29 Sept 2025

Privacy Policy

This Privacy Policy describes how Descrai collects, uses, and protects your information in compliance with GDPR (for EEA/UK/Switzerland users) and HIPAA (for U.S. users handling PHI).

1. Data We Collect

  • Account Data: name, email, institution

  • Device Data: smart glasses usage, logs

  • Experiment Data: audio, video, metadata

  • PHI (Optional): only if explicitly processed under a signed BAA

  • Integration Data: ELN/LIMS connections

  • Payment Data: billing information

2. Data Use

We process data only to:

  • Provide and improve the Services

  • Generate experimental documentation

  • Enable integrations (ELNs, LIMS)

  • Comply with legal and regulatory obligations

3. Data Storage & Security

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256).

  • PHI stored in HIPAA-compliant infrastructure.

  • Access logged and restricted by least-privilege principles.

4. GDPR Lawful Bases

We process personal data under one or more of the following legal bases:

  • Contract: to provide Services you’ve subscribed to

  • Consent: where you opt in for certain features

  • Legal Obligation: compliance with law or regulations

  • Legitimate Interests: improving Services, research, and security

5. Data Sharing

We may share data with:

  • Cloud hosting providers (under GDPR-compliant agreements)

  • Payment processors (PCI-DSS compliant)

  • ELNs/LIMS (only when you enable integrations)

  • Legal authorities (only when required)

We do not sell data.

6. Data Retention

  • Research data: retained until deleted by you.

  • PHI: retained only as required by HIPAA or contractual obligations.

  • Account data: retained while active, or as legally required.

7. Your Rights

  • GDPR: right of access, rectification, erasure, portability, restriction, objection.

  • HIPAA: right to access your PHI, request amendments, and receive an accounting of disclosures.

8. Breach Notification

If a data breach occurs, we will notify affected users within 72 hours (GDPR) or without unreasonable delay, and no later than 60 days (HIPAA).

9. International Transfers

If you are in the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

10. Contact

To exercise rights or request compliance information, contact:
Ramiz Nathani, ramiz@descrai.io

For EU/UK users, you may also contact your local Data Protection Authority.