Privacy Policy
Your privacy and data security are fundamental to our healthcare cybersecurity mission.
1. Introduction
CryptIoMT ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our cybersecurity risk management platform for medical devices.
By using CryptIoMT, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
Account Information
- Name, email address, phone number
- Organization name and role
- Password (encrypted)
Device Data (Customer Data)
- Medical device inventory (manufacturer, model, serial numbers)
- Network information (IP addresses, subnets, VLANs)
- Device specifications (OS version, firmware)
- Risk assessments and classifications
- Tags, notes, and custom fields
- User-assigned ownership and department
Communication Data
- Support requests and correspondence
- Training session notes
- Assessment request forms
2.2 Automatically Collected Information
Usage Data
Login times, features accessed, pages viewed, search queries, and actions taken (filters applied, reports generated).
Technical Data
IP address, browser type and version, device type and operating system, referral source.
Cookies and Tracking
- Session cookies (required for functionality)
- Analytics cookies (optional, can be disabled)
- Authentication tokens
3. How We Use Your Information
Provide the Service
- Authenticate users and manage accounts
- Display device inventory and risk assessments
- Generate CVE matches and vulnerability alerts
- Create reports and compliance documentation
- Facilitate expert consulting services
Improve the Service
- Analyze usage patterns to enhance features
- Identify and fix technical issues
- Develop new functionality based on user needs
Communicate with You
- Send service notifications and alerts
- Provide technical support
- Deliver scheduled reports and digests
- Share security updates and best practices
Ensure Security & Compliance
- Detect and prevent fraud or unauthorized access
- Monitor for security threats and maintain audit logs
- Comply with HIPAA, FDA, and other regulations
- Respond to legal requests and enforce Terms of Service
4. Protected Health Information (PHI)
4.1 HIPAA Compliance
CryptIoMT may process data that is associated with or references Protected Health Information (PHI) under HIPAA.
Business Associate Agreement (BAA)
- Healthcare organizations subject to HIPAA must execute a BAA with CryptIoMT
- The BAA defines how we handle, protect, and use PHI
- Contact compliance@cryptiomt.com to request a BAA
4.2 PHI Handling
We implement HIPAA-required safeguards including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication
- Audit logging of all PHI access
- Regular security risk assessments
- Workforce training on PHI handling
- Incident response procedures
4.3 Minimum Necessary Standard
We access and use only the minimum amount of PHI necessary to provide the Service.
5. How We Share Your Information
We do NOT sell your personal information or Customer Data.
5.1 Service Providers
We share information with trusted third-party providers who assist in operating the Service:
All service providers are contractually obligated to protect your data and use it only for specified purposes.
5.2 Expert Consultants
When you engage our expert consulting services, your device data and risk assessments may be shared with CryptIoMT security consultants to provide tailored recommendations.
5.3 Legal Requirements
We may disclose information if required by law (court orders, subpoenas), for government investigations, to protect rights/safety, or to enforce our Terms of Service.
5.4 Business Transfers
If CryptIoMT is acquired or merged, your information may be transferred to the successor entity. You will be notified of any such change.
5.5 With Your Consent
We may share information for other purposes with your explicit consent.
6. Data Security
6.1 Security Measures
Technical Safeguards
- Encryption in transit (TLS) and at rest (AES-256)
- Multi-factor authentication
- Role-based access controls
- Regular security patches
- Intrusion detection
- Automated backups
Administrative Safeguards
- Security policies and procedures
- Employee background checks and training
- Incident response plan
- Regular risk assessments
Physical Safeguards
- Secure data centers with 24/7 monitoring
- Access controls and surveillance
- Environmental controls (fire, flood, climate)
6.2 Data Breach Notification
In the event of a data breach involving PHI or personal information:
- We will notify affected users within 72 hours of discovery
- We will provide details of the breach and remediation steps
- For PHI breaches, we will comply with HIPAA breach notification requirements
Report breaches to: security@cryptiomt.com
7. Data Retention
7.1 Active Accounts
We retain your information for as long as your account is active or as needed to provide the Service.
7.2 Deleted Accounts
- Customer Data is retained for 30 days to allow export
- After 30 days, data is permanently deleted unless we are legally required to retain it
- Audit logs retained up to 7 years for compliance
7.3 Backup Retention
Backup copies may persist for up to 90 days after deletion.
8. Your Privacy Rights
8.1 Access and Portability
- Access your personal information and Customer Data
- Export your data in CSV or JSON format
- Request a copy of your audit logs
8.2 Correction
You may update or correct inaccurate information through your account settings or by contacting support.
8.3 Deletion
You may request deletion of your account and data. We will comply within 30 days unless legally required to retain information.
8.4 Restriction and Objection
You may request restrictions on processing or object to certain uses of your information.
8.5 California Privacy Rights (CCPA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of sale (we do not sell data)
- Right to non-discrimination for exercising privacy rights
8.6 European Privacy Rights (GDPR)
EU/EEA residents have rights under GDPR including data access, portability, erasure, and the right to lodge a complaint with a supervisory authority.
To exercise your rights, contact: privacy@cryptiomt.com
9. Cookies and Tracking Technologies
9.1 Types of Cookies
Essential Cookies (Required)
- Authentication and session management
- Security and fraud prevention
- Load balancing
Analytics Cookies (Optional)
- Usage statistics and feature adoption
- Performance monitoring
- Can be disabled in your browser
9.2 Cookie Management
You can control cookies through your browser settings. Disabling essential cookies may limit functionality.
Do Not Track: We currently do not respond to "Do Not Track" signals.
10. Third-Party Services and Links
10.1 External Data Sources
The Service integrates data from:
- National Vulnerability Database (NVD)
- CISA Known Exploited Vulnerabilities (KEV)
- FDA Medical Device Safety Communications
These sources have their own privacy policies. We are not responsible for their practices.
10.2 External Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of external sites.
11. Children's Privacy
CryptIoMT is not intended for individuals under 18. We do not knowingly collect information from children. If we become aware of such collection, we will delete it immediately.
12. International Data Transfers
Your information may be transferred to and processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers.
For EU/EEA users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
For material changes, we will notify you via:
- Email to account administrators
- In-app notification
- Prominent website notice
Continued use after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related questions or to exercise your rights:
CryptIoMT Privacy Team
Email: privacy@cryptiomt.com
Phone: 414-943-9726
For HIPAA/BAA inquiries: compliance@cryptiomt.com
For security incidents: security@cryptiomt.com
© 2025 CryptIoMT. All rights reserved.