Privacy Policy
How OSAZ protects your data and respects your privacy
Introduction
OSAZ, Inc. (“OSAZ,” “we,” “us,” or “our”) operates the OSAZ digital health platform, including the Vision API, Clinical Connector, and Data & Research products. This Privacy Policy describes how we collect, use, disclose, and protect information, including Protected Health Information (PHI), when you use our products, services, and website.
This policy applies to all users of our platform, including enterprise customers, pilot participants, developer partners, and website visitors. By using our services, you acknowledge the practices described in this policy.
Information We Collect
Account Information — Name, email address, organization, professional role, and contact details provided during registration or inquiry.
Health and Diagnostic Data — Skin images, diagnostic outputs, clinical metadata, and related health information submitted through our platform. This data is classified as Protected Health Information (PHI) under HIPAA when associated with identifiable individuals.
Usage Data — Feature usage patterns, session duration, interaction logs, and platform analytics collected automatically during your use of our services.
Device and Technical Data — Browser type, operating system, IP address, device identifiers, and similar technical information collected automatically.
How We Use Your Information
- Delivering and maintaining our diagnostic and platform services
- Improving AI model accuracy using only de-identified and aggregated data
- Fulfilling compliance and regulatory obligations under HIPAA, GDPR, and applicable laws
- Platform analytics, performance monitoring, and security
- Communicating service updates, security notices, and account-related information
PHI is never used for marketing, advertising, or profiling. We do not sell personal data or Protected Health Information to third parties under any circumstances.
Data Protection & Security
- AES-256-GCM encryption for all Protected Health Information at rest
- TLS 1.2 or higher enforced for all data in transit, with TLS 1.3 preferred
- Multi-factor authentication (MFA) required for all accounts accessing PHI
- Role-based access controls (RBAC) following the principle of least privilege
- Immutable audit logging of all PHI access events, retained for six years
- Regular penetration testing and vulnerability assessments by third-party security firms
- 15-minute idle session timeout for systems handling PHI
Data Sharing & Third Parties
We share information only in the following circumstances:
- Business Associates — HIPAA-compliant service providers operating under signed Business Associate Agreements (BAAs), including cloud infrastructure and encryption service providers.
- Legal Requirements — When required by law, regulation, court order, or governmental request, or to protect the rights, safety, or property of OSAZ, our users, or the public.
- With Your Consent — When you have provided explicit authorization for a specific disclosure.
We never sell personal data or Protected Health Information.
Data Retention & Deletion
- Protected Health Information — Retained for a minimum of six years per HIPAA requirements, or longer if required by applicable state law.
- Audit Logs — Retained for six years in immutable, tamper-evident storage.
- Account Data — Retained while your account is active and for a reasonable period thereafter to fulfill legal obligations.
- Usage and Technical Data — Retained for up to 24 months for analytics and platform improvement.
You may request deletion of your personal data by contacting us at privacy@osaz.com. We will process deletion requests within 30 days, except where retention is required by law or regulation.
Your Rights
GDPR Commitment
OSAZ is committed to full compliance with the General Data Protection Regulation (GDPR) for all data subjects in the European Union and European Economic Area. We process personal data only on lawful bases, respect all data subject rights, and maintain appropriate safeguards for international data transfers. For GDPR inquiries, contact our Data Protection Officer at privacy@osaz.com.
Your Rights Under US Law
- Right to access your personal information
- Right to correct inaccurate data
- Right to request deletion of your data
- Right to data portability
- Right to opt out of certain data processing activities
- Rights under CCPA, CPRA, and applicable state privacy laws
Your Rights Under GDPR
- Right to be informed about how your data is processed
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
- Right to lodge a complaint with a supervisory authority
Children's Privacy
Our services are not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@osaz.com.
International Data Transfers
OSAZ primarily processes data in the United States. For data subjects in the European Union, European Economic Area, or other jurisdictions with data transfer restrictions, we implement the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all service providers handling personal data
- Adequacy decision references where applicable
- Technical measures including encryption and access controls that travel with the data
Our operations in Lagos, Nigeria do not process Protected Health Information without appropriate cross-border data transfer safeguards in place.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email to the address associated with your account and through a prominent notice on our platform at least 30 days before the changes take effect. We encourage you to review this policy periodically. Prior versions are available upon request.