Privacy Policy

Effective Date: 10 September 2025

1. Who we are

MediSphereXR ("we", "us", "our") provides a software platform for immersive 3D/XR viewing, collaboration, and case libraries for healthcare education and planning.

2. Scope

This Policy explains how we collect, use, share, and protect personal data when you:

  • Visit our websites and web dashboard;
  • Use our XR applications (e.g., Meta Quest);
  • Create an account or join an organization workspace;
  • Upload models/content (including DICOM and 3D files);
  • Communicate with us; or participate in trials and events.

3. Data we collect

  • Account & Identity Data: name, email, password hash, organization, role, team codes, SSO identifiers.
  • Usage & Log Data: app events, session metadata, device/OS/browser info, IP (approximate location), timestamps, crash reports.
  • Device & XR Data: headset type, controllers, performance metrics, optional microphone for in-session audio (not stored unless expressly enabled).
  • Content Data: models and files you upload (e.g., DICOM, STL/OBJ/FBX), annotations, labels, case metadata.
  • Support & Communications: messages, feedback, tickets.
  • Payment Data: handled by our payment processor (we do not store full card numbers).
  • Cookies/Similar Tech: to remember preferences, enable security, and analyze usage.

4. Purposes & legal bases

We use data to: Provide the service (contractual necessity); Secure and maintain (legitimate interests/legal obligations); Improve the product (legitimate interests with opt-outs where required); Communicate (consent/legitimate interests); and Comply with law (legal obligations).

5. Medical/clinical content & PHI

You are responsible for ensuring uploads are anonymized/de-identified as required by applicable law and contracts. For covered entities (e.g., HIPAA), we can execute a Business Associate Agreement (BAA) and provide controls to support compliance. We do not use customer content for advertising or for training general models.

6. Cookies & analytics

We use necessary cookies and, where permitted, analytics to understand how features are used. You can manage preferences via your browser and any in-product cookie banner (if present).

7. Sharing of data

We do not sell personal data. We may share with:

  • Service providers/sub-processors (hosting, storage, analytics, support, email/SMS, payments);
  • Organization admins (for workspace governance, billing, audit);
  • Legal/Compliance (if required by law); and
  • In business transfers (merger, acquisition, reorg).

8. International transfers

Data may be processed in countries different from yours. Where required, we use Standard Contractual Clauses or other approved mechanisms.

9. Security

We implement administrative, technical, and organizational safeguards, including encryption in transit and at rest, role-based access controls and SSO/2FA, audit logs, and vulnerability management. No system is perfectly secure; we will notify you of certain incidents as required by law.

10. Retention

We may retain data to comply with legal obligations or resolve disputes. Data is retained for the following periods:

  • Account & workspace data: life of the account plus a limited period (e.g., 90 days) after closure unless law requires longer.
  • Logs/analytics: typically 12 months in aggregate form.
  • Backups: rolling cycles (e.g., 35 days).
  • Trial accounts: content may be deleted after trial expiry if not converted.

11. Your rights

All users of MediSphereXR, regardless of their geographic location, have the right to request the deletion of their personal data. In addition, depending on your local laws, you may also have rights to access, correct, port, restrict, or object to the processing of your data, and withdraw consent where applicable. To exercise these rights, including requesting deletion, please contact us at privacy@medispherexr.com. We will verify your identity and respond within the required timelines.

12. Children's privacy

MediSphereXR is not intended for children under 16 (or lower age as permitted by local law). We do not knowingly collect data from children without appropriate consent.

13. Third-party services

Our platform may link to third-party services (e.g., SSO, cloud storage). Their privacy practices are governed by their own policies.

14. Changes to this Policy

We may update this Policy and will indicate the Effective Date and, where material, provide notice via the service or email.

15. Contact

Email: privacy@medispherexr.com

Address: 6th Floor Angels Arcade, South Kalamassery, Kochi, Kerala, India 682022

16. Controller vs. Processor

For personal accounts, we are typically the Controller of account/usage data. For organization workspaces, the organization is the Controller of content data; we act as Processor under the applicable agreement.

17. Jurisdiction-specific notices

  • EU/UK: GDPR lawful bases listed above; complaints to your local data protection authority are available.
  • US (California): We do not "sell" personal information; limited "sharing" may occur for analytics. You may opt out where required.
  • India (DPDP 2023): You can withdraw consent where consent is the basis and request grievance reparation.
  • KSA (PDPL): Cross-border transfers use approved mechanisms; local hosting/residency can be discussed for the enterprise.