Privacy Policy

NanoSense ("we," "us," or "our") operates the NanoSense Medical RAG Intelligence Platform (the "Service"), accessible at nanosense.net and api.nanosense.net. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our Service.

1. Information We Collect

1.1 Account Information

When you register for the Service, we collect your name, email address, organization name, and billing information. If you register through a partner (e.g., Tamartaw), the partner may provide us with your organizational information on your behalf.

1.2 API Usage Data

We collect metadata about your API requests, including timestamps, query modes selected, token counts, response times, and error codes. This data is used for billing, performance monitoring, and service improvement.

1.3 Clinical Query Content

Queries submitted to the /query endpoint may contain clinical questions and de-identified patient context. We process this data solely to generate responses and do not use query content for training machine learning models or for any purpose other than delivering the requested Service.

1.4 Protected Health Information (PHI)

Our Service is designed to operate with de-identified data. Customers are responsible for de-identifying patient data before transmitting it to our API, in accordance with the HIPAA Safe Harbor or Expert Determination methods (45 CFR §164.514). Where a Business Associate Agreement (BAA) is in place, PHI handling is governed by the terms of that agreement.

2. How We Use Information

We use collected information to:

• Provide, maintain, and improve the Service
• Process billing and enforce token budgets
• Monitor for security threats and unauthorized access
• Generate aggregate, anonymized analytics about Service usage
• Communicate with you about your account, updates, and support requests
• Comply with legal obligations, including HIPAA requirements

3. Data Sharing and Disclosure

We do not sell your information. We may share information with:

• Infrastructure providers: Amazon Web Services (AWS) hosts our infrastructure under their BAA and SOC 2 controls.
• AI model providers: Query content is transmitted to third-party AI model providers (e.g., Anthropic, OpenAI) for response generation. These providers process data under their data processing agreements and do not retain query data for model training.
• Partners: If you access the Service through a partner integration (e.g., Tamartaw), usage metadata may be shared with that partner as described in their privacy policy.
• Legal requirements: We may disclose information if required by law, subpoena, or government request, or to protect the safety and rights of our users.

4. Data Security

We implement industry-standard security measures, including:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest
• Field-level encryption for sensitive identifiers (HMAC-SHA256)
• WAF (Web Application Firewall) protection on all endpoints
• HIPAA-compliant audit logging with tamper-evident trails
• Role-based access control (RBAC) with per-tenant isolation
• Automated vulnerability scanning and penetration testing

For full details, see our Security Whitepaper.

5. Data Retention

We retain data in accordance with our Data Retention Policy:

• Clinical query logs: 6 years (HIPAA requirement)
• Audit logs: 10 years
• Billing records: 7 years
• Account information: Duration of the account plus 90 days after termination

Upon account termination, we cryptographically erase tenant-specific data within the timelines specified in our retention policy.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information (subject to legal retention requirements)
• Export your data in a machine-readable format
• Object to or restrict certain processing activities

To exercise these rights, contact us at privacy@nanosense.net.

7. HIPAA Compliance

NanoSense is designed to support HIPAA compliance for Covered Entities and Business Associates. We offer Business Associate Agreements (BAAs) to customers who require them. Our BAA template is available for review. HIPAA does not preempt state privacy laws that provide greater protection.

8. Cookies and Tracking

The nanosense.net website uses only essential cookies for session management. We do not use third-party advertising trackers, social media pixels, or cross-site tracking technologies. The API (api.nanosense.net) does not use cookies.

9. Children's Privacy

The Service is intended for use by healthcare organizations and developers. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us with personal information, please contact us immediately.

10. International Data Transfers

Our infrastructure is hosted in the United States (AWS us-east-1). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses and our data processing agreements to provide appropriate safeguards for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. For material changes affecting PHI handling, we will provide at least 30 days' advance notice via email.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: