Privacy Policy

At Ethmoide ("we," "our," or "us"), we are committed to protecting your privacy and maintaining the confidentiality of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, applications, and services (collectively, the "Services"). It also describes your rights regarding your data.

Because our Services involve healthcare technology, we adhere to applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) where applicable, and other relevant regional privacy regulations.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We collect information in the following categories:

a. Information You Provide Directly

• Account Information: Name, email address, username, password, phone number, and professional credentials (e.g., medical license number, specialization) when you register.
• Profile Information: Healthcare role, institution affiliation, department, and profile photo.
• Patient Data: If you are a healthcare provider using our platform, you may input or upload patient records, clinical notes, diagnostic data, and related health information. This constitutes Protected Health Information (PHI) and is handled in accordance with Section 4.
• Communications: Messages, feedback, support requests, and survey responses you send us.

b. Information Collected Automatically

• Usage Data: Pages visited, features accessed, time spent, actions taken, and session duration.
• Device & Technical Data: IP address, browser type, operating system, device identifiers, screen resolution, and referring URLs.
• Log Data: Server logs, error reports, and performance metrics.
• Location Data: Approximate location inferred from IP address, or precise location if you grant permission.

c. Information From Third Parties

• Healthcare Systems: Data received from Electronic Health Record (EHR) systems, hospital management systems, or health information exchanges with which our platform integrates (subject to applicable authorizations).
• Identity Verification Services: Information used to verify professional credentials.
• Analytics Providers: Aggregated and de-identified analytics data.

2. How We Use Your Information

We use the information we collect to:

• Provide and operate our Services, including delivering clinical decision support, diagnostic tools, and healthcare workflow automation.
• Authenticate and secure your account and prevent unauthorized access.
• Personalize your experience and tailor features to your clinical role and preferences.
• Improve and develop our Services through analysis of aggregated, de-identified usage patterns.
• Communicate with you about updates, new features, security alerts, and support matters.
• Comply with legal obligations, including healthcare regulations, audit requirements, and court orders.
• Detect and prevent fraud, abuse, or security incidents.
• Conduct research using only de-identified or aggregated data, in accordance with applicable law and ethical guidelines.

We do not sell your personal information or PHI to third parties, and we do not use PHI for marketing purposes.

3. How We Share Your Information

We may share your information in the following limited circumstances:

a. Service Providers and Business Associates

We engage trusted third-party vendors (e.g., cloud hosting, analytics, identity verification) who process data on our behalf. These parties are contractually bound to handle data securely and solely for the purposes we specify. Where applicable, we execute Business Associate Agreements (BAAs) as required by HIPAA.

b. Healthcare Institutions

If you access our Services through your employer or healthcare institution, certain account and usage information may be shared with that institution's administrators.

c. Legal Requirements

We may disclose your information if required by applicable law, regulation, legal process, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Ethmoide, our users, or the public.

d. Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice if your information becomes subject to a different privacy policy.

e. With Your Consent

We may share your information for any other purpose with your explicit consent.

4. Protected Health Information (PHI) & HIPAA

Ethmoide operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities (healthcare providers, health plans, and healthcare clearinghouses). In this capacity:

• We use and disclose PHI only as permitted or required by our BAA and HIPAA regulations.
• We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule to protect electronic PHI (ePHI).
• We do not use PHI for marketing or sell PHI under any circumstances.
• We report any breaches of unsecured PHI to the relevant Covered Entity in accordance with the HIPAA Breach Notification Rule.
• We support Covered Entities in fulfilling patient rights under the HIPAA Privacy Rule, including rights of access, amendment, and accounting of disclosures.

If you are a patient whose PHI has been processed through our platform, please contact the healthcare provider or institution through whom you accessed care for privacy-related requests. Patients may also direct inquiries to us at the contact information in Section 13.

5. Data Retention

We retain personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined based on:

• The duration of your account and active use of our Services.
• Applicable legal and regulatory obligations (e.g., medical records laws, tax laws).
• Legitimate business needs, such as resolving disputes and enforcing agreements.

PHI is retained in accordance with applicable state and federal medical records retention laws, and the terms of our BAA with the relevant Covered Entity. Upon lawful deletion request and subject to applicable legal obligations, we will securely destroy or de-identify your information.

6. Data Security

We implement a comprehensive, layered security program that includes:

• Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege are enforced across our systems.
• Audit Logging: Comprehensive audit trails are maintained for all access to and modifications of sensitive data.
• Vulnerability Management: Regular penetration testing, security assessments, and patch management processes are in place.
• Incident Response: A documented security incident response plan is maintained and tested regularly.
• Employee Training: All staff with access to sensitive data undergo regular privacy and security training.

Despite our efforts, no security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you and the appropriate regulatory authorities as required by law.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (pixels, local storage, session tokens) to:

• Essential Cookies: Enable core platform functionality, authentication, and security. These cannot be disabled.
• Analytics Cookies: Help us understand usage patterns to improve our Services (e.g., session duration, error rates). These may be disabled.
• Preference Cookies: Remember your settings and UI preferences. These may be disabled, though some features may be affected.

We do not use advertising or third-party behavioral tracking cookies. You can manage cookie preferences through your browser settings. Note that disabling certain cookies may impair the functionality of our Services.

8. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with external platforms (e.g., EHR systems, laboratory information systems). These third parties have their own privacy policies, and we do not control or assume responsibility for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our platform.

9. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

Right of Access

Request a copy of the personal information we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal information.

Right to Erasure

Request deletion of your personal information, subject to legal and contractual obligations.

Right to Restriction of Processing

Request that we limit how we use your information in certain circumstances.

Right to Data Portability

Receive your personal data in a structured, machine-readable format where technically feasible.

Right to Object

Object to processing of your information for certain purposes, including direct communications.

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us as described in Section 13. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before fulfilling your request.

If you are located in the European Economic Area (EEA) and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

10. Children's Privacy

Our Services are designed for use by healthcare professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal information directly from minors. Patient data involving minors may be processed on behalf of Covered Entities as part of clinical care delivery, and such data is handled in strict accordance with applicable law, including HIPAA and the Children's Online Privacy Protection Act (COPPA) where applicable. If you believe we have inadvertently collected information from a minor in violation of applicable law, please contact us immediately.

11. International Data Transfers

Ethmoide operates globally. If you are accessing our Services from outside the country where our servers are located, your information may be transferred across international borders. When transferring personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the relevant data protection authority.
• Other legally recognised transfer mechanisms as applicable.

We take appropriate steps to ensure that recipients of your personal data afford an adequate level of protection consistent with this Privacy Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via email (to the address associated with your account) or via a prominent notice within the platform.
• Where required by law, obtain your renewed consent.

Your continued use of our Services following the effective date of any changes constitutes your acknowledgment of the updated Privacy Policy. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Office:

We aim to acknowledge all privacy-related enquiries within 5 business days and resolve them within 30 days, or within the timeframe required by applicable law.