Subtle Medical Privacy Policy

This outlines how Subtle Medical, Inc. (“Subtle,” “Company,” “we,” or “us”) collects, uses, and shares data collected from https://subtlemedical.com/ and any other websites we maintain, and through any of our services offered through these sites (our “Platform”). This privacy policy is incorporated herein by reference to Subtle’s Software-as-a-Service Subscription and License Agreement, which together with said document, any quotes and SaaS terms, comprise the entire agreement among the parties hereto (collectively, the “EUL Agreement” or “EULA”). By accessing or using any part of our Platform, you consent to the collection, use and sharing of your information by the Company as described in this privacy policy.

If we need, or are required, to contact you concerning any event that involves this privacy policy or your information we may do so using the contact information we have on file for you. The parties understand and agree that Subtle has the right to amend, update and/or modify this privacy policy in accordance with the terms of the EULA. This privacy policy covers all personal data that we collect as outlined below.

DATA WE COLLECT AND HOW WE USE IT

We may collect data from a variety of sources, for example:

  1. Directly from You: There may be situations where you provide data to us directly.
  2. From Third Parties: We may also obtain information about you from third parties who have a right to provide us with that information based on a contractual relationship.
  3. Through the Use of the Subtle Medical Platform by our Customers: The AI image enhancement tools and other offerings provided by Subtle Medical are intended for use by medical providers. During the course of using these products, personal health data may be shared with Subtle Medical directly under the terms of our contract. We strive to minimize the amount of personal data and personal health data collected in this way by using pseudo-anonymization prior to the data leaving the customer’s network, so we do not generally maintain this type of data long term and in most cases will not be able to identify an individual from the datasets we receive through our solutions.
The categories of personal information we collect, with examples and the sources (numbered as in the list above) from which they are obtained:

| Category | Examples | Collected | Source |
|---|---|---|---|
| Personal Information | A real name, alias, signature, telephone number, postal address, unique personal identifier, online identifier, IP address, email address, account name, education, employment, employment history, financial information, medical/health information, or health insurance information. | YES | (1), (2), (3) |
| Protected classification characteristics | Age, race, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex, gender identity, sexual orientation, and veteran or military status. | PARTIAL | (1), (2), (3) |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO | N/A |
| Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO | N/A |
| Internet or other similar network activity | Information on a consumer’s interaction with a website, application, or advertisement. | YES | (1), (2), (3) |
| Geolocation data | Physical location or movements. | NO | N/A |
| Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | NO | N/A |
| Professional or employment-related information | Current or past job history or performance evaluations. | YES | (1) |
| Non-public education information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO | N/A |
| Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO | N/A |

COLLECTION, TRACKING, AND USE OF COOKIES

When you visit Subtle’s website and/or cloud-based applications, Subtle may send one or more cookies – a small text file containing a string of alphanumeric characters – to your browser or mobile device. Subtle may also sometimes collect analytics information from visits you make to our websites and/or cloud-based applications to measure traffic, usage, and to help us provide better services. This information is sent by your browser or mobile device, including the pages and/or applications you visit and other information that assists us in improving our products and/or services. We may share this information with third party organizations that help us provide services to you.

HOW WE USE INFORMATION

PERSONAL INFORMATION

Data protection laws require us to have a legal basis for everything that we do with your personal information falling under one of the following categories:

  • Performance of a Contract with You: Where we need to perform a contract we are about to enter into or have entered into with you.
  • Legitimate Interests: We may use your personal information where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and/or enable us to give you the best user experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Legal Obligation: We may use your personal information where it is necessary for compliance with a legal obligation that we are subject to.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal information for a specified purpose, in relation to receiving marketing emails from us.
  • Vital Interests: We may process your personal information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

We use your personal information in a number of different ways and for different reasons – the tables below set out what we do and why:

Identity and Contact Information

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| Identify you when you visit our website or you contact us for any reason. | So we can identify you. | Legitimate Interests: Necessary for us to be able to communicate with you. |
| Process any order of Subtle Medical services: manage payments, fees, charges and collect money owed to us. | So we can provide you with the services that are purchased. | Performance of a Contract: Services that are provided to you. Legitimate Interests: Necessary to ensure the financial health of our business and to manage our financial transactions efficiently. |
| Send you service updates, and updates to this Privacy Policy and/or BAA, DPA or other contractual documents as required. | So we can keep you informed of any changes to our terms and conditions and data processing. | Legitimate Interests: Necessary for the effective provision of our services. Legal Obligation: Required by law to inform you of material changes to contractual or privacy obligations. |
| Send you information about Subtle Medical. | So we can let you know about new products and services that we offer that you might be interested in. | Consent: Send marketing communications with your prior permission. Legitimate Interests: Necessary to promote our business development efforts. |
| Send you surveys and ask for feedback. | To offer you the opportunity to let us know how we are doing, or to let us know your views on another subject. | Legitimate Interests: Necessary to ensure we are providing the best service and to identify any areas of potential improvement. |
| Respond to your inquiries about our products or open job postings. | To offer you the opportunity to learn more about our products and/or open positions. | Consent: When you reach out voluntarily, we respond based on your request and implied consent. Legitimate Interests: Necessary for promoting our offerings and attracting qualified candidates. |

Financial and Transaction Information

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| Take payments from you. | To facilitate payment for the Services that you purchase from us. | Performance of a Contract: We need to process payments in order to fulfill our agreement with you. Legitimate Interests: Necessary to ensure that the company is compensated for our Services. |
| Keep a record of our transactions. | For accounting purposes. | Legal Obligation: Required by law to maintain accurate financial records for auditing and tax purposes. |

Technical and Usage Information

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| Identify you when you visit our Website. | To provide you with the best possible user experience. | Legitimate Interests: Recognize users to optimize and personalize their experience. |
| Monitor visitors (cookies) to our website, analyze their use of the websites and perform tests on our IT systems. | To protect our websites and our IT systems from fraud or cyberattacks and to improve our websites, our services and our IT security. | Legitimate Interests: Need to safeguard our systems and users from security threats. Legal Obligation: Comply with laws requiring IT security measures. |
| Administer and protect our business and this website (including troubleshooting, verification, data analysis, testing, system maintenance, support, reporting and hosting of data). | For running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise. | Legitimate Interests: Necessary to run our business and to provide effective and secure administration and IT services, network security and to prevent fraud. Legal Obligation: Compliance with applicable laws and regulations. |
| Use data analytics to improve our Websites, Services, marketing, customer relationships and experiences. | To define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy. | Legitimate Interests: Necessary to enhance our business strategies and improve customer satisfaction. |

Services

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| Operate and provide services through the Subtle Medical Platform. | To deliver and maintain our SaMD services and ensure their proper functioning. | Legitimate Interests: Necessary to operate and improve the platform to provide reliable and secure medical services. Performance of a Contract: To process data to fulfill our service agreements with users. |
| Provide maintenance, support, and customer service for Subtle Medical products. | To ensure our products function correctly and to assist customers with any issues or questions. | Legitimate Interests: Maintaining customer satisfaction and product quality. Performance of a Contract: Providing these services as part of our contractual obligations. |

Marketing and Communications Information

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| Keep a record of your communication preferences (your “opt ins” and “opt outs”). | To ensure you only receive communications you want and to update our records if you change your preferences. | Legitimate Interests: Necessary to manage effective communication and promote our business responsibly. Legal Obligation: Comply with regulations on electronic communications and marketing preferences. |
| Contact you for direct marketing purposes. | To provide you information on product offerings and services at Subtle Medical. | Legitimate Interests: Necessary to promote our business. |
| Provide notices and announcements to you relating to Subtle Medical, the platform, or your information. | To keep you informed of important company updates and changes. | Legitimate Interests: Necessary to maintain transparent communication and keep customers up to date with relevant information. |

All of Your Personal Information

| What do we do? | Why do we do it? | Legal Basis |
|---|---|---|
| We may share information with affiliates. | To support business operations, provide joint services, or improve customer experience. | Legitimate Interests: Ensuring efficient internal administration and service delivery. |
| We may share information with business partners. | To collaborate on services or joint offerings that benefit users. | Legitimate Interests: Business interest in collaborating with partners to enhance user offerings. |
| We may share information with third party service providers. | To enable them to perform functions on our behalf, such as hosting, analytics, or customer support. See the subprocessor information within this privacy policy. | Legitimate Interests: Sharing data with trusted providers is necessary for efficient and secure business operations. |
| We may share information with law enforcement agencies. | To comply with legal obligations or respond to lawful requests. | Legal Obligation: Required by law to provide information when requested by competent authorities. |
| If we transfer ownership or control, we may transfer information to that third party. | To ensure continuity of services and business operations in the event of a merger, acquisition, or sale. | Legitimate Interests: Ensure business continuity during structural changes. |

We may also use personal data we collect and obtain about you or from you to generate non-personal information. When we do so, we will take reasonable measures to ensure that the non-personal information is no longer personally identifiable and may not later be reasonably associated with, linked to, or used to identify you.

NON-PERSONAL INFORMATION

We may use and share the non-personal information we collect and obtain for any lawful business purpose without any duty or obligation of accounting or otherwise to you, provided that the information remains non-personal information. This will include, by way of example, sharing that non-personal information with third parties or developing products, services, and other offerings based on the non-personal information and providing those offerings to other users and third parties.

DATA SUBJECT RIGHTS

As a data subject, you have specific rights regarding your personal data we collect and process about you. We are committed to upholding these rights and the table below outlines your rights and how they apply:

| Right | Description |
|---|---|
| Right of Access | You have the right to request access to your personal data and receive a copy of the personal data we hold on you. |
| Right to Rectification | You can ask to have inaccurate or incomplete personal data corrected. |
| Right to Erasure (“Right to be Forgotten”) | You can request to have your personal data deleted. |
| Right to Restrict Processing | You can ask us to limit how we use your data. |
| Right to Data Portability | You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller. |
| Right to Object | You can object to processing for direct marketing unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. |
| Right to Lodge a Complaint with a Supervisory Authority | You can file a complaint with a data protection authority if you believe that your rights have been violated. |
| Right to Withdraw Consent | If we process your data based on your consent, you can withdraw that consent at any time. |
| Right to Non-Discrimination | We will not discriminate against you if you choose to exercise your data subject rights. If exercising specific rights will result in an impact to our ability to provide services due to technical limitations, we will inform you of these limitations. |
| Right to Know | You have the right to know what personal information is collected about you and how it is used, which is outlined at a high level in this privacy policy. |

SECURITY

We are committed to protecting and securing your personal information and we will take all reasonable and appropriate steps to ensure the safety and security of your personal information. This includes using industry standard security measures to protect against the loss, misuse, and unintended alteration of the personal information under our control. Subtle Medical performs SOC 2 Type II + HIPAA audits and penetration tests annually, as well as quarterly access and device audits, to ensure our controls are effective.

NOTIFICATION OF CHANGES

We may periodically make updates to this Privacy Policy. We always indicate the date the last changes were published. If changes are significant, Subtle Medical will provide a more prominent notice of the changes made. By using our SaaS Services or this website located at https://subtlemedical.com (together with any other websites maintained by Subtle Medical, Inc. that may be accessed through this website), you agree to the above Privacy Policy, and you agree to the End User License Agreement.

SUBPROCESSORS

At Subtle Medical, we may utilize subprocessors to perform activities including but not limited to the following:

  • Cloud Infrastructure Hosting
  • Internal Communications of Customer Cases
  • Presentation Creation
  • Data Storage
  • Ticketing System
  • Service Used for Support Calls

All subprocessors are evaluated prior to use and we ensure appropriate contractual agreements are in place with all subprocessors.

RETENTION POLICY

Subtle Medical may retain personal data for archival purposes, to meet legal obligations such as record retention requirements, to resolve disputes, or to enforce agreements. When Subtle Medical no longer has a business need to process the personal data, Subtle Medical may either delete or destroy the data, pursuant to applicable law. If Subtle Medical cannot delete or destroy any such personal data, then Subtle Medical will store, but not otherwise further process, that personal data until it is deleted or destroyed pursuant to Subtle Medical’s data retention policies.

CONTACT US

If you have any comments or inquiries about this Privacy Policy, if you would like to update information we have about you or to exercise your rights, you may contact us by sending an email to privacy@subtlemedical.com or through our Privacy Portal.