GDPR Compliance

Last Updated: April 9, 2026

1. Understanding GDPR

The General Data Protection Regulation (GDPR), formally known as EU Regulation 2016/679, is one of the most comprehensive data protection laws in the world. It establishes strict rules for the processing of Personal Data of individuals within the European Economic Area (EEA).

Volumetryx Inc. (volumetryx.ai) is committed to upholding GDPR standards where applicable, ensuring that all data processing activities involving EEA individuals meet the regulation's requirements for transparency, security, and accountability.

2. How We Collect and Process Data

Volumetryx collects and processes data in two primary contexts:

• Website Interactions: When you visit our website, submit inquiries, or communicate with us through our online channels.
• Under Service Agreements: When we provide services to our clients, which primarily involves the processing of De-identified Data along with client account and contact information necessary for service delivery.

3. Data Collected Via Our Website

We collect Personal Data through our website via the following means:

• Online contact forms and inquiry submissions
• Email correspondence initiated by visitors or prospects
• Cookies and tracking technologies deployed on our website

This data is used for the following purposes:

• Responding to your requests and inquiries
• Providing information about our services
• Facilitating ongoing communications
• Improving website functionality and user experience

Lawful Bases: We process website data on the basis of legitimate interests (e.g., responding to inquiries, improving our services) and consent (e.g., for marketing communications and non-essential cookies).

4. Data Processing Under Service Agreements

Client Information (Controller Role)

Volumetryx acts as a Data Controller for the Personal Data of our client contacts, such as names, email addresses, job titles, and professional details necessary for account management and service delivery.

Lawful Bases: Contract performance (processing necessary to fulfill our service agreements) and legitimate interests (maintaining client relationships, communicating about services).

Medical Data Processing (Processor / De-identified Data Focus)

Our core service involves the analysis of De-identified Medical Data — imaging data from which all personal identifiers have been removed. Properly de-identified data falls outside the scope of GDPR, as it no longer relates to an identifiable natural person.

In cases where clients provide identifiable data for the purpose of de-identification, Volumetryx acts as a Data Processor under a Data Processing Agreement (DPA) in accordance with GDPR Article 28. In this capacity, we:

• Implement robust technical and organizational measures to ensure data security in accordance with GDPR Article 32
• Fulfill all processor obligations regarding security, breach notification, and cooperation with data subject rights requests
• Process data strictly in accordance with the client's documented instructions
• Ensure that personnel authorized to process the data are bound by confidentiality obligations

5. Data Security, Access, and Storage

Security Measures

Volumetryx implements appropriate technical and organizational safeguards as required by GDPR Article 32. These measures are designed to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Access Control

Access to Personal Data is restricted to authorized personnel only, on a need-to-know basis. All personnel with access to Personal Data are bound by strict confidentiality obligations, whether by contract or statutory duty.

Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or support legitimate business needs. We conduct regular reviews of stored data and apply secure deletion or anonymization procedures when data is no longer required.

6. Tracking, Cookies, and Analytics

Our website uses cookies and similar tracking technologies for the following purposes:

• Essential website functionality and security
• Tracking and performance monitoring
• User experience improvement
• Website analytics and usage insights

We deploy a consent management tool to obtain your explicit opt-in consent before activating any non-essential cookies, in compliance with GDPR requirements.

We use Google Analytics for website analytics. You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on or by adjusting your cookie preferences through our consent management tool.

We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid expression of your privacy preferences.

7. Your GDPR Rights and Contacting Us

Under the GDPR, if you are an individual within the EEA, you have the following rights regarding your Personal Data:

• Right of Access: Request confirmation of whether we process your Personal Data and obtain a copy of it.
• Right to Rectification: Request correction of inaccurate or incomplete Personal Data.
• Right to Erasure: Request deletion of your Personal Data where there is no compelling reason for its continued processing.
• Right to Restriction of Processing: Request that we limit the processing of your Personal Data under certain circumstances.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Data Portability: Request your Personal Data in a structured, commonly used, and machine-readable format.
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights or for any questions regarding our GDPR compliance, please contact our Privacy Officer:

Privacy Officer, Volumetryx Inc.
Volumetryx Inc., Montreal, QC, Canada
contact@volumetryx.ai

We will respond to data subject requests within 30 days of receipt.

You have the right to lodge a complaint with your local data protection supervisory authority.

A Data Processing Agreement (DPA) is available upon request for all clients.

For the full details of our data processing practices, please refer to our Global Privacy Policy. Any updates to our GDPR compliance practices will be reflected there.