Privacy Policy

Organization Name: AIRS Medical Inc.
Document Name: Privacy Policy
Document Owner: Jonghyeng Park, CPO
Effective Date: May 14, 2026
Version: 2.0
Document Approver: Hyeseong Lee, CEO

For residents of U.S. states with enhanced privacy rights, this section offers additional details on our data practices beyond our general Privacy Notice, covering the collection, use, and disclosure of your personal information in accordance with applicable state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA/CPRA) and other state laws that may grant you additional rights regarding your personal information.

We are also committed to the highest standards of protection for protected health information (PHI). In our role as a Business Associate to healthcare providers, AIRS Medical may process PHI in strict accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, including the Privacy, Security, and Breach Notification Rules (collectively, the “HIPAA Standards”).

While we maintain rigorous security standards for all data, personal information that constitutes Protected Health Information (PHI) is governed by HIPAA. In accordance with statutory exemptions under various state privacy laws, PHI is primarily regulated by federal law (HIPAA), which supersedes state-specific privacy regulations. We evaluate both state and federal laws before disclosing or processing PHI without prior authorization. In cases where state laws provide a higher level of privacy or more extensive rights than HIPAA, we adhere to those stricter state-level standards. For a detailed explanation of our PHI practices, please refer to the “HIPAA Compliance” section below.

Collection

The following table outlines the categories of personal information we have collected, processed, and disclosed to third parties for business operations over the past 12 months, based on your interactions with our services. It also specifies any data 'sold' to or 'shared' with third parties for targeted advertising, as those terms are defined under the CCPA, during the same period. Please note that we never knowingly sell or share the personal information of users under the age of 16.

Category of personal information: Personal information (e.g., name, telephone number, postal address, online identifier, IP address, email address)
Sources of this personal information:
  • Directly from you
  • Cookies on the Channels
  • Strategic Business Partner
Business purposes for disclosure:
  • To support your experience with our products and services and manage your professional relationship with us, as outlined in our Privacy Policy
  • To improve our business operation
  • To comply with applicable laws and regulations
  • To fulfill legal obligations
Categories of third parties to whom we may disclose personal information for a business purpose:
  • AIRS Medical Affiliates
  • Strategic Business Partner
  • Payment processors
  • Database management providers
  • Analytics and Optimization Providers
  • Authorized distributors
  • Professional advisors
  • Governmental and law enforcement officials
Categories of third parties to whom we may “sell” and “share” personal information:
  • Marketing, Advertising, and Social Media Networks

Category of personal information: Sensitive Personal Information (e.g., a government-issued identifier such as a Social Security number, passport number, or driver's license number; precise geolocation data; genetic data; religious beliefs; physical or mental health conditions; citizenship; ethnicity; financial account number or credit or debit card number)
Sources of this personal information:
  • Directly from you
  • Our Service Provider
Business purposes for disclosure: See above
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information: None

Category of personal information: Commercial information (e.g., transaction information and purchase history)
Sources of this personal information:
  • Directly from you
  • Strategic Business Partner
Business purposes for disclosure:
  • To support your experience with our products and services and manage your professional relationship with us, as outlined in our Privacy Policy
  • To improve our business operation
  • To process and respond to requests and inquiries from you
  • To provide you with marketing materials or information
  • To provide customer support
  • To comply with applicable laws and regulations
  • To fulfill legal obligations
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information: None

Category of personal information: Professional or employment-related information (e.g., work history, job qualifications, resume/CV)
Sources of this personal information:
  • Directly from you
  • Staffing Service Provider
Business purposes for disclosure:
  • To manage your employment with AIRS Medical
  • To invite you to our events (symposia, lectures, etc.)
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information: None

Category of personal information: Internet or other similar network activity (e.g., browsing history, search history, clickstream data, interactions with our online channels)
Sources of this personal information:
  • Cookies on the Channels
  • Our service providers
Business purposes for disclosure:
  • To operate online channels
  • To improve our business operation
  • To process and respond to requests and inquiries from you
  • To provide you with marketing materials or information
  • To fulfill contractual obligations
  • To evaluate the effectiveness of our marketing campaign
  • To comply with applicable laws and regulations
  • To fulfill legal obligations
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information:
  • Marketing, Advertising, and Social Media Networks
  • Data analytics providers

Category of personal information: Geolocation information (e.g., device location, physical location, IP address)
Sources of this personal information:
  • Cookies on the Channels
  • Our service providers
Business purposes for disclosure:
  • To operate online channels
  • To maintain the security of online channels
  • To improve our business operation
  • To process and respond to requests and inquiries from you
  • To provide you with marketing materials or information
  • To fulfill contractual obligations
  • To evaluate the effectiveness of our marketing campaign
  • To comply with applicable laws and regulations
  • To fulfill legal obligations
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information:
  • Marketing, Advertising, and Social Media Networks
  • Data analytics providers

Category of personal information: Audio, electronic, or visual information (e.g., photographs, call recordings, CCTV recordings, video recordings)
Sources of this personal information:
  • Directly from you
  • Our service providers
Business purposes for disclosure:
  • To operate online channels
  • To provide educational resources derived from our professional engagement
  • To improve our business operation
  • To process and respond to requests and inquiries from you
  • To provide you with marketing materials or information
  • To fulfill contractual obligations
  • To evaluate the effectiveness of our marketing campaign
  • To comply with applicable laws and regulations
  • To fulfill legal obligations
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information: None

Category of personal information: Inferences (e.g., preferences, characteristics, predispositions, behaviors, or attitudes derived from other personal information we collect)
Sources of this personal information:
  • Cookies on the Channels
  • Our service providers
Business purposes for disclosure:
  • To improve our business operation
Categories of third parties to whom we may disclose personal information for a business purpose: See above
Categories of third parties to whom we may “sell” and “share” personal information:
  • Marketing, Advertising, and Social Media Networks
  • Data analytics providers

State Rights

Subject to applicable state laws, you may exercise the following rights regarding your personal information. We will respond to such requests within 45 days (or within a shorter timeframe where required by applicable law, for example for opt-out requests), except where a justified extension is required. If additional time is needed, we may extend the response period by an additional 45 days, provided we notify you of the extension and the reason for it within the initial 45-day period. To exercise the rights that may be available to you as described below, please contact us either through this online form or by email.

  • Right to Know: The right to request that we disclose what personal information we collect, use, disclose, and sell.
  • Right to Deletion: The right to request that we delete Personal information we have collected about you.
  • Right to Data Portability: You can request a copy of your personal information from a business in a readily usable format that can be transferred to another business.
  • Right to Correction: You have the right to correct inaccuracies in your Personal information.
  • Right to Opt-Out: You have the right to opt out of targeted advertising, the sale of your Personal information, and profiling in furtherance of decisions that produce legal or similarly significant effects. You may exercise this right by contacting us through the methods stated above. Alternatively, you can opt out by using Global Privacy Control. We recognize and honor opt-out preference signals, such as the Global Privacy Control (GPC), as valid requests to opt out of the sale and sharing of your personal information and of targeted advertising. When we detect a GPC signal from your browser, we treat it as a valid opt-out request and apply it to the personal information associated with that browser. For more information about GPC, visit globalprivacycontrol.org.
  • Right to Non-discrimination: You have the right to be free from discrimination based on your exercise of your privacy rights.

Right to Limit Use of Sensitive Personal Information

Where required by applicable state laws, you have the right to request that we limit our use and disclosure of your Sensitive Personal Information to purposes that are necessary to provide the services you request. We will not collect or process your Sensitive Personal Information without first obtaining your explicit consent. To exercise this right, please contact us through the methods stated above. Please refer to our data category table above for specific examples of what constitutes sensitive information.

Right to appeal

In case we are unable to fulfill your request, we will let you know why. To the extent available under applicable law, if you disagree with our decision, you can ask us to reconsider by filing an appeal within a reasonable period after receiving our response. You may file an appeal by contacting us via this online form or emailing us at [email protected].

Shine the Light Law (CA only)

For residents of the state of California, you may ask us to stop sharing your information with third parties (including our affiliates) for their marketing by filling out a Privacy Contact Form.

Right to Explanation (MN only)

For residents of the state of Minnesota, you have the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. You may also request to review the personal data used in the profiling and, if such data is inaccurate, to have it corrected and the profiling decision reevaluated.

Authorized Agents

As permitted by applicable state laws, you may designate an authorized agent to make a request on your behalf. To do so, you must provide the agent with written permission to submit the request. When an authorized agent submits a request on your behalf, we may require you to verify your own identity directly with us and explicitly confirm that you provided the authorized agent permission to submit the request.

Retention of Personal Information

We retain each category of personal information collected through our online channels and business operations for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, or as required by applicable law. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means. When personal information is no longer necessary for these purposes, we securely delete or anonymize it.

HIPAA Compliance

1. General Compliance Requirements

Protected Health Information (PHI) is any information about health status, provision of care, or payment for care that can be linked to a specific individual. It includes past, present, or future physical/mental health records, created or transmitted by covered entities in any form (electronic, paper, or oral).

Our AI-powered image enhancement solutions and other offerings are designed for healthcare providers, who may share Protected Health Information (PHI) with us under the terms of our Business Associate Agreements (BAAs).

To ensure the highest level of data integrity and privacy, we maintain a comprehensive HIPAA Compliance Program. This program incorporates the administrative, physical, and technical safeguards required under HIPAA to protect Protected Health Information (PHI) throughout its lifecycle.

DATA MINIMIZATION

Consistent with the Privacy Policy, AIRS Medical processes only the minimum amount of personal information required for us to achieve the specific, intended purposes of the service while ensuring compliance with applicable privacy laws and regulations.

However, in accordance with HIPAA Standards, this data minimization principle does not apply to disclosures made to the Secretary of the U.S. Department of Health and Human Services when required to investigate or determine AIRS Medical’s or the Covered Entity’s compliance with HIPAA regulations.

For certain service offerings, our products may process PHI that includes patient identifiers necessary for clinical functionality. Where technically feasible, we apply de-identification or pseudonymization techniques during transmission and cloud processing. Any re-association of such data with identifiable information is performed only when necessary for clinical or treatment use by authorized personnel at the healthcare provider, and strictly within the scope permitted by our Business Associate Agreement and applicable HIPAA Standards.

DISCLOSURE

Before disclosing any PHI as permitted under this policy, AIRS Medical will take reasonable steps to verify the identity of the requesting party and their legal authority to access such information. This verification process ensures that sensitive health data is only shared with authorized individuals or entities, in accordance with HIPAA standards.

BUSINESS ASSOCIATE AGREEMENT WITH COVERED ENTITIES

Our processing of PHI is strictly governed by Business Associate Agreements (BAAs) entered into with our customers, ensuring that data is used only for the specific purposes authorized by the healthcare provider.

AIRS Medical uses and discloses PHI only for the purposes identified in a signed Business Associate Agreement (BAA) with a Covered Entity or as otherwise required by law. We do not use or disclose PHI in any manner that is not permitted by the HIPAA Privacy Rule.

Under our BAAs and in accordance with HIPAA standards, we are committed to the following duties:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that we create, receive, maintain, or transmit on behalf of the Covered Entity;
  • Ensure that any agent, including a subcontractor, to whom we provide such information agrees to implement reasonable and appropriate safeguards to protect it;
  • Report to the Covered Entity any security incident, including a potential Breach of unsecured PHI, of which we become aware; and
  • Authorize termination of the contract by the Covered Entity if the Covered Entity determines that AIRS Medical has violated a material term of the Business Associate Agreement.

BUSINESS ASSOCIATE AGREEMENT WITH THIRD PARTIES

AIRS Medical may engage trusted third-party service providers. In such cases, these parties act as Subcontractors and are classified as Business Associates under HIPAA.

We do not disclose any Protected Health Information (PHI) to these partners unless a formal written agreement is in place.

AIRS Medical actively monitors the compliance of our Subcontractors. If we become aware of any pattern of activity or practice that constitutes a material breach of their privacy or security obligations, we will take immediate and reasonable steps to ensure the violation is cured or ended.

In accordance with our primary Business Associate Agreements (BAAs), we will notify the relevant Covered Entity of such incidents as required. Furthermore, if a Subcontractor fails to remediate a material breach, AIRS Medical maintains the right to terminate the contract to ensure the continued protection of Protected Health Information (PHI).

2. Your rights

In accordance with HIPAA and our Business Associate Agreements (BAAs) with healthcare providers, we support patients in exercising their privacy rights.

  • Right to Access and Amendment: You have the right to inspect, copy, and request amendments to your PHI maintained by your healthcare provider. As a Business Associate, AIRS Medical will cooperate fully with your healthcare provider to facilitate these requests as prescribed under our BAA.
  • Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI for purposes other than treatment, payment, or healthcare operations.

Since your healthcare provider (the "Covered Entity") is primarily responsible for managing your medical records, we recommend submitting these requests directly to them. AIRS Medical’s Compliance Officer will work closely with your provider to process and fulfill such requests in a timely manner.

3. Security and Data Integrity

AIRS Medical implements rigorous administrative, technical, and physical safeguards to prevent any unauthorized use or disclosure of PHI. In our role as a Business Associate, we implement the following security framework:

  • Continuous Risk Assessment: We conduct annual HIPAA risk assessments and SOC 2 Type II audits to proactively identify and remediate vulnerabilities. These assessments are updated whenever there is a material change in our operating environment or business practices.
  • Access Control & 24/7 Monitoring: We enforce Role-Based Access Control (RBAC) and robust authentication, supported by proactive malware protection, firewall management, and continuous review of audit logs to ensure full accountability. We ensure timely incident remediation and continuous data vigilance through immediate investigations and mandatory, periodic HIPAA training for all workforce members.
  • Advanced Encryption: All PHI is encrypted using industry-standard protocols both at rest and in transit across all networks and devices.
  • Strict Device & Media Management: We track all hardware and ensure permanent data destruction according to NIST 800-88 standards before disposal.
  • Proactive Resilience: Our technical defense is reinforced by routine penetration testing and quarterly internal audits.

4. Breach Notification and Incident Response

AIRS Medical maintains a proactive incident response framework to identify, investigate, and mitigate any potential security incidents. In the event of a breach of unsecured Protected Health Information (PHI), we fulfill our reporting obligations with the utmost transparency and urgency.

  • Timely Notification: We notify the affected Covered Entity of any confirmed breach without unreasonable delay, and in no case later than sixty (60) calendar days after the discovery of the incident in accordance with HIPAA.
  • Comprehensive Investigation: Upon detecting a potential incident, AIRS Medical conducts a thorough risk assessment to evaluate the nature of the data and the extent of the risk involved. We specifically determine whether the incident involves 'unsecured PHI' as defined under HIPAA; however, by maintaining NIST-standard destruction and robust encryption, we ensure that your PHI remains indecipherable to unauthorized parties. These rigorous safeguards are designed to prevent your data from being classified as 'unsecured,' thereby providing an additional layer of legal and technical protection.
  • Collaborative Support: Our notification to the Covered Entity includes all essential information, such as the identity of affected individuals and the circumstances of the breach, to support the Covered Entity in their obligation to notify the affected parties.

5. Retention

AIRS Medical retains personal information only as long as necessary to fulfill the purposes outlined in our services or to comply with applicable laws, including HIPAA’s record retention requirements. When a business or legal necessity no longer exists, we ensure the secure deletion or permanent destruction of data.

  • For certain products and service offerings, we may store patient information (PHI and DICOM images) in a cloud database for a limited period to provide product functionality and ensure proper use of the products. Such data stored temporarily in the cloud is retained only for the duration specified by the customer and is permanently deleted after that period.
  • Paper PHI: After three (3) years, all paper PHI is shredded before disposal.
  • HIPAA training records: Six (6) years
  • Records of all investigations and follow-up actions in relation to breach and incident notification: Six (6) years

6. Trust and Data Access Principles

As a fundamental principle, AIRS Medical does not access, view, or interact with customer data, including Protected Health Information (PHI), except under the following limited and documented circumstances:

  • Customer-Initiated Request: When a customer explicitly requests our assistance and authorizes access in writing (e.g., via email or through the terms of the executed agreement);
  • Legal or Regulatory Obligation: When access is compelled by applicable law, regulation, or a valid request from a government authority; or
  • Critical Incident Response: When an urgent security incident or service disruption necessitates immediate action to protect data integrity or ensure service continuity, in which case access is strictly limited to what is necessary to resolve the incident.

In all cases, access is restricted to the minimum number of authorized personnel required, and is limited to the purpose, scope, and duration specified by the customer or mandated by law. Where applicable, AIRS Medical will coordinate with the customer to ensure that any required data subject consent is obtained prior to access.

AIRS Medical maintains detailed access records (transparency logs) for any instance in which customer data is accessed. These logs are available to the customer upon request and will be provided within thirty (30) days of such request, subject to any restrictions imposed by applicable law.

Additional Notice for California Residents

In addition to federal HIPAA standards, AIRS Medical strictly adheres to the California Confidentiality of Medical Information Act (“CMIA”) for residents of California.

  • Restricted Use and Non-Monetization: We do not sell, rent, or otherwise monetize any medical information or Protected Health Information (PHI) processed under our Business Associate Agreements (BAAs).
  • Authorized Disclosures: Consistent with California Civil Code § 56.10, all disclosures of medical information are strictly limited to essential operations such as treatment and payment or instances of valid legal mandates (e.g., court orders, warrants, or subpoenas).
  • Contractual Integrity: Acting in our capacity as a Business Associate under HIPAA (Contractor under CMIA), we fulfill our duty to preserve data confidentiality as required under California Civil Code § 56.101(a). We do not disclose information without explicit contractual authorization from the relevant healthcare provider. While certain disclosures compelled by law may proceed without an individual’s signed authorization, such actions are taken only when legally mandated and within the scope of our agreement with the Covered Entity.
  • Extended obligations: We extend these confidentiality obligations to all subcontractors and service providers through formal written agreements, ensuring end-to-end protection of your data.

Date | Version | Change(s) | Reason for Change(s) | Change(s) Made by
May 14 2026 | 2.0 | Comprehensive update including PHI and non-PHI processing | Alignment with the updated Global Policy | Hyejun Yoon
November 07 2025 | 1.2 | Revising the structure and the contents of the policy | HIPAA compliance | HaeRi Lee
May 01 2024 | 1.1 | Revising the structure and the contents of the policy | HIPAA compliance | Yunmyeong Kim
June 30 2023 | 1.0 | Enactment | Enactment | Yunmyeong Kim