Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. HIPAA Compliance
- 5. Data Security
- 6. Information Sharing and Disclosure
- 7. Your Privacy Rights
- 8. Data Retention
- 9. Cookies and Tracking Technologies
- 10. International Data Transfers
- 11. Children's Privacy
- 12. Changes to This Privacy Policy
- 13. Contact Us
1. Introduction
Welcome to Cardio AI. We are committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered cardiovascular diagnostic platform and services.
By accessing or using Cardio AI's services, you agree to the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.
🏥 Healthcare Data Protection
As a healthcare technology platform, Cardio AI is committed to the highest standards of data protection and privacy, including full compliance with HIPAA (Health Insurance Portability and Accountability Act) and other applicable healthcare privacy regulations.
2. Information We Collect
2.1 Protected Health Information (PHI)
When you use our platform, we may collect the following types of health information:
- Patient Demographics: Name, date of birth, gender, contact information, medical record numbers
- Medical History: Past diagnoses, procedures, medications, allergies, family history
- Clinical Data: Vital signs, laboratory results, ECG data, imaging studies (CT, MRI, echocardiography)
- Diagnostic Results: AI-generated risk assessments, diagnostic predictions, clinical recommendations
- Device Data: Information from connected medical devices, wearables (heart rate, blood pressure, activity data)
2.2 Account and Usage Information
- Account Information: Username, password, email address, professional credentials
- Usage Data: Platform interactions, features accessed, search queries, session duration
- Technical Data: IP address, browser type, device information, operating system
- Communication Data: Support tickets, feedback, correspondence with our team
2.3 Automatically Collected Information
- Log files and analytics data
- Cookies and similar tracking technologies
- Performance and error reports
- Security and fraud detection data
3. How We Use Your Information
3.1 Primary Purposes
- Clinical Care: Provide AI-powered cardiovascular diagnostic analysis and risk assessment
- Treatment Support: Generate clinical recommendations and decision support
- Care Coordination: Facilitate communication between healthcare providers
- Quality Improvement: Monitor and improve diagnostic accuracy and platform performance
3.2 Secondary Purposes
- Research and Development: Improve AI algorithms and develop new diagnostic capabilities (using de-identified data)
- Platform Operation: Maintain, secure, and optimize our services
- Compliance: Meet legal and regulatory requirements
- Communication: Send important updates, security alerts, and service notifications
- Support: Respond to inquiries and provide technical assistance
Important: We will never use your health information for marketing purposes without your explicit consent.
4. HIPAA Compliance
⚕️ HIPAA Business Associate
Cardio AI operates as a HIPAA Business Associate for healthcare providers and covered entities. We execute Business Associate Agreements (BAAs) with all healthcare organizations that use our platform.
📋 HIPAA Notice of Privacy Practices
For a complete description of how we use and disclose your protected health information (PHI), your rights under HIPAA, and our responsibilities, please review our comprehensive Notice of Privacy Practices.
📄 View HIPAA Notice of Privacy Practices
You may also request a paper copy of this notice at any time by contacting our Privacy Officer at privacy@cardioailive.com or calling (614) 356-7890.
4.1 HIPAA Safeguards
- Administrative Safeguards: Privacy and security policies, workforce training, designated privacy and security officers
- Physical Safeguards: Secure data centers, controlled facility access, workstation security
- Technical Safeguards: Encryption, access controls, audit logs, secure transmission protocols
4.2 Permitted Uses and Disclosures
Under HIPAA, we may use and disclose PHI without authorization for:
- Treatment, payment, and healthcare operations
- Disclosures required by law
- Public health activities
- Health oversight activities
- Judicial and administrative proceedings (when required by court order)
4.3 Patient Rights Under HIPAA
- Right to access your health information
- Right to request corrections to your health information
- Right to an accounting of disclosures
- Right to request restrictions on uses and disclosures
- Right to receive confidential communications
- Right to receive a Notice of Privacy Practices
Note: For detailed information about each of these rights and how to exercise them, please refer to our HIPAA Notice of Privacy Practices.
5. Data Security
We implement industry-leading security measures to protect your information:
5.1 Encryption
- Data at Rest: AES-256 encryption for all stored data
- Data in Transit: TLS 1.3 encryption for all data transmissions
- End-to-End Encryption: For sensitive communications and data exchanges
5.2 Access Controls
- Multi-factor authentication (MFA) for all user accounts
- Role-based access control (RBAC) limiting data access to authorized personnel
- Automatic session timeouts and password policies
- Regular access reviews and audit logging
5.3 Infrastructure Security
- HIPAA-compliant cloud infrastructure (AWS/Azure)
- SOC 2 Type II certified data centers
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- Regular security assessments and penetration testing
- 24/7 security monitoring and incident response
5.4 Data Backup and Recovery
- Automated daily backups with encryption
- Geographic redundancy for disaster recovery
- Regular backup restoration testing
- Business continuity and disaster recovery plans
🔒 Security Incident Response
In the unlikely event of a data breach, we will notify affected individuals and relevant authorities within 72 hours as required by HIPAA and applicable regulations. Our incident response team follows established protocols to contain, investigate, and remediate security incidents.
6. Information Sharing and Disclosure
6.1 We Share Information With:
Healthcare Providers:
- Your treating physicians and care team members
- Consulting specialists and referral providers
- Healthcare facilities involved in your care
Business Associates:
- Cloud infrastructure providers (with BAAs in place)
- Data analytics and research partners (using de-identified data only)
- Third-party service providers supporting platform operations
Legal Requirements:
- Law enforcement or government agencies (when legally required)
- Legal proceedings (pursuant to valid court orders or subpoenas)
- Regulatory authorities (FDA, HHS, state health departments)
6.2 We Do NOT:
- ❌ Sell your personal or health information to third parties
- ❌ Share your information for marketing purposes without consent
- ❌ Disclose your data to unauthorized parties
- ❌ Use your health information for non-healthcare purposes
6.3 De-identified Data
We may use and share de-identified data (data that cannot reasonably be used to identify you) for research, algorithm development, quality improvement, and other purposes. De-identified data is not subject to the same protections as PHI under HIPAA.
7. Your Privacy Rights
7.1 Access and Portability
- Request a copy of your personal and health information
- Receive your data in a portable, machine-readable format
- Request direct transmission of your data to another provider
7.2 Correction and Amendment
- Request corrections to inaccurate information
- Add supplementary statements to your health records
7.3 Deletion and Restriction
- Request deletion of your personal information (subject to legal retention requirements)
- Request restrictions on how we use and disclose your information
- Object to certain data processing activities
7.4 Consent Withdrawal
- Withdraw consent for uses requiring authorization
- Opt out of non-essential communications
7.5 State-Specific Rights
California Residents (CCPA/CPRA):
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
To Exercise Your Rights: Contact our Privacy Office at privacy@cardioailive.com
8. Data Retention
We retain your information for different periods based on the type of data and legal requirements:
8.1 Health Records
- Medical Records: Minimum 6 years from last patient contact (or longer as required by state law)
- Minor Patient Records: Until age of majority plus applicable retention period
- Diagnostic Images: 7-10 years as required by applicable regulations
8.2 Other Data
- Account Information: Duration of active account plus 3 years
- Usage Logs: 2 years for security and audit purposes
- De-identified Research Data: Indefinitely for scientific purposes
8.3 Secure Deletion
When retention periods expire, we securely delete or anonymize data using industry-standard methods to prevent unauthorized recovery.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
Essential Cookies:
- Authentication and session management
- Security and fraud prevention
- Platform functionality
Analytics Cookies:
- Platform usage and performance monitoring
- Error detection and debugging
- User experience optimization
9.2 Your Cookie Choices
You can control cookies through your browser settings. Note that disabling certain cookies may limit platform functionality. We do not use cookies to track PHI or create individual patient profiles for non-healthcare purposes.
9.3 Do Not Track
We respect Do Not Track (DNT) browser signals. When DNT is enabled, we limit non-essential tracking.
10. International Data Transfers
Cardio AI primarily operates in the United States. If you access our services from outside the U.S., your information may be transferred to and processed in the United States or other countries where our service providers operate.
10.1 Data Transfer Safeguards
- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequacy decisions and appropriate safeguards
- Compliance with GDPR for European users
- Privacy Shield principles (where applicable)
10.2 GDPR Rights (EU/EEA Users)
European users have additional rights under GDPR, including:
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with supervisory authorities
11. Children's Privacy
Our platform may be used to provide care to patients of all ages, including children under 13. When treating pediatric patients:
- Parental/guardian consent is required for minors
- We comply with COPPA (Children's Online Privacy Protection Act)
- Special protections apply to pediatric health information
- Parents/guardians have the right to review and request deletion of their child's information
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date
- We will notify you via email or platform notification
- For material changes affecting PHI, we will obtain consent where required
- Previous versions will be archived and available upon request
Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Us
Privacy Office
For privacy-related questions, concerns, or to exercise your rights, please contact our Privacy Office:
Email: privacy@cardioailive.com
Phone: +1 614-967-8728
Mail:
Cardio AI Privacy Office
Dublin, Ohio
United States
Security Concerns
To report security vulnerabilities or incidents:
Email: security@cardioailive.com
General Inquiries
Email: info@cardioailive.com
Website: www.cardioailive.com
Questions About Your Privacy?
Our Privacy Office is here to help. Contact us at privacy@cardioailive.com or call (614) 356-7890.