Privacy Policy

How NeuralCare AI collects, processes, and protects personal data in compliance with HIPAA, GDPR, CCPA, and NHS IG standards.

Last updated: January 1, 2025

1. Overview

NeuralCare AI Inc. ("NeuralCare," "we," "us") is committed to protecting the privacy of all individuals who interact with our platform, APIs, and websites. This Privacy Policy describes how we collect, use, and safeguard information in accordance with HIPAA, GDPR (EU/UK), CCPA, and NHS Information Governance standards.

2. Information We Collect

We collect the following categories of information:

  • Account information: Name, email address, organization name, and role provided during registration.
  • API usage data: Request metadata including timestamps, model IDs, inference latency, and error codes — not patient record content.
  • Federated gradient updates: Differentially private gradient aggregates from participating institutions. These cannot be used to reconstruct any individual patient record.
  • Website analytics: IP address, browser type, page views, and session duration, collected via privacy-preserving analytics.

3. Patient Data and HIPAA

NeuralCare AI processes Protected Health Information (PHI) solely as a Business Associate under a signed BAA. We do not use PHI for any purpose other than providing the Services contracted by the covered entity. Patient data processed through our FHIR API endpoints is encrypted at rest (AES-256) and in transit (TLS 1.3), and is not retained beyond the inference session unless explicitly configured by the customer.

4. GDPR Rights (EU/UK Users)

Data subjects in the EU and UK have rights including: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. To exercise these rights, contact our Data Protection Officer at dpo@neuralcareai.tech. Our EU data processing is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission.

5. Data Retention

Account data is retained for the duration of the customer relationship plus 3 years for audit purposes. API logs are retained for 90 days unless extended by customer configuration. Federated gradient aggregates are deleted after each training round.

6. Sub-processors

We use a limited number of sub-processors for infrastructure (cloud compute), authentication, and support tooling. All sub-processors are contractually bound to equivalent data protection standards. A current sub-processor list is available upon request.

7. Contact

Privacy queries: privacy@neuralcareai.tech
DPO: dpo@neuralcareai.tech