiction of residence or professional practice. ● Sensitive Data and Professional Credentials: In accordance with Article 9 of the GDPR and Article 5 of Law 1581 of Colombia, we collect government identity documents (passport, ID card, DNI), medical degree diplomas, specialty certificates, proof of active enrollment (for students), medical licenses issued by ministries of health, and professional registration numbers. Legal notice: Although providing Sensitive Data is strictly optional and voluntary, your refusal will make it impossible to verify your suitability and, therefore, access to the Platform. ● Ephemeral Processing of Biometric Data (Liveness Checks): As a critical mechanism for the mitigation of fraud, identity theft (Spoofing), and compliance with AML (Anti-Money Laundering) regulations, the User expressly authorizes our authorized verification sub-processor, NOVACODIFY S.A.S. (and its underlying technology providers), to collect and process temporary facial mappings or liveness checks. The Fellowship Group Corp. and the Operator do not extract, process, or store raw biometric data on their own servers. This data is processed in an encrypted, temporary, and ephemeral manner by NOVACODIFY exclusively for validation purposes against the official document, after which the biometric vector is destroyed.
2.1.1. Face Data Collection, Use, Sharing, and Retention:
To ensure the security of our medical community and properly verify the professional identity of our users, we collect face data (such as selfies and liveness facial checks). This face data is used exclusively for identity verification (KYC process) and fraud prevention. We do not use face data for marketing, advertising, or tracking. The collected face data is shared with and securely processed by our authorized verification subprocessor, NOVACODIFY S.A.S., and its technology providers. Face data is retained only for as long as necessary to complete the identity verification process and to comply with mandatory Anti-Money Laundering (AML) audit requirements (as detailed in Section 5.3 of this policy), after which it is permanently and securely deleted from our active systems.
2.2. Financial, Transactional Data, and PCI-DSS Vault:
For the execution of the subscription contract, we process information related to your purchase history, subscription level, and billing status. ● Technological Isolation and Tokenization: The servers of the Operator and the Intellectual Property Owner are technically and logically segmented from the processing of raw financial data. We do not collect, process, or store full credit/debit card numbers (PAN) or security codes (CVV). Every transaction is processed, encrypted, and tokenized by third-party payment gateways audited under Level 1 of the Payment Card Industry Data Security Standard (PCI-DSS), or through the native systems of the app stores (Apple App Store In-App Purchases / Google Play Billing). The Operator only retains billing tokens, the last four (4) digits of your card, and the expiration date for technical support, fraud prevention, and accounting reconciliation purposes.
2.3. Technical Data, Telemetry, and Consumption Patterns (Automated Collection):
When interacting with the Platform, our architecture and that of our cloud infrastructure providers (enterprise-level providers for hosting and ultra-low latency transmission) automatically collect essential technical metadata for the provision of the service, network optimization, and compliance with cybersecurity measures: ● Network and Device Identifiers: IP addresses (used for copyright geo-fencing and cyberattack mitigation), User-Agent, unique device identifiers (UUID), browser type, operating system, and network metrics. ● Audit and Interaction Logs: VOD content viewing history, timestamps of connection to live broadcasts, latency reports, interactions with the graphical user interface (GUI), and automated application crash reports (crash logs).
2.4. User-Generated Content (UGC) and Absolute Restriction of Patient Data (PHI):
We collect the textual, graphic, or audiovisual content that you decide to publish voluntarily in discussion forums, live chats, or Q&A panels. ● Exclusion of "Business Associate" Relationship (HIPAA): The Fellowship Academy operates exclusively as a medical education platform among peers. You recognize and formally accept that The Fellowship Academy IS NOT a Covered Entity or a Business Associate under the US Health Insurance Portability and Accountability Act (HIPAA) or under analogous health legislation. Consequently, there is no Business Associate Agreement (BAA) between the Parties. ● Prohibition and User Regulatory Risk: It is strictly prohibited to upload, transmit, or request Protected Health Information (PHI) or identifiable personal data of patients. Any clinical case discussed for academic purposes must inexcusably comply with the "Safe Harbor" anonymization standard (Safe Harbor De-identification, removing the 18 direct identifiers). Any leak of PHI will be treated as a material breach of the contract and immediately purged from our servers, with the offending User assuming 100% of the civil, criminal, and administrative liability derived from said breach.
3. PURPOSES OF PROCESSING, USE OF INFORMATION, AND MATRIX OF AUTHORIZED SUB-PROCESSORS
3.1. Purpose Limitation Principle:
The Operator and the Intellectual Property Owner strictly adhere to the principle of purpose limitation. The Personal and Sensitive Data collected will not be processed, sold, rented, or marketed in a manner incompatible with the original purposes for which they were obtained. Your information is used exclusively, legitimately, and proportionally for the following corporate purposes: ● Provision and Execution of the Service: To create and manage your Account, enable secure access ("Single Sign-On" or multi-factor authentication) to the Platform, and provide interactive live streaming and video on demand (VOD) services. ● Credentials Audit (Closed Ecosystem): To process, contrast, and validate your medical status and professional credentials to ensure that the Platform remains a strictly academic environment restricted to verified healthcare professionals. ● Transaction Processing: To facilitate subscription billing, manage automatic renewal, issue tax receipts, and process refunds (where applicable according to law). ● Cybersecurity and Business Continuity: To monitor the network status, mitigate cyberattacks, prevent transactional fraud, detect unauthorized access, and enforce our Digital Rights Management (DRM) systems against piracy. ● Continuous Improvement and Telemetry: To analyze traffic patterns, diagnose application failures (crash analytics), and optimize latency and the quality of video codecs. ● Legal and Service Communications: To send critical notifications about Terms updates, security alerts, payment receipts, and essential operational communications (these communications cannot be deactivated or "opt-out" by the User, given their contractual nature).
3.2. Matrix of Technological Sub-processors and Data Transfer (Authorized Third Parties):
To ensure technical viability, global scalability, and the security of the Platform, the Operator relies on a network of mission-critical technological infrastructure providers ("Sub-processors"). By accepting this Policy, the User grants their express, prior, and informed authorization for their information to be shared with the following categories of third parties, strictly under the "need to know" principle (Need-to-Know basis): 1. Cloud Infrastructure and Storage (Cloud Hosting): The backend architecture, databases, and VOD library are hosted on Amazon Web Services (AWS) (or analogous enterprise-level providers). AWS processes the information in an encrypted manner (both in transit and at rest) and does not have logical access rights to personal data in clear text. 2. Communications Engine and Ultra-Low Latency Streaming: The real-time video transmission and the interactive area (chat) infrastructure are supported by Agora Inc. technology. Network telemetry and live interactions are processed by Agora exclusively to route the signal and guarantee Quality of Service (QoS), complying with international privacy standards. 3. Identity Validation and Medical Verification (KYC/AML): The processing, optical character recognition (OCR) of official documents, verification of liveness checks, and validation of medical licenses are delegated to our authorized Sub-processor, NOVACODIFY S.A.S., and its technological subcontractors. These entities act under strict confidentiality mandates and process biometric and documentary data in an ephemeral manner, only to issue an "Approved/Rejected" ("Pass/Fail") verdict to the Operator. 4. Payment Gateways and Financial Infrastructure: Transactions are processed by PCI-DSS Level 1 certified entities (such as Stripe) and the ecosystems of Apple Inc. (App Store) or Google LLC (Play Store).
3.3. Data Processing Agreements (DPAs) and Restrictions on Third Parties:
The Fellowship Academy does not sell or "monetize" the personal data of its Users. Sharing information with the Sub-processors listed in Section 3.2 does not constitute a "Sale" or a "Sharing" of data under the definition of the California CPRA or other analogous laws. ● All Sub-processors are legally and contractually bound to The Fellowship Academy through rigorous Data Processing Agreements (DPAs). These contracts expressly and absolutely prohibit the Sub-processors from retaining, using, or disclosing the Personal Data of Users for their own marketing purposes, cross-profiling, or training their own Artificial Intelligence models, limiting their actions to the documented instructions of the Operator.
3.4. Mandatory Disclosure, Legal Requirements, and Corporate Succession:
We reserve the imperative right to disclose your personal information, including your identity and activity logs, to non-affiliated third parties (such as government authorities, medical boards, or law enforcement) when the Operator determines, in good faith and after a rigorous legal analysis, that such disclosure is necessary to: 1. Comply with a subpoena, court order, search warrant, or binding legal requirement (Subpoena or Warrant). 2. Investigate, prevent, or take action regarding suspected fraud, money laundering (AML), patient privacy violations (PHI leak), or serious infringements of our Intellectual Property. 3. Protect and defend the rights, property, or physical and cyber security of The Fellowship Academy, its employees, the Creator Doctors, or the general public. ● Corporate Control Change (M&A): In the event of a merger, acquisition, restructuring, bankruptcy, or sale of all or a substantial part of the assets of The Fellowship Group Corp. or Fellowship Academy S.A.S., the Users’ Personal Data will constitute one of the commercial assets transferred to the successor or acquiring entity, subject to the continuity of the protection obligations established in this Policy.
4. CROSS-BORDER DATA TRANSFERS, SERVER LOCATION, AND INTERNATIONAL SAFEGUARDS
4.1. Global Nature of the Architecture and Express Consent to Transfer:
The Fellowship Academy operates on a global cloud computing technological infrastructure designed to guarantee service resilience and ultra-low latency transmissions. Consequently, the User recognizes, understands, and unequivocally accepts that their Personal Data, Sensitive Data (Medical KYC), and usage metadata will be transferred, transmitted, hosted, and processed outside of their country, state, or province of original residence. ● By creating an Account and using the Platform, the User expressly, freely, and irrevocably authorizes Fellowship Academy S.A.S. (Colombia) to export and transfer their data to The Fellowship Group Corp. (Delaware, USA) and to the data centers operated by our authorized Sub-processors located in the United States of America or other international jurisdictions.
4.2. Data Residency and Legislative Asymmetry:
The primary ecosystem of storage and the master databases of the Platform are physically located on secure servers within the United States of America. ● The User is fully aware that privacy, data protection, and government access to information laws in the United States (or in other destination jurisdictions) may differ substantially and offer a different standard of protection than that of their home jurisdiction (including the regulations of the European Union or the Republic of Colombia). ● Notwithstanding this legislative asymmetry, the Operator and the Intellectual Property Owner contractually guarantee that the processing of the transferred data will remain subject to the strict requirements and security measures stipulated in this Privacy Policy, regardless of its geographic location.
4.3. Legal Mechanisms and Safeguards for Transfer (Regulatory Approval):
To guarantee the uninterrupted lawfulness of cross-border data flows and comply with Article 26 of Law 1581 of 2012 (Colombia), Chapter V of the GDPR (Europe), and analogous regulations, The Fellowship Academy bases its international transfers on the following legal and compliance mechanisms: 1. Intra-Group Data Transfer Agreements (Intra-Group DPAs): The transfer of data between the commercializing entity (Colombia) and the technological parent (Delaware) is regulated by a binding contract that incorporates strict confidentiality and exclusive processing obligations. 2. Standard Contractual Clauses (SCCs): When the applicable law imperatively requires it for the export of data to countries that do not have an "Adequacy Decision," we implement the SCCs approved by the European Commission and the competent authorities in the Data Processing Agreements (DPAs) signed with our technological Sub-processors. 3. Exception for Contractual Necessity and Consent: The international transfer is also protected under the legal exception that said export of data is strictly necessary for the execution of the services contract signed for the benefit of the User, and has their affirmative and unequivocal consent.
4.4. Supplementary Security Measures Post-Transfer:
In strict compliance with international cybersecurity standards (and in attention to regulatory rulings such as "Schrems II" in the EU), all cross-border flows of data executed by The Fellowship Academy are protected through Supplementary Security Measures. This includes, without limitation, the application of military-grade encryption protocols and strong cryptographic encryption for both "in transit" data (Data in Transit, via TLS 1.3 or higher) and "at rest" data (Data at Rest, via AES-256 in the storage clusters). These technical measures are designed to make it impossible for unauthorized third parties or foreign government agencies to intercept information during its international transit.
5. RIGHTS OF DATA SUBJECTS (ARCO / GDPR), PROCEDURES, AND STRICT RETENTION POLICY
5.1. Consolidated Privacy Rights (ARCO, GDPR, and CPRA):
In strict compliance with Law 1581 of 2012 (Colombia), the General Data Protection Regulation (GDPR - Europe), and the California Privacy Rights Act (CPRA - USA), the Operator guarantees Users the free exercise of the following fundamental rights over their personal data: ● Right of Access and Portability: To request confirmation as to whether we are processing your data, obtain a copy of it, and, when technically feasible, request the transmission of said data to another controller in a structured and machine-readable format. ● Right of Rectification (Updating): To request the correction of inaccurate, incomplete, or outdated data. (Note: The alteration of medical credentials will require a new validation through NOVACODIFY). ● Right of Opposition and Limitation: To object to the processing of your data for specific purposes or request the temporary restriction of the processing while a legal challenge is resolved. ● Right of Deletion (Cancellation / "Right to be Forgotten"): To request the deletion of your personal data from our active systems, subject to the critical exceptions and retention mandates detailed in Section 5.3.
5.2. Request Procedure and Identity Authentication:
To exercise any of the mentioned rights, the User (or their duly accredited legal representative) must send a formal written request to the Operator’s Privacy and Compliance Officer via email: privacy@thefellowshipacademy.com. ● Anti-Fraud Measure (Identity Verification): To prevent social engineering and identity theft, the Operator reserves the absolute right to require reasonable additional information to verify the identity of the applicant before processing the request. ● Legal Response Times (SLAs): We will acknowledge receipt and provide a response in accordance with the imperative deadlines of your jurisdiction. For Users in Colombia: (i) Inquiries (requests for access/information) will be addressed in a maximum term of ten (10) business days; (ii) Claims (requests for deletion or rectification) will be addressed in a maximum term of fifteen (15) business days. These deadlines may be extended once as permitted by applicable law (e.g., 5 or 8 additional days, respectively), with prior notice to the User. For Users under the GDPR, the maximum period will be thirty (30) calendar days for any request.
5.3. Exceptions to the Right of Deletion and Mandatory Retention Policy (Data Retention Carve-outs):
The User acknowledges and expressly accepts that the Right of Deletion ("Right to be Forgotten") is not an absolute right. The Operator and the Intellectual Property Owner will retain, preserve, and block access to certain categories of data even after receiving a deletion request or after the termination of the Account, based on "Compelling Legitimate Grounds" and irrevocable legal mandates: 1. Fiscal, Accounting, and Transactional Retention (10 Years): By mandate of international tax laws and corporate regulations, all billing history, subscription receipts, payment tokens, and transactional identifiers will be retained for a period of no less than ten (10) fiscal years. 2. AML Compliance / Anti-Money Laundering Retention (5 Years): Identity verification records (Medical KYC processed via NOVACODIFY) and metadata associated with the opening of the Account will be kept for a minimum of five (5) years to comply with the auditing requirements of financial and health authorities. 3. Blacklists and Fraud Prevention (Indefinite Retention): If the User’s Account was suspended or terminated for violating the "Zero Tolerance Policy," committing Intellectual Property piracy, or leaking patient data (PHI), the Operator will indefinitely retain a cryptographic "hash" of their email, identity document, and IP address (Blacklisting). This constitutes a vital corporate legitimate interest to prevent the offender from evading the sanction by creating a new Account in the future. 4. Litigation and Legal Prescription: We will retain any information that is reasonably necessary to exercise, defend, or establish legal claims until the statutes of limitations for the applicable civil, criminal, or administrative actions have expired.
5.4. Data Blocking:
Once the legal retention periods described in Section 5.3 have ended, or when a valid deletion request proceeds, your personal data will be cryptographically destroyed or subjected to an irreversible process of mathematical anonymization. Data retained due to legal obligation will be logically "blocked," meaning it will only be accessible to the Compliance Officer and only to attend to requirements from competent authorities.
6. INFORMATION SECURITY, BREACH PROTOCOL (DATA BREACHES), AND RISK ALLOCATION
6.1. Technical and Organizational Security Measures (Industry Standard):
The Fellowship Academy recognizes the sensitivity of medical and financial profiling data. Therefore, the Operator and the Intellectual Property Owner implement, maintain, and continuously update an information security program based on technical, administrative, and organizational measures of an enterprise level ("Enterprise-Grade Security"), designed to protect your Personal Data against unauthorized access, alteration, disclosure, accidental loss, or unlawful destruction. ● Cryptographic Encryption: Every data transmission between your device and our cloud infrastructure is protected by strong cryptographic encryption protocols (TLS 1.3 or higher). Likewise, the data stored ("Data at Rest") on the servers of our Sub-processors is encrypted under the Advanced Encryption Standard AES-256. ● Logical Access Control: We restrict internal access to your personal data based strictly on the "least privilege" principle (Least Privilege) and the "need to know" (Need-to-Know), requiring our employees, contractors, and compliance officers to use Multi-Factor Authentication (MFA) and the signing of rigorous Non-Disclosure Agreements (NDAs).
6.2. No Absolute Security Warranty and Assumption of Risk:
Despite the implementation of robust security protocols and continuous audits, the nature of the internet ecosystem and cyber threats (including Zero-Day Exploits, Ransomware, and Advanced Persistent Threats - APT) prevent guaranteeing infallible security. ACCORDINGLY, THE USER EXPRESSLY ACKNOWLEDGES AND ACCEPTS THAT NO DATA TRANSMISSION SYSTEM OR CLOUD STORAGE SYSTEM IS 100% SECURE. ANY TRANSMISSION OF PERSONAL DATA OR MEDICAL DOCUMENTATION THROUGH THE PLATFORM IS DONE AT YOUR OWN AND EXCLUSIVE RISK. To the maximum extent permitted by applicable law, The Fellowship Group Corp. and Fellowship Academy S.A.S. disclaim all liability for breaches, interceptions, or data thefts derived from cyber force majeure events, malicious attacks by third parties, or vulnerabilities in the underlying infrastructure of our Sub-processors.
6.3. Incident Response Protocol and Breach Notification:
In the unlikely event that a proven security incident occurs that compromises the confidentiality, integrity, or availability of your unencrypted Personal Data ("Data Breach"), the Operator will activate its Incident Response Plan in the following manner: 1. Notification to Authorities: We will notify the competent supervisory authorities within the strict deadlines required by applicable legislation. 2. Notification to the User: If the Data Breach represents a high and imminent risk to your rights and freedoms (including the risk of identity theft or financial fraud), the Operator will notify you by email "without undue delay," as per legal requirements. The notification will include the nature of the breach, the compromised data, the mitigation measures adopted, and recommendations for the User to protect their identity.
6.4. Exclusive Responsibility of the User (End-User Security Compromise):
The Operator will not be responsible, under any circumstances, for unauthorized access to your Account or data leaks that result from the User’s negligence. This includes, without limitation: (i) the use of weak, recycled, or compromised passwords on other platforms; (ii) being a victim of social engineering attacks, Phishing, or Spear-Phishing; (iii) sharing your access credentials with colleagues, residents, or third parties; or (iv) accessing the Platform from unsecured public Wi-Fi networks or devices infected with malware or keyloggers. Any activity carried out from the User’s account after a compromise of their own credentials will be legally imputable to them.
6.5. Modifications to the Privacy Policy:
We reserve the right to modify this Privacy Policy at any time to reflect changes in our data practices, new legal requirements, or integrations of new Sub-processors. Any material change will be notified to you in advance through a prominent notice on the Platform or by email. Continued use of the Platform after such modifications come into effect will constitute your acknowledgment and tacit acceptance of the updated Policy.