Privacy Policy

This Privacy Policy explains how Clinytix ("Company," "we," "our," or "us") collects, uses, stores, and protects information in connection with the Clinytix CDSS platform. By using the platform, you agree to the practices described in this Policy. If you do not agree, you must not use the platform.

Contents
  1. Information We Collect
  2. How We Use Information
  3. Patient Data and Clinical Documents
  4. AI Processing and the No-Training Commitment
  5. Data Anonymisation and PHI Protection
  6. Data Storage and Security
  7. Data Sharing and Third Parties
  8. Data Retention
  9. Cookies and Analytics
  10. Your Rights
  11. Healthcare Data Compliance
  12. Cross-Border Data Transfers
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact and Data Controller

1. Information We Collect

We collect three categories of information:

a) Account and Registration Data

When you create an account or subscribe to Clinytix CDSS, we collect: name, email address, professional role and specialty, institution name, billing and payment details (processed by our payment provider — we do not store full card numbers), and plan/subscription information.

b) Platform Usage Data

We collect information about how you interact with the platform, including: login timestamps and session duration, features accessed, analysis runs initiated, documents uploaded (metadata only — see Section 3 for patient document handling), and error and diagnostic logs. This data is used to operate, maintain, and improve the platform.

c) Patient and Clinical Data (uploaded by you)

Physicians upload clinical documents and enter patient information as part of normal platform use. This data is owned by you. How we handle it is described in detail in Sections 3, 4, and 5.

2. How We Use Information

Purpose | Data used | Basis
Providing and operating the platform | Account data, usage data, clinical data | Contract performance
Processing AI specialist analysis | Clinical documents (anonymised) | Contract performance
Billing and subscription management | Account data, billing data | Contract performance; legal obligation
Platform security and fraud prevention | Account data, usage data | Legitimate interests
Sending service and account notifications | Email address | Contract performance
Responding to support enquiries | Account data, content of support request | Legitimate interests
Aggregated, de-identified platform analytics | Usage data (no patient data) | Legitimate interests

We do not use your information for unsolicited marketing communications without your explicit consent, which may be withdrawn at any time.

3. Patient Data and Clinical Documents

Clinical documents and patient data uploaded to Clinytix CDSS are your data. You are the data controller for any patient information you input into the platform. Clinytix acts as a data processor on your behalf, processing patient data solely to deliver the clinical decision-support services you have requested.

We do not:

  • Access patient data for any purpose other than providing and operating the platform services you have subscribed to;
  • Share, sell, or disclose patient data to any third party except as strictly necessary to operate the AI analysis services (see Section 7);
  • Use patient data for internal research, product development, or any purpose not directly related to delivering your requested analysis.

You are responsible for ensuring that you have the legal authority and patient consent required under applicable law to upload and process patient data using Clinytix CDSS, and for ensuring that your use of the platform complies with all applicable data protection and healthcare privacy laws in your jurisdiction.

4. AI Processing and the No-Training Commitment

Your patient data is never used to train AI models. Clinytix CDSS sends clinical documents to third-party AI service providers solely to generate the specialist analysis you requested. This processing is governed by data processing agreements that explicitly prohibit the use of submitted data for model training, fine-tuning, or any purpose beyond generating the requested output for the current session.

Specifically:

  • No patient data, clinical documents, or AI-generated analysis outputs are retained by any AI service provider for training purposes;
  • AI processing is transactional — documents are submitted per session and are not stored or indexed by the AI provider;
  • Clinytix itself does not use patient data or AI outputs to train, adapt, or improve any model;
  • Aggregate, fully anonymised and de-identified platform performance metrics (not patient data) may be used for internal platform improvement.

5. Data Anonymisation

Clinytix CDSS incorporates a built-in anonymisation layer that de-identifies patient data prior to transmission to external AI services. This process is designed to ensure that no personally identifiable information is transmitted to external AI providers in a form that could identify an individual patient.

The anonymisation layer operates on:

  • Patient demographics included in the analysis context (name, date of birth, contact details);
  • Any free-text fields submitted as part of the analysis prompt.

Uploaded clinical documents are processed in their original format (PDF, JPEG, PNG) by the AI vision system. Where such documents contain patient-identifying information embedded in the document content, you are responsible for de-identifying those documents prior to upload where required by applicable law.

6. Data Storage and Security

All data is stored on secure, access-controlled servers. We implement the following technical and organisational measures to protect your data:

  • Encryption in transit (TLS 1.2 or higher) for all data transmitted to and from the platform;
  • Encryption at rest for stored clinical documents and database records;
  • Access controls limiting data access to authorised personnel on a need-to-know basis;
  • Audit logging of all access to patient data and AI-generated outputs within the platform;
  • Regular security reviews and vulnerability assessments.

No method of electronic storage or transmission is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you in accordance with applicable legal requirements.

7. Data Sharing and Third Parties

We share data only in the following limited circumstances:

  • AI service providers: Anonymised clinical data is transmitted to our AI service providers solely to generate specialist analysis outputs. This is governed by data processing agreements that prohibit use of data for training. See Section 4.
  • Payment processors: Billing data is processed by our payment provider. We do not store full payment card details.
  • Infrastructure providers: Cloud hosting and database services used to operate the platform may process account and usage data as data processors under our direction.
  • Legal obligations: We may disclose data where required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Clinytix, its users, or the public.

We do not sell, rent, or trade any personal data or patient data to third parties for commercial purposes.

8. Data Retention

We retain data for the following periods:

Data type | Retention period
Account and registration data | Duration of account + 12 months
Billing and transaction records | 7 years (statutory requirement)
Uploaded clinical documents | Duration of account; deleted within 30 days of account closure on request
AI-generated analysis outputs | Duration of account; deleted within 30 days of account closure on request
Platform usage and audit logs | 12 months from creation
Support correspondence | 3 years from last interaction

Upon account termination, you may request a full export of your clinical data and analysis outputs within 30 days. After this period, data will be permanently deleted unless retention is required by law.

9. Cookies and Analytics

The Clinytix CDSS platform application uses strictly necessary session cookies to maintain your authenticated session. No third-party advertising or behavioural tracking cookies are used within the clinical platform.

The Clinytix marketing website (clinytix.ai) may use analytics cookies to understand aggregate visitor behaviour. You can control cookie preferences through your browser settings.

10. Your Rights

Subject to applicable law, you have the following rights regarding your personal data held by Clinytix:

  • Access: Request a copy of the personal data we hold about you;
  • Correction: Request correction of inaccurate or incomplete data;
  • Deletion: Request deletion of your personal data, subject to legal retention obligations;
  • Portability: Request your data in a structured, machine-readable format;
  • Objection: Object to processing based on legitimate interests;
  • Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use our contact page. We will respond within 30 days. Note that these rights apply to your own personal data as an account holder; requests relating to patient data should be directed through the relevant data controller (typically the treating physician or institution).

11. Healthcare Data Compliance

Clinytix CDSS is designed with healthcare data protection principles in mind. All data handling within the platform follows the minimum-necessary principle — we access and process only the data required to deliver the service you have requested.

Technical safeguards include encryption, access controls, and audit logging as described in Section 6. Users are responsible for configuring and operating the platform in a manner consistent with their institutional data governance policies and all applicable data protection obligations in their jurisdiction.

Where your organisation requires a formal data processing agreement with Clinytix prior to using the platform with patient data, please contact us to arrange this before commencing use.

12. Cross-Border Data Transfers

AI processing of anonymised clinical data involves transmission to our AI service provider's infrastructure, which may be located in a different country from the one in which you are based. Such transfers are subject to our data processing agreements with those providers, which require appropriate safeguards to protect the data.

If you have concerns about cross-border data transfers, please contact us before using the platform so we can advise on the applicable measures in place.

13. Children's Privacy

Clinytix CDSS is a professional platform for licensed healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. Patient records may relate to minor patients in the course of legitimate clinical care — such records are handled subject to the same data protection standards as all other patient data.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the platform, our practices, or applicable law. Material changes will be communicated via email to your registered address at least 14 days before taking effect. We encourage you to review this Policy periodically. Your continued use of the platform after a change takes effect constitutes your acceptance of the updated Policy.

15. Contact and Data Controller

Clinytix is the data controller for account and usage data collected through the platform. For any privacy-related questions, requests, or complaints, please use our contact page.

If you believe your data protection rights have not been upheld, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.