Privacy Policy

Last Updated: April 9, 2026

1. Introduction and Scope

Welcome to Volumetryx Inc., operating volumetryx.ai (the "Website", "Service"). Volumetryx ("we", "us", "our") is committed to protecting the privacy and security of information entrusted to us. This Global Privacy Policy ("Policy") outlines our practices regarding the collection, use, storage, disclosure, and other processing of Personal Information/Data when you interact with our Website, services, or communicate with us.

We strive to comply with applicable data protection laws in the jurisdictions where we operate, including Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

By using our services, you acknowledge you have read and understood this Policy.

Key Definitions

• Personal Information / Personal Data: Any information relating to an identified or identifiable natural person. This includes information Volumetryx collects directly from clients/users and potentially technical data linked to an individual.
• Sensitive Personal Information / Special Category Data: A subset of Personal Information that requires stricter protection, such as health information, genetic data, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, or (under CCPA/CPRA) account log-in credentials, precise geolocation, contents of certain communications.
• De-identified Data: Information originally derived from Personal Information but processed using robust technical and procedural measures to remove or obscure identifiers such that it can no longer reasonably be used to identify an individual.
• Processing: Any operation performed on Personal Information/Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, dissemination, or destruction.

2. Our Commitment to De-identification

A core function of Volumetryx involves processing medical imaging data. Our primary operational goal is to work exclusively with De-identified Data. Where we receive potentially identifiable medical data from our clients for the purpose of de-identification and analysis, we treat it with the highest level of security and confidentiality consistent with its sensitive nature until the de-identification process is complete.

3. Privacy Officer / Data Protection Officer

Volumetryx has designated a Privacy Officer (also serving as Privacy Officer for GDPR purposes) responsible for overseeing compliance with this Policy and applicable privacy laws. Contact details are provided in Section 14.

4. Information We Collect, Purposes, and Lawful Bases

We collect and process different categories of information for specified purposes. Where GDPR applies, we rely on specific lawful bases for processing Personal Data:

Category	Examples	Purposes	Lawful Basis (GDPR)
Client Contact & Professional Info	Name, email, phone, job title, institution	Service delivery, account management, communication	Contract, Legitimate Interests, Consent
Account Information	Usernames, passwords (hashed), preferences	Access to services, account management, security	Contract, Legitimate Interests
Communication Info	Support requests, feedback, inquiries	Customer support, service improvement	Legitimate Interests, Consent
Technical & Usage Info	IP address, browser type, cookies, usage patterns	Website operation, security, analytics	Legitimate Interests, Consent
Marketing Info	Email (opt-in), marketing preferences	Promotional communications, updates	Consent (explicit opt-in)
De-identified Medical Data	Volumetric data from medical images	Core analytical services, R&D	N/A (not Personal Data)
Sensitive Personal Info	Health identifiers before de-identification	De-identification, security	Explicit Consent, Legal Obligation

Sources of Information: We collect information directly from you (e.g., forms, contact), automatically through technology (e.g., cookies), and potentially from our clients who provide data (primarily de-identified) for processing under agreements.

5. Cookies, Tracking Technologies, and Global Privacy Control

Our Website uses cookies and similar technologies. Essential cookies are necessary for functionality. For non-essential cookies (e.g., analytics, performance), we request your explicit opt-in consent before deployment, in line with GDPR and Law 25 requirements. You can manage your preferences through our consent management tool or your browser settings.

Global Privacy Control (GPC): For users whose browser signals the Global Privacy Control (GPC) or similar recognized opt-out preference signals under the CCPA/CPRA, we process such signals as a valid request to opt-out of the "sale" or "sharing" of Personal Information to the extent required by law.

6. Data Sharing and Disclosure

• No Sale or Sharing (CCPA/CPRA): We do not "sell" Personal Information as commonly understood or as defined by the CCPA/CPRA. We also do not "share" Personal Information for cross-context behavioral advertising.
• Service Providers: We engage trusted third parties (processors) to perform functions on our behalf. They are bound by contractual agreements to process data only for our specified purposes.
• De-identified Data: We share aggregated insights or results derived from De-identified Medical Data with our clients per our service agreements.
• Legal Requirements: We may disclose information if required by law, subpoena, or legal process.
• Business Transfers: In case of a merger, acquisition, or asset sale, information may be transferred, subject to confidentiality agreements.
• With Consent: We may share Personal Information with other third parties based on your explicit consent.

7. International Data Transfers

Your Personal Information may be processed and stored by us or our service providers in locations outside of your home jurisdiction. We implement appropriate safeguards:

• Transfers outside Quebec: We conduct Privacy Impact Assessments (PIAs) and ensure comparable protection.
• Transfers outside the EEA: We rely on Adequacy Decisions or Standard Contractual Clauses (SCCs) with supplementary measures.
• Other Transfers: We ensure compliance using appropriate contractual and security safeguards.

8. Data Security

We implement and maintain reasonable and appropriate technical, organizational, and administrative security measures designed to protect Personal Information against unauthorized access, disclosure, alteration, loss, or destruction. Measures include encryption, access controls, security assessments, staff training, and confidentiality agreements. However, no system is 100% secure.

9. Data Retention

We retain Personal Information only for as long as reasonably necessary to fulfill the purposes for which it was collected, provide our services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable legal and regulatory obligations. When no longer needed, Personal Information is securely deleted or properly anonymized/de-identified.

10. Your Privacy Rights

Depending on your jurisdiction (such as Quebec, the EU/EEA, or California), you may have the following rights:

• Right to Know / Access: Request information about the Personal Information we process.
• Right to Rectification / Correction: Request correction of inaccurate or incomplete data.
• Right to Erasure / Deletion: Request deletion of your Personal Information, subject to exceptions.
• Right to Restrict Processing (GDPR): Request limitation on processing under certain conditions.
• Right to Object (GDPR): Object to processing based on legitimate interests or for direct marketing.
• Right to Data Portability: Request a copy in a structured, machine-readable format.
• Right to Withdraw Consent: Withdraw previously given consent at any time.
• Right to Opt-Out of Sale / Sharing (California): We do not sell or share Personal Information as defined by CCPA/CPRA.
• Right to Non-Discrimination: You will not be discriminated against for exercising your rights.

How to Exercise Your Rights: Contact our Privacy Officer using the details in Section 14. We will verify your identity and respond within mandated timeframes.

Right to Lodge a Complaint:

• In Quebec: Commission d'accès à l'information du Québec (CAI)
• In the EU/EEA: Your local Data Protection Supervisory Authority
• In California: The California Privacy Protection Agency (CPPA)

11. Sensitive Personal Information / Special Category Data

We recognize that certain data requires heightened protection. Our primary work involves De-identified Data. If we process Sensitive Personal Information, we do so only for specified, legitimate purposes with enhanced security measures appropriate to its sensitivity.

We do not engage in automated decision-making or profiling.

12. Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect Personal Information from children without appropriate parental or guardian consent. If you believe we have inadvertently collected such information, please contact our Privacy Officer immediately.

13. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. The "Last Updated" date at the top indicates the latest revision.

14. Contact Information

For any questions, concerns, requests to exercise your rights, or complaints regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer, Volumetryx Inc.
Volumetryx Inc., Montreal, QC, Canada
contact@volumetryx.ai