1. Introduction and Scope
Fertility CDS ("we", "us", "our", "the Platform") is committed to protecting the privacy and security of personal information and protected health information (PHI) processed through our Clinical Decision Support platform.
This Privacy Policy applies to:
- Healthcare professionals ("Clinicians", "Users", "you") who create accounts and use the Platform
- Patient data entered into the Platform by Clinicians for clinical assessment purposes
- Visitors to our public website and marketing materials
By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of information as described herein.
2. Data Controller and Processor Roles
2.1 Your Role as Data Controller
When you use the Platform to process patient data, you are the Data Controller (under GDPR/UK GDPR) or Covered Entity (under HIPAA). You are responsible for:
- Determining the purposes and means of processing patient data
- Establishing and documenting a lawful basis for processing patient data, including obtaining valid consent from patients where consent is the basis you rely on
- Ensuring compliance with all applicable data protection laws in your jurisdiction
- Providing patients with transparent information about how their data will be used
- Honoring patient rights (access, rectification, erasure, portability, objection)
2.2 Our Role as Data Processor
Fertility CDS acts as a Data Processor (under GDPR/UK GDPR) or Business Associate (under HIPAA) when processing patient data on your behalf. We process patient data solely according to your documented instructions and for the purpose of providing the Platform services to you.
3. Information We Collect
3.1 Clinician Account Information
When you create an account, we collect:
- Name, professional title, and credentials
- Email address and phone number
- Clinic or institution name and address
- Professional license number (where required)
- Account credentials (username and hashed password)
- Payment information (processed by third-party payment processors; we do not store full credit card numbers)
3.2 Patient Health Information
When you use the Platform to assess patients, you may enter the following types of health data:
- Demographics: Patient code/ID (no names), age, gender, BMI
- Medical History: Infertility duration, previous pregnancies, menstrual history, surgical history, chronic conditions
- Laboratory Results: Hormone levels (FSH, LH, AMH, testosterone, prolactin, TSH), semen analysis parameters, genetic test results
- Clinical Assessments: Physical examination findings, ultrasound results, risk stratification, clinical recommendations
- Treatment Plans: Recommended investigations, medications, procedures, referrals
Important: We strongly recommend entering a pseudonymous patient code (e.g., "PT-2025-001") rather than patient names or national identifiers to minimize privacy risk. The Platform is designed to function without directly identifiable patient information. Note that a code you can link back to a patient (for example, through a key held in your clinic's own records) is pseudonymised, not anonymised: the record remains personal data under GDPR/UK GDPR and PHI under HIPAA, and your responsibilities as Data Controller or Covered Entity (Section 2.1) continue to apply to it.
3.3 Usage and Technical Information
We automatically collect certain technical information when you use the Platform:
- IP address and device information (browser type, operating system, device ID)
- Log data (access times, pages viewed, features used, errors encountered)
- Cookies and similar tracking technologies (see Section 10 for details)
- Performance metrics (page load times, feature usage statistics)
3.4 Communications
We collect information from your communications with us, including:
- Support requests and customer service inquiries
- Feedback, survey responses, and feature requests
- Email correspondence and chat messages
4. Legal Basis for Processing (GDPR/UK GDPR)
Under GDPR and UK GDPR, we process personal data based on the following legal grounds:
For Clinician Account Data:
- Contractual Necessity (Article 6(1)(b)): Processing is necessary to provide the Platform services under our Terms of Service
- Legitimate Interests (Article 6(1)(f)): We have a legitimate interest in operating and improving the Platform, preventing fraud, and ensuring security
For Patient Health Data (Special Category Data):
- Explicit Consent (Article 9(2)(a)): Where you rely on consent, you (the Data Controller) must obtain explicit consent from patients for processing their health data through the Platform
- Healthcare Purposes (Article 9(2)(h)): Processing is necessary for healthcare purposes, including clinical assessment, diagnosis, and treatment planning, and is carried out by healthcare professionals subject to professional secrecy obligations
Your Responsibility: As the Data Controller, you must ensure that you have a valid legal basis for processing patient data and that you have obtained appropriate consent or can rely on another lawful basis under GDPR/UK GDPR Article 9.
5. How We Use Information
5.1 To Provide the Platform Services
- Generate clinical decision support recommendations based on patient data you enter
- Perform risk stratification and evidence-based analysis
- Create printable clinical reports and documentation
- Store and retrieve patient assessments for your clinical use
- Provide analytics and trends across your saved reports
5.2 To Maintain and Improve the Platform
- Monitor Platform performance, uptime, and security
- Diagnose and fix technical issues
- Analyze usage patterns to improve features and user experience
- Develop new features and functionality
- Conduct quality assurance and testing
5.3 To Communicate with You
- Send account-related notifications (password resets, security alerts)
- Provide customer support and respond to inquiries
- Send service updates, guideline updates, and important announcements
- Send marketing communications (with your consent; you may opt out at any time)
5.4 For Legal and Compliance Purposes
- Comply with legal obligations and regulatory requirements
- Respond to lawful requests from government authorities
- Enforce our Terms of Service and protect our legal rights
- Prevent fraud, abuse, and security threats
- Conduct audits and maintain records as required by law
5.5 No Automated Decision-Making with Legal Effect
Important: The Platform does not engage in automated decision-making that produces legal effects or similarly significantly affects patients (as defined under GDPR Article 22). All clinical recommendations generated by the Platform are advisory only and must be reviewed, validated, and approved by a qualified healthcare professional before any clinical action is taken.
6. Data Sharing and Disclosure
6.1 We Do Not Sell Your Data
We do not sell, rent, or trade patient health information or clinician personal information to third parties for marketing or any other purpose.
6.2 Service Providers and Subprocessors
We may share information with trusted third-party service providers who assist us in operating the Platform, including:
- Cloud Hosting Providers: For secure data storage and infrastructure (e.g., AWS, Google Cloud, Microsoft Azure)
- Payment Processors: For processing subscription payments (e.g., Stripe, PayPal)
- Email Service Providers: For sending transactional and marketing emails (e.g., SendGrid, Mailchimp)
- Analytics Providers: For usage analytics and performance monitoring (e.g., Google Analytics, Mixpanel)
- Customer Support Tools: For providing technical support (e.g., Zendesk, Intercom)
All service providers are contractually bound to:
- Process data only according to our instructions
- Implement appropriate security measures
- Comply with HIPAA (where they handle PHI of US patients), GDPR (where they handle personal data of EU individuals), and UK GDPR (where they handle personal data of UK individuals)
- Execute Business Associate Agreements (BAAs) where they create, receive, maintain, or transmit PHI on our behalf, and Data Processing Agreements (DPAs) where they process personal data on our behalf
6.3 International Data Transfers
The Platform may store and process data in multiple jurisdictions, including the United States, European Union, and United Kingdom. When we transfer personal data from the EU or UK to countries outside the European Economic Area (EEA), we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): For EU→US transfers we use the European Commission's approved SCCs; for UK→US transfers we use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs
- Adequacy Decisions: We transfer data to countries recognized by the European Commission (for EU data) or the UK Government (for UK data) as providing adequate data protection
- Binding Corporate Rules: Where applicable, we rely on approved binding corporate rules
6.4 Legal Disclosures
We may disclose information if required by law or in response to:
- Valid legal process (subpoenas, court orders, search warrants)
- Government or regulatory investigations
- Requests from law enforcement or public health authorities
- Emergencies involving imminent risk of harm to individuals
Where permitted by law, we will notify you before disclosing your information in response to legal process.
6.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.
7. Data Retention
7.1 Retention Periods
We retain information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:
Patient Health Data:
- United States: Minimum 7 years from last patient contact (varies by state; some states require 10+ years)
- United Kingdom: 8 years after conclusion of treatment for general adult health records (NHS Records Management Code of Practice for Health and Social Care 2021); records of licensed fertility treatment are subject to longer retention requirements under the HFEA Code of Practice
- European Union: Varies by member state; typically 10-30 years for medical records (e.g., 10 years in Germany, 20 years in France)
Note: Patient data is stored locally in your browser's IndexedDB by default. You control retention and deletion of this locally stored data. If you enable cloud backup (optional feature), the retention periods above apply to the backed-up copy. Because locally stored data is protected only by the controls on your device, not by our server-side safeguards, you should use the Platform only on managed devices with full-disk encryption and a screen lock, avoid shared or public computers, and be aware that clearing your browser's site data for the Platform permanently removes any assessments that have not been backed up.
Clinician Account Data:
- Active accounts: Retained for the duration of your subscription plus 90 days
- Inactive accounts: Deleted after 3 years of inactivity (with prior notice)
- Deleted accounts: Permanently deleted within 30 days of deletion request, except where retention is required by law
Usage and Log Data:
- Server logs: Retained for 90 days for security and troubleshooting purposes
- Aggregated analytics: Retained indefinitely in anonymized form
7.2 Secure Deletion
When data held on our servers is deleted, we use deletion methods appropriate to the storage medium so that it cannot be recovered, including:
- Cryptographic erasure (destroying the encryption keys protecting the data); this is the primary method for cloud and solid-state storage, where overwriting individual records cannot be guaranteed
- Overwriting data with random patterns, where the storage medium supports reliable overwriting
- Physical destruction of decommissioned storage media, performed by our hosting providers under their own decommissioning procedures
Patient data stored locally in your browser (see Section 7.1) is deleted by you, using the in-app delete function or by clearing the Platform's site data; we cannot delete it remotely, and whether the browser securely erases the underlying storage depends on your device and operating system.
8. Your Rights and Choices
8.1 Rights Under GDPR and UK GDPR (EU/UK Users)
If you are located in the European Union or United Kingdom, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data we hold
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your data in certain circumstances
- Right to Restriction of Processing (Article 18): Request that we limit how we use your data
- Right to Data Portability (Article 20): Request a copy of your data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Article 7(3)): Withdraw consent for processing at any time (where consent is the legal basis)
- Right to Lodge a Complaint: File a complaint with your local data protection authority (see Section 8.4)
8.2 Rights Under HIPAA (US Users)
If you are a Covered Entity or Business Associate under HIPAA, you have the right to:
- Request a Business Associate Agreement (BAA) from us
- Request an accounting of disclosures of PHI
- Request restrictions on how PHI is used or disclosed
- Report suspected HIPAA violations to the HHS Office for Civil Rights
8.3 Rights Under CCPA/CPRA (California Users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information (subject to certain exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising (as defined in the CPRA), so this right does not apply
- Right to Limit Use of Sensitive Personal Information: Request limits on use of sensitive personal information (health data)
- Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA/CPRA rights
Note: CCPA/CPRA exempts certain health information covered by HIPAA. If you are a healthcare provider using the Platform to process patient PHI, the HIPAA exemption may apply.
8.4 How to Exercise Your Rights
To exercise any of the rights described above, please contact us:
- Email: dpo@fertilitycds.com (Data Protection Officer)
- In-app: Use the "Right to Erasure Request" feature in Settings → Security
- Mail: Fertility CDS, Data Protection Officer, [Address]
We will respond to your request within:
- GDPR/UK GDPR: one month (may be extended by a further two months for complex or numerous requests, with notice to you)
- CCPA/CPRA: 45 days (may be extended by 45 days with notice)
- HIPAA: 30 days for access requests; 60 days for amendment requests
8.5 Supervisory Authorities
If you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with the relevant supervisory authority:
European Union:
Lead Supervisory Authority: Data Protection Commission (Ireland)
Website: www.dataprotection.ie
Email: info@dataprotection.ie
Phone: +353 (0)761 104 800
You may also contact the data protection authority in your EU member state of residence.
United Kingdom:
Supervisory Authority: Information Commissioner's Office (ICO)
Website: ico.org.uk
Email: casework@ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
United States:
HIPAA Complaints: U.S. Department of Health and Human Services, Office for Civil Rights
Website: www.hhs.gov/ocr
Phone: 1-800-368-1019
Online Portal: OCR Complaint Portal
9. Data Security
We implement industry-standard technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction:
9.1 Technical Safeguards
- Encryption: Data in transit is encrypted using TLS 1.3; data at rest on our servers and in cloud backups is encrypted using AES-256. Patient data stored locally in your browser (see Section 7.1) is protected by your device's own storage encryption and access controls, not by our server-side encryption
- Access Controls: Role-based access controls (RBAC), with multi-factor authentication (MFA) required for administrative access
- Network Security: Firewalls, intrusion detection systems (IDS), and DDoS protection
- Secure Development: Regular security code reviews, penetration testing, and vulnerability scanning
- Data Minimization: We collect only the minimum data necessary to provide the Service
9.2 Organizational Safeguards
- Employee Training: All employees receive HIPAA, GDPR, and data security training
- Background Checks: Background checks for employees with access to sensitive data
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements
- Incident Response Plan: Documented procedures for detecting, responding to, and reporting security incidents
- Audit Logging: Audit logs of all access to and modification of data held on our servers
9.3 Compliance Certifications and Attestations
- Hosting infrastructure covered by our providers' SOC 2 Type II attestation reports (these cover the providers' infrastructure, not the Platform application itself)
- ISO 27001 Information Security Management System (certification in progress)
- HIPAA-compliant infrastructure and Business Associate Agreements (there is no official HIPAA certification; compliance is an ongoing obligation)
- GDPR and UK GDPR compliant data processing practices
9.4 Breach Notification
In the event of a data breach affecting your information, we will notify you and, where we are the controller, the relevant authorities in accordance with applicable law:
- GDPR/UK GDPR: Where we act as your Data Processor for patient data, we notify you (the Data Controller) without undue delay after becoming aware of the breach, so that you can meet your own obligation to notify the supervisory authority within 72 hours and affected individuals without undue delay where the breach is likely to result in a high risk to them. For clinician account data, where we are the controller, we notify the supervisory authority within 72 hours and affected individuals without undue delay where required
- HIPAA: As your Business Associate, we notify you without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. You, as the Covered Entity, are responsible for notifying affected individuals, the HHS Office for Civil Rights (within 60 days of discovery for breaches affecting 500 or more individuals; annually for smaller breaches), and, where required, the media
- State Laws: In accordance with applicable US state breach notification laws
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies (web beacons, pixels, local storage) to enhance your experience and analyze Platform usage.
10.2 Types of Cookies We Use
Essential Cookies (Always Active):
Required for the Platform to function. These cannot be disabled.
- Authentication and session management
- Security and fraud prevention
- Load balancing and performance optimization
Performance Cookies (Optional):
Help us understand how you use the Platform to improve performance.
- Google Analytics (anonymized IP addresses)
- Error tracking and diagnostics
- Page load time monitoring
Functional Cookies (Optional):
Remember your preferences and settings.
- Language and region preferences
- Display settings and customization
- Feature usage preferences
10.3 Cookie Consent
When you first visit the Platform, you will see a cookie consent banner (required under GDPR, UK GDPR, the ePrivacy Directive, and the UK's PECR). You can:
- Accept all cookies
- Reject non-essential cookies
- Manage your cookie preferences (choose which categories to enable)
You can change your cookie preferences at any time through the cookie settings link in the footer or by clearing your browser cookies. Note that clearing all site data for the Platform (as opposed to cookies only) also removes patient assessments stored locally in your browser (see Section 7.1); back up or export anything you need before doing so.
10.4 Third-Party Cookies
Some cookies are set by third-party services we use (e.g., Google Analytics). These third parties have their own privacy policies governing their use of your information. We do not control third-party cookies.
11. Children's Privacy
The Platform is intended for use by healthcare professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at dpo@fertilitycds.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. We will notify you of material changes by:
- Posting the updated Privacy Policy on the Platform with a new "Last Updated" date
- Sending an email notification to your registered email address
- Displaying an in-app notification upon your next login
Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the Platform and may request account deletion.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer (EU/UK):
Email: dpo@fertilitycds.com
Phone: +353 (0)1 XXX XXXX (EU) | +44 (0)20 XXXX XXXX (UK)
Mailing Address:
Fertility CDS
Privacy Department
[Address Line 1]
[City, State/Province, Postal Code]
[Country]
Acknowledgment
BY USING THE FERTILITY CDS PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY. YOU FURTHER ACKNOWLEDGE YOUR RESPONSIBILITIES AS A DATA CONTROLLER (GDPR/UK GDPR) OR COVERED ENTITY (HIPAA) WHEN PROCESSING PATIENT DATA THROUGH THE PLATFORM.