
Privacy Policy

Last updated: April 5, 2026

1. Introduction

Lux Cognitiva™ Technologies Inc. ("we", "our", "us") is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website, use our CuraNexus™ platform, or interact with our services.

We are building our platform and practices to align with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial health privacy legislation, and the UK General Data Protection Regulation (UK GDPR) where applicable. Formal compliance verification is part of our roadmap.

2. Information We Collect

Information you provide directly

  • Name, email address, company name, and role when you request a demo or contact us
  • Information submitted through forms on our website
  • Communications you send to us via email or other channels

Information collected automatically

  • Browser type and version
  • Pages visited and time spent on our site
  • Referring website or source
  • Device type and screen resolution
  • IP address (anonymised where possible)

Clinical data (CuraNexus platform users)

  • Patient health information is processed only within the CuraNexus platform environment
  • All clinical data remains on your infrastructure — we do not access, store, or process patient health information on our marketing website
  • Clinical data processing is governed by the service agreement and data processing agreement with your subscribing organisation

3. Legal Basis for Processing

We process personal information on the following legal bases:

  • Consent — when you submit a demo request or contact form, or opt in to marketing communications
  • Contractual necessity — when processing is necessary to provide our services under your subscription agreement
  • Legitimate interest — for website analytics, security monitoring, and improving our services, where these interests are not overridden by your rights
  • Legal obligation — when processing is required to comply with applicable laws

For health data (special category data under UK GDPR Article 9), processing is carried out on the basis of explicit consent or as necessary for the provision of health care services, subject to the conditions set out in your organisation's data processing agreement.

4. How We Use Your Information

  • To respond to your inquiries and demo requests
  • To provide, maintain, and improve our services
  • To send you information about our products (only with your consent, in compliance with CASL and UK regulations)
  • To comply with legal obligations
  • To protect our rights and prevent misuse
  • To conduct security assessments and vulnerability monitoring

5. Automated Decision-Making and AI

The CuraNexus platform includes an AI clinical assistant that processes patient data to generate clinical documentation suggestions. This AI:

  • Does not make autonomous clinical decisions — all AI-generated suggestions require human review and approval by a qualified clinician
  • Runs on your infrastructure — patient data is not transmitted to external AI services
  • Is rate-limited and identity-enforced — all AI interactions are scoped to the authenticated user and their permitted patient data
  • Is subject to audit logging — all AI interactions are recorded

You have the right to request human intervention in any decision that may significantly affect you, and to challenge the basis of any automated processing.

6. Data Sharing

We do not sell personal information. We may share information with:

  • Service providers who assist in operating our business (including hosting infrastructure and email delivery services), bound by contractual obligations to protect your data
  • Legal authorities when required by law, regulation, legal process, or enforceable governmental request
  • Business transfers in the event of a merger, acquisition, or sale of assets, with prior notice to affected individuals where practicable

For subscribing organisations, data processing arrangements are documented in a separate Data Processing Agreement (DPA) that sets out sub-processors, security measures, and audit rights.

7. Data Security

We implement appropriate technical and organisational measures to protect personal information, including:

  • Encryption in transit (TLS)
  • Role-based access controls
  • Audit logging of all data access
  • Regular security assessments
  • Multi-tenancy with full data isolation between organisations

Our infrastructure is hosted in Canadian data centres. We conduct periodic security reviews and maintain documented incident response procedures.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by UK GDPR) or as soon as feasible (as required by PIPEDA)
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights
  • Document the breach, its effects, and the remedial actions taken

9. Data Retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Contact and demo form submissions: 24 months unless you request earlier deletion
  • Account data: Duration of the service relationship plus 30 days for data export
  • Clinical data: As defined in your organisation's service agreement and applicable healthcare records retention requirements
  • Website analytics data: 12 months
  • Legal and compliance records: As required by applicable law

10. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information (subject to legal retention requirements)
  • Restrict or object to certain processing activities
  • Data portability — receive your data in a structured, commonly used format
  • Withdraw consent for marketing communications at any time
  • Request human intervention in automated decision-making
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@luxcognitiva.com. We will respond within 30 days (or one calendar month under UK GDPR).

11. Supervisory Authorities

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:

  • Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • Ontario: Information and Privacy Commissioner of Ontario (IPC) — ipc.on.ca

12. International Transfers

Our primary data processing occurs in Canada. For UK-based users, Canada has been granted an adequacy decision under UK GDPR, meaning your data benefits from equivalent protection when processed in Canada.

We do not transfer personal data to jurisdictions without adequate data protection. If this changes, we will implement appropriate safeguards (such as the UK International Data Transfer Agreement) and update this policy.

13. Children's Privacy

CuraNexus is a business-to-business clinical platform. We do not knowingly collect information from individuals under the age of 18 through our website. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date and, where practicable, by email. We encourage you to review this policy periodically.

15. Contact Us

If you have questions about this Privacy Policy or our data practices:

Lux Cognitiva Technologies Inc.
Privacy Inquiries
2086 Pine St, Burlington, Ontario L7R 1G2, Canada
Email: privacy@luxcognitiva.com
