Usage Policy

Table of Contents

  • Part 1: General Privacy Policy
  • Introduction
  • 1. About PrimumAi
  • 2. Scope of this Policy
  • 3. Data We Collect
  • A. Identity and Contact Data
  • B. Technical Data
  • C. Usage Data
  • D. Health Data
  • E. Communications Data
  • 4. Purpose and Legal Basis for Processing
  • 5. Data Collection Methods
  • 6. Data Sharing and Subprocessors
  • 7. Data Transfers Outside the EU
  • 8. Security Measures
  • A. Encryption
  • B. Access Control
  • C. Monitoring and Auditing
  • D. Incident Response
  • 9. Data Retention
  • 10. User Rights Under GDPR
  • 11. Data Subject Requests Procedure
  • 12. Complaints and Dispute Resolution
  • Part 2: Data Sharing, Cookies, and Legal Framework
  • 1. Data Sharing and Disclosure
  • 2. International Data Transfers
  • 3. Cookies and Tracking Technologies
  • 4. Security and Data Breach Response
  • 5. User Rights and Support
  • 6. Accountability and Audit Framework
  • 7. Legal Disclosures and Protections
  • 8. Complaints and Resolution
  • Part 3: Operational Policies, Risk Management, and Compliance Monitoring
  • 1. Operational Policies
  • 2. Risk Management Framework
  • 3. Compliance Monitoring
  • 4. Employee Responsibilities
  • 5. Accountability and Documentation
  • 6. Data Subject Rights Management
  • 7. Supervisory Authority and Complaints
  • 8. Policy Review and Updates

PRIMUMAI PRIVACY AND COOKIES POLICY

Effective Date: [01/01/2025]

PART 1 - GENERAL PRIVACY POLICY

PrimumAi Limited (“PrimumAi,” “we,” “us,” or “our”) is committed to protecting the privacy of all individuals whose data we process. We operate in full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, and this Privacy Policy is designed to ensure transparency, clarity, and adherence to the highest legal and ethical standards in handling personal and healthcare-related data.

This document sets out how PrimumAi collects, processes, retains, and protects personal data and explains the rights of data subjects under GDPR. It also provides safeguards to minimise risks to the company in cases where updates or omissions might occur, ensuring the framework remains robust and defensible.
1. About PrimumAi
PrimumAi Limited
Address: Apartment 31, Block B02 Roselawn, Knocksinna Court, Blackrock, Co. Dublin, A94 A4T8
Email: harsh@primumai.eu
Data Protection Officer (DPO): harsh@primumai.eu

PrimumAi is a Dublin-based healthcare technology company specialising in Practice Management Solutions (PMS) designed to streamline healthcare operations. Our platform integrates AI-driven tools to assist healthcare providers while maintaining strict adherence to privacy and security laws.
2. Scope of this Policy
This policy applies to:
  • Users of PrimumAi PMS: Healthcare providers, administrators, and staff.
  • Patients: Individuals whose data is managed through our PMS.
  • Visitors: Individuals who visit our website.
It governs all personal data collected, processed, and stored by PrimumAi as a data controller or data processor.
3. Data We Collect
We process various categories of personal data to deliver our services effectively and securely. These include:
A. Identity and Contact Data
  • Names, job titles, professional affiliations.
  • Email addresses, phone numbers, and other professional contact details.
B. Technical Data
  • IP addresses, browser types, operating systems, device identifiers, and geolocation data.
  • Login credentials and access logs for system security and auditing purposes.
C. Usage Data
  • Information about interactions with our PMS, such as frequency of access, pages visited, and features used.
D. Health Data
  • Patient information, medical histories, diagnoses, treatment plans, and any data necessary for healthcare operations.
E. Communications Data
  • Records of communications, including emails, chat logs, and support requests, for operational and legal purposes.
4. Purpose and Legal Basis for Processing
PrimumAi processes personal data for the following purposes, adhering strictly to GDPR’s lawful processing requirements:
A. Performance of Contract
  • To provide healthcare management services as agreed upon with healthcare providers.
B. Legal Compliance
  • To meet obligations under EU laws, including healthcare and taxation regulations.
C. Legitimate Interests
  • To improve our services, ensure security, and prevent fraud, provided these interests do not override individual rights.
D. Consent
  • For specific activities requiring explicit consent, such as marketing communications or certain types of data processing.
E. Vital Interests
  • To protect the vital interests of patients or other individuals in emergency scenarios.
5. Data Collection Methods
PrimumAi collects personal data through:
1. Direct Interactions:
  • Users providing data via account creation, customer support, or system usage.
2. Automated Technologies:
  • Cookies, server logs, and usage tracking to optimise performance and identify system issues.
3. Third-Party Sources:
  • External service providers such as AWS Analytics for performance and analytics data.
6. Data Sharing and Subprocessors
We share data with trusted third parties only when necessary and always under GDPR-compliant agreements:
Key Subprocessors:
  • AWS Ireland Limited
  • Microsoft Ireland Operations Limited
Conditions for Sharing:
  • Subprocessors operate under Data Processing Agreements (DPAs) to ensure equivalent data protection standards.
  • Shared data is minimised to the necessary scope and is encrypted to prevent unauthorised access.
PrimumAi does not sell personal data to any third party.
7. Data Transfers Outside the EU
PrimumAi ensures that personal data remains within the European Economic Area (EEA) whenever possible. If a transfer outside the EEA is required:
Adequacy Decisions:
  • We transfer data only to countries approved by the European Commission as having adequate data protection standards.
Standard Contractual Clauses (SCCs):
  • For transfers to non-adequate countries, we implement SCCs to ensure GDPR-compliant protections.
8. Security Measures
We implement a robust security framework to protect personal data:
A. Encryption
  • Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
B. Access Control
  • Role-based access (RBAC) ensures that only authorised personnel can access sensitive data.
  • Multi-factor authentication (MFA) adds an extra layer of protection.
C. Monitoring and Auditing
  • Continuous system monitoring and regular audits help identify and mitigate potential security risks.
D. Incident Response
  • In the event of a personal data breach, we will notify the Data Protection Commission (DPC) within 72 hours of becoming aware of it (GDPR Article 33) and, where the breach is likely to result in a high risk to the rights and freedoms of individuals, notify the affected individuals without undue delay (GDPR Article 34).
9. Data Retention
PrimumAi follows GDPR’s principles of data minimisation and storage limitation:
  • Patient Data: Retained for 14 days after termination of the healthcare provider’s contract unless otherwise required by law.
  • Usage Data: Retained for the duration of the contract and archived for analysis or legal compliance, as necessary.
  • Technical Logs: Stored for up to 12 months for auditing and security purposes.
After the retention period, data is securely deleted or anonymised.
10. User Rights Under GDPR
PrimumAi ensures that all users have full control over their personal data by providing the following rights:
  • A. Right to Access: Users can request a copy of their personal data.
  • B. Right to Rectification: Users can request corrections to inaccurate or incomplete data.
  • C. Right to Erasure: Users can request deletion of data when it is no longer necessary or when processing is based solely on consent.
  • D. Right to Restriction: Users can request limited processing in specific cases, such as data disputes.
  • E. Right to Data Portability: Users can request their data in a structured, machine-readable format.
  • F. Right to Object: Users can object to data processing for marketing purposes or other legitimate interests.
For all requests, users should contact harsh@primumai.eu. Requests are typically processed within one month, with extensions for complex cases.
11. Data Subject Requests Procedure
PrimumAi has established a standardized process for handling data subject requests:
  • 1. Identity Verification: Ensure that the requester is authorized to access the data.
  • 2. Assessment: Evaluate the request to determine its validity under GDPR.
  • 3. Action and Notification: Take necessary action (e.g., data correction, erasure) and notify the requester of completion.
12. Complaints and Dispute Resolution
PrimumAi encourages users to resolve any concerns directly with us. If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Commission (DPC).

PART 2 - DATA SHARING, COOKIES, AND LEGAL FRAMEWORK

1. Data Sharing and Disclosure
PrimumAi is committed to transparency in how we share personal data. While we prioritise keeping data within our secure systems, some data may be shared with trusted third parties under strict agreements to ensure GDPR compliance.
1.1. Subprocessors and Partners
  • AWS Ireland Limited – Compliance: AWS is GDPR-compliant and operates under a Data Processing Agreement (DPA).
  • Microsoft Ireland Operations Limited – Compliance: Microsoft adheres to GDPR and provides Standard Contractual Clauses (SCCs) for international data transfers.
1.2. Internal Staff and Contractors
Data may be accessed by authorised PrimumAi employees or contractors for maintenance, support, or compliance audits. All personnel are bound by confidentiality agreements and undergo regular GDPR training.
2. International Data Transfers
While PrimumAi aims to process and store all data within the European Economic Area (EEA), some data transfers to non-EEA countries may occur. These transfers are governed by the following safeguards:
  • Adequacy Decisions: Data is transferred only to countries recognised by the European Commission as having adequate data protection laws.
  • Standard Contractual Clauses (SCCs): Where adequacy decisions are not applicable, SCCs are used to maintain GDPR-equivalent protections.
  • Encryption Standards: All transferred data is encrypted during transit to prevent unauthorised access.
PrimumAi ensures that all subprocessors receiving data outside the EEA adhere to these safeguards, and conducts regular audits to verify their compliance.
3. Cookies and Tracking Technologies
Cookies are a vital part of the user experience on the PrimumAi PMS and website. They help us provide secure, efficient, and personalised services.
3.1. Types of Cookies Used
  • Essential Cookies: Required for the basic operation of our PMS, including secure login and session management.
  • Performance Cookies: Collect anonymized data on how users interact with the PMS to identify areas for improvement.
  • Preference Cookies: Store user settings such as language preferences to provide a tailored experience.
3.2. Cookie Management
  • Cookie Banner: When users access our website or PMS for the first time, a banner informs them of our cookie practices and allows them to manage preferences.
  • Browser Settings: Users can adjust cookie permissions via their browser settings. This may, however, affect the functionality of certain PMS features.
4. Security and Data Breach Response
PrimumAi employs a robust security framework to protect personal data against loss, unauthorised access, and cyber threats.
4.1. Security Measures
  • Encryption: All data is encrypted using industry-standard AES-256 encryption at rest and TLS 1.2 or higher for data in transit.
  • Access Control: Role-based access controls (RBAC) ensure that only authorized personnel can access sensitive data.
  • Firewalls and Intrusion Detection: Multi-layered firewalls and real-time intrusion detection systems monitor for potential threats.
  • Regular Penetration Testing: Penetration tests are conducted annually to identify and mitigate vulnerabilities.
4.2. Data Breach Protocol
  • 1. Incident Detection: Security monitoring tools detect unusual activities or breaches.
  • 2. Immediate Action: Contain and mitigate the breach to minimise its impact.
  • 3. Notification: Notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to individuals, notify affected users without undue delay, as mandated by GDPR (Articles 33 and 34).
  • 4. Investigation and Reporting: Conduct a detailed investigation and provide a full report to the DPC and affected users, outlining the breach’s scope, cause, and mitigation measures.
5. User Rights and Support
PrimumAi is dedicated to upholding the rights of all data subjects as outlined in GDPR. This includes ensuring that users have full control over their data and access to support when needed.
5.1. Data Subject Rights
  • Access: Request access to their data and information on how it is processed.
  • Correction: Request corrections to inaccurate or incomplete data.
  • Erasure: Request deletion of their data (“right to be forgotten”) under specific conditions.
  • Restriction: Request restriction of processing when data accuracy or legality is contested.
  • Portability: Request a copy of their data in a structured, machine-readable format.
  • Objection: Object to data processing for direct marketing or legitimate interests.
  • Withdraw Consent: Where data processing is based on consent, users may withdraw this consent at any time.
5.2. Request Management
To exercise these rights, users can contact our Data Protection Officer (DPO) at harsh@primumai.eu. Requests are acknowledged within 48 hours and resolved within one month, as per GDPR guidelines.
6. Accountability and Audit Framework
PrimumAi demonstrates GDPR compliance through regular audits, documentation, and employee training programs.
6.1. Compliance Monitoring
  • Internal Audits: Conducted quarterly to ensure all data processing activities align with GDPR requirements.
  • External Assessments: Independent third-party audits are performed annually to verify compliance.
6.2. Record Keeping
  • Categories of processed data: Detailed documentation of all data types processed.
  • Data retention schedules: Timelines for how long different categories of data are kept.
  • Subprocessor agreements and safeguards: Agreements with subprocessors outlining their obligations and safeguards for data protection.
6.3. Employee Training
All staff with access to personal data receive mandatory GDPR training. Training covers:
  • Data protection principles: Fundamental concepts of data privacy and protection.
  • Incident response protocols: Procedures for responding to and managing data breaches or security incidents.
  • Secure handling of sensitive information: Best practices for ensuring the confidentiality and integrity of personal data.
7. Legal Disclosures and Protections
While PrimumAi prioritises the confidentiality of user data, legal obligations may require data disclosures:
  • Regulatory Compliance: Data may be disclosed to the Data Protection Commission (DPC) or other legal authorities upon request.
  • Legal Defense: In the event of a legal dispute, PrimumAi may disclose data as necessary to defend against claims or protect the rights of the company.
Liability Limitation
PrimumAi implements all reasonable safeguards to protect personal data but is not liable for circumstances beyond its control, such as user negligence or third-party breaches.
8. Complaints and Resolution
PrimumAi encourages users to contact us directly for any complaints or concerns regarding data privacy. However, users may also escalate complaints to the Data Protection Commission (DPC).

PART 3 - OPERATIONAL POLICIES, RISK MANAGEMENT, AND COMPLIANCE MONITORING

1. Operational Policies
PrimumAi implements structured operational policies to ensure the secure, compliant, and efficient management of personal data within its Practice Management Solution (PMS). These policies are designed to reduce risks and ensure adherence to GDPR and other relevant regulations.
1.1. Data Access Policy
  • Role-Based Access Control (RBAC): Access to personal data is restricted based on job roles and responsibilities.
  • Multi-Factor Authentication (MFA): All employees and contractors must use MFA for accessing the PMS and sensitive systems.
  • Access Auditing: Regular reviews of access logs to identify unauthorized or unusual activity.
1.2. Data Handling Policy
  • Data Minimization: Only collect and process data necessary for specific, legitimate purposes.
  • Secure Transfers: Use encrypted channels (TLS 1.2 or higher) for data transfer.
  • Data Anonymization: Anonymize data whenever possible to reduce privacy risks, particularly for analytics and reporting purposes.
1.3. Retention and Disposal Policy
  • Retention Schedules: Define specific retention periods for all categories of data:
    • Patient records: Retained for 14 days post-contract termination unless otherwise required.
    • System logs: Retained for up to 12 months for auditing and troubleshooting.
  • Secure Disposal: Implement secure deletion protocols, such as data wiping for data at the end of its lifecycle.
2. Risk Management Framework
PrimumAi adopts a proactive approach to identify, evaluate, and mitigate risks related to data privacy, security, and compliance.
2.1. Risk Assessment Process
  • Quarterly Risk Assessments: Conduct regular assessments to identify potential vulnerabilities in data handling, storage, and processing.
  • Data Protection Impact Assessments (DPIAs): Required for any new processing activities involving sensitive data to evaluate their impact on data subjects’ rights.
2.2. Mitigation Strategies
  • Incident Response Plans
  • Employee Training
  • Regular Penetration Testing
2.3. Contingency Plans
  • Business Continuity Plan (BCP): Ensures critical PMS operations continue during disruptions.
  • Data Recovery Protocols: Regular backups of sensitive data to secure locations, with recovery testing conducted quarterly.
3. Compliance Monitoring
PrimumAi employs a robust compliance monitoring system to ensure adherence to GDPR, mitigate risks, and provide accountability in all data processing activities.
3.1. Internal Audits
  • Frequency: Quarterly audits are conducted by the Data Protection Officer (DPO) to review compliance with GDPR principles.
  • Scope:
    • Review of access logs and permissions.
    • Assessment of subprocessors’ compliance.
    • Analysis of retention schedules and deletion protocols.
  • Documentation: Detailed records of all audits are maintained for regulatory review.
3.2. External Audits
  • Annual Audits: Third-party audits are conducted to ensure independent verification of PrimumAi’s GDPR compliance.
  • Focus Areas:
    • Data security and encryption practices.
    • Subprocessor agreements and safeguards.
    • Incident response readiness.
4. Employee Responsibilities
PrimumAi emphasises individual accountability for compliance and data security across all staff and contractors.
4.1. Employee Roles
  • Data Protection Officer (DPO): Oversees data privacy practices, manages data subject requests, and liaises with regulatory authorities.
  • Compliance Manager: Ensures all operational processes align with GDPR and monitors adherence to internal policies.
  • IT and Security Team: Implements technical safeguards and responds to security incidents.
4.2. Training and Awareness
  • Onboarding Training: All new employees must complete GDPR and data security training within their first month.
  • Ongoing Education: Annual refresher courses on data privacy and secure data handling are mandatory for all staff.
4.3. Consequences for Non-Compliance
Failure to adhere to PrimumAi’s data protection policies may result in disciplinary action, including termination of employment or contracts.
5. Accountability and Documentation
PrimumAi maintains comprehensive documentation to demonstrate compliance with GDPR and other applicable regulations. These records ensure transparency and provide a defensible position in the event of regulatory inquiries or incidents.
5.1. Records of Processing Activities (RoPA)
  • Maintained as required by Article 30 of GDPR.
  • Includes:
    • Categories of personal data processed.
    • Data flows and transfer mechanisms.
    • Retention schedules and deletion procedures.
5.2. Subprocessor Agreements
  • Data Processing Agreements (DPAs): Detailed agreements with all subprocessors outlining their GDPR compliance obligations.
  • Regular Reviews: Annual reviews of sub-processor compliance, including audits and certifications.
5.3. Data Breach Reports
  • Incident Logs: Comprehensive records of all breaches, including cause, resolution, and preventive measures.
  • Regulatory Submissions: Breach notifications sent to the Data Protection Commission (DPC) are documented for reference.
6. Data Subject Rights Management
PrimumAi ensures efficient handling of data subject requests to uphold users’ rights under GDPR.
6.1. Rights Supported
  • Access Requests: Users can request information on how their data is processed and a copy of their personal data.
  • Correction Requests: Data subjects can request updates to inaccurate or incomplete data.
  • Deletion Requests: Users can request erasure of their data in cases where processing is no longer necessary or lawful.
  • Restriction and Objection: Data subjects can limit data processing or object to processing for legitimate interests or direct marketing.
6.2. Request Handling Workflow
  1. Submission: Data subjects submit requests via email to harsh@primumai.eu.
  2. Identity Verification: Requesters’ identities are verified to prevent unauthorized access.
  3. Processing: Requests are processed within one month of receipt, with extensions for complex cases.
  4. Notification: Users are informed of the outcome and actions taken.
7. Supervisory Authority and Complaints
PrimumAi is registered with the Data Protection Commission (DPC) in Ireland, which acts as the primary supervisory authority for GDPR compliance.
7.1. Contact Information for the DPC
7.2. Escalation Process
If users are dissatisfied with PrimumAi’s handling of a complaint, they may escalate the matter to the DPC. PrimumAi is committed to cooperating fully with the DPC to resolve issues promptly and transparently.
8. Policy Review and Updates
PrimumAi reviews and updates this Privacy and Cookies Policy regularly to ensure it remains aligned with evolving legal requirements and business practices.
8.1. Update Frequency
  • Major updates are implemented annually.
  • Interim updates are made as necessary to address changes in regulations, technologies, or subprocessors.
8.2. Notification of Changes
Significant changes to this policy will be communicated to users via email and posted prominently on our website.

Copyright © PrimumAi 2024 | Built by PrimumAi