Privacy Policy — Ameda

Welcome to Ameda (hereinafter: "the System", "we", "us", "our"). This Privacy Policy describes how we collect, use, store, disclose, and delete personal information — particularly medical data — in connection with our services, and your rights as a data subject.

1. Who We Are & Role in Data Processing

We act as the Data Controller and process data under agreements and instructions from medical entities / physicians that provide us with data.

When we use third-party service providers (e.g., storage, computational processing), they act as Data Processors and are bound by contractual obligations to process data only per our instructions.

2. Types of Data Collected & Purposes of Processing

We receive medical data from medical entities, such as:

• Identifying information: name, age, national ID (or internal identifier)
• Medical data: medical history, diagnoses, treatments, medications, clinical assessments, etc.
• Technical / usage data: IP addresses, system logs, metadata for security and operational purposes

Purpose: to generate medical reports, provide analytical support to physicians, and present insights per agreement with the supplying medical entities.

We commit to collecting only the minimal data required to fulfill these purposes and refraining from unnecessary or excessive collection.

3. Legal Bases for Processing

Processing is based on one or more of the following legal bases (in accordance with Israeli law and Amendment 13, when applicable):

• Explicit consent of the data subject, when required
• Execution of an agreement or service between us and the medical entity / patient
• Compliance with legal or regulatory obligations
• Legitimate interest — only when balanced against the privacy rights of the data subject (especially with respect to medical data)

If processing is based on consent, the consent may be withdrawn at any time. Upon withdrawal, we will cease processing or delete the data, in accordance with our retention and deletion policy.

4. Geographical Storage & Data Residency

All personal and medical data we process is hosted on Google Cloud servers located in Israel (Region: Tel Aviv, "me-west1"). We use Google's "Israel Data Boundary and Support" to help ensure that data does not cross outside the country as part of storage or routine processing.

If in the future cross-border data transfer becomes necessary (for example, to a third-party service outside Israel), such transfer will only occur under strong encryption, binding agreements, and with explicit consent from the medical entity / data subject.

5. Data Security

We adopt technical and organizational measures to protect data security, including:

• Encryption in transit (TLS) and at rest
• Key management via Google Cloud KMS (customer-managed keys), with periodic key rotation
• Strict access control — only authorized personnel may access data
• Audit logs of access and modifications
• Secure backups with defined deletion policies
• Security reviews, penetration testing, internal security procedures
• Privacy by Design / Default — embedding protections into system architecture

6. Data Retention & Deletion

Our retention and deletion policy is structured as follows:

• We retain sensitive data only for the minimal time necessary to generate reports and maintain system operations
• Once data is no longer needed, we delete it permanently from active resources
• Backup copies are deleted in accordance with backup retention policies; any residual data becomes inaccessible
• Destruction or revocation of encryption keys serves as a de facto deletion — data without keys is unreadable
• We keep precise records of deletion actions: who, when, what was deleted
• Upon a valid request for deletion by a data subject, we verify identity and then remove data from all relevant resources

7. Data Subject Rights

As a user / data subject, you have the following rights (to the extent permitted by law):

• Right of Access — to see the personal information we hold about you
• Right to Rectification — to correct inaccurate or incomplete information
• Right to Deletion — in cases permitted by law
• Right to Object — to certain processing based on valid grounds
• Right to Data Portability — to receive your data in a structured, commonly used format (when applicable)
• Right to Withdraw Consent — if processing is based on consent, you may withdraw it at any time

We will respond to requests without undue delay, subject to legal and security constraints.

8. Security Breach Notification

If a security breach or unauthorized disclosure occurs and presents a high risk to privacy, we will:

• Perform an immediate risk assessment
• Notify the Israel Privacy Protection Authority (or relevant authority) in accordance with legal obligations
• Notify affected data subjects / medical entities as required by law
• Take measures to mitigate the breach, prevent recurrence, and learn from the incident
• Maintain full documentation of the incident: timeline, decisions, actions taken

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time (e.g., due to legal changes or technical improvements). For material changes, we will notify users in advance and allow them time to review revisions.

11. Contact & Inquiries

If you have questions, complaints, or requests regarding privacy, contact us at: privacy@quamm.ai. We will respond in good faith and with due diligence.

12. Privacy Requests Page

You may submit privacy-related requests (access, deletion, correction, objections) through our dedicated privacy requests page: Privacy Requests Page.