Privacy Policy — Pixacare

Pixacare Application

Privacy Policy

Last updated: March 2026

This policy describes how Pixacare SAS collects, uses, retains, and protects personal data in connection with the use of the Pixacare mobile and web application.

Pixacare is a clinical documentation solution designed for healthcare professionals. The Application processes health data as defined under Regulation (EU) 2016/679 (GDPR). The Pixacare medical device bears the CE mark (Class IIa for artificial intelligence modules, Class I for the core platform).

By using the Application, you agree to the practices described in this policy. This policy supplements the General Terms and Conditions of Sale and Use (GTC).

1. Data Controller

Publisher: Pixacare SAS
SIRET: 849 620 398 00032
Registered office: 2 rue Marie Hamm, 67000 Strasbourg, France
GDPR contact: gdpr@pixacare.com
DPO: Appointment in progress. Contact: gdpr@pixacare.com

Pixacare acts as data controller with respect to user data (healthcare professionals) and as data processor within the meaning of the GDPR with respect to patient data, processed on behalf of the healthcare professional or healthcare institution.

2. Data Collected

2.1 User data (healthcare professionals)

When you register and use the Application, we collect:

  • First and last name
  • Email address
  • Medical specialty
  • Phone number (optional)

2.2 Patient data

In the context of patient care, the healthcare professional may enter the following data through the Application:

  • Patient's first name, last name, and date of birth
  • Patient identification number (MRN, admission number, NIP)
  • Medical photographs and videos
  • Measurements and analyses produced by artificial intelligence (wound surface area, tissue composition)
  • Patient consent, clinical questionnaires, wound healing reports, eCRF data

This data is collected with the patient's written consent, obtained by the healthcare professional in accordance with applicable regulations.

2.3 Technical data collected automatically

The Application automatically collects certain technical data required for its operation, security, and service improvement:

  • IP address
  • Device model, operating system version, and Application version
  • Device identifier (device token)
  • Connection and activity logs (audit trail)
  • Push notification token (Expo Push Token)
  • Session cookies (web version only)

3. Purposes and Legal Bases for Processing

Purpose | Legal basis
Provision and management of access to the Application | Performance of a contract (Art. 6(1)(b) GDPR)
Secure hosting of medical data (HDS-certified) | Performance of a contract; legal obligation
Clinical decision support (AI modules) | Patient consent; legitimate interest (improvement of care)
Subscription management and billing | Performance of a contract
Push notifications and messaging | Performance of a contract; consent (marketing notifications where applicable)
Security, fraud detection, and audit | Legitimate interest; legal obligation
Service improvement and bug fixing | Legitimate interest

4. Third-Party Services and Integrated SDKs

The Application integrates the following third-party services, which are necessary for its operation:

Service | Function | Data processed
Sentry | Error monitoring and crash reporting | Crash logs, stack traces, device information, user and client identifiers
Firebase Analytics | Application usage analytics | Usage events, session duration, device information
Firebase Authentication | Authentication for the messaging module | Authentication token (rtpToken)
Firebase Firestore | Database for the messaging module (chat) | Messages, chat channels, unread message counters
Firebase Cloud Functions | Messaging channel management | HTTP calls for channel creation and updates
Firebase Cloud Messaging / Expo Push Tokens | Push notifications | Device token

Firebase App Distribution is used solely for internal distribution of test builds and is not active in production. None of these services have access to medical photographs or patient clinical data.

5. Application Permissions

The Application requests the following permissions on your device:

Permission | Use
Camera | Capturing medical photographs and videos; scanning patient identification numbers (NIP)
Storage / Files | Temporary local storage in offline mode (deferred synchronization)
Biometrics | Authentication via fingerprint or facial recognition
Push notifications | Receiving activity-related notifications (messages, updates)
Network / Internet access | Communication with Pixacare servers and data synchronization
Contacts (optional) | Sharing medical data between healthcare professionals via the directory

Each permission is requested at the time of its first use. You may revoke these permissions at any time in your device settings, which may limit certain features of the Application.

6. Local Storage on Device

When network connectivity is insufficient, photographs and data pending synchronization are temporarily stored on your device. This data:

  • is retained only until successful synchronization with Pixacare servers;
  • is automatically deleted from local storage after synchronization (via a "hard sync" mechanism and automatic local cleanup);
  • is protected by the native encryption mechanisms of your device's operating system (iOS / Android).

7. Hosting and Data Transfers

Data is hosted exclusively with providers certified as Health Data Hosts (HDS):

  • OVH — primary hosting for customers in France and the European Union. Servers located in France.
  • Microsoft Azure — hosting for international customers. Servers located within the European Economic Area (EEA).

No personal data is transferred outside the European Economic Area without the prior written consent of the Data Controller, in accordance with Article 11.2.6 of our GTC.

8. Data Retention Periods

Data category | Retention period
User data (professional account) | Duration of the subscription. Data is returned and then deleted within 30 days of termination.
Patient data (medical) | Duration determined by the Data Controller. The statutory retention period in France is 20 years. Data is returned and then deleted within 30 days of contract termination.
Technical logs (connection, activity) | 30 days
Analytics and crash reporting data | 30 days
Local storage data (device) | Automatically deleted after successful synchronization

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: obtain confirmation that your data is being processed and receive a copy of it.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data under the conditions provided by law.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to restriction of processing: request suspension of processing under certain circumstances.
  • Right to object: object to the processing of your data on legitimate grounds.
  • Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.
  • Post-mortem directives: define how your data should be handled after your death.

To exercise these rights, send your request to gdpr@pixacare.com, including your first name, last name, address, phone number, and the subject of your request. A copy of a government-issued ID may be required.

Your request will be processed within a maximum of 30 days (extendable by 2 months in complex cases).

You also have the right to lodge a complaint with the CNIL (French data protection authority): www.cnil.fr.

10. Deleting Your Data

You may request deletion of your account and all associated personal data by following the procedure below:

  1. Send an email to gdpr@pixacare.com with your first name, last name, the email address associated with your account, and the subject line "Account Deletion Request".
  2. Pixacare verifies your identity (a copy of a government-issued ID may be requested).
  3. Your medical data is returned to you as an encrypted ZIP file sent by email. The password is transmitted through a separate channel (SMS or phone call).
  4. All your data is permanently deleted from our servers within 30 days of the data return.

11. Data Security

Pixacare implements appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of your data:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest on hosting servers
  • Strong authentication: minimum 12-character password with optional biometric authentication
  • HDS-certified hosting (Health Data Host)
  • ISO 13485 certification (quality management system for medical devices)
  • ISO 27001 certification (hosting provider — information security)
  • CE Class I and Class IIa marking (AI modules) — medical device
  • PGSSI-S compliance
  • Single Sign-On (SSO) via SAML / OAuth / OIDC and two-factor authentication (2FA)
  • Full audit trail of all access and processing operations
  • No data transfers outside the European Economic Area

12. Cookies

The mobile Application does not use cookies. The web version of Pixacare uses strictly necessary session cookies required for the Application to function (authentication, session maintenance). No advertising or tracking cookies are used.

13. Minors' Data

The Application is primarily intended for healthcare professionals. As part of the remote monitoring module, patients may interact with the service (receiving an SMS and taking follow-up photographs). This interaction is initiated and supervised by the treating healthcare professional. Patients do not have access to a user account and cannot use the Application outside of this framework.

For minor patients, the remote monitoring module is only activated with the consent of their legal guardian. The data collected (follow-up photographs) is subject to the same security, hosting, and retention rules as all medical data processed by Pixacare.

14. Policy Updates

Pixacare reserves the right to update this privacy policy at any time. In the event of a material change, users will be notified by email or via an in-app notification at least 30 days before the new provisions take effect.

The date of the last update is indicated at the top of this document. We encourage you to review this page regularly.

15. Contact

For any questions regarding this policy or the processing of your personal data:

Email: gdpr@pixacare.com
Address: Pixacare SAS — 2 rue Marie Hamm, 67000 Strasbourg, France
Website: www.pixacare.com
© Pixacare SAS 2026 — All rights reserved