Privacy Policy

INTRODUCTION AND SCOPE

Healioscan, Inc. (“Healioscan,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website healioscan.com and use our services.

This Privacy Policy applies to information we collect through our website and does not apply to information collected through our PAMLEE™ HUB clinical platform, which is governed by separate agreements and HIPAA Business Associate Agreements where applicable.

Please read this Privacy Policy carefully. By accessing or using our website, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

INFORMATION WE COLLECT

CONTACT INFORMATION When you contact us, request information, create an account, or sign up for updates, we may collect:

  • Full name
  • Email address
  • Phone number
  • Professional credentials and license information (for healthcare professionals)
  • Company or institution name
  • Job title and specialty

USAGE DATA AND ANALYTICS We automatically collect certain information about your device and how you interact with our website:

  • IP address and geographic location
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Pages visited and time spent on pages
  • Referring website addresses
  • Click patterns and navigation paths
  • Date and time of visits
  • Search queries within our site

COOKIE DATA AND TRACKING TECHNOLOGIES We use cookies, web beacons, and similar tracking technologies to collect information about your browsing behavior. This includes:

  • Session cookies (temporary, deleted when browser closes)
  • Persistent cookies (remain until expiration or manual deletion)
  • First-party cookies (set by Healioscan)
  • Third-party cookies (set by analytics and advertising partners)
  • Local storage data
  • Analytics identifiers

For more information about our use of cookies, please see our Cookie Policy.

DEVICE INFORMATION

  • Device identifiers and hardware information
  • Screen resolution and display settings
  • Network information and connection type
  • Performance metrics

CLINICAL DATA HANDLING – IMPORTANT Our public website does NOT collect, store, or process any Protected Health Information (PHI), patient data, or individually identifiable health information. We do not collect medical records, diagnostic images, test results, or any other clinical data through this website.

Any clinical data processed through PAMLEE™ HUB is handled separately under HIPAA-compliant systems and Business Associate Agreements, not through this public website.

If you inadvertently submit PHI or patient data through our public website contact forms, please notify us immediately at service@healioscan.com so we can delete it.

INFORMATION YOU PROVIDE TO US

  • Comments, questions, or feedback submitted through contact forms
  • Information provided when you request a demo or product information
  • Professional inquiries and partnership proposals
  • Support ticket submissions
  • Newsletter subscription preferences
  • Event registration information
  • Survey responses

LEGAL BASIS FOR PROCESSING (GDPR COMPLIANCE)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data based on the following legal grounds:

CONSENT When you provide explicit consent (e.g., subscribing to newsletters, accepting cookies)

CONTRACT PERFORMANCE When processing is necessary to fulfill a contract with you or take pre-contractual steps

LEGITIMATE INTERESTS When we have a legitimate business interest that does not override your rights:

  • Improving our website and services
  • Conducting analytics and research
  • Preventing fraud and enhancing security
  • Direct marketing to existing customers

LEGAL OBLIGATION When required to comply with applicable laws and regulations

HOW WE USE YOUR INFORMATION

SERVICE PROVISION AND IMPROVEMENT

  • Provide, maintain, and improve our website and services
  • Respond to your inquiries and provide customer support
  • Process your requests for information or demonstrations
  • Personalize your experience on our website
  • Conduct research and development to enhance PAMLEE™ HUB technology
  • Analyze usage patterns to optimize website performance
  • Troubleshoot technical issues

COMMUNICATION AND SUPPORT

  • Send you technical notices, updates, and security alerts
  • Provide customer service and support
  • Respond to your comments, questions, and requests
  • Send administrative information about your account or our services
  • Notify you about changes to our Terms of Service or Privacy Policy

MARKETING (WITH OPT-OUT OPTIONS)

  • Send you newsletters, promotional materials, and product updates (only with your consent)
  • Inform you about new features, research publications, and company news
  • Invite you to events, webinars, and conferences
  • You may opt out of marketing communications at any time using the unsubscribe link in emails

SECURITY AND FRAUD PREVENTION

  • Detect, prevent, and address technical issues, fraud, and security threats
  • Monitor and analyze security incidents
  • Enforce our Terms of Service and protect our legal rights
  • Comply with legal obligations and requests from law enforcement

ANALYTICS AND RESEARCH

  • Understand how users interact with our website
  • Measure the effectiveness of our content and marketing campaigns
  • Conduct aggregate statistical analysis
  • Improve user experience and website functionality

DATA SHARING AND DISCLOSURE

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:

SERVICE PROVIDERS AND PROCESSORS We share information with third-party service providers who perform services on our behalf:

  • Website hosting providers (Hostinger)
  • Email service providers and marketing platforms
  • Analytics providers (Google Analytics)
  • Customer relationship management (CRM) systems
  • Support ticket management systems (SupportCandy)
  • Payment processors (if applicable)
  • IT service providers and security consultants

These service providers are contractually obligated to use your information only for the purposes we specify and to maintain appropriate security measures.

LEGAL REQUIREMENTS AND COMPLIANCE We may disclose your information if required to do so by law or in response to:

  • Subpoenas, court orders, or legal processes
  • Requests from government agencies or law enforcement
  • National security or public safety requirements
  • Protection of our rights, property, or safety
  • Investigation of fraud, security issues, or Terms of Service violations

BUSINESS TRANSFERS In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your information.

WITH YOUR CONSENT We may share your information for any other purpose with your explicit consent.

AGGREGATE AND DE-IDENTIFIED DATA We may share aggregate, de-identified, or anonymized information that cannot reasonably be used to identify you, including for research, marketing, or analytics purposes.

EXPLICIT STATEMENT – DATA IS NEVER SOLD We do not and will never sell your personal information to third parties, data brokers, or advertising networks.

INTERNATIONAL DATA TRANSFERS

Healioscan is based in the United States, and your information will be processed and stored on servers located in the United States. If you are accessing our website from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country.

For users in the EEA, UK, or Switzerland, we implement appropriate safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally compliant transfer mechanisms

By using our services, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.

DATA RETENTION POLICIES AND SCHEDULES

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

CONTACT FORM SUBMISSIONS Retained for 2 years from submission date, then automatically deleted unless required for ongoing customer relationship or legal compliance.

ANALYTICS DATA Google Analytics data is retained for 26 months (default GA4 retention period), then automatically deleted. IP addresses are anonymized.

COOKIES

  • Session cookies: Deleted when browser closes
  • Persistent cookies: Retained according to expiration date (typically 1-2 years)
  • Cookie preferences: Retained for 1 year

SUPPORT TICKETS Retained for 3 years after ticket closure for quality assurance and support continuity, then archived or deleted.

NEWSLETTER SUBSCRIPTIONS Retained until you unsubscribe or for 2 years of inactivity, whichever comes first.

ACCOUNT DATA Retained until you request account deletion. Following deletion request, data is removed within 30 days except where retention is required by law.

BUSINESS RECORDS Certain information may be retained longer to comply with legal, accounting, or regulatory requirements (typically 7 years for financial records).

SECURITY MEASURES

We implement appropriate technical and organizational security measures to protect your personal information:

ENCRYPTION STANDARDS

  • All data transmitted between your browser and our servers is encrypted using TLS 1.3 or higher
  • Sensitive data stored in databases is encrypted at rest using AES-256 encryption
  • Encryption keys are securely managed and regularly rotated

ACCESS CONTROLS

  • Role-based access control (RBAC) limits employee access to personal data
  • Multi-factor authentication (MFA) required for administrative access
  • Regular access reviews and revocation of unnecessary privileges
  • Principle of least privilege applied across all systems

HIPAA/GDPR COMPLIANCE FRAMEWORKS

  • Administrative, physical, and technical safeguards aligned with HIPAA Security Rule
  • Data processing agreements with all third-party processors
  • Regular security audits and vulnerability assessments
  • Compliance with GDPR requirements for EU data subjects

INCIDENT RESPONSE PROCEDURES

  • 24/7 security monitoring and intrusion detection
  • Incident response plan with defined escalation procedures
  • Notification to affected individuals within 72 hours of confirmed breach (GDPR requirement)
  • Breach notification to relevant authorities as required by law

ADDITIONAL SECURITY MEASURES

  • Regular security patches and software updates
  • Firewall protection and DDoS mitigation
  • Secure backup procedures with encrypted offsite storage
  • Employee security training and confidentiality agreements
  • Physical security controls for server facilities

Despite our security measures, no system is completely secure. We cannot guarantee the absolute security of your information.

YOUR RIGHTS AND CHOICES

Depending on your location, you may have the following rights regarding your personal information:

RIGHT TO ACCESS PERSONAL DATA You have the right to request a copy of the personal information we hold about you. We will provide this information in a commonly used electronic format within 30 days of your verified request.

RIGHT TO CORRECTION/RECTIFICATION You may request that we correct any inaccurate or incomplete personal information we have about you.

RIGHT TO DELETION/ERASURE (“Right to be Forgotten”) You may request deletion of your personal information, subject to certain legal exceptions (e.g., records we must retain for compliance purposes). We will respond to deletion requests within 30 days.

RIGHT TO DATA PORTABILITY You have the right to receive your personal information in a structured, machine-readable format and to transmit it to another controller.

RIGHT TO WITHDRAW CONSENT Where we process your information based on consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before withdrawal.

RIGHT TO OBJECT You have the right to object to processing of your personal information for:

  • Direct marketing purposes (we will stop processing immediately)
  • Processing based on legitimate interests (we will stop unless we have compelling legitimate grounds)

RIGHT TO LODGE COMPLAINTS You have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights. For EU residents, you may contact your local data protection authority.

TO EXERCISE YOUR RIGHTS Email us at service@healioscan.com. Include “Privacy Rights Request” in the subject line and provide:

  • Your full name and email address
  • Specific right you wish to exercise
  • Details of your request

We may require additional information to verify your identity before processing your request.

CHILDREN’S PRIVACY PROTECTIONS (COPPA COMPLIANCE)

Our website is not intended for children under the age of 18, and we do not knowingly collect personal information from children under 18.

If you are under 18 years of age, do not use our website or provide any information to us. If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact us immediately at service@healioscan.com.

Upon verification, we will delete such information from our systems within 30 days. We are committed to compliance with the Children’s Online Privacy Protection Act (COPPA) and similar laws worldwide.

CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA COMPLIANCE)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

RIGHT TO KNOW You have the right to request information about:

  • Categories of personal information we collect
  • Sources from which we collect personal information
  • Purposes for collecting and using personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we have collected about you

RIGHT TO DELETE You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

RIGHT TO OPT-OUT OF SALE OR SHARING While we do not sell personal information, you have the right to opt out if our practices change. We also do not share personal information for cross-context behavioral advertising.

RIGHT TO CORRECT You have the right to request correction of inaccurate personal information.

RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION If we collect sensitive personal information (as defined by CPRA), you have the right to limit its use.

RIGHT TO NON-DISCRIMINATION We will not discriminate against you for exercising your CCPA rights, including by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different levels of quality
  • Suggesting you will receive different prices or quality

TO EXERCISE CALIFORNIA RIGHTS Email service@healioscan.com with “California Privacy Request” in the subject line. We will respond within 45 days (this period may be extended once by 45 additional days if necessary).

CALIFORNIA “SHINE THE LIGHT” LAW California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not share personal information with third parties for their direct marketing purposes.

POLICY UPDATE NOTIFICATION PROCEDURES

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

  • Updating the “Last Updated” date at the top of this Privacy Policy
  • Posting a prominent notice on our website homepage
  • Sending email notification to registered users (for significant changes)
  • Displaying an in-app notification (if applicable)

We encourage you to review this Privacy Policy periodically. Your continued use of our services after we post changes constitutes your acceptance of the updated Privacy Policy.

For significant changes that materially affect your rights or how we use your information, we will provide at least 30 days’ advance notice and may require your explicit consent.

CONTACT INFORMATION FOR PRIVACY INQUIRIES

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Healioscan, Inc.
Email: service@healioscan.com
Subject Line: Privacy Inquiry
Website: https://healioscan.com/privacy-policy

  • For California-specific requests: Include “California Privacy Request” in the subject line
  • For GDPR-related requests: Include “GDPR Request” in the subject line
  • For general privacy questions: Include “Privacy Inquiry” in the subject line

We will respond to all privacy inquiries within 30 days.

ACKNOWLEDGMENT

BY USING OUR WEBSITE AND SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS.

PRIVACY POLICY - AI/HEALTHCARE DATA ADDITIONS

PAMLEE™ DEMO DATA PROCESSING If you interact with public demonstrations of PAMLEE™ HUB technology on our website (such as sample image analysis or educational demos), we may temporarily process the data you submit for demonstration purposes only. Demo data is: (1) Processed in real-time and NOT permanently stored; (2) Automatically deleted within 24 hours of submission; (3) Used solely to generate AI outputs for your viewing; (4) NOT used for AI model training or improvement without your explicit consent; (5) Kept separate from any identifiable user information. DO NOT submit actual protected health information (PHI), real patient data, or any identifiable medical information to public demos. Demo features are for educational illustration only, not clinical use.

ANONYMIZATION PROTOCOLS FOR HEALTH-RELATED DATA Any health-related information collected through our website (such as general health inquiries, research interests, or professional specialty information) is subject to strict anonymization protocols: (1) Direct identifiers (names, addresses, medical record numbers) are separated from health-related data; (2) Data is aggregated and de-identified before any analysis or research use; (3) Individual-level health information is never shared with third parties; (4) Geographic information is limited to state or country level (no precise locations); (5) Re-identification is technically and contractually prohibited. We apply HIPAA de-identification standards even to non-PHI health data as a best practice.

NO STORAGE OF SENSITIVE HEALTH DATA WITHOUT CONSENT Our public website does NOT collect, store, or process: (1) Protected Health Information (PHI) as defined by HIPAA; (2) Diagnostic images, medical scans, or clinical imaging data; (3) Patient medical records or electronic health records (EHRs); (4) Laboratory test results, genetic data, or pathology reports; (5) Prescription information or medication histories; (6) Individual health status, conditions, or treatment information. If you inadvertently submit sensitive health data through a contact form or other public website feature, please immediately notify us at service@healioscan.com with the subject line “PHI Removal Request” so we can delete it within 24 hours.

NO PHI COLLECTION UNLESS EXPLICITLY AUTHORIZED We do NOT collect protected health information (PHI) through our public website unless you have: (1) Entered into a HIPAA Business Associate Agreement (BAA) with Healioscan; (2) Provided explicit written authorization for PHI disclosure; (3) Confirmed that you have appropriate patient consent or legal authority to share the information; (4) Accessed HIPAA-compliant systems separate from our public website (e.g., PAMLEE™ HUB clinical platform under BAA). Our public website is NOT a HIPAA-compliant platform for PHI transmission. Use only authorized, encrypted channels for any PHI sharing.

HIPAA COMPLIANCE MEASURES (for authorized clinical systems) For healthcare professionals who have entered Business Associate Agreements and access PAMLEE™ HUB clinical systems (separate from this public website): (1) All PHI is encrypted in transit (TLS 1.3+) and at rest (AES-256); (2) Access controls include multi-factor authentication, role-based permissions, and audit logging; (3) PHI is stored on HIPAA-compliant servers with physical and technical safeguards; (4) We maintain required breach notification procedures (60-day notification timeline); (5) Business Associate Agreements are in place with all subcontractors who may access PHI; (6) Regular HIPAA security risk assessments are conducted; (7) Minimum necessary principle is applied to all PHI access. Our public website (healioscan.com) is NOT covered by these HIPAA protections.

ENCRYPTION STANDARDS FOR CLINICAL DATA For any clinical data processed through authorized PAMLEE™ HUB systems (not the public website): (1) All data transmission uses TLS 1.3 encryption with perfect forward secrecy; (2) Data at rest is encrypted using AES-256-GCM with hardware security modules for key management; (3) Encryption keys are rotated every 90 days; (4) End-to-end encryption is available for highly sensitive data transmissions; (5) Database-level encryption is implemented with column-level encryption for PHI fields; (6) Backup data is encrypted using the same standards as production data; (7) Encryption algorithms meet NIST FIPS 140-2 standards.

DATA RETENTION POLICIES FOR HEALTH-RELATED INFORMATION Health-related information collected through our website is retained according to these schedules: (1) General health inquiries (contact forms): 2 years, then deleted; (2) Professional specialty information (for healthcare provider accounts): Retained while account is active + 1 year; (3) Research interests and collaboration inquiries: 3 years, then anonymized; (4) Demo interaction data: 24 hours, then automatically deleted; (5) AI-generated outputs from demos: Not stored beyond the user session; (6) Healthcare provider credentials: Retained while account active, deleted 30 days after account closure. For clinical data processed under BAA in PAMLEE™ HUB systems, retention follows HIPAA requirements and contractual agreements (typically 7 years post-patient encounter).

THIRD-PARTY AI SERVICE PROVIDERS DISCLOSURE PAMLEE™ HUB uses certain cloud infrastructure and AI computation services that may process data on our behalf: (1) Cloud hosting providers (AWS, Microsoft Azure, or Google Cloud) with HIPAA BAAs in place; (2) GPU computation providers for AI model inference; (3) Data storage and backup services with encryption and access controls; (4) Analytics services for system performance monitoring (no PHI). All third-party AI service providers: (1) Have executed HIPAA Business Associate Agreements; (2) Maintain SOC 2 Type II or ISO 27001 certification; (3) Implement encryption for all data at rest and in transit; (4) Are contractually prohibited from using Healioscan data for their own purposes; (5) Undergo regular security audits. We maintain a list of all subcontractors and data processors available upon request.

PATIENT RIGHTS UNDER HIPAA For individuals whose protected health information is processed through PAMLEE™ HUB clinical systems (not the public website) under a Business Associate Agreement with a covered entity: You have the following HIPAA rights: (1) Right to access your PHI and receive a copy within 30 days; (2) Right to request correction of inaccurate PHI; (3) Right to an accounting of PHI disclosures for the past 6 years; (4) Right to request restrictions on PHI use and disclosure; (5) Right to request confidential communications; (6) Right to be notified of breaches affecting your PHI; (7) Right to file a complaint with the Office for Civil Rights if you believe your rights were violated. To exercise these rights, contact the healthcare provider (covered entity) who submitted your information to PAMLEE™ HUB, not Healioscan directly.

AI MODEL TRAINING DISCLOSURE We may use anonymized, de-identified data from PAMLEE™ HUB usage to improve our AI models and algorithms, but ONLY under these conditions: (1) Data must be fully de-identified per HIPAA Safe Harbor or Expert Determination standards; (2) All 18 HIPAA identifiers are removed (names, dates, ZIP codes, etc.); (3) Re-identification is technically and contractually prohibited; (4) Healthcare providers covered by BAAs can opt out of data use for model training; (5) Individual patients can request exclusion through their healthcare provider. We NEVER use: (1) Raw identifiable patient data for training; (2) Data from public website demos for AI training without consent; (3) Data in violation of BAA or patient consent restrictions. Our AI models are trained primarily on publicly available research datasets and fully anonymized data.

OPT-OUT OPTIONS FOR DATA USAGE IN TRAINING Healthcare professionals and institutions can opt out of having anonymized data used for AI model improvement: (1) Contact service@healioscan.com with “Training Opt-Out Request” in the subject line; (2) Include your institution name and account details; (3) Specify whether opt-out applies to all data or specific types; (4) We will implement opt-out within 30 days and confirm via email; (5) Opt-out preferences are maintained indefinitely unless you change them. Patients: Contact your healthcare provider to request opt-out of data use for research or model training. We honor all opt-out requests, though AI model performance may be reduced for future analyses if training data is limited.

ANONYMIZATION BEFORE ANY TRAINING USE Before ANY data is used for AI model training, improvement, or research purposes, we apply rigorous anonymization: (1) All HIPAA identifiers are removed using automated and manual review processes; (2) Expert determination certifies data cannot be re-identified; (3) Dates are generalized (year only, or shifted by random offset); (4) Rare or unique characteristics are suppressed or generalized; (5) Small cell sizes (<5 cases) are aggregated or excluded; (6) Independent privacy experts review de-identification methods annually. Data is considered anonymized ONLY after these procedures and cannot be re-associated with any individual.

PROFESSIONAL USER DATA SEPARATION Data collected from healthcare professionals using PAMLEE™ HUB (professional users) is stored and processed separately from: (1) Public website visitor data; (2) Patient data processed by healthcare providers; (3) Marketing and contact information. Professional user data includes: (1) License numbers and professional credentials (encrypted); (2) Clinical specialty and practice information; (3) Usage patterns and feature preferences; (4) Support requests and training materials accessed; (5) Professional contact information. This data is used solely for: (1) Account management and access control; (2) Product improvement and feature development; (3) Professional education and support; (4) Compliance and audit purposes. Professional data is NOT sold, shared for marketing, or used for patient care decisions.

CLINICAL WORKFLOW INTEGRATION DATA HANDLING If PAMLEE™ HUB integrates with your institution’s clinical workflow systems (EHR, PACS, RIS), we collect integration data such as: (1) System compatibility and technical specifications; (2) Workflow efficiency metrics (time savings, case volume); (3) Integration error logs and performance data; (4) User feedback on clinical workflow; (5) Anonymized case mix and specialty distribution. This data helps us: (1) Improve system compatibility and reliability; (2) Optimize clinical workflow efficiency; (3) Reduce integration errors and downtime; (4) Provide better technical support. Integration data does NOT include patient PHI and is subject to separate data processing agreements with healthcare institutions.

SEPARATION OF PROFESSIONAL VS. PUBLIC USER DATA We maintain strict separation between: (1) PUBLIC WEBSITE USERS: General visitors, researchers, investors, media; data collected is minimal (analytics, contact forms, marketing preferences); stored in standard web hosting infrastructure; (2) PROFESSIONAL USERS: Licensed healthcare providers accessing PAMLEE™ HUB; data includes credentials, clinical usage, professional contact info; stored in HIPAA-compliant systems with enhanced security; (3) PATIENT DATA: PHI processed on behalf of healthcare providers under BAAs; highest level of protection; separate encrypted databases; strict access controls. These three categories are technically isolated with separate databases, access controls, and security measures. Cross-category data sharing is prohibited.