Privacy Policy

Porcupine LLC ("Porcupine," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website, use our platform, or interact with our medical imaging services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Services.

1. Information We Collect

1.1 Information You Provide Directly

We may collect the following information when you create an account, contact us, or use our Services:

• Name, email address, phone number, and institutional affiliation
• Professional credentials and licensure information
• Account credentials (username and password)
• Communications you send to us (support requests, feedback, inquiries)

1.2 Medical and Imaging Data

In the course of providing our medical imaging AI pipeline services, we may process medical images (including DICOM files, X-rays, CT scans, MRIs, and PET scans), associated metadata, and related clinical information. When such data constitutes Protected Health Information ("PHI") under HIPAA, we process it solely on behalf of and under the direction of covered entities pursuant to a Business Associate Agreement ("BAA").

1.3 Automatically Collected Information

When you access our website or Services, we automatically collect:

• IP address, browser type, and operating system
• Device identifiers and screen resolution
• Pages visited, timestamps, and referral URLs
• Interaction data such as clicks and scroll behavior

1.4 Cookies and Tracking Technologies

We use strictly necessary cookies to ensure proper website functionality. We may also use analytics cookies to understand how visitors interact with our website. We do not use cookies or tracking technologies to collect, transmit, or store Protected Health Information. You can manage cookie preferences through your browser settings.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: To provide, maintain, and improve our medical imaging platform and AI pipeline services
• Image processing: To process and analyze medical images through our AI models as directed by authorized healthcare providers
• Communications: To respond to your inquiries, provide technical support, and send service-related notifications
• Research and development: To improve our algorithms and services using de-identified or aggregated data in accordance with applicable law
• Security: To detect, prevent, and address fraud, security incidents, and technical issues
• Legal compliance: To comply with applicable laws, regulations, and legal processes, including HIPAA
• Analytics: To analyze usage patterns and optimize the performance of our Services

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

• Service providers: With third-party vendors who assist in operating our Services (e.g., cloud hosting, analytics), all of whom are bound by appropriate data protection agreements and, where applicable, Business Associate Agreements
• Healthcare providers: We return analysis results and processed imaging data to the healthcare providers who submitted them
• Legal requirements: When required by law, regulation, subpoena, court order, or governmental request
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with appropriate protections for your data
• De-identified data: We may share aggregated or de-identified data that cannot reasonably be used to identify you, in accordance with HIPAA Safe Harbor or Expert Determination standards
• With your consent: For any purpose not described above, we will obtain your explicit consent before sharing your information

4. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-factor authentication
• Comprehensive audit logging and continuous monitoring
• Regular security assessments and penetration testing
• SOC 2 Type II compliance across our infrastructure
• Employee training on data protection and HIPAA requirements
• Documented incident response procedures

While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

5. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Medical records and PHI are retained in accordance with applicable federal and state retention requirements. When data is no longer needed, we securely delete or de-identify it.

6. Your Privacy Rights

6.1 HIPAA Rights

If we maintain your Protected Health Information, you may have the following rights under HIPAA, which you can exercise by contacting us or the healthcare provider who submitted your data:

• Right to access and obtain a copy of your PHI
• Right to request amendment of your PHI
• Right to an accounting of disclosures of your PHI
• Right to request restrictions on certain uses and disclosures
• Right to request confidential communications
• Right to receive notification of a breach of your unsecured PHI

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights, including:

• Right to know what personal information we collect and how it is used
• Right to request deletion of your personal information
• Right to opt out of the sale or sharing of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

6.3 Exercising Your Rights

To exercise any of your privacy rights, please contact us at [email protected]. We will respond to verified requests within the timeframes required by applicable law (30 days for HIPAA requests, 45 days for CCPA requests).

7. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete such information promptly.

8. International Data Transfers

Our Services are operated in the United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using our Services, you consent to such transfer and processing.

9. Business Associate Agreements

When Porcupine LLC processes PHI on behalf of a covered entity, we do so under a Business Associate Agreement that establishes the permitted uses and disclosures of PHI, requires appropriate safeguards, and ensures compliance with HIPAA. Healthcare providers seeking to engage our Services should contact us to execute a BAA prior to transmitting any PHI.

10. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page with a revised effective date. For material changes, we will provide additional notice, such as an email notification or a prominent notice on our website. Your continued use of our Services after any changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

• Porcupine LLC
• Email: [email protected]

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr or by calling 1-800-368-1019.