Summary: We collect only the data necessary to provide our services. Your research data is yours - we never sell it, share it with third parties for their marketing, or use it to train AI models without your explicit consent. You can export or delete your data at any time.
1. Information We Collect
Account Information
When you create an account, we collect:
- Identity data: Name, email address, and profile photo (optional)
- Professional data: Institution, department, role, and ORCID (optional)
- Credentials: Password (stored using industry-standard hashing)
- Billing data: Payment information processed securely through Stripe
Research Data
When you use our analysis tools, we process:
- Uploaded files: Video recordings, images, and data files you submit for analysis
- Analysis parameters: Settings and configurations you apply
- Results: Generated metrics, waveforms, and analysis outputs
- Annotations: Notes, labels, and metadata you add
- Projects: Organization structures and sharing settings
Usage Information
We automatically collect:
- Device data: Browser type, operating system, and device identifiers
- Log data: IP address, access times, pages viewed, and referring URLs
- Feature usage: Which tools and features you use and how often
- Performance data: Error reports and diagnostic information
2. How We Use Your Information
We use your information for the following purposes:
- Service delivery: To provide, maintain, and improve our analysis platform
- Processing: To run your analysis jobs and generate results
- Communication: To send service updates, security alerts, and support messages
- Security: To detect, prevent, and respond to fraud or security incidents
- Improvement: To understand usage patterns and improve our services
- Legal compliance: To meet regulatory and legal obligations
What we DON'T do: We do not sell your personal information. We do not use your research data to train machine learning models without explicit consent. We do not share your data with third parties for their marketing purposes.
3. Research Data Handling
We understand that research data is sensitive and valuable. Here's how we handle it:
- Ownership: You retain full ownership of all data you upload and results generated
- Access: Only you and users you explicitly share with can access your data
- Processing: Your data is processed solely to provide analysis services
- Isolation: Each user's data is logically isolated from other users
- No training: We do not use your research data to train our AI models without your explicit opt-in consent
- Export: You can export all your data in standard formats at any time
- Deletion: You can permanently delete your data at any time
4. Data Security
We implement comprehensive security measures to protect your information:
- Encryption at rest: All data encrypted using AES-256
- Encryption in transit: TLS 1.3 for all data transfers
- Infrastructure: Hosted on SOC 2 Type II compliant cloud infrastructure
- Access controls: Role-based access following the principle of least privilege
- Authentication: Multi-factor authentication available for all accounts
- Monitoring: 24/7 security monitoring and intrusion detection
- Auditing: Regular third-party security audits and penetration testing
- Incident response: Documented procedures for security incident handling
For detailed security information, see our Security page.
5. Data Retention
We retain your data according to these principles:
- Account data: Retained while your account is active and for 30 days after a deletion request
- Research data: Retained until you delete it or close your account
- Usage logs: Retained for 12 months for security and debugging purposes
- Billing records: Retained for 7 years for tax and legal compliance
- Backups: Retained for 90 days, then permanently deleted
6. Data Sharing
We may share your information in limited circumstances:
- Service providers: With vendors who help us operate (hosting, payment processing, support), under strict data protection agreements
- Your collaborators: With users you explicitly share projects or data with
- Legal requirements: When required by valid legal process or to protect rights and safety
- Business transfers: In connection with a merger or acquisition, with continued privacy protections
We never sell your personal information or research data to third parties.
7. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data
- Portability: Request your data in a machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Withdrawal: Withdraw consent where processing is based on consent
To exercise these rights, contact us at privacy@cardiomics.ai. We respond to all requests within 30 days.
8. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies: Required for authentication and basic functionality
- Preference cookies: Remember your settings and preferences
- Analytics cookies: Help us understand how you use our platform (can be disabled)
We do not use cookies for third-party advertising. You can manage cookie preferences in your browser settings.
9. International Transfers
Your data may be processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards, including:
- Standard Contractual Clauses approved by relevant authorities
- Data processing agreements with all service providers
- Technical measures to protect data regardless of location
10. Children's Privacy
Our service is designed for professional researchers and is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy periodically. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email for material changes
- Display a prominent notice on our platform
Your continued use of our services after changes constitutes acceptance of the updated policy.
For privacy-related questions or to exercise your rights, contact our Data Protection team:
We aim to respond to all inquiries within 30 days.