This privacy policy is drafted by MVision AI, a medical software company.
Contact
By post:
Europe & Global:
MVision AI (HQ)
Paciuksenkatu 29, 6th floor
00270, Helsinki, Finland
USA:
MVision AI Inc.
21750 Hardy Oak Blvd, Suite 104
San Antonio, Texas,
78258-4946 USA
Data Protection Officer: dataprotection@mvision.ai
About this Privacy Notice
At MVision AI, we take the protection of your personal data very seriously. We have implemented strong data privacy and security safeguards to ensure that you’re protected to the best extent we can.
The purpose of this privacy notice is to explain to you what personal data MVision AI collects, how MVision AI uses and stores this personal data and with whom MVision AI may share it.
The GDPR applies globally to all of MVision’s processing worldwide, including its subsidiaries and affiliated companies. The MVision HQ and its decision-making body are registered in Finland. MVision applies the GDPR to all processing of personal data in the context of its business activities, regardless of where the data subject is located or where the processing takes place.
At the bottom of this privacy notice, a HIPAA section applies in parallel to this GDPR section and must be read alongside it. The two sections do not replace each other.
Where requirements differ, whether under HIPAA or other applicable national or international laws, the most stringent requirement to protect the respective data is implemented.
What personal data is collected?
Generally, you can visit MVision AI’s website without entering any personal data. Pursuant to your consent, we collect information you voluntarily provide to us, for example, via website, online, electronically, by telephone or social media messaging, or in-person inquiries, questions or provided feedback, such as: your name, address, personal or work e-mail address, company role or affiliation, phone number, or other personal data related to your inquiry, or engagement.
We also collect online analytical information, based on our legitimate interest, through a website visit or via social media, such as: data through cookie information (please read our cookie policy), account logs, website visits and potentially a whole or part of an IP address, social media information, such as hashtags, messages and references when you mention us via social media platforms or when you share or engage with our messages or posts, and actions and reactions to our marketing campaigns, outreach emails, or events. Our purpose is to understand our market reach and the type of individuals interested in our products and tools (e.g. role, need, market gap assessment), so we can make effective business decisions to distribute our medical devices.
As a result of our operative tools, we collect, or may have access to, based on a contractual service agreement with clinics, patient data which includes pseudonymised or anonymised images, and additional data from the site or health specialist necessary to return the best result to your physician.
Related to our internal research and development of tools, we collect anonymised patient images, which have been anonymised in such a way that re-identification is irreversible, taking into consideration all means reasonably likely to be used.
When you visit the website, you may voluntarily choose to provide us with information about yourself (such as your name, address, e-mail address and phone number) that we need to correspond with you or to give you access to information. Unless permitted by applicable data protection laws, MVision AI will not collect any personal data about you unless you voluntarily choose to provide us with it (e.g. registration, completion of contact forms or e-mails). You have the right to withdraw your consent at any time.
MVision AI strives to have in place appropriate technical and organizational means to protect your information. However, you understand that in providing your personal data over public networks, you do so at your own risk.
Any patient-related data is collected via a contractual written agreement with an official health clinic. Such data includes images for analysis and clinic references. Any patient references that we have permission to retain are anonymised within 24 hours of receipt.
Who collects your personal data?
Where MVision is a contracted service provider, the health clinic collects the patient’s personal data via the patient visit at the hospital. MVision is the Data Processor and the clinic is and remains, at all times, the Data Controller.
Where MVision collects anonymised images from the clinic, the clinic remains at all times the Data Controller. Anonymised images are not subject to data protection regulations, because no individual can be identified from the information. Where images are contractually permitted to be used for research and development, but a link to re-identification has not (yet) been irreversibly deleted, MVision is the Data Controller of this data.
Where MVision is obtaining patient data, as a service provider, or for research and development, the clinic is responsible for the legal basis for obtaining and sharing this information with MVision, and informing the patient on the use of MVision tools throughout the service.
Concerning any other personal data, collected via the website, social media, or in-person or digital events or engagements, as detailed above, MVision is a Data Controller.
All patient-related personal information is collected by your health clinic. MVision acts as a data processor for any such data.
For any other personal data, such as website visitors or partner and affiliation information, MVision acts as a data controller.
For which purposes are your personal data collected and processed?
As a processor, MVision collects, processes and uses your personal data to achieve the purpose of the contract and to provide the health clinic with accurate analysis of patient images.
Throughout the service, MVision processes the personal data from the clinic to gain insight on the use of its tools, accounts created, logins, changes made in the platform, billing, and other usage information to assess how the tool is used, monitor volume, and maintain implemented security measures, based on its legitimate interest to provide a secure service of high-quality.
Data used for research and development serves the legitimate purpose of training an expert and highly accurate artificial intelligence algorithm, which forms the basis of MVision’s registered medical device. For reasons of clarity, personal data is never used to train, validate, or improve our machine learning models unless expressly and lawfully permitted, or required by law.
Furthermore, MVision may be engaged by a clinic to process personal data, on the basis of a public interest purpose, as a collaborator in scientific publications.
Concerning general inquiries, feedback, questions, and other engagements, MVision AI collects, processes and uses your voluntarily provided personal data as a data controller for the purpose of responding to your inquiry (such as providing information about our products and/or services).
We process your personal data, obtained through in-person engagements via events, or via outreach, social media, or otherwise, for the legitimate purpose to sell you our product because we believe, based on your role, provided, or published information, you may have an interest in our services.
We process personal data from partners, marketing affiliates, distributors, and other companies to explore mutual business collaboration, such as distribution of our product.
We process personal data from potential job applicants for potential employment. (Note that if you are employed, the internal HR privacy policy applies to you.)
If you have provided consent to be tracked, such as via cookies, we register your preferences to show you the consented content. Cookies are only placed on your device after you have provided specifically your consent, which you can at any time withdraw via the Cookie policy, or via your browser settings.
We also process data to comply with legal obligations, such as the European Medical Device Regulation, and other applicable laws.
Who has access to your personal data and to whom is your personal data transferred?
Any access to your health-related personal data is restricted to authorized users and specialised, expertise-vetted staff, and only on a need-to-know basis. All internal access to any personal data is monitored and follows strict standard operating procedures.
MVision only shares personal data with the sub-processors detailed below. For health-related data, these are always contractually agreed upon. MVision AI does not distribute or sell your personal data to third parties without specific permission to do so.
MVision shall process Personal Data in the region most relevant to the Customer’s and data subjects’ location. Related to our Service, the Cloud platform service runs in the following geographical locations:
| Customer region | Service location | Cloud service provider |
|---|---|---|
| EU | Germany | e.g., Microsoft Azure, Google Cloud |
| Switzerland | Switzerland | e.g., Microsoft Azure, Google Cloud |
| UK | UK | e.g., Microsoft Azure, Google Cloud |
| France | France | e.g., Microsoft Azure, Google Cloud |
| USA | USA | e.g., Microsoft Azure, Google Cloud |
| Australia, New Zealand | Australia | e.g., Microsoft Azure, Google Cloud |
| Turkey | Germany | e.g., Microsoft Azure, Google Cloud |
Any international transfers of Personal Data outside the EU/EEA shall be conducted under the legal transfer tools and bases of Chapter V of the General Data Protection Regulation (EU) 2016/679.
For sales and marketing data (partners, affiliates, customer outreach, etc.) we use LinkedIn and Hubspot and refer to their privacy policy.
How long may we retain your personal data?
We process personal data, at the discretion of the physician, for the duration of the contract we have with the customer. When MVision receives an image, the data remains on the MVision servers for a maximum of 24 hours. Within this period the clinic has received the results, and the original image is then deleted from the MVision server. No copies are retained.
Anonymised information is processed at least for the period required to maintain the technical documentation under MDR Article 10(8) and the EU AI Act.
Customer information concerning orders, billing, and operational logs concerning the processing activity and technical specifications, such as the type of model used for the services, is retained per legal obligation for 10 years. Where possible, these data are anonymised and retained separately with need-to-know access only.
We retain potential resumes for a maximum of one year, and with your consent we extend this each year.
Marketing and sales information is kept for a maximum of two years, and extended upon consent or active engagement.
Cookies are kept according to the expiration date. We refer to the cookie policy for more information. You have the right and possibility to change your preferences or withdraw your consent at any time.
We further store your personal data only as long as needed for the fulfilment of the purposes for which it has been collected or as required by law.
After that, the personal data will be effectively deleted or made anonymous.
What are your rights and how can you exercise them?
- You have the right of access to your personal data and the right to request rectification of incorrect, incomplete or irrelevant data.
- You have the right to object to processing of your personal data and to obtain the erasure of your personal data.
- You have also the right to restrict processing of your personal data.
- When processing of your personal data is based on consent, you also have at any time, the right to withdraw your consent for further processing of your personal data. You understand that the personal data that was disclosed by MVision AI prior to your request to abolish further disclosure is no longer under the control of MVision AI.
If you are a patient and we act as a data processor, we refer to your data controller for exercising your data protection rights. MVision shall assist your data controller to the best of its abilities. If the data we hold about you is anonymous data, we are unable to re-identify you from the dataset.
If you have any queries about your personal data or if you want to exercise your rights, please contact our Data Protection Officer by e-mail or by letter addressed to the contact information stated at the top of this notice, or to be found on our website under ‘contact us’.
We shall respond to your data subject right request as soon as possible but not later than 30 days.
How can I keep up with modifications with this privacy notice?
MVision AI reserves the right to modify this privacy notice without explicit prior notice. Your only notice of such modification shall be the posting of the modified privacy notice on this web site. The user is therefore encouraged to review this privacy notice frequently.
Complaints
In case of disagreement relating to the processing of your personal data, you have the right to lodge a complaint with the Finnish Data Protection Authority or the data protection authority in your country of residence.
—–
Concerning Clients, Partners, and Individuals under HIPAA:
This section applies to Protected Health Information (“PHI”) processed by MVISION AI Inc., an MVision subsidiary registered in the United States of America, with its headquarters and main decision-making body based in Finland, and whose contact information can be found at the top of this document.
This section supplements, and does not replace, the GDPR section of this Privacy Policy, which continues to apply to all personal data processed by MVision, and any of its subsidiaries. Where the same data is subject to both GDPR and HIPAA, and their requirements differ, MVision applies the most protective standard.
What PHI is collected?
For purposes of this section, “PHI” means individually identifiable health information that is transmitted or maintained in any form (electronic, paper, or oral) and that relates to:
- the past, present, or future physical or mental health of an individual;
- the provision of healthcare to an individual; or
- the past, present, or future payment for healthcare provided to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
We refer to the section “what personal data is collected” at the beginning of this document which elaborates globally on all the PHI collected following MVision’s processing activities.
Who collects your personal data?
The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 and 164), as amended by the HITECH Act and the HIPAA Omnibus Rule (“HIPAA”), regulate how PHI may be used and disclosed in the United States. When MVision processes PHI in connection with the services on behalf of a US Covered Entity, such as a US healthcare provider, it does so as a Business Associate.
MVision, as a Business Associate, only uses and discloses PHI as permitted or required by, and in accordance with:
- the Business Associate Agreement (“BAA”) in place with the relevant Covered Entity
- HIPAA requirements and obligations (and without conflict, European GDPR requirements and obligations)
- other applicable US federal and state laws
How does MVision Use and Disclose PHI?
MVision uses and discloses PHI only as permitted by the applicable agreement and law, respectively the BAA and HIPAA, and limited to the following purposes:
- providing the services to the covered entity;
- operating, maintaining, and securing the services including monitoring system performance, applying security updates, investigating incidents, and providing technical support;
- as required by law, including response to lawful subpoenas, court orders, or requests from regulators with jurisdiction over MVision AI Inc, and
- management and administration of MVision and to carry out its legal responsibilities, where permitted under 45 C.F.R. § 164.504(e)(4).
PHI is not otherwise used or disclosed:
- neither MVision nor any of its subsidiaries or affiliates sells PHI;
- MVision does not use or disclose PHI for marketing without a HIPAA-compliant authorization;
- MVision does not use PHI to train, validate, or improve AI/ML models for any purpose other than as expressly permitted by the BAA, or after de-identification in accordance with 45 C.F.R. § 164.514(b); and
- MVision does not attempt to re-identify individuals from the data, except as expressly permitted under the BAA and applicable law.
Subcontractors
When MVision engages subcontractors that create, receive, maintain, or transmit PHI on its behalf, it requires those subcontractors to enter into written agreements imposing obligations at least as restrictive as those imposed on MVision, under applicable BAA, in accordance with 45 C.F.R. §164.504 (e) (2) (ii) (D).
Data Minimisation
Consistent with 45 C.F.R. § 164.502(b), MVision makes reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose. The designed architecture, in which the data is de-identified through the removal or re-coding of identifiers and images are deleted within 24 hours of receipt for processing, is a structural application of this principle.
Safeguards
MVision implements administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”) it creates, receives, maintains or transmits, in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). Our systems are developed with specific security controls to protect any personal health information, such as access-controlled use of our systems and network, and strictly monitored security protection measures against any illegal activity. These include, but are not limited to:
- written security procedures pursuant to a security risk analysis, reviewed periodically;
- role-based access controls, multi-factor authentication, and least-privilege principles;
- mutual authentication and encryption of ePHI in transit (TLS 1.2 or higher) and encryption of ePHI at rest using industry-standard algorithms;
- logical segregation of pseudonymized PHI from any data that could be used for re-identification;
- logging, monitoring, and audit controls over systems containing ePHI;
- documented system logs to support the 24-hour retention limit;
- workforce training on HIPAA and information security, with sanctions for non-compliance;
- vendor risk management and subcontractor BAAs; and
- a documented incident response and breach notification process.
Breach notification
If MVision discovers a Breach of Unsecured PHI, pursuant to 45 C.F.R. § 164.402, it will notify the affected Covered Entity, with all information required and possible at that moment, without unreasonable delay and in any event within the timeframe required by the applicable BAA and 45 C.F.R. §164.410 (which states an outer limit of 60 calendar days from discovery).
The Covered Entity remains responsible for notifying the affected individuals, the US Department of Health and Human Services, and (where applicable) the media, in accordance with 45 C.F.R. §§164.404, 164.406, and 164.408.
Individual Rights
Under HIPAA, individuals exercise their rights regarding PHI through their Covered Entity, namely the hospital or clinic that has collected the patient data. These rights include:
- the right to access and obtain a copy of PHI, and confidential communications related to the PHI;
- the right to request amendment of PHI;
- the right to receive an accounting of disclosures, or request restrictions on use and disclosure;
- the right to receive a paper copy of the Covered Entity’s Notice of Privacy Practices; and
- the right to file a complaint with the Covered Entity or with the US Department of Health and Human Services, Office for Civil Rights (“OCR”).
Because MVision does not hold any re-identification information concerning the data received for processing, and the data received is in MVision’s control for only 24 hours, MVision is generally unable to identify which records correspond to a particular individual without information held by the Covered Entity.
MVision will not retaliate against any individual for exercising HIPAA rights or filing a complaint.
Cross-Border Transfers
PHI processed in connection with MVision’s services in the United States is, by default, processed and stored on infrastructure located in the United States. MVision transfers PHI outside the United States (for example for global support or technical assistance) only as permitted by the applicable BAA and applicable law, and applies appropriate technical and organizational safeguards, including encryption and access controls, to protect the data in transit and at the destination.
Contact
For questions about this section, or MVision’s HIPAA practices, please contact our Data Protection Officer by e-mail or by letter addressed to the contact information stated at the top of this notice, or to be found on our website under ‘contact us’.
To file a complaint regarding alleged HIPAA non-compliance, individuals may also contact the US Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/ocr/.
—
This privacy policy is last updated: 01 May 2026
