Privacy Policy
Last Updated: October 2025
1. Introduction
GreyDx.AI ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered clinical decision support platform and related services (collectively, the "Services").
As a Singapore-based healthcare technology company, we comply with the Personal Data Protection Act 2012 (PDPA) and are working towards compliance with international standards including HIPAA and GDPR.
2. Information We Collect
2.1 Patient Health Information
When healthcare providers use our Services, we may collect and process:
- Patient demographics (name, age, gender, contact information)
- Medical history and clinical notes
- Symptoms, diagnoses, and treatment information
- Laboratory results and vital signs
- Screening and assessment data
2.2 Healthcare Provider Information
We collect information about healthcare professionals using our platform:
- Professional credentials and registration numbers
- Contact information and practice details
- Account credentials and authentication data
- Usage patterns and interaction with our AI diagnostic tools
2.3 Technical and Usage Data
We automatically collect certain technical information:
- Device information (IP address, browser type, operating system)
- Log data and system activity
- Performance metrics and error reports
- Feature usage and interaction patterns
3. How We Use Your Information
We use the collected information for the following purposes:
- Clinical Decision Support: To provide AI-powered diagnostic suggestions and clinical insights
- Service Delivery: To operate, maintain, and improve our platform and features
- Patient Management: To facilitate patient registration, consultation workflows, and screening processes
- AI Model Training: To improve our machine learning models using de-identified data
- Security and Compliance: To detect fraud, ensure platform security, and maintain regulatory compliance
- Communication: To send service updates, technical notices, and support messages
- Analytics: To understand usage patterns and optimize user experience
4. Data Security Measures
We implement enterprise-grade security measures to protect your data:
- Encryption: End-to-end AES-256 encryption for data in transit and at rest
- Access Controls: Role-based access controls and multi-factor authentication
- Audit Trails: Complete logging of all data access and modifications
- PHI Protection: Automatic detection and protection of Protected Health Information
- Infrastructure Security: Secure cloud hosting with regular security audits
- Data Segregation: Logical separation of data between different healthcare organizations
5. PDPA Compliance (Singapore)
As a Singapore-based organization, we comply with the Personal Data Protection Act 2012 (PDPA):
- Consent: We obtain appropriate consent before collecting, using, or disclosing personal data
- Purpose Limitation: Personal data is collected for reasonable purposes and used only for those purposes
- Notification: We inform individuals about the purposes for which their data is collected
- Access and Correction: Individuals can request access to and correction of their personal data
- Accuracy: We take reasonable steps to ensure personal data is accurate and complete
- Protection: We implement appropriate security arrangements to protect personal data
- Retention: Personal data is retained only as long as necessary for legal or business purposes
- Transfer: We ensure adequate protection when transferring personal data outside Singapore
6. International Data Protection Standards
We are actively working towards compliance with international healthcare data protection standards:
6.1 HIPAA (United States)
We are implementing technical, physical, and administrative safeguards aligned with the Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting electronic Protected Health Information (ePHI).
6.2 GDPR (European Union)
We are working towards compliance with the General Data Protection Regulation (GDPR), including implementing data subject rights, privacy by design principles, and appropriate data processing agreements.
7. Data Sharing and Disclosure
We do not sell your personal information. We may share information in the following circumstances:
- Healthcare Providers: With authorized healthcare professionals within your organization
- Service Providers: With trusted third-party service providers who assist in operating our platform
- Legal Requirements: When required by law, court order, or government regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Consent: With your explicit consent for specific purposes
All third-party service providers are contractually obligated to maintain the confidentiality and security of your data.
8. Your Rights
You have the following rights regarding your personal data:
- Access: Request access to the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal obligations)
- Portability: Request a copy of your data in a structured, machine-readable format
- Withdrawal of Consent: Withdraw consent for data processing where applicable
- Objection: Object to certain types of data processing
To exercise these rights, please contact us at info@greydx.ai.
9. Data Retention
We retain personal data for as long as necessary to:
- Provide our Services and fulfill the purposes described in this policy
- Comply with legal, regulatory, and professional obligations
- Resolve disputes and enforce our agreements
- Maintain business records and audit trails
Healthcare data is typically retained for a minimum of 7 years in accordance with medical record retention requirements, unless a longer retention period is required by law or you request earlier deletion.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
- Maintain user sessions and authentication
- Remember user preferences and settings
- Analyze platform usage and performance
- Improve user experience and functionality
You can control cookie settings through your browser preferences. Note that disabling certain cookies may affect platform functionality.
11. Third-Party Services
Our platform is designed to integrate with Electronic Health Record (EHR) systems and other healthcare IT platforms. When you use these integrations:
- Data may be shared with your chosen EHR system according to your integration settings
- Third-party systems have their own privacy policies and data practices
- We are not responsible for the privacy practices of third-party systems
- We recommend reviewing the privacy policies of any integrated systems
12. Children's Privacy
Our Services are designed for use by healthcare professionals and are not directed to individuals under 18 years of age. While our platform may process health information about pediatric patients as part of clinical care, we do not knowingly collect personal information directly from children. Healthcare providers are responsible for obtaining appropriate consent from parents or guardians when treating pediatric patients.
13. International Data Transfers
Your data is primarily stored and processed in Singapore. If we transfer data to other countries, we ensure appropriate safeguards are in place, including standard contractual clauses, adequacy decisions, or other legally approved transfer mechanisms to protect your data in accordance with applicable laws.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending email notifications to registered users
- Displaying prominent notices within our platform
Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
GreyDx.AI
Email: info@greydx.ai
Address: 2, Venture Drive #19-21, Vision Exchange, Singapore 608526
Data Protection Officer: Available upon request
Acknowledgment: By using GreyDx.AI Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our Services.