Privacy Policy


This privacy notice for Upvio (“we”, “us”, or “our”) describes how and why we collect, store, use and share your personal data when you use our software technology and services (together, the “Services”).  It also explains your rights in relation to your personal data and how to contact us or supervisory authorities should you have a complaint.

We collect, use and are responsible for certain personal data about you. Upvio is a “controller” of your personal data. This is a legal term, and it means that we make decisions about how and why we use your personal data, and who has access to it. We are responsible for making sure your personal data is used in accordance with data protection laws.

Organizations that use, access, store and transmit your personal data are defined as “processors”. We will therefore be both a controller and a processor of your personal data. Anyone we share your personal data with has responsibilities under data protection laws as well as contractual obligations under terms that we will have put in place with them. We are responsible for the secure treatment of your personal data and for ensuring that, at all times, anyone who accesses it does so in accordance with data protection laws.

When we collect your personal data, we will need to ensure that we comply with the data protection laws that apply in the country in which we provide you with our Services. Details about your rights and the laws that apply to our collection and processing of your personal data are set out in Schedule 1.

In summary…

  • We collect and use your personal data strictly in adherence with data protection laws and only in order to provide you with our Services. This can include customer communications, complying with legal obligations, and improving and monitoring the performance of our software, apps, and Services as set out in Schedule 3.
  • You have a number of rights in relation to your personal data as set out in Schedule 1 under ‘Your rights’.
  • We comply with data protection laws that apply to the country in which you reside and where we provide our Services as set out in Schedule 1 under ‘Applicable data protection laws’.
  • We have appointed a data protection officer to monitor compliance of our practices. Please see Schedule 2 ‘Our Data Protection Officer’ for their contact details.
  • We may disclose some of your personal data to third parties in order to provide the Services to you.
  • We do not routinely disclose sensitive data, called ‘special category personal data’ to third parties unless it is necessary to provide our Services to you.
  • We have measures in place to safeguard your personal data when we transfer it to different parts of the world.
  • We take steps to minimise the amount of personal data we hold about you and to keep it secure.
  • We do not intend to collect or process the personal data of any person who is considered a child and, in all circumstances, of any person under 13 years of age.
  • We delete your personal data when we no longer need it, and we have policies in place to govern when that is.
  • We are happy to answer your questions about any of the above – please send them to [privacy @ upvio . com]

Key terms

It would be helpful to start by explaining some key terms used in this policy:

Term / Meaning

We, us, our: Upvio Healthtech Pty Ltd of Level 8, 905 Hay St, Perth, Western Australia, 6000, with company number ACN 657 030 192

Data subject: The individual to whom the personal data relates

HIPAA: Health Insurance Portability and Accountability Act 1996

PHI: Protected Health Information

Personal data: Any information relating to an identified or identifiable individual

Special category personal data: Personal data revealing:

  1. racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership
  2. genetic data
  3. biometric data (where used for identification purposes)
  4. data concerning health, sex life or sexual orientation

Data Protection Officer

We are required to appoint a data protection officer to monitor our compliance with data protection laws in the countries where we collect personal data. We have appointed a data protection officer to ensure that our compliance with country-specific data protection laws is maintained.

The details of our appointed data protection officer are set out in Schedule 2.

What types of personal data do we collect and where do we get it from?

We provide organisations and businesses throughout the world (including healthcare providers, wellness service providers and other organisations) with access to our software known as Upvio, our software known as VitalsAI, our mobile app, and our AI-enabled modules known as (i) Vitals AI (a camera-based tool that provides physiological and wellness insights) and (ii) Empathic AI (a computer-vision-based tool that provides emotional/behavioural insights) (together, the ‘AI Tools’), all of which we have developed. There may also be other Services we provide that are not listed here; where we do so, the provisions of this policy apply to our collection and use of your personal data.

We collect, use, store and transfer different kinds of personal data about you which is vital for us to provide you with our Services. For further information about the types of personal data we collect and where we obtain it from, please see Schedule 3.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we will not be able to provide our Services to you.

We will make it clear to you where disclosure of your personal data is optional. The provisions of this Privacy Policy apply when we obtain your personal information from other people or organizations (such as from public sources, or third-party service providers).

If any of the personal information that you have provided to us changes, please inform us by contacting [privacy @ upvio . com].

Children’s personal data

Our Services are not intended for children, and we do not knowingly collect personal information relating to children.

If you have provided us with information relating to children, please contact us so that we can review the circumstances of such collection (or processing, as applicable).

How we use your personal data

We will only use your personal data when the law allows us to. We have set out the different purposes for which we process your personal data in Schedule 3 under ‘Legal purpose for processing personal data’.

Where our processing is based on your consent, you can withdraw your consent at any time by contacting [privacy @ upvio . com]. Please note that if you do this, it won’t affect any of the processing we have already done prior to the withdrawal of your consent.

We also process certain categories of personal data where we have a lawful legitimate interest for doing so. Legitimate interest processing occurs when we have a business or commercial reason to use your personal data, and your interests and fundamental rights do not override those interests.

Special category personal data

We ensure that we comply with the applicable data protection laws of the jurisdiction in which such data is collected. As data protection laws differ from country to country, we have outlined in Schedule 1 the specific rules that apply to you, according to the country in which you receive our Services. We have also outlined the types of special category personal data we collect in Schedule 3.

In certain circumstances, our Services may be used by US business customers that are subject to HIPAA (for example, HIPAA “Covered Entities” or “Business Associates”). Where applicable, and to the extent we process Protected Health Information (PHI) on behalf of such a customer, we will handle that PHI in accordance with HIPAA and the applicable contractual arrangements (including any HIPAA Business Associate terms), and as described in our HIPAA Privacy and Security Policy.

Outside of those HIPAA-specific deployments, HIPAA may not apply to our processing activities.

Use of the camera on any telecommunications device or mobile telephone

Permission will be requested to use the camera on your device, the device of your patients, or the device on which you consume our Services, in order to enable certain features of our Services, including the AI Tools.

Vitals AI

When you (or your patients/end users) use Vitals AI, Vitals AI uses a standard digital video camera to conduct a short facial scan (typically around 30 seconds) for the purpose of extracting physiological signal features using remote photoplethysmography (rPPG) and related computer vision techniques.

For Vitals AI, we process a live video stream (and/or a short sequence of frames) from the device camera to extract signal features, together with the derived measurements and outputs generated from that processing (such as heart rate, heart rate variability, breathing rate and other wellness indicators, along with scan/session metadata such as time, duration, device type, and signal quality indicators).

Empathic AI

When enabled within the Services, Empathic AI may analyse visual inputs (for example, facial expressions and other non-identifying visual cues captured via the device camera) to generate emotional and/or behavioural insights. Empathic AI outputs are probabilistic and may be affected by factors such as lighting, positioning and movement.

What we store / do not store

We process raw video frames in real-time to extract signal features. As part of our standard operating design for Vitals AI, raw video frames are not stored or made accessible as part of the Services. Instead, we store and use only the derived measurements/outputs and limited scan/session metadata, unless:

  • storage is required to comply with law; or
  • storage is necessary for security, fraud prevention, or troubleshooting (and in that case, we will limit what is collected and retain it only for as long as necessary for that purpose); or
  • you separately instruct and authorise us (for example, as part of an agreed support process).

You may disable the app’s (or platform’s) access to the camera on your device, although that will mean that camera-based features (including the AI Tools) will no longer be available.

The personal data we process using the camera for the AI Tools (including any biometric and/or health-related personal data derived from the scan) is collected and processed under your explicit consent, which you give by using our AI Tools and/or our app or platform features.

You may withdraw your consent at any time, by disabling the camera and/or by contacting us at [privacy @ upvio . com].

You can also request that we restrict our processing of your biometric data, or request a copy of such data, by contacting [privacy @ upvio . com].

Important information about the AI Tools (Vitals AI and Empathic AI)

The AI Tools are designed to provide general wellness and insight outputs. They are not intended to be used, and must not be used, for clinical diagnosis, medical decision-making, treatment selection, or emergency use.

In particular, you:

  • must not rely on any AI Tool output as a substitute for professional medical advice, diagnosis, or treatment.
  • must not use any AI Tool if you suspect a medical emergency (you should contact relevant emergency services).
  • acknowledge that AI Tools may be affected by external factors (including lighting, movement, camera quality and signal artefacts), and may be inaccurate, incomplete, or unavailable.

You are responsible for ensuring that your use of the AI Tools complies with applicable law, obtaining any consents required from patients/end users, and ensuring that the AI Tools are used only for permitted purposes as set out in the applicable customer contract terms.

To improve accuracy and reduce bias, we may process limited derived features from the results of the AI Tools (for example, tonal characteristics of the signal such as skin tone-related features) solely for the purposes of fairness testing, bias reduction and performance calibration across diverse users and environments. These derived features are not used to identify you and are not stored or used as standalone identifiers.

What marketing activities do you carry out?

We do not use personal data of your customers or your end users to carry out any marketing.

If you are one of our business customers, we may use your personal data to send you updates by email, text message, telephone, or post about our Services, including exclusive offers, promotions, or new Services.

We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

  • contacting us at [privacy @ upvio . com], or
  • using the ‘unsubscribe’ link in our emails if one is provided.

We may ask you to confirm or update your marketing preferences if you ask us to provide further Services in the future, or if there are changes in data protection laws or regulation in the country in which you reside. We will always treat your personal data with the utmost respect and never sell or share it with other organizations for marketing purposes.

Who we share your personal data with?

We only share personal data in accordance with data protection laws. We do not share special category personal data unless we have a lawful basis for doing so, or where such transfer is permitted under applicable data protection law.

We share personal data with:

  • Companies within the Upvio group
  • Our professional advisors (such as lawyers or auditors) and in each case, only where such disclosure is subject to the highest level of security and confidentiality
  • Third parties we use to help deliver our Services to you, such as healthcare providers and hospitals that provide Services to you
  • Law enforcement agencies, courts, tribunals, and regulatory bodies where we are compelled to do so to comply with our legal and regulatory obligations
  • Our bank, insurers, and brokers, but only where it is absolutely necessary and required in order for us to continue providing Services to you

We will not share your personal data with organizations unless we are satisfied that they take appropriate measures to protect your personal data. We impose contractual obligations (including standard contractual clauses or clauses designated by jurisdictional supervisory authorities) on organizations to ensure they protect your personal data. We will not share your personal data with any other third party who has not signed an agreement with us to protect your personal data.

Who we share your personal data with - in more detail

In providing the Services to you, we may share your personal data with the following who are subject to strict contractual obligations to ensure confidentiality and security:

  • Amazon Web Services, 410 Terry Avenue North, Seattle, WA 98109-5210, USA
  • Heroku, 415 Mission Street, Suite 300, San Francisco, CA 94105, USA
  • Cloudflare, 101 Townsend St, San Francisco USA
  • Tawk.to Inc., 187 East Warm Springs Rd, SB298 Las Vegas, NV, 89119, USA
  • Matomo, 150 Willis, Wellington, 6011, New Zealand
  • InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand
  • Auth0 (Okta, Inc.), 10800 NE 8th St, Bellevue, USA
  • Google Inc., 1600 Amphitheatre Parkway in Mountain View, California, USA
  • Stripe Inc., 354 Oyster Point Blvd South San Francisco, CA 94080, USA
  • Hotjar Ltd, Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta
  • Plivo, 601 S Congress Ave, Austin, USA
  • Mailgun Technologies Inc., 112 E Pecan St. #1135 San Antonio Texas 78205 USA
  • Bugsnag, 110 Sutter St, Suite 1000. San Francisco, CA 94104 USA
  • MongoDB, Paramount Plaza, 1633 Broadway 38th Floor, New York, USA
  • Pipedrive Ireland Limited, 4th Floor, 7/8 Wilton Terrace, Dublin, Ireland
  • Webflow, 398 11th Street, Floor 2, San Francisco, CA 94103, USA
  • Papertrail Inc., 625 Broadway Suite 20-4242, Seattle, USA
  • Advanced Health Intelligence Limited, 71-73 South Perth Esplanade Unit 5 South Perth, Western Australia 6151
  • Third-party providers of rPPG / biometric signal processing technology and related analytics components (used as part of Vitals AI), who act as our service providers/processors and are subject to strict contractual obligations to ensure confidentiality and security (for commercial and security reasons, we do not publish the names of these providers in this Privacy Policy. However, we maintain an up-to-date list of these providers and will make it available on request and/or where we are required to do so under applicable law, including where disclosure is required to respond to a valid data subject access request)
  • Third-party providers of rBCG/micro-movement and head induced cardiac ejection technology and related analytics components who act as our service providers/processors and are subject to strict contractual obligations to ensure confidentiality and security (for commercial and security reasons, we do not publish the names of these providers in this Privacy Policy. However, we maintain an up-to-date list of these providers and will make it available on request and/or where we are required to do so under applicable law, including where disclosure is required to respond to a valid data subject access request.)

Where do we hold or store your personal data?

Your personal data is securely held on our dedicated data servers, which are located according to your preference or depending on your location. If you would like more information regarding where your personal data is stored, please contact us.

How long will we keep your personal data?

We do not keep your personal data for longer than we need it for the purpose for which it is used.

Different retention periods apply for different types of personal data. For further information about the periods we retain your personal data, please see our Retention Policy.

Following the end of the relevant retention period, we will securely delete or anonymise your personal data.

Where in the world is your personal data transferred to?

We do not routinely transfer your personal data to anyone else once we have collected it unless it is necessary for us to provide our Services to you. In such circumstances, we transfer your personal data to recipients that are established in countries other than your own.

If you reside in the EU or the UK and it is necessary to transfer your personal data outside of the EU or the UK, we will not make the disclosure unless the following apply:

  • The country to which the personal data is to be transferred ensures an adequate level of protection of your personal data
  • We have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient alongside any additional documents (such as standard contractual clauses, international data transfer agreement, or an addendum, as applicable)
  • The transfer is necessary for one of the reasons specified under data protection laws that apply, such as the performance of a contract between us and you
  • You explicitly consent to the transfer.

A list of the organizations that we disclose personal data to in order to provide our Services is set out in the section ‘Who we share your personal data with - in more detail’ above.

If you would like further information about data transferred outside of the country in which we provide our Services to you, please contact us at [privacy @ upvio . com].

What are your rights and how can you exercise them?

We have set out your rights in Schedule 1 under ‘Your rights’. You have these rights, and they apply as soon as we collect any of your personal information. Should you wish to exercise any of your rights, please contact us at [privacy @ upvio . com].

How do we keep your personal data secure?

We have appropriate security measures in place to prevent personal data from being used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it and apply encryption to any special category personal data. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality. For transparency, we maintain an information security programme and controls designed to align with recognised security standards and assurance frameworks, including ISO/IEC 27001 and SOC 2 (Trust Services Criteria). We are working towards obtaining, and where obtained will maintain, ISO/IEC 27001 certification and a SOC 2 Type II independent audit/attestation (or a materially equivalent assurance). If you require confirmation of our current certification/attestation status, please contact us at [privacy @ upvio . com].

We also have procedures to deal with any suspected or actual data security breach. In certain circumstances, we will notify you and any applicable regulator of a suspected or actual data security breach where we are legally required to do so.

How to raise a complaint

Please contact us if you have any queries or concerns about our use of your personal data.

You have the right to lodge a complaint with the supervisory authority responsible for the protection of personal data according to where you reside:

  • Australia: Office of the Australian Information Commissioner (OAIC)
  • United States: The relevant authority depends on the state in which you reside. Please contact us should you be unsure which data protection authority applies to you.
  • United Kingdom: The Information Commissioner's Office (ICO)
  • European Union: The relevant data protection authorities in each EU member state, with the lead authority being the one in the country where the main establishment of the data controller is located. The European Data Protection Board has oversight of each authority. Please contact us should you be unsure which data protection authority applies to you.
  • New Zealand: Office of the Privacy Commissioner
  • Singapore: Personal Data Protection Commission (PDPC)

Updates to this privacy notice

We may update this privacy notice from time to time to reflect changes to our processes, procedures, and categories of personal data. When we make material changes, we will update you via email and we will publish revised versions of this notice on our website https://www.upvio.com.

Do you need extra help?

If you would like this notice in another format (for example audio, large print, braille) please contact us at [privacy @ upvio . com].


SCHEDULE 1

Applicable data protection laws

The below table outlines the data protection laws that apply according to the country in which you reside, and includes any successor legislation, and all other legislation and regulatory requirements in force from time to time in your country.

The country in which you reside

Applicable data protection laws

Australia

  • Privacy Act 1988
  • The Australian Privacy Principles (“APPs”)

New Zealand

  • Privacy Act 1993

United States

  • Health Insurance Portability and Accountability Act 1996 (“HIPAA”)
  • Health Information Technology for Economic and Clinical Health Act 2009 (“HITECH”)
  • California Consumer Privacy Act 2018

European Union*

  • General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”)
  • Privacy and Electronic Communications Regulations 2003 (“PECR”)

United Kingdom

  • The retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”)
  • Data Protection Act 2018
  • The retained EU law version of the Privacy and Electronic Communications Regulations 2003 (“UK PECR”)

Singapore

  • Personal Data Protection Act 2012 (“PDPA”)

Rest of the world

  • The applicable local and international data protection laws in effect from time to time in the country in which you reside.

*consisting of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

Your rights

If you would like to exercise any of the rights applicable to you as set out in the table below, please contact [privacy @ upvio . com]. Please note that your rights may be subject to limitations and conditions, as set out in the data protection laws within your jurisdiction.

The country in which you reside

Your rights

Australia

  • The right to access your personal information
  • The right to correct your personal information
  • The right to request deletion of your personal information
  • The right to complain about a privacy breach
  • The right to opt-out of direct marketing
  • The right to seek compensation for a privacy breach

New Zealand

  • The right to access your personal information
  • The right to correct your information
  • The right to complain to the Privacy Commissioner
  • The right to protection from discrimination
  • The right to opt-out of direct marketing
  • The right to privacy in accordance with the provisions of the Privacy Act.

United States

  • The right to access your personal information
  • The right to correct your information
  • The right to receive your information in a machine-readable format so you can share it
  • The right to have your data deleted
  • The right to opt-out of data collection and sharing
  • The right to be informed about a data breach

European Union*

  • The right to be informed
  • The right of access to your information
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to not be subject to automated decision-making

United Kingdom

  • The right to be informed
  • The right of access to your information
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to not be subject to automated decision-making

Singapore

  • The right to access personal data
  • The right to correction
  • The right to withdraw consent
  • The right to limit the use and disclosure of personal data
  • The right to opt-out of marketing
  • The right to information about the third-party recipient
  • The right to receive your information in a machine-readable format so you can share it

Rest of the world

Your rights may differ depending on the country in which you reside, and we will abide by the rights afforded to you in your country under applicable data protection law.


SCHEDULE 2

Our Data Protection Officer

We are required under data protection laws to appoint a Data Protection Officer. We have set out the details of our nominated Data Protection Officer in the table below.

Data Protection Officer

Name

Mark Qualie

Address

Level 8, 905 Hay St, Perth, Western Australia, 6000

Email address

[privacy @ upvio . com]


SCHEDULE 3

Categories of personal data

The personal data that we collect will depend on whether you are users of our core Upvio platform, our Vitals AI product (camera-based scan), our Empathic AI product (computer-vision insights), or other Services.

Where you use Vitals AI and/or Empathic AI, we process camera-derived personal data (including special category personal data where applicable) to provide scan/insight outputs. As part of our standard operating design for Vitals AI, raw video frames are processed in real-time and are not stored or made accessible as part of the Services; instead, we process and store derived outputs and scan/session metadata, subject to the “What we store / do not store” section in this Privacy Policy.

The table below sets out the categories of personal data we may collect and where we collect your personal data from.

Types of personal data / Where/Who we collect it from

Your contact details, including:

  • Name
  • Address
  • Email address
  • Telephone number/s

Where/Who we collect it from:

  • You

Personal information, including:

  • Date of birth
  • Gender
  • Lifestyle and social circumstances

Where/Who we collect it from:

  • You
  • Third parties with your consent

Identity information, including:

  • Moving images, still images and photographs
  • Videos
  • Camera stream data used for real-time signal extraction (processed transiently during the scan; not stored as raw video as part of the Services and AI Tools)

Where/Who we collect it from:

  • You
  • Third party service providers
  • Sanction screening providers
  • Publicly available registers

Sensitive personal information (also known as special categories of personal data), including:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Health Data (including physical and mental health, test results, health concerns and conditions/diseases, dietary requirements, allergies, prescription drugs history and other drug taking history, activity levels)
  • Biometric data
  • Vitals AI scan outputs and derived physiological measurements (e.g., heart rate, breathing rate, HRV and other wellness indicators)
  • Derived biometric/signal features extracted from the camera stream for the purposes of generating the outputs
  • Empathic AI insight outputs (where enabled), which may include inferred emotional/behavioural indicators

Where/Who we collect it from:

  • You, with your consent
  • Third parties, with your consent

System and Platform usage and communication information, including:

  • User IDs and password information
  • IP addresses and device identifiers
  • Information about accounts you link to us e.g. LinkedIn
  • IP address, survey responses and how you use our website
  • Cookies on our website

Where/Who we collect it from:

  • You
  • Your use of our systems, software, apps, platforms, and via our IT systems (including automated monitoring)

Information collected during the administration activities of our business, including:

  • Complaints
  • Queries
  • Preferences regarding our use of your personal data

Where/Who we collect it from:

  • You
  • Third party service providers, such as healthcare providers and hospitals

Legal purpose for processing personal data

The below table sets out the lawful basis that allows us to process your personal data. Whilst a lawful basis for processing is not applicable in all of the countries in which we collect personal data, we apply the highest possible standards to protect you, so we will always ensure that where we process your personal data, we have a lawful basis for doing so.

Purpose/Activity

Lawful basis

Consent provided by you

Necessary to perform a contract between us

Necessary to comply with our legal obligations

Necessary to protect your vital interests

For our legitimate interests or those of a third party

Providing Services to you

X

(where your consent is required)

X

X

The provision of Vitals AI (including processing camera stream data to extract physiological signal features, generating scan outputs, and presenting results to you)

X

(where your consent is required)

X

The provision of Empathic AI (where enabled) (including analysing visual inputs to generate emotional/behavioural insight outputs and presenting those outputs to you)

X

(where your consent is required)

X

Quality assurance, safety, security, monitoring and audit logging for the AI Tools (including detecting misuse, fraud prevention, and maintaining the integrity and availability of the Services and use of AI Tools)

X

(where your consent is required)

X

Algorithm improvement and validation (where permitted), using de-identified data and/or aggregated data to improve accuracy, robustness and fairness of the AI Tools

X

(where your consent is required)

X

To share your personal data with third parties where the sharing is required in order to provide the Services to you

X

(where your consent is required)

X

Conducting checks to identify you and verify your identity

Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business

X

X

To enforce legal rights or defend or partake in legal proceedings, including to respond to a request from any government body or regulator

X

X

Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies and our professional advisers

X

Ensuring business policies are adhered to, e.g., policies covering security and internet use

X

Operational reasons, such as maintaining records, improving efficiency, training, quality control and managing our staff

X

Ensuring the confidentiality of sensitive information

X

X

X

Statistical analysis to help us manage our business, e.g., in relation to the provision of mediation Services to our clients

X

X

Preventing unauthorised access and modifications to systems

X

X

Protecting the security of systems and data used to provide the Services

X

X

Updating and enhancing your records

X

X

Statutory returns

X

Ensuring safe working practices, staff administration and assessments

X

Preventing and detecting fraud against you or us

X

X

Collection, processing, storage, and transfer of any special category personal data

X


SCHEDULE 4

California Consumer Privacy Act of 2018 (‘CCPA’) Privacy Notice

The CCPA defines a "resident" as:

  • every individual who is in the State of California for other than a temporary or transitory purpose, and
  • every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose.

All other individuals are defined as "non-residents".

If this definition of "resident" applies to you, we will adhere to the rights and obligations that you are provided under the CCPA regarding your personal data.

Verification Process for Individual Rights Requests

We have reasonable methods in place for verifying rights requests for individuals who choose to exercise these rights, such as a request to know or delete their personal data.

The process described here applies to our role as a business, not as a service provider to our customers. We are unable to respond to requests in our role as a service provider to our customers. We encourage you to submit any such requests directly to the business with which you interact, or with which you have a direct relationship, in order to use our Services.

For requests we receive as a business, we will match the identifying information provided by you to the personal information we already maintain in order to verify your identity. At a minimum, we will ask for your name, email address, country, and state or province.

When verifying requests, our verification standards vary depending on the sensitivity of the request. If we cannot verify your identity, we may deny your request. In some cases, we may require additional information, in which case we will contact you.

If you are an authorized agent making a request to know or delete, we also require you to email [privacy @ upvio . com] and either:

  • provide us with a copy of your written authorization confirming your right to make the request, and direct the requesting individual to verify their identity directly with us; or, if applicable,
  • provide a copy of your power of attorney to exercise these rights on behalf of another.

SCHEDULE 5

AI regulatory alignment

We recognise that AI systems can raise heightened expectations around transparency, fairness and accountability, particularly where outputs may influence health-related decisions. We therefore adopt a risk-based approach to AI governance and data protection, and we contractually prohibit uses that would be inappropriate or unlawful (including use for clinical diagnosis, treatment decisions, or emergency reliance).

AI regulation and guidance continue to evolve globally and can differ by jurisdiction and sector. The table below is a non-exhaustive overview of selected AI-related laws / frameworks and key regulators in jurisdictions where we operate, together with a high-level summary of our compliance approach. This table is provided for transparency and does not override our contractual terms or your organisation's own legal obligations.

Jurisdiction

AI laws and legal framework (non-exhaustive)

Key Regulators

Our Approach

United States

AI laws and legal framework (non-exhaustive): State law: Utah AI Policy Act (consumer disclosure obligations); California (bot disclosure and data transparency laws). Federal: Executive Order 14179 (Removing Barriers to American Leadership in Artificial Intelligence); FTC consumer protection / unfair or deceptive practices enforcement

Key regulators: FTC; State Attorneys General (and other sector regulators as applicable)

Transparency & notices:

We provide clear, user-facing notices where required/appropriate that (i) our services use AI to generate or assist in generating wellness/insight outputs and (ii) users may be interacting with AI-enabled functionality, consistent with emerging state disclosure requirements and consumer protection expectations.

Claims governance (FTC-style substantiation):

We aim to ensure product statements about capabilities/accuracy are not misleading, are appropriately qualified (including limitations and intended-use statements), and are supported by internal validation and monitoring processes.

Biometric / sensitive data:

Where our processing involves biometric/sensor-related personal data, we implement consent-based controls where required, and we support data subject rights handling through documented processes (access, deletion, withdrawal of consent, etc.).

Security & auditability:

We apply privacy-by-design and security controls (including encryption in transit and access controls) and maintain audit logging/monitoring appropriate to the environment.

Prohibited reliance/use controls:

We position the tools as wellness/insight technology and restrict/prohibit clinical diagnosis, treatment decisioning, or emergency reliance through contractual and policy controls (and, where appropriate, product UX prompts).

European Union (including Italy)

AI laws and legal framework (non-exhaustive): EU AI Act (Regulation (EU) 2024/1689); GDPR (Arts. 13–15 transparency; Art. 22 automated decision-making); revised EU Product Liability framework

Key regulators: European Commission / European AI Office; EU/Member State DPAs; EDPS

AI Act risk-based governance:

We take a risk-based approach to AI governance and monitor whether particular deployments could trigger EU AI Act obligations (including transparency, logging, human oversight and (where applicable) provider/deployer controls). We implement controls proportionate to risk and intended use.

Prohibited/restricted use prevention:

Where EU restrictions or prohibitions may apply in certain contexts (for example, emotion recognition in workplace or educational settings, which the EU AI Act prohibits, or other emotion-recognition uses that it classifies as high-risk), our contractual terms prohibit such uses, and we implement operational controls designed to prevent misuse.

GDPR (special category) alignment:

We maintain GDPR-aligned transparency notices and, where required, use explicit consent and other safeguards for biometric/sensor-related data. We also support data subject rights and implement DPIA-style risk assessment where appropriate for high-risk processing.

Explainability (layered):

We provide “layered” explanations proportionate to context and audience, covering: (i) rationale (what the output means at a high level), (ii) responsibility (who to contact), (iii) data (what categories are used and why), (iv) fairness (bias mitigation), (v) safety/performance (limitations/robustness), and (vi) impact (intended benefits and limitations).

Product safety & liability readiness:

We maintain documentation, testing, monitoring and incident-handling practices intended to support safe deployment and appropriate reliance limitations, consistent with evolving product liability expectations for software/AI-enabled services.

United Kingdom

AI laws and legal framework (non-exhaustive): UK GDPR & Data Protection Act 2018; Data (Use and Access) Act 2025; ICO guidance on AI & data protection / explainability; principles-based AI regulation via sector regulators

Key regulators: ICO; CMA; DRCF (and other sector regulators as applicable)

UK GDPR governance:

We implement UK GDPR-aligned privacy governance (lawfulness, fairness, transparency, security, data minimisation, retention controls and rights handling), including appropriate safeguards where sensitive/biometric-like data is involved.

Explainability as a core control:

We align our external-facing transparency and internal governance with recognised UK explainability guidance (including the distinction between process-based and outcome-based explanations, and the six explanation types). We provide a clear path for questions and human review where appropriate.

Automated decisioning posture:

We design outputs as wellness/insight information rather than clinical decisioning, and we restrict prohibited reliance/uses contractually and operationally.

Data (Use and Access) Act 2025 monitoring:

We monitor UK developments and update our governance and documentation where relevant (including around data access, provenance and lawful sourcing expectations that may affect AI development and deployment).

Security & audit:

We maintain security controls and audit logging/monitoring intended to support accountability and incident response.

Australia

AI laws and legal framework (non-exhaustive): Privacy Act 1988 (and reforms as applicable); Online Safety Act 2021 (where relevant); Australian Government AI Ethics Principles / governance guidance

Key regulators: OAIC; eSafety Commissioner

Privacy Act / APPs:

We implement privacy-by-design, data minimisation, purpose limitation, and rights-handling processes consistent with Australian privacy expectations, including appropriate handling for sensitive information where applicable.

Consent & user control (where needed):

We use consent-based controls for camera/biometric features where required, including practical withdrawal mechanisms (e.g., disabling camera permissions) and contact channels for rights requests.

AI ethics alignment:

We maintain AI governance practices aimed at safety, fairness, accountability and transparency (including bias monitoring and documentation of limitations) aligned with widely recognised ethical AI themes.

Online safety (where applicable):

Where platform features could expose users to harmful content or abuse, we implement reporting/moderation and access controls appropriate to the context (noting the Online Safety Act focus).

Singapore

AI laws and legal framework (non-exhaustive): Personal Data Protection Act (PDPA); IMDA / PDPC Model AI Governance Framework (and GenAI-related governance guidance)

Key regulators: PDPC; IMDA

PDPA compliance controls:

We implement purpose limitation, notification/consent where required, reasonable security arrangements, retention limitation and rights-handling processes consistent with the PDPA.

Model AI Governance Framework alignment:

We align internal AI governance to recognised Singapore frameworks (governance structure, risk assessment, dataset governance, explainability/transparency, human oversight, documentation and monitoring).

Transparency & explainability:

We provide clear explanations of what is processed and what outputs represent (including key limitations), and we maintain a contact channel for questions/concerns.

Middle East (UAE – DIFC)

AI laws and legal framework (non-exhaustive): DIFC Data Protection Law No. 5 of 2020 (incl. requirements relevant to sensitive data and cross-border transfers); UAE AI/ethics governance developments (non-exhaustive)

Key regulators: DIFC Commissioner of Data Protection; AI & Advanced Technology Council (AIATC)

DIFC DP Law baseline:

For DIFC-context deployments, we apply a governance posture aligned to GDPR-style principles reflected in DIFC requirements (transparency, lawful basis, security, rights handling, retention controls and appropriate cross-border transfer safeguards where relevant).

Sensitive data handling:

Where processing may be treated as sensitive (e.g., health/biometric-adjacent), we apply enhanced controls such as consent-based processing where required, strict access controls, and minimisation.

Accountability & logging:

We maintain documentation and audit logging/monitoring intended to support accountability, incident response and regulatory queries.

Use restrictions:

We reinforce non-medical positioning and prohibit clinical diagnosis, treatment decisioning or emergency reliance through contractual and policy controls.

Middle East (KSA)

AI laws and legal framework (non-exhaustive): Personal Data Protection Law (PDPL) and implementing regulations / cross-border transfer rules (as applicable)

Key regulators: SDAIA

PDPL monitoring & controls:

We monitor SDAIA guidance and PDPL developments and implement baseline data protection controls appropriate to KSA deployments (transparency, lawful basis/consent where required, rights handling, retention limitation and security).

Transfer & hosting posture:

Where cross-border transfer requirements apply, we implement appropriate governance/contractual safeguards and assess deployment/hosting models accordingly.

Security & auditability:

We apply security-by-design, access controls and audit logging/monitoring intended to support accountability and incident response in regulated environments.

Transparency & explainability: