Privacy Policy

Last updated March 01, 2026

Personal Information We Collect

In Short: We collect personal information that you provide to us and health data processed through our platform on behalf of our customers.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

  • Account Information. We collect names, email addresses, company names, job titles, and account credentials.
  • Payment Data. We may collect data necessary to process your payment if you subscribe to our services. All payment data is stored by our payment processor. We do not directly store full credit card numbers.
  • API Usage Data. We collect technical logs related to API calls, including request metadata, timestamps, and error codes for operational and billing purposes.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Health Data Processing

In Short: We process health data on behalf of our customers as a data processor. We do not own, sell, or use this data for our own purposes.

As a data infrastructure platform, Biosigna processes health data from wearable devices and health trackers on behalf of our customers (medical device companies). This data may include:

  • Wearable Data. Heart rate variability (HRV), sleep data, SpO2, activity metrics, stress levels, and other biometric signals from connected wearable devices.
  • Device Usage Data. Treatment session data, device parameters, and usage patterns from our customers' medical devices.
  • Matched Health Outcomes. Event-matched datasets combining device usage with health signals for analytics purposes.

Important: Data Processor Role

Biosigna acts as a data processor under GDPR and a business associate under HIPAA. Our customers are the data controllers. We process health data only as instructed by our customers and in accordance with our Data Processing Agreement (DPA). We never access, sell, or share patient data for our own commercial purposes.

Third-Party Health Integrations

Our platform connects to 500+ wearable devices and health data sources. When end-users (patients) connect their devices through our white-label UI or our customers' applications, we may access data through the following frameworks:

Apple HealthKit

We use Apple's HealthKit framework, which provides a central repository for health and fitness data on iPhone and Apple Watch. With explicit user consent, our platform can read health data including heart rate, sleep, activity, and other metrics. New data attributes may be added to the HealthKit framework and will require additional user consent.

Google Health Connect

We use Google's Health Connect SDK to access health and fitness data from Android devices and connected wearables. Data is only accessed with explicit user consent and is processed in accordance with this privacy policy.

Other Providers

We integrate with Oura, Garmin, Whoop, Polar, Fitbit, Samsung Health, Withings, and hundreds of other providers via their official APIs. Each integration requires explicit user authorization and adheres to the respective provider's data sharing policies.

How We Use Your Information

In Short: We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.

We use personal information collected via our Services for the following purposes:

  • Service Delivery. To provide you with the Platform services, including data ingestion, normalization, matching, and analytics.
  • Account Management. To facilitate account creation and logon, manage user accounts, and maintain service in working order.
  • Communications. To send administrative information including product updates, service changes, and policy updates.
  • Security. To protect our Services, detect fraud, and ensure the integrity of health data processing.
  • Legal Compliance. To enforce our terms, comply with legal obligations, and respond to legal requests.
  • Feedback and Support. To request feedback, respond to inquiries, and provide customer support.

Data Storage and Security

In Short: We aim to protect your data through enterprise-grade security measures and infrastructure.

  • Encryption. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). End-to-end encryption is available for sensitive health data streams.
  • Infrastructure. Our infrastructure is hosted on SOC 2 Type II certified cloud providers with data residency options in the EU and US.
  • Access Controls. We implement role-based access controls, audit logging, and regular security assessments. Employee access to health data is strictly limited and monitored.
  • No Third-Party Sharing. We do not sell, rent, or share personally identifiable health data with third parties. If we use sub-processors, they are bound by Data Processing Agreements with equivalent security requirements.

Will Your Information Be Shared with Anyone?

In Short: We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

We may process or share your data based on the following legal bases:

  • Consent. We may process your data if you have given us specific consent to use your personal information for a specific purpose.
  • Legitimate Interests. We may process your data when it is reasonably necessary to achieve our legitimate business interests.
  • Performance of a Contract. Where we have entered into a contract with you, we may process your personal information to fulfill the terms of our contract.
  • Legal Obligations. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
  • Business Transfers. We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Cookies and Tracking Technologies

In Short: We may use cookies and similar tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. These are used for authentication, analytics, and improving service quality. You can configure your browser to refuse cookies, though this may affect certain features of our Services.

How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law. Health data processed on behalf of our customers is retained in accordance with the terms of our Data Processing Agreement. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information.

How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through enterprise-grade organizational and technical security measures.

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These include HIPAA-compliant infrastructure, SOC 2 Type II certification, GDPR compliance, end-to-end encryption, and regular third-party security audits. However, despite our safeguards, no electronic transmission over the Internet can be guaranteed to be 100% secure.

Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@biosigna.ai.

What Are Your Privacy Rights?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Turkey, you have rights that allow you greater access to and control over your personal information.

In some regions, you have certain rights under applicable data protection laws. These may include the right:

  • To request access and obtain a copy of your personal information
  • To request rectification or erasure
  • To restrict the processing of your personal information
  • If applicable, to data portability
  • To object to the processing of your personal information
  • To withdraw your consent at any time

If you are a resident in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority.

If you have questions or comments about your privacy rights, you may email us at privacy@biosigna.ai.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your information. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our Terms of Service, and/or comply with applicable legal requirements.

Opting out of email marketing: You can unsubscribe from our marketing email list at any time by clicking the unsubscribe link in our emails or by contacting us. You will still receive service-related emails necessary for account administration.

Controls for Do-Not-Track Features

Most web browsers include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

Do California Residents Have Specific Privacy Rights?

In Short: Yes, if you are a resident of California, you are granted specific rights regarding access to your personal information.

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes.

Biosigna Health Technologies Inc. has not disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months. Biosigna Health Technologies Inc. will not sell personal information belonging to website visitors, users, and other consumers.

Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated “Revised” date and will be effective as soon as it is accessible. If we make material changes, we may notify you by prominently posting a notice or directly sending you a notification. We encourage you to review this privacy notice frequently.

How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may contact us:

Biosigna Health Technologies Inc.

Istanbul, Turkey

privacy@biosigna.ai

How Can You Review, Update, or Delete Your Data?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please email us at privacy@biosigna.ai.

Biosigna is a registered trademark of Biosigna Health Technologies Inc. The Platform is designed for use by medical device companies and healthcare organizations.