PRIVACY POLICY


  1. Introduction


    Our Privacy Policy explains how LizAI Inc. (hereafter referred to as “LizAI”) and its affiliates collect, use, disclose, and protect personal data. We are committed to protecting the privacy, security and integrity of your personal data.


    LizAI respects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. LizAI collects, processes, and uses personal data in a manner that is consistent with the laws of countries in which the organization does business. Furthermore, data is only collected for specified, explicit and legitimate purposes detailed in initial agreements and contracts in which the data subject provides consent. Data is not further processed in a manner that is incompatible with those purposes.


    To the extent permitted by applicable law, by using LizAI’s products or services and providing LizAI with personal data, you agree to the practices described in this Privacy Policy and to updates posted here from time to time.


    If you are based in the European Economic Area (“EEA”) or United Kingdom (“U.K.”), this Privacy Policy serves as notice of how LizAI treats personal data for which LizAI is a controller and/or processor. LizAI adheres to the EU-U.S. DPF Principles, as set forth by the U.S. Department of Commerce, regarding the processing of personal information transferred from the European Union to the United States in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) to the United States in reliance on the UK Extension to the EU-U.S. DPF. LizAI similarly adheres to the Swiss-U.S. DPF Principles when processing personal information transferred from Switzerland in reliance on the Swiss-U.S. DPF. To learn more about the DPF program, and to view the scope of LizAI’s certification, please visit https://www.dataprivacyframework.gov.


    Please note that this is a master privacy policy and some of its provisions only apply to individuals in certain jurisdictions.


  2. Definition of Personal data


    Personal data means any information that identifies, relates to, describes, references, or is reasonably capable of being associated with an identified or identifiable natural person.


  3. Purposes of Data Processing


    We process data only after the data subject has either explicitly consented to the specific processing activities or in order for us to fulfil our contractual obligations in the course of providing the data subject with services the data subject has requested. When we are not the controllers of the data and enter into contractual arrangements to process data controlled by a third party, the data controller must specify the legal basis that applies to such processing.

    3.1. Non-HR Data


      We may use Personal Data for a variety of purposes, including but not limited to the following:


      1. To provide and maintain our Services: We use your Personal Data to ensure that our services are operating efficiently and to address any issues that arise.

      2. To improve and develop our Services and new features: Personal Data helps us to enhance and innovate our services, conduct research, and develop new features that benefit our users.

      3. To communicate with you: We may use your information to send you updates, notifications, and marketing communications about our services and events. This includes information about new features, promotions, and other relevant updates.

      4. To prevent fraud, criminal activity, or misuse of our Services: We are committed to protecting the integrity and security of our services. Personal Data is used to detect and prevent fraudulent activities, unauthorized access, and other forms of misuse.

      5. To protect the security of our systems and Services: Ensuring the safety and security of our systems and services is a priority. Personal Data is utilized to monitor and safeguard against potential security threats.

      6. To comply with legal obligations: We may need to use your Personal Data to fulfill legal requirements and to protect the rights, privacy, safety, or property of our users, ourselves, our affiliates, or any third party.

      Aggregated or De-Identified Information: We may aggregate or de-identify Personal Data so that it can no longer be used to identify you. This anonymized data is used to analyze the effectiveness of our services, enhance and add new features, conduct research, and for other similar purposes. Additionally, we may share or publish aggregated information, such as general user statistics, with third parties. This information is collected through our services, cookies, and other means as described in this Privacy Policy. We will maintain and use this de-identified information in an anonymous form and will not attempt to re-identify it, except as required by law.


      As noted above, we also use the content you provide to improve our services. For instance, this content may be used to train the models that power our services. If you prefer, you can opt out of our use of your content for model training by contacting info@lizai.co.


    3.2. HR Data


      LizAI receives information concerning Employees. LizAI collects and uses Employees’ Personal Data to assess an individual as a candidate and, once you are an Employee, for compensation, payroll, and benefit planning and administration (e.g., salary, tax withholding, tax equalization, awards, insurance and pension), workforce development, education, training, performance management, problem resolution (e.g., internal reviews, grievances), internal investigations, auditing, compliance, risk management and security purposes, Employee communications, and as required or expressly authorized by laws or regulations applicable to LizAI’s business or by government agencies that oversee or regulate our business. As an employee of LizAI, your personal data may be forwarded internally to your managers, other business units or divisions, and any of the various corporate functions. Your Personal Data may also be shared with various third parties and third-party agents in the normal course of business. As an employee of LizAI, you may have rights to access and/or limit disclosures of certain types of personal data. For any questions directly related to this, please contact info@lizai.co.


  4. Personal data we collect


    4.1. Non-HR Data


      1. Third party data provision


        To enable us to provide our services to Clients, Clients provide us with personal data for which they act as the controller. That data may include medical reports and records, patient ID number, name, age, sex and other information.


        Any such data is collected following the explicit consent of the data subject for the specific processing purposes.


        In certain circumstances, where a Client does not provide the personal data which is required, we will not be able to perform our obligations under the contract with them or may not be able to provide them with our services. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the Client.


        We may additionally obtain information about you from third party data providers and information services.


      2. Other sources of data


        We collect personal data from various external sources, including publicly available data on the internet, primarily to develop the models that drive our Services. Additionally, we receive information from our trusted partners. For instance, security partners provide data to protect against fraud, abuse, and other security threats to our Services. Similarly, marketing vendors supply us with information about potential customers for our business services.


    4.2. Personal Data You Provide

      When you create an account or communicate with us, we collect various types of Personal Data to ensure we can provide and enhance our Services effectively. Here’s a detailed look at the categories of Personal Data we collect:

      1. Account Information: When you create an account with us, we gather information associated with your account to facilitate your use of our Services. This includes your name, contact information (such as email address and phone number), account credentials (username and password), payment card information, and transaction history. Collectively, we refer to this data as “Account Information.” This information is essential for account management, processing transactions, and providing customer support.

      2. User Content: As you use our Services, we collect the Personal Data contained in the input you provide, any files you upload, and the feedback you offer. This category, known as “User Content,” allows us to tailor our Services to your needs, improve our offerings, and ensure a personalized user experience.

      3. Communication Information: If you reach out to us for any reason, we collect your name, contact details, and the contents of your messages. This “Communication Information” enables us to respond to your inquiries, address your concerns, and provide effective support.

      4. Social Media Information: We maintain pages on various social media platforms such as Instagram, Facebook, Medium, X, YouTube, and LinkedIn. When you interact with our social media pages, we collect the Personal Data you choose to provide, such as your contact details. This “Social Media Information” helps us engage with our community and understand user preferences. Additionally, the social media companies hosting our pages may provide us with aggregated information and analytics about our social media activities, helping us improve our social media presence and interactions.

      5. Other Information You Provide: We also collect any other information you may provide to us in various contexts. This can include data you submit when participating in our events or surveys, or information you provide to verify your age or identity. This category, referred to as “Other Information You Provide,” helps us tailor our services, ensure compliance with regulations, and enhance user engagement.


      By collecting this comprehensive range of Personal Data, we aim to create a seamless, personalized, and secure experience for all users of our Services. Each category of data plays a critical role in our ability to understand and meet your needs effectively.


    4.3. Personal data LizAI May Automatically Collect


      When you visit, use, or interact with our Services, we receive various types of information collectively referred to as “Technical Information.” This includes the following categories:

      1. Log Data: This encompasses the information automatically sent by your browser or device whenever you use our Services. Log data typically includes your Internet Protocol (IP) address, browser type and settings, the date and time of your request, and your interactions with our Services. This data helps us understand your activity on our platform and can be used to diagnose and fix technical issues.


      2. Usage Data: We may automatically collect detailed information about how you use our Services. This includes the types of content you view or engage with, the features you use, and the actions you take. Additional data such as your time zone, country, dates and times of access, user agent and version, the type of computer or mobile device you use, and your computer connection details are also collected. This information helps us analyze user behavior to improve and personalize our Services.


      3. Device Information: We collect data about the devices you use to access our Services. This includes the name of the device, the operating system it runs, device identifiers, and the browser you are using. The specifics of the information collected can vary depending on the type of device and its settings, but it generally helps us optimize the Services for different devices and troubleshoot device-specific issues.


      4. Cookies and Similar Technologies: To enhance your experience and ensure the smooth operation of our Services, we use cookies and similar technologies. These tools allow us to remember your preferences, understand how you use our Services, and personalize your experience.


      Each of these types of Technical Information plays a crucial role in helping us maintain and improve the quality, security, and functionality of our Services. By understanding how users interact with our platform, we can make informed decisions about updates and new features, ensuring that we continue to meet your needs effectively.


    4.4. Disclosure of Personal data to Third Parties


      We may disclose your personal data to other parties, including:


      • Our affiliates and/or business partners with whom we jointly offer services.

      • Service providers necessary to allow us to provide Clients with the requested services.

      • Life sciences industry companies, analytics companies and other third parties with whom we have business relationships.

      • Government regulators.

      • Our legal advisors and parties involved in a legal process.

      • An entity involved in the sale of our business.

      • Third parties to whom you or your agents authorize us to disclose your personal data in connection with products or Services we provide.


      In certain cases, we may or will anonymize or de-identify your Personal Data. “Anonymous Information” means information which does not enable identification of an individual user, such as aggregated information about the use of our services. We may use Anonymous Information and/or disclose it to third parties without restrictions (for example, in order to improve our services and enhance your experience with them).


      Personal data is only shared by LizAI with third parties who require it for specific business purposes.


      Data is transferred only for the scope of purpose it was initially intended and not for any other reasons. Where applicable, these third parties must agree to abide by the same level of privacy protection as required by Data Privacy Framework principles.

      Service providers may include data centers who store employee contact information such as name, email, phone number of a select group of employees as part of the approved access list. The employees in the list have limited access to the data center to provide maintenance of servers. These typically involve members of the IT department and the individuals responsible for conducting third party vendor audits.


    4.5. Onward Transfers


      LizAI has in place appropriate safeguards in accordance with applicable legal requirements to provide adequate protections for any personal data transferred from the EEA, Switzerland, or the UK to the United States. LizAI uses the European Commission ‘Standard Contractual Clauses’ and has incorporated them into our Data Processing Agreements as well.


      LizAI complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. LizAI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. LizAI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.


    4.6. Cookies Statement


      LizAI may use cookies, SDKs, tracking pixels and similar technologies, which are small files that a website or mobile application stores on your device and that recognize the user’s browser or device and capture and remember certain information.

      We use these technologies to recognize you when you visit our website and to optimize the functionality of our website and services.


    4.7. Legislation


      1. EU, EEA and UK


        Within the EEA and the UK, LizAI processes personal data under the GDPR (2016/679) and UK Data Protection Act. To ensure personal data is processed securely and in line with the applicable regulations, each data controller of LizAI enters into a Data Processing Agreement (DPA) with LizAI which defines how patient data is processed securely.


      2. United States of America (USA)


        To ensure data processing of US citizens, LizAI complies with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, a Business Associate Agreement (BAA) is entered into between LizAI and each data controller to define how LizAI is allowed to process personal data on behalf of the data controller.


  5. Security

    LizAI applies strict technical and organisational measures to protect the data it is processing. Among other measures, LizAI performs the following actions:

    • Pseudonymising personal data where possible, meaning that patient data processed by LizAI cannot be directly linked to individuals;

    • Application of state-of-the-art encryption techniques, meaning that if data was accessed, the data is illegible;

    • Application of access control and restrictions, meaning that access to data is controlled and limited to authorized users only;

    • Implementation of additional organisational controls such as security training programs, confidentiality agreements, logging of user activities and many more.


    At LizAI, all patient data is processed in a fully automated manner, and manual access to such data is only permitted when specifically requested by clients of LizAI. To ensure that our technical and organisational measures are adequate and address the risks associated, LizAI has installed an Information Security Management System according to the ISO 27001 management standard (EN-ISO/IEC 27001:2013 Information technology – Information Security Management Systems – Requirements).


  6. Retention and deletion


    Personal data is not held and/or stored longer than necessary and not longer than required to perform the purposes for which the data was collected, depending on the legal basis for which that data was obtained and/or whether additional legal/regulatory obligations mandate that we retain your personal data. At the end of the retention period, LizAI will delete any personal data in a manner designed to ensure that it cannot be reconstructed or read.


  7. Rights


    As required by applicable laws, and subject to any permitted exceptions and limitations, we will comply with any verified consumer request you submit with respect to your personal data. You may exercise these rights by contacting LizAI. Alternative options may also be presented on our website.

    7.1. Rights of Individuals in EEA, Switzerland and the U.K.


      This section of our Privacy Policy is intended to comply with the GDPR and applies only to individuals whose data is collected and/or processed by LizAI from within the EEA, Switzerland, or the U.K.

      LizAI is the controller and/or processor (as defined under the GDPR) of personal data it collects regarding data subjects in the EEA, Switzerland, or the U.K.

      Subject to applicable law, you may be able to exercise any of the following rights in relation to your personal data:

      • Right to know what information we have about you: This is known as the "right of access" and gives you the right to find out what, if any, personal data we have about you, how we process it, and to request a copy of the personal data.

      • Right to correct your information: This is known as the "right of rectification" and gives you the right to ask that we correct or complete any personal data we have about you.

      • Right to delete your information: This is known as the "right to erasure" or "right to be forgotten" and gives you the right to ask us to delete your personal data.

      • Right to change how we use your information: This is known as the "right to restrict processing" and gives you the right to ask us to change how we use your personal data in certain circumstances, such as where you contest the accuracy of the data or object to us using it in a certain way.

      • Right to move your information: This is known as the "right to data portability" and gives you the right to ask to receive your personal data from us in a structured, commonly used and machine-readable format or to have it transmitted to another controller.

      • Right to stop us from using your information: This is known as the "right to object" and gives you the right to ask us to stop using your personal data when applicable.

      • Rights relating to how we use your information to categorize you or make decisions about you: This is known as the "right in relation to automated decision-making and profiling": You have the right to be free from decisions we may make that are based solely on automated processing of your personal data, including profiling, if they produce a significant legal effect on you, unless such decision-making or profiling is necessary for entering into or performing a contract between you and us, or is made with your explicit consent.

      • Right to withdraw consent: If we rely on your consent to use your personal data, you have the right to withdraw that consent at any time. This will not affect our use of your data before we received notice that you wished to withdraw your consent.

      • Right to file a complaint with the supervisory authority: If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the supervisory authority that is authorized to hear those concerns in your jurisdiction, although we invite you to contact us with any concern as we would be happy to try and resolve it directly.


      You may exercise these rights by contacting us, and we will respond to your requests in the time period stated by applicable law. Alternatively, if you have questions about this privacy notice, our data collection and processing practices, or your rights, please contact us at info@lizai.co.


  8. Data integrity

    LizAI does not process information that is incompatible with the original purposes for which it has been collected unless subsequently authorized by the individual.


  9. Recourse


    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, LizAI Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact LizAI Inc. at info@lizai.co.


    9.1. Non-HR Data


      In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, LizAI Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.


    9.2. HR Data


      LizAI has further committed to cooperate with EU data protection authorities with regard to unresolved DPF complaints concerning human resources data transferred from the EU in the context of the employment relationship. We recommend that Data Subjects with inquiries or complaints regarding this DPF Notice first contact LizAI at info@lizai.com.


      In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, LizAI Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.


  10. Arbitration


    Under certain conditions, more fully described on the DPF website (available here), you may also be able to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”) after you approached us and you used the independent recourse mechanism. The International Centre for Dispute Resolution-American Arbitration Association (“ICDR-AAA”) was selected by the U.S. Department of Commerce to administer arbitrations pursuant to and manage the arbitral fund. Please visit ICDR-AAA’s website for more information.


  11. Notification of Policy Changes


    We may update this Privacy Policy from time to time. Any updated version of this Privacy Policy will be effective as of the date set forth therein.


  12. General Information


    12.1.

      The Federal Trade Commission has jurisdiction over LizAI’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

    12.2.

      LizAI is required to disclose personal data in response to lawful requests by public authorities, including those necessary to meet national security or law enforcement requirements.

    12.3.

      LizAI acknowledges the potential liability in cases of onward transfers to third parties of personal data of EU or Swiss individuals received pursuant to Data Privacy Framework.
