
Privacy Policy

Effective date: 9 June 2026

This Privacy Policy explains how CosmicIris Inc. (“CosmicIris”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards your information when you use our websites, applications, and clinical software (collectively, the “Services”). It also explains our use of cookies and similar technologies, which were previously described in a separate document and are now incorporated directly into this policy. Please read it carefully.

On this page
  • 1. Who we are
  • 2. Scope of this policy
  • 3. Information we collect
  • 4. How we use your information
  • 5. Use of annotated data to improve our product
  • 6. Legal bases for processing (GDPR)
  • 7. Health data & HIPAA
  • 8. How we share information
  • 9. Cookies & similar technologies
  • 10. Data retention
  • 11. Data security
  • 12. International data transfers
  • 13. Your rights & choices
  • 14. Children’s privacy
  • 15. Changes to this policy
  • 16. Contact us

1. Who we are

CosmicIris Inc. is the data controller responsible for your personal information under this policy. We provide a cloud platform for multi-dimensional iridology, sclerology, and eye-based diagnostics used by licensed and student practitioners and their clinics.

If you are a practitioner or clinic using CosmicIris to manage patient records, you are typically the controller of your patients’ data, and we act as your processor (or “business associate” under HIPAA) under the terms of your agreement with us. This policy describes our own practices as a controller and, where relevant, our practices when acting on your behalf.

2. Scope of this policy

This policy applies to information we process through our marketing website, our web and desktop applications, our APIs, and any related services that link to this policy. It does not apply to third-party websites, products, or services we do not control, even if they are accessible through the Services.

3. Information we collect

We collect the following categories of information:

  • Account & identity data. Name, email address, password (stored hashed), organization or clinic name, professional role, and, for the Student plan, enrollment-verification documents.
  • Billing data. Billing contact details and subscription records. Payment-card details are processed by our payment provider and are not stored on our servers.
  • Clinical & patient content. Iris and sclera images, diagnostic map overlays, annotations, findings, case notes, appointment records, and other content that you or your practitioners upload or create. This may include health-related information about identifiable individuals.
  • Usage & device data. Log data, IP address, browser and device type, operating system, pages and features used, timestamps, and diagnostic and performance data.
  • Cookies & similar technologies. Data collected through cookies and local storage, as described in Section 9.
  • Communications. Information you provide when you contact support, respond to surveys, or otherwise communicate with us.

4. How we use your information

We use information to:

  • Provide, operate, maintain, and secure the Services;
  • Authenticate users and manage accounts, subscriptions, and billing;
  • Synchronize data in real time across a clinic’s authorized devices;
  • Provide customer support and respond to your requests;
  • Monitor, debug, and improve performance, reliability, and security;
  • Develop and improve features and diagnostic tooling (see Section 5);
  • Send service, security, and administrative communications;
  • Comply with legal obligations and enforce our Terms of Use.

5. Use of annotated data to improve our product

We may use user-annotated data — such as the labels, markings, corrections, collarette and sign annotations, and findings that practitioners create on the canvas — to improve our product internally. This includes refining our automatic detection, training and evaluating our computer-vision and machine-learning models, and improving the accuracy and usefulness of the Services.

Wherever practicable, we de-identify or aggregate data before using it for these purposes, and we apply technical and organizational safeguards to limit access. We use such data for our own internal product-improvement purposes; we do not sell it, and we do not share identifiable patient data with third parties for their own purposes. Where required by law or by your agreement with us, we will obtain the appropriate consent or rely on a valid legal basis before using this data. If you are a practitioner, you are responsible for ensuring you have any patient consents necessary for this use, and you may contact us to discuss opt-out options for your workspace.

6. Legal bases for processing (GDPR)

Where the EU/UK General Data Protection Regulation applies, we rely on the following legal bases: performance of a contract (to provide the Services); legitimate interests (to secure, maintain, and improve the Services, balanced against your rights); compliance with a legal obligation; and consent (for example, for non-essential cookies or for processing special-category health data where consent is the applicable basis). You may withdraw consent at any time without affecting processing carried out before withdrawal.

7. Health data & HIPAA

Clinical content may constitute protected health information (PHI). For customers in the United States subject to HIPAA, we make a Business Associate Agreement (BAA) available and process PHI only as permitted by that agreement and applicable law. We apply administrative, physical, and technical safeguards designed to protect health information and restrict access to authorized personnel on a need-to-know basis.

8. How we share information

We share information only as described below:

  • Within your clinic. Content is shared with the authorized users of your workspace according to the roles and permissions you configure.
  • Service providers. With vendors who process data on our behalf — including cloud hosting (Google Cloud), payment processing, email delivery, and analytics — under contracts that restrict their use of the data.
  • Legal & safety. When required by law, legal process, or to protect the rights, property, or safety of CosmicIris, our users, or others.

We do not sell your personal information.

9. Cookies & similar technologies

We use cookies and similar technologies (such as local storage and similar identifiers) to operate and improve the Services. This section replaces our former standalone Cookie Policy. We use the following categories:

  • Strictly necessary. Required to run the Services — for example, to keep you signed in, maintain your session, and secure the platform. These cannot be switched off through our interface.
  • Functional. Remember your preferences and settings, such as language and interface choices.
  • Analytics & performance. Help us understand how the Services are used so we can improve performance and usability. These are used with your consent where required.

You can control cookies through your browser settings and, where applicable, our in-product consent controls. Blocking some cookies may affect how the Services function. We honor recognized opt-out and Global Privacy Control signals where legally required.

10. Data retention

We retain personal information for as long as needed to provide the Services and for legitimate business or legal purposes. Clinical content is retained for the life of your account and deleted or returned in accordance with your agreement with us after termination, subject to backups that expire on a rolling basis and to any legal retention requirements.

11. Data security

We use encryption in transit and at rest, access controls, network isolation, logging, and regular security reviews to protect information. No method of transmission or storage is completely secure, but we work to protect your information and to notify you and regulators of incidents where required by law.

12. International data transfers

CosmicIris operates across multiple Google Cloud regions. Where you choose a data residency region (US, EU, or APAC), we store your primary clinical content in that region. Where personal data is transferred internationally, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

13. Your rights & choices

Depending on your location, you may have rights to access, correct, delete, or port your personal information; to object to or restrict certain processing; and to withdraw consent. To exercise these rights, contact us using the details in Section 16. If your data is managed by a clinic, we may direct your request to that clinic as the controller. You also have the right to lodge a complaint with your local data-protection authority.

14. Children’s privacy

The Services are intended for professional and adult use and are not directed to children. We do not knowingly collect personal information from children except as patient content provided by a practitioner under an appropriate legal basis and consent.

15. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice. Your continued use of the Services after an update means you accept the revised policy.

16. Contact us

If you have questions about this policy or our privacy practices, contact us at privacy@cosmiciris.app, or write to CosmicIris Inc., Privacy Office.

See also our Terms of Use.
