Product Privacy Policy
Last updated: 10 Jun 2025
Introduction
This Product Privacy Policy (“Policy”) explains how Inquira Technologies B.V. (“Inquira Health,” “we,” “us,” or “our”) handles personal data in connection with our Conversational AI solutions, which may include both voice/phone call services and chat-based interactions. We provide these services to:
- Healthcare organizations (e.g. hospitals, clinics)
- Technical suppliers (e.g. EHR systems or other healthcare IT vendors)
In this context, we typically act as a Data Processor under the General Data Protection Regulation (GDPR), processing personal data on behalf of our customers (the “Data Controllers”).
Note for Patients / End-Users: If you have questions about the personal data processed through our services (e.g. via a hospital’s or EHR’s integration), please contact the healthcare organization or IT supplier that provided your data to us. They remain the primary Data Controller responsible for determining how and why your data is processed.
Note for U.S. Healthcare Organizations: For healthcare organizations subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Inquira Health acts as a “Business Associate” and the customer is the “Covered Entity.” This relationship is governed by a formal Business Associate Agreement (BAA) that we execute with each customer. This BAA ensures that any Protected Health Information (PHI) we handle is protected in accordance with HIPAA’s Privacy, Security, and Breach Notification Rules.
For general questions or requests, you may also reach us at support@inquira.health.
Our Role as a Data Processor
- Data Controller: The organization (healthcare provider or technical supplier) that decides the purposes and means of processing personal data.
- Data Processor: Inquira Health processes personal data strictly on behalf of and according to the instructions of the Data Controller. This relationship is governed by a Data Processing Agreement (DPA) or similar contractual arrangement.
Types of Data We Process
Depending on the workflow or integration designed by our customers, we may process:
- Patient & User Identifiers
  - Name, phone number, email address, date of birth, patient ID, etc.
- Interaction Data
  - Voice Calls: Call metadata (time, date, duration), transcripts (if generated for scheduling or intake), call recordings (if enabled).
  - Chat Sessions: Chat messages and metadata (timestamps, user identifiers), which may include personal or health-related information if shared by the user.
- File Uploads in Chat
  - Users may optionally upload files (e.g. documents or images) during chat interactions. We store and process the content of these files solely to provide the requested service (e.g. extracting specific data points or sharing the file content with the Data Controller as part of the chat flow).
- Appointment & Healthcare Information
  - Appointment dates, times, locations, clinician names, or other scheduling details.
  - Additional health-related data the Data Controller instructs us to collect or process (e.g. triage questions, symptom descriptions).
We do not determine the scope of personal data collected; our customers configure the workflows and decide what information is collected via call, chat, and file uploads.
Purpose of Processing
We process personal data solely to deliver the Conversational AI services requested by our customers, including but not limited to:
- Scheduling Appointments: Automating booking, rescheduling, or confirmations.
- Patient/Client Intake: Gathering demographic or medical history details when authorized.
- General Support or Triage: Providing chat or voice assistance to address user questions or direct them to the right department.
- Service Improvements: Using aggregated data to ensure quality control and enhance service reliability.
- Customer Support: Troubleshooting or resolving technical issues related to our voice or chat services.
We do not process personal data for independent marketing or profiling. All processing is performed on our customers’ behalf, following their instructions.
Legal Basis (GDPR)
As a Data Processor, we rely on our customers’ legal bases for processing under GDPR. Common legal bases for healthcare providers or IT suppliers include:
- Patient Consent (if required by local regulations)
- Contractual Necessity (e.g. providing care, scheduling, or client services)
- Legal Obligations (compliance with healthcare regulations)
- Legitimate Interests (e.g. improving patient care, reducing administrative burden), provided this does not override the data subject’s rights
Data Storage & Retention
- Retention: We store personal data for as long as instructed by our customer. Once the data is no longer needed or upon termination of our contract, we delete or anonymize the data, unless a longer retention period is required by law or specific contractual obligations.
- Deletion upon Request: If a Data Controller requests that we delete specific personal data (e.g. in response to a user exercising their right to erasure), we comply promptly, in line with our contractual obligations.
Subprocessors
We may engage trusted Subprocessors to assist in delivering our AI-based services (e.g. cloud hosting, telephony infrastructure, chat platform providers). Each subprocessor is vetted to ensure compliance with relevant data protection laws, and we enter into written agreements requiring them to process data only according to our instructions and with appropriate safeguards.
For more details, please see our Subprocessors List or contact us at support@inquira.health.
International Data Transfers
We are committed to maintaining data residency.
- For European Customers: Personal data is processed and stored exclusively within the European Union (EU) and is processed as per the Data Processing Agreement (DPA) signed with our customers.
- For U.S. Customers (HIPAA): Protected Health Information (PHI) is processed and stored exclusively within our designated U.S. data region. We do not transfer PHI outside of the United States.
This commitment to data residency applies to all patient, chat, and interaction data processed by Inquira.
Billing Information: The only instance of international data transfer involves customer billing information (e.g. for healthcare organizations or technology suppliers) to Stripe, for invoicing and payment processing. This may include details such as company name, billing address, and payment method. No patient or end-user information is transferred as part of this billing process. When a transfer does occur for billing purposes, we ensure appropriate legal safeguards, such as Standard Contractual Clauses (SCCs).
Security & Confidentiality
We take technical and organizational measures to secure personal data from unauthorized access, disclosure, alteration, or destruction. These may include:
- Encryption in transit and at rest
- Access Controls (role-based permissions, multi-factor authentication)
- Regular Security Assessments and penetration testing
- Staff Training on data privacy and security best practices
Inquira Health employees and authorized contractors are bound by confidentiality obligations regarding any personal data they handle. For additional information, visit our Trust Center.
Data Subject & Patient Rights
Since we act as a Data Processor (under GDPR) or Business Associate (under HIPAA), individuals who wish to exercise their privacy rights should contact the Data Controller or Covered Entity (i.e., the healthcare provider or IT supplier who is our customer).
- For GDPR: We will cooperate with our customers to help fulfill data subject requests (access, rectification, erasure, etc.) in accordance with our Data Processing Agreement (DPA).
- For HIPAA: We will assist our customers (Covered Entities) in meeting their obligations to honor patient rights, such as the right of access and the right to amend PHI, as specified in our Business Associate Agreement (BAA). We do not respond directly to patient requests.
Breach Notification
If we become aware of a personal data breach affecting the data we process on behalf of a customer, we will:
- Notify the Data Controller without undue delay.
- Provide the Data Controller with all necessary information to comply with any regulatory or legal requirements (e.g. notifying supervisory authorities or affected individuals).
Children’s Data
Our services may process children’s data only under the Data Controller’s instructions. For example, if a pediatric clinic uses our scheduling services or chat, they may send information about a child. We do not knowingly process children’s data outside of such instructions, and we rely on the Data Controller to ensure they have any necessary parental or guardian consent.
Changes to This Product Privacy Policy
We may update this Policy periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we update the Policy, we will revise the “Last Updated” date. Significant changes may be communicated to our customers directly.
Contact Information
Inquira Technologies B.V.
Dutch Chamber of Commerce Number (KvK): 95495460
Rotterdam, The Netherlands
For responsible disclosure of security vulnerabilities, please visit our responsible disclosure page.