Privacy Policy

Your privacy is important to us. Learn how we protect your information.

Effective Date: August 23, 2025
Last Updated: January 13, 2026

Scienza Health, Inc. ("Scienza," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website at scienzahealth.com or use our healthcare technology services (collectively, the "Services").

As a health technology company handling sensitive health data, we comply with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other applicable data privacy laws.

If you are a covered entity or business associate under HIPAA, please refer to our Business Associate Agreement (BAA), which governs our handling of Protected Health Information (PHI).

By using our Services, you consent to the practices described herein. If you do not agree, please do not use our Services.

1. Information We Collect

We collect information in several ways to provide and improve our Services. This includes:

a. Personal Information You Provide

  • Contact and Account Information: Name, email address, phone number, mailing address, and account credentials when you register, request a demo, or contact us.
  • Health-Related Information: If you are a patient or user of our Gia™ platform, we may collect sensitive health data such as medical history, voice biomarkers (e.g., speech patterns, vocal characteristics), cognitive screening results, and other health indicators.
  • Payment Information: Billing details (e.g., credit card numbers) processed securely via third-party providers; we do not store full payment card details.
  • Other Voluntary Information: Feedback, survey responses, or communications you send us.

b. Automatically Collected Information

  • Usage Data: IP address, browser type, device identifiers, pages visited, time spent, and referring URLs when you access our Website or Services.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to track user behavior, personalize content, and analyze trends. For details, see our Cookie Policy below.
  • Sensor and Device Data: In connection with our Services, we may collect environmental data from IoT sensors (e.g., temperature, humidity, air quality) and health data from Samsung Galaxy devices (Samsung Health platform, Galaxy Watch) with user consent.

c. Information from Third Parties

  • Partners and Integrations: Data from healthcare providers, EHR systems (e.g., Epic), Samsung Galaxy devices (Samsung Health platform, Galaxy Watch), or APIs (e.g., ElevenLabs for voice processing) as part of our service delivery.
  • Public Sources: Aggregated data from public databases for research purposes, anonymized to protect privacy.

We limit collection to what is necessary for our Services and do not collect data from children under 13 without verifiable parental consent.

2. How We Use Your Information

We use your information for legitimate business purposes, including:

  • Providing Services: To operate Gia™, perform cognitive screenings, automate documentation and billing, and deliver personalized health insights (e.g., using AI/ML for biomarker analysis).
  • Improving and Personalizing: Analyze usage to enhance features, train AI models (with anonymized data), and customize experiences.
  • Compliance and Security: Detect fraud, ensure regulatory compliance (e.g., HIPAA audits), and maintain data integrity.
  • Communications: Send service updates, alerts, or marketing materials (with opt-in consent).
  • Research and Analytics: Aggregate de-identified data for health research, subject to IRB approval and data minimization.
  • Legal Obligations: Respond to subpoenas, court orders, or regulatory requests.

For sensitive health data (PHI), we process only as permitted under HIPAA (e.g., treatment, payment, operations) or with explicit consent under GDPR/CCPA.

3. How We Share Your Information

We do not sell your personal information. Sharing occurs only as necessary:

  • Service Providers: With vendors (e.g., AWS for hosting, ElevenLabs for voice processing) bound by contracts ensuring confidentiality and compliance.
  • Business Partners: With healthcare providers or integrators (Samsung Galaxy devices, Samsung Health platform, Samsung Knox security) under BAAs or data processing agreements.
  • Legal and Safety Reasons: To comply with laws, respond to authorities, or protect rights/safety (e.g., public health reporting).
  • Business Transfers: In mergers/acquisitions, with notice and consent where required.
  • With Your Consent: For any other purpose you approve.

For PHI, sharing is limited to HIPAA-permitted uses. Under CCPA, we do not "sell" or "share" data for cross-context advertising. International transfers use Standard Contractual Clauses or equivalent safeguards.

4. Data Security

We implement strict security measures to protect your information, including:

  • Encryption (AES-256) for data at rest and in transit.
  • Access controls, firewalls, and regular vulnerability scans.
  • Employee training on data protection.
  • Incident response plans, with notification within 72 hours for breaches under GDPR/HIPAA.

While no system is impenetrable, we use reasonable safeguards aligned with industry standards (e.g., NIST for cybersecurity).

5. Your Privacy Rights

Depending on your location, you have rights including:

  • Access: Request details of your data.
  • Correction/Rectification: Update inaccurate information.
  • Deletion/Erasure: Request removal, subject to legal exceptions (e.g., HIPAA retention).
  • Opt-Out of Sale/Sharing: We do not sell data, but you can opt out of targeted advertising.
  • Limit Sensitive Data Use: Restrict processing of sensitive PHI.
  • Portability: Receive your data in a transferable format.
  • Object/Withdraw Consent: Stop processing where based on consent or legitimate interests.
  • Non-Discrimination: No penalties for exercising rights.

To exercise rights, contact us at support@scienzahealth.com or via our Website form. We respond within 30-45 days (extendable under law), free of charge (up to twice/year under CCPA). Verification may require ID. For GDPR, contact our DPO at dpo@scienzahealth.com. For CCPA, submit requests via +1 (888) 400-1409 or form; we honor global privacy controls.

6. California AI Law Compliance

In compliance with California's AI transparency laws, including AB 2013 (AI Training Data Transparency Act) and AB 3030 (Healthcare AI Disclosure), we maintain the following practices:

a. AI Training Data Transparency (AB 2013)

Detailed information about the data used to train our AI systems is available on our AI Training Data Transparency page, including data sources, collection methods, and processing procedures.

b. AI-Generated Communications (AB 3030)

Communications generated by our Gia™ AI platform that contain clinical or health-related information include prominent disclosures indicating the content was generated or assisted by AI. For questions about AI-generated content, contact support@scienzahealth.com or call 1 (888) 400-1409.

c. Human Oversight

Our AI systems operate under our 5-layer governance framework with mandatory human oversight for all clinical decisions. AI outputs are designed to assist, not replace, qualified healthcare professionals.

7. Cookies and Tracking Technologies

We use cookies for functionality, analytics, and marketing. Categories:

  • Essential: For site operation (no consent needed).
  • Performance/Analytics: Track usage (e.g., Google Analytics, anonymized).
  • Functional: Personalize content.
  • Targeting: If enabled, for ads (opt-out via settings).

Manage preferences via our Cookie Banner. For details, see our Cookie Policy. We respect Do Not Track signals.

8. Children's Privacy

Our Services are not for children under 13 (or 16 under GDPR). We do not knowingly collect data from minors without parental consent. If discovered, we delete such data promptly.

9. International Data Transfers

Data may be transferred to the US or other countries. We use safeguards like Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions to protect your information during international transfers.

10. Retention of Your Information

We retain data as needed for Services, legal obligations (e.g., 6-10 years for health records under HIPAA), or business purposes. De-identified data may be retained indefinitely for research. You may request deletion subject to legal requirements.

11. Changes to This Privacy Policy

We may update this Policy; changes are posted here with the effective date. Continued use constitutes acceptance. For material changes, we notify via email or Website notice.

12. Contact Us

For questions or rights requests:

Scienza Health, Inc.

21163 Newport Coast Drive Suite 137

Newport Beach, CA 92657

Email: support@scienzahealth.com

Phone: +1 (888) 400-1409

DPO (for GDPR): dpo@scienzahealth.com

For complaints, contact your local authority (e.g., ICO for UK, CPPA for California).