Privacy Policy
Effective Date: March 30, 2026
1. Introduction
MyoSkel AI ("we," "us," or "our") operates a medical education SaaS platform designed for orthopedic surgical residents. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our website and services. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable data protection laws.
2. Information We Collect
We collect the following categories of personal data:
- Identity Data: Full name
- Contact Data: Email address
- Professional Data: Post-Graduate Year (PGY) level, affiliated institution, and scheduled examination date
- Usage Data: Information about how you interact with our platform, including study progress, quiz results, and feature usage
- Technical Data: IP address, browser type, device information, and cookies
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases as defined by Article 6 of the GDPR:
- Consent: You provide explicit consent when creating an account and opting in to communications.
- Contractual Necessity: Processing is necessary for the performance of our service agreement with you.
- Legitimate Interests: We may process data for analytics and platform improvement where it does not override your fundamental rights.
- Legal Obligation: We may process data to comply with applicable laws and regulations.
4. How We Use Your Information
- To provide, maintain, and personalize our AI-driven medical education services
- To create and manage your account and authenticate your identity
- To adapt study content to your PGY level, institution, and exam schedule
- To communicate with you regarding account activity, updates, and support
- To analyze usage patterns and improve platform performance and content
- To comply with legal and regulatory obligations
5. HIPAA Compliance
While MyoSkel AI is primarily an educational platform and does not function as a healthcare provider, we recognize that certain user data may be considered Protected Health Information (PHI) under HIPAA. Accordingly, we implement the following safeguards:
- Administrative Safeguards: Role-based access controls, workforce training, and security management processes
- Technical Safeguards: AES-256 encryption at rest, TLS 1.2+ encryption in transit, audit logging, and automatic session termination
- Physical Safeguards: Our cloud infrastructure providers maintain SOC 2 Type II and HIPAA-compliant data center certifications
- Business Associate Agreements (BAAs): We execute BAAs with all third-party service providers who may access or process PHI on our behalf
6. Data Sharing and Disclosure
We do not sell your personal data. We may share your information only in the following circumstances:
- Service Providers: With trusted third-party vendors who assist in operating our platform (e.g., hosting, analytics, email delivery), subject to data processing agreements
- Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice to affected users
- With Consent: When you have provided explicit consent for a specific disclosure
7. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of processing under certain conditions
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at info@myoskelai.com. We will respond within 30 days.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. When your data is no longer needed, we will securely delete or anonymize it. You may request deletion of your account and associated data at any time by contacting us.
9. International Data Transfers
If your data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision. All transfers comply with Chapter V of the GDPR.
10. Cookies and Tracking Technologies
We use essential cookies required for platform functionality and authentication. We may also use analytics cookies to understand usage patterns. You can manage your cookie preferences through your browser settings. For more details, refer to the cookie banner shown on your first visit.
11. Security Measures
We implement industry-standard technical and organizational measures to protect your data, including encryption in transit and at rest, regular security assessments, intrusion detection systems, and access controls. Despite these measures, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take immediate steps to delete that information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on our website with an updated effective date. Your continued use of the platform after such changes constitutes acceptance of the revised policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
MyoSkel AI
Email: info@myoskelai.com
For GDPR-related inquiries, you may also lodge a complaint with your local supervisory authority.