Privacy Policy

Updated at 2024-11-25

1. Introduction

Eyes of AI (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information. We process personal information in compliance with the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”), the European Union General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and the United States Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

This Privacy Policy applies when you:

  • Use our website (and its associated subdomains) accessible at www.eyesofai.com (“Website”).
  • Contact or interact with us.
  • Purchase or use our services as an individual Customer.
  • Use our services as part of an enterprise Customer organisation.
  • Work for one of our Customers.

Please read this Privacy Policy carefully. If you have any questions, please contact us at info@eyesofai.com.

2. Key Definitions

In this Privacy Policy:

“Customer” means a company, organisation, or individual that signs up to use Eyes of AI services.

“End User” means an individual authorised by a Customer to use our services.

“Personal Information” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the Australian Privacy Act, EU GDPR, UK GDPR, and HIPAA.

“Protected Health Information (PHI)” means individually identifiable health information transmitted or maintained in any form or medium, as defined under HIPAA.

“Sensitive Information” means a subset of Personal Information that includes health information, biometric data, and other information requiring additional protection under applicable laws.

3. Information We Collect About You

We collect Personal Information when you:

  • Visit our Website.
  • Join our mailing list.
  • Purchase or use our services as an individual Customer.
  • Use our services as part of an enterprise Customer organisation.
  • Respond to a survey or fill out a form.
  • Interact with us in person or electronically (including via our Website, social media, chats, emails, messages, and other electronic communication formats).

3.1. Information Collected from Individual Customers and Website Users

We may collect the following types of Personal Information:

  • Identity and Contact Information:
    - First name, last name.
    - Email address, phone number.
    - Company/practice name, number of practices.
    - Job title, industry, speciality, location/country.
    - Login credentials (encrypted).
  • Technical and Usage Information:
    - Browser type and version.
    - Operating system.
    - IP address, time of visit, approximated geographic location.
    - Information about how you use our Website or services.
  • Subscription/Device Information:
    - Product type, tier type, plan type, quota.
    - Device name, date added, browser name, device status.
  • Marketing and Communications Preferences:
    - Your preferences in receiving marketing from us and third parties.
    - Your communication preferences.

3.2 Information Collected from End Users of Enterprise Customers

We may collect the following types of Personal Information:

  • End User Details: First name, last name, email address.
  • Geo-Location Details: IP address, city, country code, country, latitude, longitude, region code, region name, time zone, postcode.
  • Licence Activation Details:
    - Licence ID, creation date, last updated date, expiration date.
    - Hostname, operating system, OS version.
    - Last synced date, offline status, app version, release version, release channel, release platform.
    - Lease expiration date, VM name, container information.
  • Device Details:
    - Hostname of the device, hashed username.
    - Hashed fingerprint generated using hardware components.
    - CPU model, cores, threads, base speed.
    - Total RAM details.
    - Integrated GPU model, VRAM, vendor.
    - Discrete GPU model, VRAM, vendor, driver version.
    - Storage drive type, name, vendor, size, firmware revision.
    - Storage partition details.
    - Operating system platform, architecture, distribution, version.
    - Hypervisor, remote session details.

3.3 Special Categories of Personal Information

In the course of providing our services, we may process special categories of Personal Information, including health information related to your patients (if you are a healthcare provider):

Patient Health Information:

  • Identifiers:
    - Medical record number (MRN), first name, last name.
    - Gender, date of birth, age (derived from date of birth).
    - Email address, phone number.
  • X-ray and Photo Information:
    - File name, X-ray type, date created, date modified.
    - Findings, measurements, comments, date uploaded.

4. How We Use Your Information

We may use your Personal Information in the following ways:

  • Providing Services: To deliver, support, and administer our services to you or your organisation.
  • Personalisation: To personalise your experience and better respond to your individual needs.
  • Improvement: To improve our services based on feedback and information received from you.
  • Customer Service: To respond to your customer service requests and support needs effectively.
  • Communications: To send you service-related communications, including updates, security alerts, and support messages.
  • Marketing: To send you promotional materials and newsletters, where you have consented to receive such communications.
  • Legal Compliance: To comply with legal obligations, including regulatory requirements and lawful requests by public authorities.
  • Research and Development: To develop and improve our AI models, algorithms, and services, ensuring that patient data used for this purpose is de-identified or anonymised as required by law.

4.1 Legal Bases for Processing (EEA/UK Users)

For individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”), our legal bases for processing your Personal Information include:

  • Consent: Where you have given explicit consent.
  • Contractual Necessity: Processing is necessary to perform a contract with you.
  • Legal Obligation: Compliance with a legal obligation.
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests.

4.2 Marketing Communications

We will obtain your explicit consent before sending marketing communications. You have the right to withdraw consent at any time by contacting us or using the unsubscribe link in our communications.

5. Disclosure of Your Information

We may share your Personal Information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers to perform functions and provide services to us, including:

  • Hosting and maintaining our servers and Website.
  • Data storage and management.
  • Email management.
  • Payment processing.
  • Customer service.
  • Analytics and marketing support.

These third parties may have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

5.2 Compliance with Laws

We may disclose your Personal Information:

  • To comply with legal obligations, court orders, or legal processes.
  • To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.

5.3 Business Transfers

In the event of a merger, acquisition, financing, or sale of assets, your Personal Information may be transferred to a third party as part of that transaction, subject to this Privacy Policy.

5.4 Affiliates

We may disclose information to our corporate affiliates, who will treat the information in accordance with this Privacy Policy.

5.5 Compliance with Data Protection Laws

We require third-party providers processing Personal Information on our behalf to comply with applicable data protection laws, including entering into data processing agreements where required. We take reasonable steps to ensure:

  • Appropriate security measures are implemented.
  • Personal Information is processed only per our instructions.
  • Confidentiality obligations are imposed on all third-party providers.

6. Unsolicited Personal Information

If we receive unsolicited Personal Information about you, whether directly from you or from a third party (including from a Customer), we will, to the extent required by law, de-identify or destroy such information. We may implement automated procedures to detect and de-identify any potential Personal Information before collecting it.

7. Data Retention

We retain your Personal Information only for as long as necessary to fulfil the purposes for which it was collected, including:

  • To provide our services.
  • To comply with legal, regulatory, tax, accounting, or reporting requirements.
  • To resolve disputes and enforce our agreements.

7.1 Health Information Retention

  • Australia: Health records are retained for at least seven (7) years from the last date of entry in the record, or until the patient turns 25, whichever is later.
  • EU/UK: Retention periods for health data comply with local regulations and professional guidelines.
  • United States (HIPAA): PHI is retained for a minimum of six (6) years from the date of its creation or the date when it last was in effect, whichever is later.

When we no longer need your Personal Information, we will securely delete or anonymise it.

8. Data Security

We implement appropriate technical and organisational measures to protect your Personal Information against unauthorised access, alteration, disclosure, or destruction. These measures may include:

  • Access controls:
    - Restricting access to Personal Information to authorised personnel.
    - Implementing access permissions and authentication measures.
    - Monitoring access activities.
  • Security systems: Using security systems to detect and prevent unauthorised access, vulnerabilities and malware.
  • Encryption: Encrypting Personal Information at rest and during transmission where appropriate.
  • Physical Security: Securing data centres with appropriate access controls.
  • Incident Response Plan: Having procedures in place to handle potential data breaches.

8.1 Data Breach Notification

In the event of a data breach involving Personal Information, especially health information, we will:

  • Australia: Comply with the Notifiable Data Breaches scheme under the Australian Privacy Act, notifying the Office of the Australian Information Commissioner (“OAIC”) and affected individuals when required.
  • EU/UK GDPR:
    - Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.
    - Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • HIPAA:
    - Comply with the HIPAA Breach Notification Rule, notifying the U.S. Department of Health and Human Services (“HHS”) and affected individuals as required.
    - Notify prominent media outlets if the breach involves more than 500 residents of a state or jurisdiction.

9. International Data Transfers

Eyes of AI is based in Australia and utilises servers located in Australia and the United States. Your Personal Information may be transferred to, stored, and processed in countries other than your own.

9.1 Data Transfer Mechanisms

We ensure that international data transfers comply with applicable data protection laws by:

  • EU/UK GDPR:
    - Using Standard Contractual Clauses (“SCCs”) approved by the European Commission.
    - Transferring data to countries deemed by the European Commission to provide an adequate level of data protection.
  • Australian Privacy Act: Taking reasonable steps to ensure overseas recipients do not breach the Australian Privacy Principles.
  • HIPAA: Ensuring that PHI is transferred and stored in compliance with HIPAA requirements.
  • Additional Safeguards: Implementing supplementary measures where necessary, such as encryption and pseudonymisation.

9.2 Data Localisation Requirements

Some countries may have data localisation laws requiring Personal Information to be stored within their borders. We comply with such requirements where applicable.

10. Your Rights

Depending on your location and subject to applicable laws, you may have the following rights regarding your Personal Information:

  • Access: Request access to your Personal Information.
  • Correction: Request correction of inaccurate or incomplete Personal Information.
  • Erasure: Request deletion of your Personal Information.
  • Restriction: Request restriction of processing your Personal Information.
  • Objection: Object to processing your Personal Information for certain purposes.
  • Data Portability: Request transfer of your Personal Information to another organisation.
  • Withdraw Consent: Withdraw consent where processing is based on consent.

10.1 Exercising Your Rights

To exercise your rights, please contact us at info@eyesofai.com. We may need to verify your identity before processing your request. We will respond within the timeframes required by law.

10.2 HIPAA Rights

For individuals whose PHI we process under HIPAA, you have additional rights, including:

  • Right to Receive an Accounting of Disclosures: Obtain a list of certain disclosures of your PHI.
  • Right to Request Confidential Communications: Request that we communicate with you in a certain way or at a certain location.
  • Right to Amend: Request amendments to your PHI if you believe it is incorrect or incomplete.

11. Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience on our Website. A cookie is a small text file stored on your device when you visit a website.

11.1 Types of Cookies We Use

  • Essential Cookies: Necessary for the Website to function correctly.
  • Analytics Cookies: Help us understand how visitors interact with our Website.
  • Marketing Cookies: Used to deliver relevant advertisements to you.

11.2 Third-Party Analytics

We use third-party analytics services, including Google Analytics, Hotjar, and Bitly, which may collect information such as:

  • User Interaction Data: Heatmaps, session recordings, clicks, scrolls.
  • Device Information: Device type, screen resolution, operating system, browser type.
  • Geographic Location: Derived from anonymised IP addresses.
  • Session Data: Time spent on pages, navigation patterns.
  • Engagement Metrics: Bounce rates, referral URLs, marketing channel sources.
  • Demographics: Age range, gender, language preferences, internet connection speed.
  • User Feedback: Collected from tools like Hotjar.

11.3 Managing Cookies

Most web browsers allow you to control cookies through their settings preferences. You can choose to block or delete cookies, but this may affect the functionality of our Website.

12. Marketing Emails and Advertising

12.1 Email Communications

By providing your email address, you consent to receive emails from us, including newsletters, promotions, and updates. You can opt out at any time by clicking the unsubscribe link in the email or contacting us directly.

12.2 Targeted Advertising

We may use your email address and other Personal Information for customer audience targeting on platforms like LinkedIn and Facebook to display custom advertising to specific audiences who have opted in to receive communications from us. Target segments may include:

  • Location (e.g., country).
  • Industry (e.g., dentists, medical and diagnostic laboratories).
  • Fields of study (e.g., dentistry, orthodontics).

12.3 Use of Health Data in Marketing

We will only use health data for marketing purposes if we have obtained your explicit consent, in compliance with HIPAA, the Australian Privacy Act, EU GDPR, and UK GDPR. You may withdraw your consent at any time.

13. Children’s Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect Personal Information from children. If you are under 18, please do not use our services or provide any Personal Information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of any significant changes by updating the “Last Updated” date at the top of this policy and, where required, provide additional notice (e.g., by email or prominent notice on our Website).

15. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

  • Email: info@eyesofai.com
  • Postal Address:
    Eyes of AI
    Level 57, 25 Martin Place,
    Sydney, NSW 2000
    Australia

16. Additional Information for Specific Regions

16.1 Australia

We comply with the Australian Privacy Principles under the Australian Privacy Act 1988 (Cth). If you are in Australia and have a complaint about our handling of your Personal Information, you may contact the OAIC.

16.2 EEA and UK

If you are located in the EEA or the UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

Data Protection Officer (“DPO”)

For EEA/UK data subjects, you may contact our Data Protection Officer at: info@eyesofai.com

16.3 United States (HIPAA Compliance)

For individuals whose PHI we process under HIPAA, any concerns or complaints regarding our HIPAA compliance can be directed to our Privacy Officer: info@eyesofai.com

17. Policy Maintenance and Review

This policy will be reviewed regularly and updated as necessary to ensure compliance with legal obligations and best practices. All changes will be documented and retained for at least six (6) years from the date last in effect.