In this Privacy Policy:

• “Customer” means a company, organisation, or individual that signs up to use Eyes of AI services.
• “End User” means an individual authorised by a Customer to use our services.
• “Personal Information” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the Australian Privacy Act, EU GDPR, UK GDPR, and HIPAA.
• “Protected Health Information (PHI)” means individually identifiable health information transmitted or maintained in any form or medium, as defined under HIPAA.
• “Sensitive Information” means a subset of Personal Information that includes health information, biometric data, and other information requiring additional protection under applicable laws.

We collect Personal Information when you:

• Visit our Website.
• Join our mailing list.
• Purchase or use our services as an individual Customer.
• Use our services as part of an enterprise Customer organisation.
• Respond to a survey or fill out a form.
• Interact with us in person or electronically (including via our Website, social media, chats, emails, messages, and other electronic communication formats).

3.1. Information Collected from Individual Customers and Website Users

We may collect the following types of Personal Information:

3.2 Information Collected from End Users of Enterprise Customers

We may collect the following types of Personal Information:

3.3 Special Categories of Personal Information

In the course of providing our services, we may process special categories of Personal Information, including health information related to your patients (if you are a healthcare provider):

We may use your Personal Information in the following ways:

• Providing Services: To deliver, support, and administer our services to you or your organisation.
• Personalisation: To personalise your experience and better respond to your individual needs.
• Improvement: To improve our services based on feedback and information received from you.
• Customer Service: To respond to your customer service requests and support needs effectively.
• Communications: To send you service-related communications, including updates, security alerts, and support messages.
• Marketing: To send you promotional materials and newsletters, where you have consented to receive such communications.
• Legal Compliance: To comply with legal obligations, including regulatory requirements and lawful requests by public authorities.
• Research and Development: To develop and improve our AI models, algorithms, and services, ensuring that patient data used for this purpose is de-identified or anonymised as required by law.

4.1 Legal Bases for Processing (EEA/UK Users)

For individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”), our legal bases for processing your Personal Information include:

• Consent: Where you have given explicit consent.
• Contractual Necessity: Processing is necessary to perform a contract with you.
• Legal Obligation: Compliance with a legal obligation.
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests.

4.2 Marketing Communications

We will obtain your explicit consent before sending marketing communications. You have the right to withdraw consent at any time by contacting us or using the unsubscribe link in our communications.

We may share your Personal Information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers to perform functions and provide services to us, including:

• Hosting and maintaining our servers and Website.
• Data storage and management.
• Email management.
• Payment processing.
• Customer service.
• Analytics and marketing support.

These third parties may have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

5.2 Compliance with Laws

5.3 Business Transfers

In the event of a merger, acquisition, financing, or sale of assets, your Personal Information may be transferred to a third party as part of that transaction, subject to this Privacy Policy.

5.4 Affiliates

We may disclose information to our corporate affiliates, who will treat the information in accordance with this Privacy Policy.

5.5 Compliance with Data Protection Laws

We require third-party providers processing Personal Information on our behalf to comply with applicable data protection laws, including entering into data processing agreements where required. We take reasonable steps to ensure:

• Appropriate security measures are implemented.
• Personal Information is processed only per our instructions.
• Confidentiality obligations are imposed on all third-party providers.

If we receive unsolicited Personal Information about you, whether directly from you or from a third party (including from a Customer), we will, to the extent required by law, de-identify or destroy such information. We may implement automated procedures to detect and de-identify any potential Personal Information before collecting it.

We retain your Personal Information only for as long as necessary to fulfil the purposes for which it was collected, including:

• To provide our services.
• To comply with legal, regulatory, tax, accounting, or reporting requirements.
• To resolve disputes and enforce our agreements.

7.1 Health Information Retention

• Australia: Health records are retained for at least seven (7) years from the last date of entry in the record, or until the patient turns 25, whichever is longer.
• EU/UK: Retention periods for health data comply with local regulations and professional guidelines.
• United States (HIPAA): PHI is retained for a minimum of six (6) years from the date of its creation or the date when it last was in effect, whichever is later.

When we no longer need your Personal Information, we will securely delete or anonymise it.

We implement appropriate technical and organisational measures to protect your Personal Information against unauthorised access, alteration, disclosure, or destruction. These measures may include:

• Access controls:
  • Restricting access to Personal Information to authorised personnel.
  • Implementing access permissions and authentication measures.
  • Monitoring access activities.
• Security systems: Using security systems to detect and prevent unauthorised access, vulnerabilities, and malware.
• Encryption: Encrypting Personal Information at rest and during transmission where appropriate.
• Physical Security: Securing data centres with appropriate access controls.
• Incident Response Plan: Having procedures in place to handle potential data breaches.

8.1 Data Breach Notification

In the event of a data breach involving Personal Information, especially health information, we will:

• Australia: Comply with the Notifiable Data Breaches scheme under the Australian Privacy Act, notifying the Office of the Australian Information Commissioner (“OAIC”) and affected individuals when required.
• EU/UK GDPR:
  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.
  • Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
• HIPAA:
  • Comply with the HIPAA Breach Notification Rule, notifying the U.S. Department of Health and Human Services (“HHS”) and affected individuals as required.
  • Notify prominent media outlets if the breach involves more than 500 residents of a state or jurisdiction.

Eyes of AI is based in Australia and utilises servers located in Australia and the United States. Your Personal Information may be transferred to, stored, and processed in countries other than your own.

9.1 Data Transfer Mechanisms

We ensure that international data transfers comply with applicable data protection laws by:

• EU/UK GDPR:
  • Using Standard Contractual Clauses (“SCCs”) approved by the European Commission.
  • Transferring data to countries deemed by the European Commission to provide an adequate level of data protection.
• Australian Privacy Act: Taking reasonable steps to ensure overseas recipients do not breach the Australian Privacy Principles.
• HIPAA: Ensuring that PHI is transferred and stored in compliance with HIPAA requirements.
• Additional Safeguards: Implementing supplementary measures where necessary, such as encryption and pseudonymisation.

9.2 Data Localisation Requirements

Some countries may have data localisation laws requiring Personal Information to be stored within their borders. We comply with such requirements where applicable.

Depending on your location and subject to applicable laws, you may have the following rights regarding your Personal Information:

• Access: Request access to your Personal Information.
• Correction: Request correction of inaccurate or incomplete Personal Information.
• Erasure: Request deletion of your Personal Information.
• Restriction: Request restriction of processing your Personal Information.
• Objection: Object to processing your Personal Information for certain purposes.
• Data Portability: Request transfer of your Personal Information to another organisation.
• Withdraw Consent: Withdraw consent where processing is based on consent.

10.1 Exercising Your Rights

To exercise your rights, please contact us at info@eyesofai.com. We may need to verify your identity before processing your request. We will respond within the timeframes required by law.

10.2 HIPAA Rights

For individuals whose PHI we process under HIPAA, you have additional rights, including:

• Right to Receive an Accounting of Disclosures: Obtain a list of certain disclosures of your PHI.
• Right to Request Confidential Communications: Request that we communicate with you in a certain way or at a certain location.
• Right to Amend: Request amendments to your PHI if you believe it is incorrect or incomplete.

We use cookies and similar technologies to enhance your experience on our Website. A cookie is a small text file stored on your device when you visit a website.

11.1 Types of Cookies We Use

• Essential Cookies: Necessary for the Website to function correctly.
• Analytics Cookies: Help us understand how visitors interact with our Website.
• Marketing Cookies: Used to deliver relevant advertisements to you.

11.2 Third-Party Analytics

We use third-party analytics services, including Google Analytics, Hotjar, and Bitly, which may collect information such as:

• User Interaction Data: Heatmaps, session recordings, clicks, scrolls.
• Device Information: Device type, screen resolution, operating system, browser type.
• Geographic Location: Derived from anonymised IP addresses.
• Session Data: Time spent on pages, navigation patterns.
• Engagement Metrics: Bounce rates, referral URLs, marketing channel sources.
• Demographics: Age range, gender, language preferences, internet connection speed.
• User Feedback: Collected from tools like Hotjar.

11.3 Managing Cookies

Most web browsers allow you to control cookies through their settings preferences. You can choose to block or delete cookies, but this may affect the functionality of our Website.

12.1 Email Communications

By providing your email address, you consent to receive emails from us, including newsletters, promotions, and updates. You can opt out at any time by clicking the unsubscribe link in the email or contacting us directly.

12.2 Targeted Advertising

We may use your email address and other Personal Information for customer audience targeting on platforms like LinkedIn and Facebook to display custom advertising to specific audiences who have opted in to receive communications from us. Target segments may include:

• Location (e.g., country).
• Industry (e.g., dentists, medical and diagnostic laboratories).
• Fields of study (e.g., dentistry, orthodontics).

12.3 Use of Health Data in Marketing

We will only use health data for marketing purposes if we have obtained your explicit consent, in compliance with HIPAA, the Australian Privacy Act, EU GDPR, and UK GDPR. You may withdraw your consent at any time.

Our services are not intended for individuals under the age of 18. We do not knowingly collect Personal Information from children. If you are under 18, please do not use our services or provide any Personal Information.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of any significant changes by updating the “Last Updated” date at the top of this policy and, where required, provide additional notice (e.g., by email or prominent notice on our Website).

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

• Email: info@eyesofai.com
• Postal Address:
  Eyes of AI
  Level 57, 25 Martin Place,
  Sydney, NSW 2000
  Australia

16.1 Australia

We comply with the Australian Privacy Principles under the Australian Privacy Act 1988 (Cth). If you are in Australia and have a complaint about our handling of your Personal Information, you may contact the OAIC:

• Website: www.oaic.gov.au
• Phone: 1300 363 992

16.2 EEA and UK

If you are located in the EEA or the UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

• EU Supervisory Authorities: List of Supervisory Authorities
• UK Information Commissioner’s Office (“ICO”):
  • Website: www.ico.org.uk
  • Phone: 0303 123 1113

Data Protection Officer (“DPO”): For EEA/UK data subjects, you may contact our Data Protection Officer at: info@eyesofai.com

16.3 United States (HIPAA Compliance)

For individuals whose PHI we process under HIPAA, any concerns or complaints regarding our HIPAA compliance can be directed to our Privacy Officer at: info@eyesofai.com

This policy will be reviewed regularly and updated as necessary to ensure compliance with legal obligations and best practices. All changes will be documented and retained for at least six (6) years from the date last in effect.