Privacy Policy
HAICONEX SYSTEMS, LLC
HAI — Health AI Clinical Decision Support System
Effective Date: 3/19/2026
Last Updated: 3/19/2026
1. Introduction and Scope
This Privacy Policy explains how HAICONEX SYSTEMS, LLC ("HAICONEX," "we," "us," or "our") collects, uses, shares, and protects information when you use HAI, our cloud-hosted clinical decision support platform (the "Service").
This policy applies to all users of the Service, including:
- Physician Users — licensed healthcare professionals who use HAI for clinical decision support
- Patient Users — individuals who create accounts to manage their health profiles, share case information with physicians, and view diagnostic results
We are committed to protecting the privacy and security of your information. HAI processes sensitive health information, and we treat this responsibility with the highest standard of care, in compliance with applicable laws including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the EU General Data Protection Regulation (GDPR), and other applicable data protection legislation. HAICONEX is actively pursuing SOC 2 Type II certification under the AICPA Trust Services Criteria, and our data handling practices are designed to satisfy the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria of that framework.
This Privacy Policy should be read alongside our End User License Agreement (EULA), which governs your use of the Service and includes additional terms regarding HIPAA compliance (EULA §9) and data security (EULA §10).
2. Definitions
- "Personal Information" or "Personal Data": Any information that identifies, relates to, or could reasonably be linked to you as an individual. This includes names, email addresses, professional credentials, and health information.
- "Protected Health Information (PHI)": As defined under HIPAA (45 C.F.R. § 160.103), individually identifiable health information that is created, received, transmitted, or maintained by the Service and that relates to an individual's past, present, or future physical or mental health condition; the provision of healthcare; or the payment for the provision of healthcare.
- "Electronic Protected Health Information (ePHI)": PHI that is created, received, maintained, or transmitted in electronic form, subject to the HIPAA Security Rule (45 C.F.R. Part 164, Subparts A and C).
- "Covered Entity": As defined under HIPAA (45 C.F.R. § 160.103), a health plan, healthcare clearinghouse, or healthcare provider that transmits any health information in electronic form in connection with a covered transaction.
- "Business Associate": As defined under HIPAA (45 C.F.R. § 160.103), a person or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. HAICONEX acts as a Business Associate with respect to Physician Users who are Covered Entities.
- "Business Associate Agreement (BAA)": A written contract between HAICONEX and a Covered Entity that establishes the permitted and required uses and disclosures of PHI by HAICONEX, consistent with 45 C.F.R. § 164.504(e).
- "Security Incident": As defined under the HIPAA Security Rule (45 C.F.R. § 164.304), the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that processes ePHI.
- "Breach": As defined under the HIPAA Breach Notification Rule (45 C.F.R. § 164.402), the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, subject to the exceptions enumerated in 45 C.F.R. § 164.402.
- "De-Identified Data": Information from which all identifying information has been removed such that it cannot reasonably be used to identify an individual, in accordance with either the Expert Determination Method (45 C.F.R. § 164.514(b)(1)) or the Safe Harbor Method (45 C.F.R. § 164.514(b)(2)) under HIPAA. De-Identified Data is not PHI and is not subject to the HIPAA Privacy or Security Rules.
- "Data Controller": The entity that determines the purposes and means of processing personal data. HAICONEX acts as the Data Controller for all Personal Data and PHI processed through the Service, as HAI is offered directly to individual users rather than through healthcare institutions.
- "Data Processor": An entity that processes personal data on behalf of the Data Controller. HAICONEX's hosting, infrastructure, and LLM providers act as Data Processors on our behalf, subject to contractual data protection obligations.
- "Subprocessor": Any third-party service provider engaged by HAICONEX that processes ePHI or other User data on HAICONEX's behalf in connection with the delivery of the Service.
- "Diagnostic Session" or "Case": A single instance of clinical reasoning conducted through HAI, including all associated patient data, clinical inputs, panel deliberations, and outputs.
- "SOC 2": The System and Organization Controls 2 framework developed by the American Institute of Certified Public Accountants (AICPA), defining criteria for managing customer data based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
3. Information We Collect
3.1. Information from Physician Users
| Category | Examples |
|---|---|
| Registration Data | Full name, email address, password (stored as bcrypt hash), medical license number, specialty, institution affiliation |
| Clinical Inputs | Patient symptoms, observations, clinical notes, test results, and other data entered during Diagnostic Sessions |
| Usage Data | Operational mode selections, session frequency, feature usage patterns |
| Credential Verification Data | Medical license records and verification status, retained for compliance purposes |
3.2. Information from Patient Users
| Category | Examples |
|---|---|
| Registration Data | Full name, email address, password (stored as bcrypt hash) |
| Health Profile Data | Date of birth, gender, blood type, allergies, current medications, existing medical conditions, family medical history, lifestyle factors |
| Case Sharing Data | Records of case sharing tokens generated, physicians with whom cases were shared, sharing timestamps |
| Profile Suggestions | Diagnostic inferences generated during sessions that are queued for your review and confirmation before being added to your profile |
3.3. Information Collected Automatically
| Category | Details |
|---|---|
| HIPAA Audit Logs | HTTP method, URL path, timestamp, and associated case ID for each Service request. We never log request bodies, response bodies, or query string parameters, as these may contain PHI. |
| Authentication Data | Login timestamps, session token metadata, MFA events, password change events, failed authentication attempts |
| Security Events | Access control decisions, privilege escalation events, and anomalous access pattern alerts, logged for Security Incident detection and response |
| Technical Data | Browser type, IP address (retained for security purposes), device type |
3.4. Information We Do Not Collect
- We do not collect biometric data
- We do not collect financial information (payment processing is handled by third-party payment processors operating under their own privacy policies and PCI-DSS obligations)
- We do not collect precise geolocation data beyond what is inferred from your IP address for security purposes
- We do not collect data from social media accounts
- We do not collect data about your browsing activity outside the Service
4. How We Use Your Information
We use the information we collect only for the following purposes, consistent with the Minimum Necessary Standard under HIPAA (45 C.F.R. § 164.502(b)) and the data minimization principle under GDPR (Article 5(1)(c)):
4.1. Providing the Service
- Processing clinical inputs through our Virtual Doctor Panel to generate diagnostic reasoning, differential diagnoses, and test recommendations
- Maintaining patient health profiles for use across Diagnostic Sessions
- Enabling secure case sharing between Patient Users and Physician Users
- Running the intelligence stack modules (Bayesian analysis, test selection, clinical memory, evidence retrieval, risk assessment) that feed into each diagnostic round
4.2. Safety and Quality
- Operating the Clinical Risk and Safety Engine (CRSE) to detect high-risk conditions and enforce clinical safety rules
- Tracking diagnostic reasoning traces for audit and quality assurance
- Monitoring for consecutive safety failures and escalating as appropriate
4.3. HIPAA Compliance
- Maintaining audit logs as required by HIPAA regulations (45 C.F.R. § 164.312(b))
- Supporting patient rights requests including accounting of disclosures (45 C.F.R. § 164.528), access requests (45 C.F.R. § 164.524), and amendment requests (45 C.F.R. § 164.526)
- Enabling access tracking for compliance auditing and HIPAA Security Rule compliance
- Verifying Physician User credentials and maintaining records as required by our BAA obligations
- Supporting Breach investigation, notification, and documentation obligations under 45 C.F.R. Part 164, Subpart D
4.4. SOC 2 Compliance and Security Operations
- Operating continuous security monitoring, SIEM alerting, and anomaly detection controls consistent with the SOC 2 Security criterion
- Conducting access reviews, privilege auditing, and change management reviews
- Performing risk assessments and vulnerability management activities
- Maintaining records and evidence supporting HAICONEX's SOC 2 Type II audit
4.5. System Improvement (De-Identified Data Only)
- Analyzing De-Identified, aggregated diagnostic data to improve system accuracy and reliability
- Evaluating the performance of reasoning algorithms and intelligence stack modules
- Benchmarking diagnostic accuracy against clinical case standards
- We never use identifiable patient data or PHI for system improvement, model training, or research without explicit consent
4.6. Account Administration
- Authenticating users and managing sessions
- Verifying Physician User credentials and licensure status
- Processing subscription and billing activities
- Communicating service updates, security alerts, and administrative notices
5. Legal Basis for Processing
5.1. United States — HIPAA and HITECH Act
Where PHI is involved, our processing is governed by HIPAA (45 C.F.R. Parts 160 and 164) and the HITECH Act (42 U.S.C. § 17921 et seq.), which extended and strengthened HIPAA's privacy and security requirements. Specifically:
- Treatment, Payment, and Health Care Operations (TPO): PHI may be used and disclosed for treatment purposes as part of clinical decision support, consistent with 45 C.F.R. § 164.506
- HIPAA Authorization: Where required, HAICONEX obtains written authorization before using or disclosing PHI for purposes beyond TPO (45 C.F.R. § 164.508)
- Business Associate Relationship: HAICONEX acts as a Business Associate with respect to Physician Users who are Covered Entities. HAICONEX will enter into a BAA with each such Physician User as required by HIPAA (45 C.F.R. § 164.504(e)). The BAA governs HAICONEX's obligations regarding the use and disclosure of PHI, including the direct liability provisions established by the HITECH Act and the Omnibus Rule (78 Fed. Reg. 5566)
- Minimum Necessary: HAICONEX applies the Minimum Necessary Standard when using, disclosing, or requesting PHI, limiting access and use to the amount reasonably necessary to accomplish the intended purpose
- De-identification: Data used for system improvement is De-Identified in accordance with 45 C.F.R. § 164.514(b) before use
- Sanctions: HAICONEX maintains and applies a sanctions policy for workforce members who fail to comply with HIPAA privacy and security policies, consistent with 45 C.F.R. § 164.308(a)(1)(ii)(C) and 45 C.F.R. § 164.530(e)
5.2. European Union — GDPR
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you requested
- Legitimate Interest (Article 6(1)(f)): Processing for system security, fraud prevention, audit logging, and service improvement, where our interests do not override your fundamental rights and freedoms
- Consent (Article 6(1)(a)): Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, including HIPAA and applicable state law
- Health Data (Article 9(2)(a) and (h)): Processing of special category health data is based on your explicit consent and/or is necessary for the provision of healthcare or treatment
5.3. Other Jurisdictions
If you are located in a jurisdiction with data protection laws not specifically addressed above, HAICONEX will comply with applicable local requirements. Where local law provides protections greater than those described in this policy, the more protective provisions apply.
6. Data Sharing and Third Parties
6.1. LLM Providers (Subprocessors)
HAI uses large language model (LLM) providers to power its diagnostic reasoning. When a Diagnostic Session is active, clinical data from that session is sent to the selected LLM provider for processing. HAICONEX evaluates all LLM providers as Subprocessors and, where the provider processes ePHI, requires execution of a Business Associate Agreement before engagement.
| Provider | Default Model | Data Handling | BAA Available |
|---|---|---|---|
| Anthropic | claude-opus-4-6 | Data processed per Anthropic's API terms; not used for model training | Yes |
| OpenAI | GPT-4o | Data processed per OpenAI's API terms; not used for model training | Yes |
| Mistral | Mistral Large | Data processed per Mistral's API terms | On request |
| Ollama (self-hosted) | Llama 3 | Data remains on HAICONEX's infrastructure; no third-party transfer | N/A |
Safeguards for all LLM providers:
- Only the clinical data necessary for the active Diagnostic Session is sent to the LLM provider (Minimum Necessary)
- All data is transmitted over encrypted channels (TLS 1.2 or higher)
- HAICONEX contractually prohibits all LLM providers from using API inputs for their own model training or product improvement
- HAICONEX conducts a security and privacy assessment of each LLM provider before engagement and on a periodic basis thereafter
- The specific LLM provider used for a session is logged and can be disclosed upon request
6.2. Subprocessor Management
HAICONEX maintains a current list of approved Subprocessors used to deliver the Service. The list is available to Covered Entities upon request by contacting compliance@haiconex.com. Before engaging any new Subprocessor that will process ePHI:
- HAICONEX conducts a security assessment of the prospective Subprocessor
- A data processing agreement, including a BAA where required by HIPAA, is executed
- Covered Entity Physician Users are notified of material Subprocessor changes at least thirty (30) days in advance
6.3. Case Sharing Between Users
When a Patient User shares a case with a Physician User:
- A time-limited sharing token is generated (default expiration: 72 hours)
- The Physician User can access the shared case data for the duration of the token
- Sharing tokens automatically expire and cannot be reused or reassigned to a different Physician User
- Patient Users can revoke sharing tokens before expiration through their account settings
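The token lifecycle described above, as an added example that is not HAICONEX's own code: a token is bound to one case and one Physician User, expires after 72 hours by default, is rejected for any other physician, and can be revoked by the Patient User before expiry. The in-memory store, the `clock` injection and the identifiers are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(hours=72)  # the policy's default token lifetime


@dataclass
class Share:
    case_id: str
    patient_id: str
    physician_id: str       # the only physician this token is valid for
    expires_at: datetime
    revoked: bool = False


class ShareStore:
    """Illustrative in-memory token store (a real deployment would persist this)."""

    def __init__(self, clock=None):
        self._by_hash = {}
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _h(token):
        # Keep only a hash of the token so a leaked store does not expose live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, case_id, patient_id, physician_id, ttl=DEFAULT_TTL):
        """Mint a random token bound to one case and one physician; return it once."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._h(token)] = Share(
            case_id, patient_id, physician_id, self.clock() + ttl)
        return token

    def resolve(self, token, physician_id):
        """Return the case_id if `token` is live and bound to `physician_id`, else None."""
        share = self._by_hash.get(self._h(token))
        if share is None or share.revoked:
            return None
        if self.clock() >= share.expires_at:          # automatic expiry
            return None
        if share.physician_id != physician_id:        # not reassignable
            return None
        return share.case_id

    def revoke(self, case_id, physician_id, patient_id):
        """Patient-side revocation from account settings; returns how many live shares were revoked."""
        count = 0
        for share in self._by_hash.values():
            if (share.case_id, share.physician_id, share.patient_id) != (case_id, physician_id, patient_id):
                continue
            if share.revoked or self.clock() >= share.expires_at:
                continue
            share.revoked = True
            count += 1
        return count


def demo_lifecycle():
    """Walk one constructed share through issue, wrong physician, expiry and revocation."""
    now = [datetime(2026, 3, 19, 9, 0, tzinfo=timezone.utc)]   # constructed fixed clock
    store = ShareStore(clock=lambda: now[0])
    tok = store.issue("case-7", "pat-1", "phys-42")
    results = {"right_physician": store.resolve(tok, "phys-42"),
               "other_physician": store.resolve(tok, "phys-99")}
    now[0] += timedelta(hours=71)
    results["before_expiry"] = store.resolve(tok, "phys-42")
    now[0] += timedelta(hours=2)
    results["after_expiry"] = store.resolve(tok, "phys-42")
    tok2 = store.issue("case-7", "pat-1", "phys-42")
    results["revoked_count"] = store.revoke("case-7", "phys-42", "pat-1")
    results["after_revoke"] = store.resolve(tok2, "phys-42")
    return results
```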
6.4. We Do Not Sell Your Data
HAICONEX does not sell, rent, or trade your Personal Information or PHI to any third party for marketing, advertising, or any other commercial purpose. This commitment is absolute and without exception. This prohibition extends to monetization schemes that exchange data for other value.
6.5. Other Disclosures
We may disclose your information in the following limited circumstances:
- Legal Process: In response to valid subpoenas, court orders, warrants, or other legal process, as required by law; where permitted, we will attempt to notify you before disclosure
- Safety: To prevent imminent harm to individuals or public safety, where permitted by HIPAA (45 C.F.R. § 164.512(j)) and applicable law
- Business Transfers: In connection with a merger, acquisition, or sale of substantially all assets, subject to the successor's agreement to honor this Privacy Policy and any applicable BAA, and subject to notification to affected Users
- Service Providers: To hosting providers, infrastructure services, and payment processors who assist in operating the Service, subject to contractual data protection obligations and, where applicable, BAAs
- HHS Oversight: To the Secretary of the U.S. Department of Health and Human Services (HHS) as required for HIPAA compliance review and enforcement purposes (45 C.F.R. § 164.504(e)(2)(ii)(I))
7. Data Retention
We retain your information only as long as necessary for the purposes described in this policy and as required by law. HAICONEX applies a formal data retention schedule reviewed at least annually.
| Data Type | Retention Period | Basis |
|---|---|---|
| Active Diagnostic Sessions | Duration of session plus configurable post-session period | Service delivery |
| Closed Diagnostic Sessions | De-Identified and retained for quality improvement, or deleted upon request | Legitimate interest / HIPAA |
| HIPAA Audit Logs | Minimum six (6) years from creation | 45 C.F.R. § 164.530(j) |
| BAA Documentation | Six (6) years from the date of creation or last effective date | 45 C.F.R. § 164.530(j) |
| Security Event Logs | Minimum six (6) years; longer if subject to active investigation | HIPAA Security Rule / SOC 2 |
| Case Sharing Tokens | Auto-expire after configured period (default: 72 hours) | Service functionality |
| User Accounts | Duration of active account plus thirty (30) days after termination for data export | Contract performance |
| Health Profile Data | Duration of active account; deleted or De-Identified upon account termination and expiry of the export window | Consent / Contract |
| Breach Records | Six (6) years from the date of discovery | 45 C.F.R. § 164.530(j); HITECH Act |
| De-Identified Aggregate Data | Indefinite | Legitimate interest |
7.1. Deletion Requests
You may request deletion of your personal data at any time (see Section 9). Upon receiving a valid deletion request:
- Personal account data will be deleted within thirty (30) days
- PHI will be De-Identified or deleted, subject to legal retention requirements
- HIPAA audit logs and breach records will be retained for the minimum required period regardless of deletion requests
- De-Identified Data that cannot be linked back to you is not subject to deletion requests
7.2. Secure Destruction
Upon expiration of the applicable retention period, HAICONEX destroys PHI and ePHI using methods that render the data unreadable and irrecoverable, consistent with NIST SP 800-88 (Guidelines for Media Sanitization) and HIPAA requirements. HAICONEX documents all destruction activities and can provide written certification of destruction to Covered Entity Physician Users upon request.
8. Data Security and SOC 2 Compliance
We implement comprehensive technical and organizational measures to protect your information, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subparts A and C) and the AICPA SOC 2 Trust Services Criteria.
8.1. SOC 2 Commitment
HAICONEX is actively pursuing SOC 2 Type II certification against all five Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our security controls are designed and operated to satisfy these criteria. Upon request, HAICONEX will provide Covered Entity Physician Users with a copy of its current SOC 2 Type II report summary or a third-party audit attestation letter, subject to applicable non-disclosure obligations.
8.2. Technical Safeguards
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2 or higher for all data transmission between clients and the Service |
| Encryption at Rest | AES-256 encryption for all stored data, including ePHI in databases, backups, and file storage |
| Key Management | Encryption keys are managed using industry-standard key management practices and rotated on a defined schedule; keys are never stored alongside the data they protect |
| Authentication | JWT-based tokens with configurable expiration (default: 24 hours); multi-factor authentication (MFA) required for all Physician Users and all HAICONEX personnel with access to production systems |
| Password Storage | Bcrypt hashing with appropriate work factor — passwords are never stored in plaintext |
| Access Control | Role-based access control (RBAC) implementing the principle of least privilege; access rights reviewed quarterly; privileged access managed through just-in-time provisioning |
| Database Security | PostgreSQL with row-level security; pgvector extension for isolated embedding storage; database access restricted to application service accounts and authorized DBAs |
| Network Security | Firewall configurations, network segmentation, and intrusion detection and prevention systems (IDPS) to protect the Service infrastructure |
| Endpoint Security | Managed endpoint protection, full-disk encryption, and mobile device management (MDM) policies for HAICONEX personnel accessing production systems |
8.3. HIPAA Audit Middleware
HAICONEX's HIPAA audit middleware records:
- HTTP method and URL path for each request
- Timestamp with timezone awareness
- Associated case ID where applicable
- User identifier and role
The audit middleware is specifically designed to never log request bodies, response bodies, or query string parameters, as these may contain PHI. This design ensures a complete access audit trail without exposing sensitive health data in logs. Audit logs are written to a tamper-evident log store and protected from modification by operational personnel.
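An added illustration, not HAICONEX's middleware: a WSGI wrapper that records exactly the fields listed above (method, path, timezone-aware timestamp, case ID, user ID, role, plus the response status) while never reading the request body, the response body or the query string. It assumes an upstream authentication layer has placed the user ID and role on the WSGI environ under the constructed keys `hai.user_id` and `hai.role`, and that case IDs appear as the path segment after `/cases/`.

```python
import io
import re
from datetime import datetime, timezone

CASE_PATH = re.compile(r"^/cases/([^/]+)")


def extract_case_id(path):
    """Return the case ID from a path like /cases/<id>/..., or None if absent."""
    m = CASE_PATH.match(path)
    return m.group(1) if m else None


class HipaaAuditMiddleware:
    """Wraps a WSGI app and appends one audit record per request to `sink`."""

    def __init__(self, app, sink, clock=None):
        self.app = app
        self.sink = sink                      # any object with .append(); e.g. a list
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")   # PATH_INFO never includes the query string
        record = {
            "timestamp": self.clock().isoformat(),   # tz-aware ISO 8601
            "method": environ.get("REQUEST_METHOD", ""),
            "path": path,
            "case_id": extract_case_id(path),
            "user_id": environ.get("hai.user_id"),   # assumed keys set by the auth layer
            "role": environ.get("hai.role"),
            "status": None,
        }

        def capture_status(status, headers, exc_info=None):
            # Only the numeric status is kept; headers and body are not inspected.
            record["status"] = int(status.split(" ", 1)[0])
            return start_response(status, headers, exc_info)

        # environ["wsgi.input"] is deliberately never read here, and the
        # response iterable is passed through untouched.
        response = self.app(environ, capture_status)
        self.sink.append(record)
        return response


def _demo_app(environ, start_response):
    """Toy downstream app that reads the (PHI-bearing) body and echoes it."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok: " + body]


def audit_sample_request():
    """Run one constructed request through the middleware; return (audit record, response body)."""
    sink = []
    fixed_clock = lambda: datetime(2026, 3, 19, 12, 0, tzinfo=timezone.utc)
    app = HipaaAuditMiddleware(_demo_app, sink, clock=fixed_clock)
    environ = {                                   # constructed sample request
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/cases/c-1234/notes",
        "QUERY_STRING": "dob=1990-01-01",         # would leak PHI if logged
        "wsgi.input": io.BytesIO(b"patient reports chest pain"),
        "hai.user_id": "phys-42",
        "hai.role": "physician",
    }
    body = b"".join(app(environ, lambda status, headers, exc_info=None: None))
    return sink[0], body
```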
8.4. HIPAA Security Rule Safeguards
HAICONEX implements the administrative, physical, and technical safeguards required under the HIPAA Security Rule:
Administrative Safeguards (45 C.F.R. § 164.308):
- Security management process including annual risk analysis and risk management plan
- Assigned Security Official responsible for HIPAA Security Rule compliance
- Workforce training on HIPAA privacy and security policies upon hire and at least annually thereafter
- Sanctions policy for workforce HIPAA violations
- Information access management based on role and minimum necessary
- Security incident response procedures (see Section 8.6)
- Contingency plan including data backup, disaster recovery, and emergency mode operation procedures
- Periodic technical and non-technical evaluation of security policies
Physical Safeguards (45 C.F.R. § 164.310):
- Facility access controls for data center environments managed by HAICONEX's hosting providers
- Workstation use and security policies for remote and on-site personnel
- Device and media controls governing the receipt, movement, and disposal of hardware and electronic media containing ePHI; media sanitized per NIST SP 800-88 before disposal or reuse
Technical Safeguards (45 C.F.R. § 164.312):
- Unique user identification for all accounts; no shared credentials permitted
- Emergency access procedures for obtaining ePHI during system failures
- Automatic session logoff after configurable period of inactivity
- Encryption of ePHI in transit and at rest as described in Section 8.2
- Audit controls and tamper-evident audit log storage
- Integrity controls to verify that ePHI is not improperly altered or destroyed
8.5. Vulnerability Management and Penetration Testing
- Automated vulnerability scans of Service infrastructure are conducted continuously and reviewed weekly
- Third-party penetration tests are conducted at least annually by qualified security assessors
- Identified vulnerabilities are triaged by severity and remediated within defined timelines:
  - Critical (CVSS 9.0–10.0): within 48 hours
  - High (CVSS 7.0–8.9): within 14 days
  - Medium (CVSS 4.0–6.9): within 30 days
  - Low (CVSS < 4.0): within 90 days
- Penetration test reports and remediation records are maintained and available to Covered Entity Physician Users upon request under non-disclosure
8.6. Security Incident Response
HAICONEX maintains a formal Security Incident Response Plan (IRP) consistent with the HIPAA Security Rule (45 C.F.R. § 164.308(a)(6)) and the SOC 2 Security criterion. The IRP covers identification, containment, eradication, recovery, and post-incident review. HAICONEX's security team is on-call 24/7 to respond to reported Security Incidents. To report a Security Incident, contact security@haiconex.com.
8.7. Breach Notification
In the event of a Breach of PHI affecting your information:
- Individual Notification: Affected individuals will be notified without unreasonable delay, and no later than sixty (60) calendar days after discovery of the Breach, consistent with 45 C.F.R. § 164.404. Notification will be provided by first-class mail to the last known address, or by email if you have specified email as your preferred notification method.
- Covered Entity Notification: The applicable Covered Entity Physician User will be notified without unreasonable delay and no later than sixty (60) calendar days after discovery, consistent with 45 C.F.R. § 164.410.
- HHS Notification: HAICONEX will notify the Secretary of HHS in accordance with 45 C.F.R. § 164.408. Breaches affecting 500 or more individuals will be reported to HHS immediately; smaller Breaches will be logged and submitted annually.
- Media Notification: Breaches affecting 500 or more individuals in a state or jurisdiction will be reported to prominent media outlets in that state or jurisdiction, consistent with 45 C.F.R. § 164.406.
- GDPR Notification: For users subject to the GDPR, HAICONEX will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of a personal data breach, and will notify affected individuals without undue delay where the Breach poses a high risk to their rights and freedoms (Articles 33–34 GDPR).
Breach notifications will include the information required by 45 C.F.R. § 164.404(c), including the nature of the Breach, the types of PHI involved, steps you should take to protect yourself, the steps HAICONEX is taking to investigate and mitigate the Breach, and contact information for obtaining further assistance.
8.8. Availability and Business Continuity
HAICONEX targets 99.5% Service availability, measured monthly, exclusive of scheduled maintenance windows. To support this commitment:
- Regular encrypted backups of all User data and ePHI are taken and stored in a geographically separate location
- Backup integrity is verified through periodic restore testing
- Disaster recovery procedures are documented, tested at least annually, and designed to achieve defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Scheduled maintenance is communicated to Users at least twenty-four (24) hours in advance via in-Service notification or email
8.9. Change Management
HAICONEX follows a formal change management process for modifications to systems and infrastructure that process or store ePHI, consistent with the SOC 2 Change Management criterion (CC8). Changes are reviewed, approved, and tested in a non-production environment before deployment. Change records are retained and available for audit review.
8.10. Organizational Safeguards
- Access to production data is restricted to authorized personnel on a need-to-know basis, reviewed at least quarterly
- All HAICONEX workforce members complete HIPAA privacy and security training upon hire and at least annually thereafter
- Personnel with access to ePHI or security systems are subject to background checks consistent with applicable law
- HAICONEX maintains a formal sanctions policy for workforce members who fail to comply with HIPAA or HAICONEX's privacy and security policies
- An annual risk assessment is conducted and documented consistent with 45 C.F.R. § 164.308(a)(1)(ii)(A)
9. Your Rights
9.1. Rights for All Users
Regardless of your location, you have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Data Portability: Request your data in a structured, commonly used, machine-readable format
- Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
- Complaint: Lodge a complaint with us or with a relevant supervisory authority
9.2. HIPAA-Specific Rights (United States)
If your information includes PHI, you have additional rights under the HIPAA Privacy Rule. These rights may be exercised by contacting privacy@haiconex.com.
| Right | CFR Citation | Timeline |
|---|---|---|
| Right of Access — Inspect and obtain a copy of your PHI maintained in a designated record set | 45 C.F.R. § 164.524 | 30 days from request; one 30-day extension permitted with notice |
| Right to Amendment — Request amendment of PHI you believe to be inaccurate or incomplete | 45 C.F.R. § 164.526 | 60 days from request; one 30-day extension permitted with notice |
| Right to an Accounting of Disclosures — Receive an accounting of disclosures of your PHI for purposes other than TPO, covering up to six (6) years | 45 C.F.R. § 164.528 | 60 days from request; one 30-day extension permitted with notice |
| Right to Request Restrictions — Request restrictions on certain uses or disclosures of your PHI | 45 C.F.R. § 164.522(a) | Acknowledged within 30 days; HAICONEX must agree to restrictions requested by a Patient User where the disclosure is to a health plan and the PHI pertains solely to items paid out-of-pocket |
| Right to Confidential Communications — Request that HAICONEX communicate with you by alternative means or at alternative locations | 45 C.F.R. § 164.522(b) | Honored where the request is reasonable |
To exercise any of these rights, contact privacy@haiconex.com. You will not be charged a fee for exercising your rights unless a request is manifestly unfounded or excessive.
9.3. GDPR-Specific Rights (EEA/UK/Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR:
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data where there is no compelling reason for continued processing (Article 17)
- Right to Restriction: Request restriction of processing in certain circumstances (Article 18)
- Right to Object: Object to processing based on legitimate interest or for direct marketing purposes (Article 21)
- Right to Data Portability: Receive your data in a structured, machine-readable format and transmit it to another controller (Article 20)
- Right Not to be Subject to Solely Automated Decision-Making: HAI's diagnostic outputs are always reviewed by a Physician User before clinical action is taken. However, you may request meaningful human review of any automated processing that produces legal or similarly significant effects (Article 22)
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority. HAICONEX commits to cooperate with supervisory authority investigations.
9.4. Exercising Your Rights
To exercise any of these rights, contact us at privacy@haiconex.com or through the Service's account settings. We will respond to verified requests within:
- HIPAA: Thirty (30) days, with one thirty-day extension upon notice
- GDPR: One (1) month, with a possible two-month extension for complex or numerous requests, with notice within the first month
We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
10. International Data Transfers
10.1. Data Location
HAI is hosted in the United States (Texas). If you are accessing the Service from outside the United States, your data will be transferred to the United States for processing. HAICONEX implements appropriate safeguards to ensure that such transfers comply with applicable data protection law.
10.2. Transfer Mechanisms
For transfers of personal data from the EEA, UK, or Switzerland to the United States, HAICONEX relies on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms (2021 SCCs) that provide adequate safeguards for international data transfers
- UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, as approved by the UK Information Commissioner's Office
- Supplementary Measures: Additional technical measures (including end-to-end encryption and access controls) implemented where necessary to ensure the effectiveness of the applicable transfer mechanism, particularly in light of the legal landscape in the destination country
10.3. Adequacy and Safeguards
HAICONEX assesses the data protection landscape in each destination country and implements supplementary technical and organizational measures where necessary to ensure that your data receives a level of protection essentially equivalent to the protections available in your jurisdiction.
10.4. LLM Provider Data Transfers
When clinical data is processed by a third-party LLM provider, the data may be transferred to and processed in the jurisdiction where the provider's infrastructure is located. HAICONEX ensures that all LLM providers operate under appropriate data protection safeguards, including applicable SCCs, BAAs, and contractual prohibitions on use of submitted data for model training.
11. Children's Privacy
HAI is not intended for use by individuals under the age of eighteen (18). HAICONEX does not knowingly collect Personal Information from children under 18.
If you are a parent or guardian and believe that your child has provided Personal Information to the Service without your consent, please contact us at privacy@haiconex.com. HAICONEX will take steps to remove such information and terminate the child's account within thirty (30) days of receiving a verified request.
Patient Users under 18 may only use the Service with the express consent and direct supervision of a parent or legal guardian, who must create and manage the account on the minor's behalf and accept responsibility for all data provided in connection with that account.
12. Artificial Intelligence and LLM Disclosures
12.1. How AI Processes Your Data
HAI uses artificial intelligence, including large language models (LLMs), to provide clinical decision support. During a Diagnostic Session:
- Clinical inputs (symptoms, observations, test results) provided by the Physician User are combined with intelligence stack outputs (Bayesian probabilities, test utilities, clinical memory, evidence citations)
- This combined data is formatted into a structured prompt and sent to the configured LLM provider
- The LLM generates responses simulating a panel of five specialist perspectives (the Virtual Doctor Panel)
- HAI's system parses, validates, and extracts structured diagnostic outputs from the LLM response
- The Physician User reviews all outputs and makes independent clinical decisions
Only the data necessary for the active Diagnostic Session is included in the prompt (Minimum Necessary Standard). No persistent patient profiles or historical PHI from prior sessions are transmitted to the LLM provider beyond what is relevant to the current session.
12.2. Transparency
- You may request information about which LLM provider processed a specific Diagnostic Session by contacting privacy@haiconex.com
- The reasoning trace for each session is logged and available for review by authorized users through the Diagnostic Reasoning Trace Engine (DRTE)
- HAICONEX discloses the LLM providers it uses in Section 6.1 of this policy and updates this disclosure when material changes are made to provider selection
12.3. No Training on Your Data
HAICONEX does not use your identifiable Personal Information or PHI to train, fine-tune, or improve AI or machine learning models, whether operated by HAICONEX or any third party. HAICONEX contractually requires all LLM providers to not use data submitted through HAI's API for their own model training, fine-tuning, or product improvement purposes.
De-Identified, aggregated data may be used for system evaluation, benchmarking, and model quality assessment, but this data cannot be linked back to any individual.
12.4. AI Limitations
AI systems, including the LLMs used by HAI, have inherent limitations. Outputs may be incorrect, incomplete, or reflect biases present in training data. HAICONEX's design ensures that all AI-generated diagnostic outputs are presented to a licensed Physician User for independent review before any clinical action is taken. The Service implements bias detection through the Dr. Challenger agent and cognitive bias flagging within the Virtual Doctor Panel. For clinical disclaimers, see Section 6 of our EULA.
12.5. Automated Decision-Making
HAI's diagnostic outputs constitute decision support, not autonomous decisions. No clinical determination made by the Service takes effect without the independent review and professional judgment of the treating Physician User. HAICONEX does not make final medical determinations about individuals using automated means.
13. Cookies and Tracking Technologies
13.1. Cookies We Use
HAI uses a minimal set of cookies, limited to those strictly necessary for the functioning of the Service:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session Authentication | Maintaining your authenticated session | Duration of session (configurable, default: 24 hours) |
| Security Tokens | CSRF protection and request validation | Session-based |
13.2. What We Do Not Use
- We do not use third-party tracking cookies
- We do not use advertising cookies or pixels
- We do not use social media tracking widgets
- We do not use analytics cookies that track individual users across sessions or across sites
- We do not participate in cross-site tracking or advertising networks
- We do not use fingerprinting or other persistent tracking techniques
13.3. Your Cookie Choices
Because HAICONEX uses only strictly necessary cookies, these do not require consent under most cookie laws (including the EU ePrivacy Directive). If you disable cookies in your browser, the Service will not function correctly, as session authentication depends on cookie support.
14. Changes to This Privacy Policy
14.1. Notification of Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, SOC 2 audit scope, or other factors. When we make material changes, we will:
- Post the revised Privacy Policy on the Service with an updated "Last Updated" date
- Send notice to the email address associated with your account at least fifteen (15) days before material changes take effect
- Where required by law (including HIPAA or GDPR), obtain your consent before applying material changes to the processing of your data
- For changes required by new legal obligations (including amendments to HIPAA, the HITECH Act, or applicable state privacy law), HAICONEX may implement changes with less than fifteen (15) days' notice where immediate compliance is required, provided HAICONEX notifies Users as promptly as practicable
14.2. Review and Acceptance
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acknowledgment of the changes. If you do not agree with a revised Privacy Policy, you must stop using the Service and may request deletion of your data as described in Section 7.1.
15. Contact Information
Data Protection Officer
For GDPR-related inquiries, to exercise your data protection rights, or to contact our Data Protection Officer:
Data Protection Officer, HAICONEX SYSTEMS, LLC
Email: privacy@haiconex.com
Address: Argyle, TX 76226
Privacy and HIPAA Inquiries
For questions about this Privacy Policy, to exercise your HIPAA rights, or to request a copy of our Notice of Privacy Practices:
Email: privacy@haiconex.com
Address: Argyle, TX 76226
Security Incidents
To report a Security Incident or suspected Breach:
Email: security@haiconex.com
BAA and Compliance Inquiries
For Business Associate Agreement requests and SOC 2 report requests:
Email: compliance@haiconex.com
General Contact
Email: info@haiconex.com
Address: Argyle, TX 76226
Regulatory Complaints
If you are not satisfied with our response to a privacy concern, you may file a complaint with:
- United States (HIPAA): The U.S. Department of Health and Human Services (HHS), Office for Civil Rights — https://www.hhs.gov/hipaa/filing-a-complaint/
- European Union: Your local data protection supervisory authority (a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- United Kingdom: The Information Commissioner's Office (ICO) — https://ico.org.uk/make-a-complaint/
HAICONEX will not retaliate against any User for exercising their privacy rights or filing a complaint with a supervisory authority.
By creating an account or using HAI, you acknowledge that you have read and understood this Privacy Policy. For Physician Users, continued use of the Service confirms your acceptance of these data handling practices and your obligation to execute a Business Associate Agreement if you are a Covered Entity. For Patient Users, you will be asked to provide explicit consent to this Privacy Policy during account registration.
For licensing terms, see our End User License Agreement. For privacy inquiries, contact privacy@haiconex.com.