Privacy Policy

1. Information We Collect

Test Images and Data

VynScan captures digital images of drug test strips for analysis. These images may contain visual indicators that could be associated with individuals being tested. Image metadata, including timestamps and device identifiers, are collected during the analysis process.

Device Data

When VynScan devices are used, the Company collects:

• Device identifier and serial number
• Software version and firmware information
• Device location and facility association
• Usage statistics and performance metrics

User Account Information

For users who create accounts to access VynScan results, the Company collects:

• Name and email address
• Job title and role
• Facility or organization affiliation
• Authentication credentials

Facility Data

For nursing homes and other facilities using VynScan, the Company may collect information about:

• Facility name and location
• Number of tests conducted
• Facility administrator and authorized user information

Automatically Collected Information

The Company may automatically collect:

• IP addresses and device information
• Usage patterns and interaction data
• Error logs and system diagnostics

2. How We Use Information

VynMed uses collected information for the following purposes:

• Test Analysis: To perform automated analysis of drug test strips and generate accurate results.
• Quality Assurance: To validate the accuracy of test readings and maintain system reliability.
• Product Improvement: To enhance VynScan's algorithms, user interface, and overall performance through analysis of usage patterns and results.
• Security: To detect and prevent fraud, unauthorized access, and security threats.
• Compliance: To comply with applicable healthcare regulations, including HIPAA and facility-specific policies.
• Customer Support: To provide technical assistance and resolve issues.
• Legal Obligations: To respond to lawful requests from regulators and law enforcement.

3. HIPAA Compliance Pathway

Protected Health Information (PHI) Handling

When VynScan processes information that constitutes PHI under HIPAA:

• PHI is processed only for the purposes specified in the BAA.
• The Company implements administrative, physical, and technical safeguards to protect PHI.
• PHI is not used for any purpose other than providing VynScan services unless explicitly authorized in writing.
• The Company does not sell PHI.

Individual Rights

Covered entities (healthcare facilities) using VynScan remain responsible for honoring patient requests to access, amend, or receive an accounting of disclosures of their PHI. The Company will cooperate with reasonable requests to support these rights.

4. Data Storage & Security

Encryption

The Company employs industry-standard encryption protocols:

• In Transit: All data transmitted between VynScan devices, applications, and servers is encrypted using TLS 1.2 or higher.
• At Rest: Data stored in VynMed's systems is encrypted using AES-256 or equivalent encryption standards.

Access Controls

The Company implements:

• Role-based access controls (RBAC) to limit data access to authorized personnel only.
• Multi-factor authentication for user accounts and administrative access.
• Regular access reviews to ensure data is accessed only on a need-to-know basis.
• Audit logs to track access to sensitive data.

Infrastructure Security

VynMed's data storage infrastructure includes:

• Secure data centers with physical access controls.
• Regular security updates and patch management.
• Intrusion detection and prevention systems.
• Regular security audits and penetration testing.

5. Data Retention

The Company retains data for as long as necessary to provide VynScan services and comply with applicable legal and regulatory requirements. Specifically:

• Test images and results are retained for the duration of the service agreement between the facility and VynMed, unless a longer retention period is required by law or facility policy.
• User account information is retained while the account is active. Upon account deletion, personal information is securely deleted within 30 days, except where retention is required by law.
• Audit logs and security data are typically retained for 12 months or longer as required by regulatory standards.
• Facilities may request data deletion in accordance with applicable laws and the service agreement.

6. Third-Party Sharing

Data Sale Policy

VynMed does not sell, rent, or share personal information or PHI with third parties for marketing or commercial purposes.

Limited Sharing for Service Operation

The Company may share information with trusted third parties only as necessary to provide VynScan services:

• Service Providers: Cloud infrastructure providers, data storage services, and technical support vendors who have signed data processing agreements ensuring equivalent data protection.
• Facility Administrators: Authorized users at the healthcare facility may access test results and facility data in accordance with their permissions and facility policies.
• Legal Compliance: VynMed may disclose information when required by law, court order, or government request, provided the Company notifies the affected party unless legally prohibited.

Data Processing Agreements

All third-party service providers who handle data sign Data Processing Agreements (DPAs) that:

• Limit data use to the specific purposes outlined in the agreement.
• Require equivalent security measures.
• Restrict further data sharing without consent.
• Include audit rights for VynMed and its clients.

7. Your Rights

Access

Subject to applicable laws and regulations, individuals or authorized representatives may request access to their personal information or PHI that VynMed processes. Requests should be directed to the contact information provided in Section 10.

Correction

If inaccuracies are identified in personal information, individuals may request correction. The Company will work to verify and correct such information promptly.

Deletion

Individuals may request deletion of their personal information, subject to legal retention requirements and ongoing service obligations. The Company will honor deletion requests where feasible and will securely dispose of data no longer needed.

Data Portability

Where applicable under data protection regulations, individuals may request that their data be provided in a structured, commonly used, and machine-readable format.

Exercising Your Rights

To exercise any of these rights, please contact VynMed using the contact information in Section 10. The Company will respond to requests within the timeframes required by applicable law, typically within 30 days.

8. Children's Privacy

VynScan is not directed to children under 13 years of age. The Company does not knowingly collect personal information from children under 13. If the Company becomes aware that personal information from a child under 13 has been collected, it will take immediate steps to delete such information. Parents or guardians who believe their child has provided information to VynMed should contact the Company immediately at [email protected].

9. Changes to This Policy

VynMed may update this Privacy Policy from time to time to reflect changes in practices, technology, legal requirements, or other factors. The Company will notify users of material changes by updating the "Last updated" date at the top of this policy and, where applicable, by providing notice through VynScan or other communication channels.

Continued use of VynScan following changes to this Privacy Policy constitutes acceptance of the updated policy. Users are encouraged to review this policy periodically to stay informed about how VynMed protects their information.

10. Contact Information

For questions about this Privacy Policy, data requests, or to exercise your privacy rights, please contact:

The Company will respond to inquiries within 10 business days and will work to address any concerns regarding privacy and data protection.

By using VynScan, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with any part of this policy, please discontinue use of VynScan.