Ceevra Privacy Policy

Introduction

Ceevra, Inc. ("Ceevra," "we," "our," or "us") is committed to protecting the privacy and security of your personal data and protected health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our services, which include our website, mobile applications, and cloud-based platform that generates patient-specific 3D digital models from CT scans and MRIs for surgical planning ("Services").

This Privacy Policy is designed to comply with applicable privacy laws, including the Health Insurance Portability and Accountability Act ("HIPAA", applicable to the United States), the General Data Protection Regulation ("GDPR", applicable to the European Economic Area (“EEA”)), and applicable US state privacy laws.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by the terms described in this Privacy Policy.


Our Role Under HIPAA (United States Users)

Throughout this Privacy Policy, we refer to information regulated by HIPAA as "Protected Health Information" or "PHI."

Ceevra may act in different capacities under HIPAA, depending on the specific circumstances:

  1. As a Business Associate: We act as a Business Associate to healthcare providers and hospitals (Covered Entities) by processing protected health information (PHI) to provide our Services. When we act as a Business Associate, we are bound by the terms of our Business Associate Agreements with these Covered Entities.
  2. As a Covered Entity: In some situations, Ceevra may act directly as a Covered Entity when providing Services. In these instances, we are directly responsible for complying with all HIPAA requirements regarding PHI.

In some situations, Ceevra provides Services by processing anonymized data only (i.e., without processing PHI). In those cases, Ceevra is neither a Business Associate nor a Covered Entity.


Information We Collect

Depending on how you interact with our Services, we may collect the following categories of information:

Personal data – All Users

  • Contact and Account Information: Name, email address, phone number, and other information you provide when creating an account or contacting us.
  • Technical Information: IP address, browser type, device information, operating system, and other technical identifiers when you use our website or applications.
  • Usage Information: How you use our Services, including features accessed, time spent on the platform, and interaction patterns.

Personal data – Healthcare Provider Users

  • Hospital/Facility Information: For healthcare providers, we collect information about your place of work and role.
  • Your Patients: We also collect information regarding which patients are under the care of healthcare providers.

Health Information

When using our 3D imaging services, we may collect and process:

  • Medical Imaging Data: CT scans, MRI images, and related medical imaging data provided to us for processing.
  • Reports: Radiology reports and pathology reports provided to us for processing.
  • Patient Identifiers: Medical record numbers, patient names, dates of birth, and other identifiers included with medical imaging data.
  • Clinical Information: Information related to the patient's diagnosis, treatment plan, and relevant medical history.
  • Orders: Information related to the order or request to use our services.

Depending on the situation, the Health Information specified above may be anonymized (no linkage to personally identifiable information), may be pseudo-anonymized (all personally identifiable information, including PHI in the United States, is replaced with artificial identifiers, limiting the ability to re-identify the data), or may contain personal data.

Health information which is personal data (i.e., excluding anonymized data) is considered "sensitive personal data" under GDPR and various privacy laws. Ceevra systems employ heightened protection of sensitive personal data.


How We Use Your Information

We use the information we collect for the following purposes:

Core Service Functions

  • Providing Our Services: Processing medical images to create 3D models for procedural planning and visualization.
  • Customer Support: Addressing inquiries, troubleshooting issues, and providing technical assistance.
  • Account Management: Creating and managing user accounts and administering our platform.

Business Operations

  • Service Improvement: Analyzing usage patterns to improve and enhance our platform and algorithms.
  • Research and Development: Using de-identified or aggregated data to advance medical imaging technology.
  • Quality Assurance: Monitoring and improving the quality, safety, and efficacy of our Services.
  • Billing and Payment: Recordkeeping related to billing and payment for our Services.

Legal and Regulatory Requirements

  • Compliance: Meeting our obligations under applicable laws, regulations, and professional standards.
  • Security: Detecting and preventing security incidents and protecting against fraudulent or illegal activity.

Legal Basis for Processing (GDPR)

For individuals covered by the GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to fulfill our contractual obligations to you and/or your medical provider.
  • Consent: Where you have provided explicit consent for specific processing activities.
  • Legitimate Interests: Where processing is in our legitimate interests and not overridden by your rights and freedoms.
  • Legal Obligation: Where processing is necessary to comply with legal obligations.
  • Vital Interests: In rare circumstances, to protect vital interests, such as in medical emergencies.

For processing of sensitive personal data, we rely on:

  • Explicit Consent: Where you have given explicit consent to the processing, whether to us, to your medical provider, or to both.
  • Healthcare Provision: Processing necessary for clinical medical use or management of healthcare systems.
  • Public Health: Where necessary for reasons of public health.

How We Share Your Information

We may share your information with the following categories of recipients:

Healthcare Providers and Covered Entities (HIPAA / United States)

  • We share PHI with the healthcare providers who ordered or will use our Services.
  • This sharing is governed by our Business Associate Agreements and applicable law.

Healthcare Providers (GDPR / EEA)

  • We share personal data with the healthcare providers who ordered or will use our Services.
  • This sharing is governed by Data Processing Agreements and applicable law.

Service Providers

  • We work with third-party service providers, such as cloud storage and processing providers.
  • Under GDPR, these service providers are considered “Sub-Processors.”
  • All service providers are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.

Legal and Regulatory Authorities

  • We may disclose personal data if required to do so by law or in response to valid requests by public authorities or applicable regulatory or oversight agencies.

Business Transfers

  • If Ceevra is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction.

Data Security

We implement appropriate technical and organizational measures to protect the personal data and PHI we process. These measures include:

  • Encryption of sensitive data both in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Training for personnel with access to personal data and PHI
  • Physical safeguards for our facilities and systems
  • Incident response procedures

While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure, so absolute security cannot be guaranteed.


Data Retention

We retain your personal data and PHI for as long as necessary to fulfill the purposes outlined in this Privacy Policy and our contracts with our healthcare provider customers, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you
  • Our legal obligations under applicable law
  • Our legal obligations under applicable contracts
  • The applicable statute of limitations for potential legal claims
  • Guidelines issued by relevant data protection authorities
  • Business Associate Agreements and Data Processing Agreements we have signed with your healthcare provider

Unless otherwise specified in writing in an agreement with you or your healthcare provider, we retain anonymized copies of data indefinitely for the purposes specified in the "How We Use Your Information" section.


Your Privacy Rights

Depending on your location and the applicable privacy laws, you may have the following rights regarding your personal data:

Rights for All Users

  • Access: The right to know what personal data we have collected about you.
  • Correction: The right to request correction of inaccurate personal data.
  • Information: The right to be informed about our data practices.

HIPAA Rights (for PHI)

If your information is protected under HIPAA, you have rights to:

  • Access your PHI
  • Request amendments to your PHI
  • Request an accounting of certain disclosures
  • Request restrictions on certain uses and disclosures
  • Request confidential communications
  • Receive notice of our privacy practices
  • Revoke a HIPAA authorization if you signed one

GDPR Rights (for EEA/UK Residents)

  • Erasure: The right to request deletion of your personal data.
  • Restriction: The right to request restriction of processing of your personal data.
  • Portability: The right to receive your personal data in a structured, commonly used format.
  • Objection: The right to object to processing of your personal data.
  • Automated Decisions: The right not to be subject to decisions based solely on automated processing.
  • Withdraw Consent: The right to withdraw consent at any time.

CCPA/CPRA Rights (for California Residents)

  • Deletion: The right to request deletion of personal data.
  • Opt-Out: The right to opt-out of the sale or sharing of personal data and limit use of sensitive personal data.
  • Non-Discrimination: The right not to be discriminated against for exercising privacy rights.

Other State Privacy Law Rights

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have various rights under their respective state privacy laws, which may include:

  • Right to confirm whether personal data is being processed
  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt-out of targeted advertising, sales, or profiling
  • Right to appeal a denial of a request

Exercising Your Rights

To exercise your privacy rights, you may fill out a data rights privacy form on our website at:

Data Rights Request Form

If you have any questions about privacy rights requests, you may contact us at:

We will respond to your request within the timeframe required by applicable law, which varies according to your location and the specific right you are exercising.

  • GDPR: Within one month (may be extended by two months in complex cases)
  • CCPA/CPRA: Within 45 days (may be extended by an additional 45 days)
  • Other State Laws: Generally within 45 days (may be extended according to specific state requirements)

Before fulfilling your request, we may need to verify your identity to protect your privacy and security. We may ask you to provide additional information for verification purposes.

For HIPAA-related requests concerning your PHI:

  • If we maintain your PHI as a Business Associate, we may direct your request to the relevant Covered Entity (healthcare provider).
  • If we maintain your PHI as a Covered Entity, we will process your request in accordance with HIPAA requirements.

Children's Privacy

When we process personal data of minors as part of providing our Services to healthcare providers, such processing is conducted in accordance with applicable laws and is typically based on parental/guardian consent obtained by the healthcare provider.


International Data Transfers

Ceevra is based in the United States. If you are accessing or using our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States:

  • We implement appropriate safeguards that comply with GDPR according to Data Processing Agreements and the Data Privacy Framework
  • We comply with the principles of data minimization, purpose limitation, and storage limitation
  • We provide mechanisms for data subjects to exercise their rights

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date, and the updated version will be effective as soon as it is accessible.

If we make material changes to this Privacy Policy, we will notify you either through the email address you have provided to us or by placing a prominent notice on our website. We encourage you to review this Privacy Policy frequently to stay informed about how we are protecting your information.


United States State-Specific Privacy Notes

Notice for California Residents

In accordance with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we provide the following additional information:

Categories of personal data Collected and Disclosed: In the preceding 12 months, we have collected and disclosed the categories of personal data described in the "Information We Collect" section of this Privacy Policy.

Sources of personal data: We collect personal data directly from you, from healthcare providers, from your use of our Services, and from third-party service providers.

Purpose of Collection: We collect personal data for the purposes described in the "How We Use Your Information" section of this Privacy Policy.

Categories of Third Parties: We share personal data with the categories of third parties described in the "How We Share Your Information" section of this Privacy Policy.

Sale or Sharing of personal data: We do not sell personal data as defined by the CCPA/CPRA. We may share personal data with third parties for business purposes as described in this Privacy Policy.

Sensitive personal data: We limit our use and disclosure of sensitive personal data to purposes that do not require additional notice or right to limit under California law.

Notice for Virginia Residents

In accordance with the Virginia Consumer Data Protection Act (VCDPA), we provide the following additional information:

Profiling: We engage in "Profiling" in connection with our 3D image processing. This means that we use a patient's own medical image to generate a personalized 3D image for that patient.

Targeted Advertising: We do not engage in targeted advertising based on personal data obtained from our Services.

Sensitive Data Processing: We only process sensitive data, including health data, with your consent or as otherwise permitted by law.

Right to Appeal: If we decline to take action on your privacy rights request, you have the right to appeal our decision. Instructions for appealing will be provided in our response to your request.

Notice for Colorado, Connecticut, and Other State Residents

For residents of states with comprehensive privacy laws, including Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Oregon, Rhode Island, Tennessee, Texas, and Utah:

Universal Opt-Out Mechanism: To the extent required by applicable state law, we honor user-enabled universal opt-out mechanisms (such as Global Privacy Control) as a valid request to opt-out of the sale of personal data or targeted advertising.

Data Protection Assessments: We conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, as required by applicable state law.

Automated Decision-Making: Our processing of medical images to create 3D models involves automated processing techniques, but does not constitute “Automated Decision-Making.” Our 3D images are designed for use by health care professionals and are intended to assist the clinician who is responsible for making all final patient management decisions.


Contact Us

If you have any questions or concerns about this Privacy Policy, our data practices, or our compliance with HIPAA, GDPR, or US State Privacy regulations, please contact us using one of the following:

Email: support@ceevra.com

Phone: +1 (415) 325-4830

Mailing Address:
Ceevra, Inc., Attn: Privacy,
149 New Montgomery St., 4th Floor,
San Francisco, CA, 94105, USA