Privacy Policy

  1. Introduction

    NeuroTrax Corporation (“we,” “us,” or “our”) is committed to protecting the privacy and security of your Personal Information (“PI”) and Protected Health Information (“PHI”). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our cognitive testing software and related services (the “Services”).

    This policy applies to all users of our Services, including clinicians and their patients, and complies with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).

  2. Information We Collect

    We collect various types of information when you use our Services, including:

    • Protected Health Information (“PHI”):
      • Patient names, dates of birth, medical history, cognitive test results, and other health-related data collected through our Services.
      • Clinician names, contact information, and professional credentials.
    • Personal Information (“PI”):
      • Contact information (e.g., name, email address, phone number).
      • Account credentials (e.g., username, password).
      • Usage data (e.g., IP address, browser type, device information, activity logs).
      • Information collected through cookies and similar tracking technologies.
    • California Specific Information:
      • Any of the above information that is associated with a California resident.
  3. How We Use Your Information

    We use your information for the following purposes:

    • To provide and improve our Services:
      • Administering cognitive tests and generating reports.
      • Analyzing data to enhance the accuracy and effectiveness of our Services.
      • Providing technical support and troubleshooting.
    • To comply with legal obligations:
      • Meeting HIPAA, GDPR, and CCPA/CPRA requirements.
      • Responding to legal requests and court orders.
    • To communicate with you:
      • Sending important updates, notifications, and administrative messages.
      • Responding to your inquiries and requests.
    • For research and development:
      • Anonymized and aggregated data may be used for research and development purposes.
    • Security:
      • To maintain the security of our systems and data.
  4. Legal Basis for Processing (GDPR)

    For users in the European Economic Area (EEA), we process your PI and PHI based on the following legal grounds:

    • Contractual Necessity: Processing is necessary to provide the Services you requested.
    • Legal Obligation: Processing is necessary to comply with legal obligations.
    • Legitimate Interests: Processing is necessary for our legitimate interests (e.g., improving our Services, ensuring security), provided your rights and interests are not overridden.
    • Consent: In certain cases, we rely on your consent to process your PI and PHI.
  5. Disclosure of Information

    We may disclose your information to:

    • Clinicians: Clinicians only have access to data they have entered for their own patients.
    • Service Providers: We may engage third-party service providers to assist with data storage, processing, and other services. These providers are contractually obligated to protect your information.
    • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
    • Legal Requirements: We may disclose your information when required by law or to protect our rights.
    • Business Associates: As defined within HIPAA, we may disclose PHI to business associates that have signed business associate agreements (BAAs) with us.
  6. Data Security

    We implement appropriate technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:

    • Encryption of data in transit and at rest.
    • Access controls and authentication procedures.
    • Regular security assessments and audits.
    • HIPAA compliant security measures.
    • In the event of a data breach involving your PI or PHI, NT will notify affected individuals and relevant authorities without undue delay, and in accordance with applicable law (e.g., HIPAA Breach Notification Rule, GDPR Article 33).
  7. Data Retention

    We retain PI and PHI for as long as reasonably necessary to provide the Services and comply with legal obligations. Where applicable, this includes:

    • PHI: Retained for a minimum of 6 years under HIPAA.
    • Usage Data: Retained for 12-24 months, depending on the nature and purpose.
    • Anonymized data: May be retained indefinitely for research and analytics.
  8. Your Rights
    • HIPAA Rights:
      • Right to access and obtain a copy of your PHI.
      • Right to request corrections to your PHI.
      • Right to request restrictions on the use or disclosure of your PHI.
      • Right to receive a notice of privacy practices.
      • Right to an accounting of disclosures.
    • GDPR Rights:
      • Right to access your PI.
      • Right to rectify inaccurate PI.
      • Right to erase your PI (right to be forgotten).
      • Right to restrict processing of your PI.
      • Right to data portability.
      • Right to object to processing of your PI.
      • Right to withdraw consent.
    • CCPA/CPRA Rights:
      • Right to know what PI we collect, use, disclose, and sell.
      • Right to delete your PI.
      • Right to correct inaccurate PI.
      • Right to opt-out of the sale or sharing of your PI.
      • Right to limit the use and disclosure of sensitive PI.
      • Right to non-discrimination.
    • To exercise your data rights under HIPAA, GDPR, or CCPA/CPRA, please contact us at akiva.davis@neurotrax.com or submit a request via. We will respond within the timeframes required by applicable law.
  9. California Residents
    • California residents have the right to request information about the categories of PI we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
    • We do not “sell” personal information as defined by the CCPA/CPRA.
  10. Children's Privacy

    Our Services are not intended for use by children under the age of 13. We do not knowingly collect PI from children under 13. If we become aware that we have collected PI from a child under 13, we will take steps to delete it.

  11. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website or by other means. Your continued use of the Services after such changes constitutes your acceptance of the new Terms.

  12. Contact Us

    NeuroTrax Corporation
    1130 Creekside Parkway, Unit 111989
    Naples, FL 34108-1180
    akiva.davis@neurotrax.com
    Tel (US toll-free): 1-855-NEUROTRAX

  13. HIPAA and GDPR Compliance Details
    • HIPAA: NT will maintain appropriate administrative, physical, and technical safeguards to protect PHI as required by HIPAA.
    • GDPR: NT will process personal data in accordance with GDPR, including having a legal basis for processing, implementing appropriate security measures, and respecting data subject rights.
    • Data Controller/Processor: For GDPR purposes, NT acts as a “Data Controller” when determining the purposes and means of processing personal data. In some cases, such as when providing Services to clinicians, NT may act as a “Data Processor,” processing data on behalf of the clinician or healthcare provider.
    • Data Processing Agreements: NT will enter into Data Processing Agreements (DPAs) where necessary under GDPR.
    • Business Associate Agreements: NT will enter into Business Associate Agreements (BAAs) with covered entities as required by HIPAA.
    • Data Storage Jurisdiction: Personal and health data may be stored and processed in the United States or in jurisdictions where NT or its third-party providers operate. NT ensures appropriate safeguards are in place for international data transfers in accordance with applicable laws. If you access the Services from outside the United States, you understand that your information may be transferred to, stored, and processed in the U.S. or other jurisdictions. By using our Services, you consent to such transfers in accordance with this Privacy Policy.