Privacy Policy

(a) Employment

For processing the personal data of our employees, applicants, and contractors, we rely on:

• Performance of a Contract (Article 6(1)(b)): To manage the recruitment process, establish the employment relationship, administer payroll, and provide employee benefits.
• Legal Obligation (Article 6(1)(c)): To comply with applicable labor, health and safety, tax, and social security laws.
• Legitimate Interest (Article 6(1)(f)): To manage IT infrastructure, ensure network security, conduct performance evaluations, and maintain internal directories.

(b) Customer (e.g., Healthcare Institutions)

For processing the personal data of healthcare professionals and administrative staff at the healthcare institutions we serve, we rely on:

• Performance of a Contract (Article 6(1)(b)): To set up user accounts, deliver our software services, provide technical support, and manage billing and invoicing.
• Legitimate Interest (Article 6(1)(f)): To manage our client relationships, improve the user experience of our products, conduct security monitoring, and send service updates.
• Consent (Article 6(1)(a)): To send promotional materials or newsletters, where explicit consent is required by applicable electronic marketing laws.

(c) Business Partners / Vendors

For processing the personal data of our suppliers, consultants, and business partners, we rely on:

• Performance of a Contract (Article 6(1)(b)): To manage procurement, negotiate and execute agreements, and process payments.
• Legal Obligation (Article 6(1)(c)): To maintain accurate corporate accounting, audit, and tax records.
• Legitimate Interest (Article 6(1)(f)): To conduct due diligence, assess vendor performance, and manage our general business operations and communications.

(d) Health Data

Health data constitutes a special category of personal data under Article 9 of the GDPR. AIRS Medical processes health data in the course of the usage of AI-powered solutions on the following legal bases, as applicable:

Where AIRS Medical acts as a Data Processor: In most cases, AIRS Medical processes patient data on behalf of healthcare institutions under a Data Processing Agreement. The healthcare institution is responsible for establishing the appropriate legal basis for the initial collection and processing of patient data, which may include:

• Explicit consent of the data subject (Article 9(2)(a)); or
• Necessity for the provision of healthcare under Article 9(2)(h), where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the management of health systems and services.

Where AIRS Medical acts as a Data Controller: For activities where AIRS Medical determines the purposes and means of processing (e.g., product improvement, algorithm training using pseudonymised data), the applicable legal bases may include:

• Explicit consent of the data subject (Article 9(2)(a)); or
• Legitimate interest (Article 6(1)(f)) & Scientific research purposes (Article 9(2)(j)) : We may rely on our legitimate interest to improve and develop our medical AI software (Article 6(1)(f)), paired with the condition that processing is necessary for scientific research purposes (Article 9(2)(j)).This processing is subject to a legitimate interest assessment (balancing test) and strict technical safeguards, including data minimisation and pseudonymisation.

1. How Our AI-powered Products Work

AIRS Medical develops AI-powered software solutions designed to assist healthcare professionals in their clinical workflows, including medical image analysis and enhancement (e.g., MRI reconstruction) and generating patient-friendly reports.

Our AI products function as clinical decision-support tools and they do not make autonomous diagnostic or treatment decisions.

Our AI systems process the following categories of health-related data:

• MRI Scans provided by healthcare institutions
• Associated metadata: Patient identifiers (as provided by the healthcare institution), imaging parameters, scan dates, and device information necessary for processing.

Our AI algorithms analyse this data to generate enhanced or reconstructed images, annotations, or other outputs intended solely to support the clinical judgment of a qualified healthcare professional.

2. Human Oversight and the Role of Healthcare Professionals

AIRS Medical does not engage in solely automated decision-making as defined under Article 22 of the GDPR. All AI-generated outputs are designed to be reviewed and validated by a qualified healthcare professional before any clinical action is taken. This means:

• Clinical authority remains with the healthcare professional. The treating physician or radiologist retains full authority to accept, modify, or disregard any AI-generated output based on their independent clinical judgment and the patient's individual circumstances.
• AI outputs are recommendations, not decisions. Our products present findings or enhanced images as supplementary information. They do not issue diagnoses, prescribe treatments, or trigger clinical actions without human intervention.
• Healthcare professionals using our products are expected to exercise genuine clinical judgment. Healthcare professionals retain full clinical authority over all AI-generated outputs, including the ability to: (i) access the underlying source data alongside AI outputs; (ii) override, modify, or disregard any AI-generated result; (iii) consider additional clinical information not processed by the AI system; and (iv) discontinue use of the AI system entirely in any particular case.

3. Data Protection Impact Assessments

Where our AI-powered products process health data or other special categories of personal data in a manner that is likely to result in a high risk to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR. Our DPIAs evaluate the necessity and proportionality of the processing, assess risks to data subjects, and identify measures to mitigate those risks. We review and update our DPIAs on an ongoing basis to reflect changes in our processing activities or risk profile.

Regulatory Classification

AIRS Medical manufactures AI-powered products, some of which are regulated as medical devices under the EU Medical Devices Regulation (“MDR”, Regulation (EU) 2017/745). As the MDR is listed in Annex I of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) ("AI Act"), such products are classified as high-risk AI systems under Article 6(1) of the AI Act. As the provider of these products, AIRS Medical is subject to the obligations set out in Chapter III of the AI Act.

Human Oversight and Transparency

In accordance with Articles 13, 14, and 50 of the AI Act, our products are designed to ensure sufficient transparency and effective human oversight. Where our products generate or modify content (e.g., including enhanced medical images or AI-translated reports) we implement measures to ensure that such outputs are identifiable as AI-generated or AI-modified. All AI-generated outputs are subject to review and validation by qualified healthcare professionals, as described in the "AI-Assisted Processing" section above.

Post-Market Monitoring

AIRS Medical operates a post-market monitoring system in accordance with the AI Act and the MDR, actively collecting and analysing relevant data to evaluate the continued compliance and performance of our AI systems throughout their lifecycle.

Your Rights

Under the Article 85 and 86 of the AI Act, individuals affected by high-risk AI systems may lodge a complaint with a national market surveillance authority and request a meaningful explanation of the role of the AI system in a decision-making procedure. For inquiries, please contact us at: [email protected] or [email protected] (DPO)