Privacy Policy
Effective Date: March 16, 2026 — Version 3.0
1. Introduction
Natoe Inc., a Delaware corporation doing business as Natoe AI (“we,” “us,” or “our”), with principal offices located at 29399 US Highway 19 N, Suite #150, Clearwater, Florida 33761, operates the website www.natoe.ai and provides teleradiology services, including remote radiology reading and interpretation services, primarily to healthcare facilities in the State of Florida (collectively, the “Services”). This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website or use our Services.
Natoe AI is a teleradiology company that provides remote diagnostic imaging interpretation services to healthcare facilities in the State of Florida. We are committed to protecting the privacy and security of all information entrusted to us, including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Important: This Privacy Policy governs how we handle information collected through our website and general business operations. For information about how we use and disclose your Protected Health Information in connection with healthcare services, please refer to our separate HIPAA Notice of Privacy Practices, which is available on our website and provided to patients as required by law.
2. Information We Collect
2.1 Information You Provide to Us
We may collect the following categories of information that you voluntarily provide:
- Contact information: name, email address, phone number, and mailing address of healthcare professionals and facility administrators who use our Services.
- Account credentials: usernames and passwords for accessing our teleradiology platform.
- Professional information: medical license numbers, board certifications, National Provider Identifier (NPI) numbers, and professional qualifications of radiologists and referring physicians.
- Business information: facility name, address, billing information, and contractual details of healthcare organizations using our Services.
- Communications: correspondence you send to us, including emails, support tickets, and inquiries.
2.2 Protected Health Information (PHI)
In the course of providing teleradiology services, we receive and process Protected Health Information, including but not limited to:
- Patient demographic information (name, date of birth, medical record number).
- Diagnostic imaging studies (X-rays, CT scans, MRIs, ultrasounds, and other medical images).
- Clinical history and ordering physician notes relevant to imaging interpretation.
- Radiology reports and interpretations.
The use and disclosure of PHI is governed by HIPAA, our Business Associate Agreements with healthcare facilities, and our HIPAA Notice of Privacy Practices. Please refer to that separate document for detailed information about PHI handling.
Natoe may de-identify PHI in accordance with 45 CFR §164.514 using the Safe Harbor or Expert Determination method. De-identified information is not subject to this Privacy Policy or HIPAA. Any de-identification activities are conducted in compliance with HIPAA standards and are used solely for internal quality improvement, AI model development, and operational analytics.
2.3 Information Collected Automatically
When you visit our website, we may automatically collect:
- Device and browser information: IP address, browser type and version, operating system, and device identifiers.
- Usage data: pages visited, time spent on pages, links clicked, and referring URLs.
- Log data: server logs recording access times, error logs, and diagnostic information.
2.4 Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance your experience. Currently, we use only essential cookies for basic website functionality:
- Essential cookies: Required for website functionality, such as session management and security.
We do not currently use third-party analytics, advertising, or tracking cookies. You can control cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.
3. How We Use Your Information
Data Minimization: We collect only the minimum information necessary to provide our Services in compliance with HIPAA and applicable regulations.
We use the information we collect for the following purposes:
- To provide, maintain, and improve our teleradiology services.
- To process and deliver radiology interpretations and reports to referring healthcare facilities.
- To manage user accounts and authenticate access to our platform.
- To communicate with healthcare facilities regarding service delivery, technical support, and billing.
- To comply with legal and regulatory obligations, including HIPAA, state licensing requirements, and healthcare regulations.
- To ensure the security and integrity of our systems and data.
- To conduct quality assurance, peer review, and credentialing activities.
- To respond to legal processes or law enforcement requests, or to protect the rights, property, or safety of our company, our users, or the public.
3.1 AI and Automated Decision-Making
Natoe AI employs artificial intelligence and machine learning technologies to support clinical decision-making and workflow operations. These AI systems are used for:
- Interpretation assistance: Providing analysis and decision support to radiologists during the diagnostic process.
- Case triage and prioritization: Identifying urgent or priority cases to route to radiologists efficiently.
- Quality assurance: Assisting in quality control and consistency checks of radiology interpretations.
- Workflow operations: Automating administrative and operational processes such as case routing and scheduling.
Important: All AI systems serve as decision-support tools only. Final clinical interpretations, diagnoses, and clinical decisions are made exclusively by board-certified radiologists. AI does not make autonomous clinical decisions, and all diagnostic determinations are subject to radiologist review and approval.
Our AI clinical decision support tools have received FDA 510(k) clearance for their intended uses. Natoe maintains documentation of FDA clearance status for all AI/ML tools used in clinical workflows.
4. How We Share Your Information
Natoe AI does not sell, rent, or trade your personal information to third parties. We may share information in the following limited circumstances:
4.1 Healthcare Operations
We share radiology reports and related PHI with referring healthcare facilities and ordering physicians as part of treatment, payment, and healthcare operations, consistent with HIPAA and applicable Business Associate Agreements.
4.2 Service Providers
We maintain our software stack on dedicated server infrastructure hosted at a third-party data center facility. While the software, systems, and data management are entirely under Natoe’s control, the physical server hardware is housed at a third-party hosting provider’s facility. This hosting provider is bound by a Business Associate Agreement and appropriate physical security, confidentiality, and access control requirements. The hosting provider does not have logical access to PHI; physical access to server hardware is restricted and monitored. Beyond this hosting arrangement, we do not use third-party cloud storage providers for PHI. Any other service providers who may have incidental access to systems are bound by appropriate confidentiality and security agreements.
4.3 No International Data Transfers
All Protected Health Information and personal data collected by Natoe is stored and processed exclusively within the United States. We do not transfer, store, or make data accessible from outside the United States.
4.4 Legal Requirements
We may disclose information when required to do so by law, regulation, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights or the safety of others, or to investigate fraud.
4.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
5. Data Security
We implement robust administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of all information, including PHI. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256 or equivalent).
- Role-based access controls limiting data access to authorized personnel.
- Multi-factor authentication for platform access.
- Regular security assessments, vulnerability scans, and penetration testing.
- Comprehensive audit logging and monitoring of system access.
- Physical security controls for server infrastructure.
- Workforce training on HIPAA security and privacy requirements.
- Incident response and breach notification procedures in compliance with HIPAA.
While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
6. Data Retention
We retain information for as long as necessary to fulfill the purposes described in this Privacy Policy and to comply with our legal obligations:
- Protected Health Information: Retained in accordance with HIPAA requirements, applicable state medical records retention laws, and our agreements with healthcare facilities. Radiology reports and images are retained for a minimum of seven (7) years, or longer as required by the laws of the State of Florida or any other state in which the patient received care.
- Account information: Retained for the duration of the business relationship and for a reasonable period thereafter for legal and audit purposes.
- Website usage data: Retained for up to twenty-four (24) months for analytics and operational purposes.
7. Your Rights and Choices
7.1 HIPAA Rights
If you are a patient whose PHI we process, you have specific rights under HIPAA, including the right to access, amend, and request an accounting of disclosures of your PHI. These rights are described in detail in our HIPAA Notice of Privacy Practices.
Response Timelines: We will respond to valid HIPAA data subject rights requests within thirty (30) calendar days, or within sixty (60) calendar days if an extension is necessary.
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect, use, and disclose.
- The right to request deletion of your personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information.
- The right to non-discrimination for exercising your privacy rights.
- The right to limit use and disclosure of sensitive personal information (if applicable).
No Sale or Sharing: We do not engage in the “sale” of personal information as defined by CPRA §1798.140(t). We also do not engage in the “sharing” of personal information for cross-context behavioral advertising as defined by CPRA §1798.100(q). We do not engage in profiling as defined by CPRA that produces legal effects or similarly significant effects.
Deletion Exemptions: Certain personal information may be exempt from deletion requests, including PHI governed by HIPAA (exempt under CCPA §1798.105(d)), records required to be maintained by law, and information necessary to complete transactions or enforce agreements.
Response Timelines: We will respond to valid California resident requests within forty-five (45) calendar days. This period may be extended up to ninety (90) days when reasonably necessary.
Identity Verification: Before fulfilling any privacy rights request, we will verify the identity of the requestor using reasonable methods appropriate to the nature of the request. Verification methods may include confirmation of account information, verification of email address, or other means consistent with CCPA/CPRA regulations. We will not fulfill requests if we cannot reasonably verify the requestor’s identity.
Governing Law for California Residents: Notwithstanding the Delaware governing law provision in Section 11, California law shall apply to California residents with respect to their rights under CCPA/CPRA.
Please note: PHI that is governed by HIPAA is generally exempt from CCPA/CPRA. These rights apply to personal information not otherwise covered by HIPAA.
7.3 Other State Privacy Laws
Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others) may have similar rights. We will honor valid requests consistent with applicable law. To exercise any privacy rights, please contact us using the information provided in Section 12 below.
8. Children’s Privacy
Our website is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13 through our website. If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us.
Note: In the course of providing teleradiology services, we may process diagnostic imaging studies of minors as part of healthcare treatment. Such processing is conducted in accordance with HIPAA and applicable state laws governing minors’ health information.
8.1 Workforce Member Privacy
Natoe employs radiologists and other healthcare professionals who use our Services and systems to provide teleradiology services. This includes radiologists working remotely using personal devices (BYOD arrangements). Workforce member data, including performance metrics, audit logs, and device information, is handled as workforce data under HIPAA and is subject to additional workforce privacy and security safeguards. Radiologists and workforce members are provided with a separate Workforce Privacy Notice upon engagement that details how their employment-related information, device activity, and performance data are collected, used, and protected.
9. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites you visit.
10. Do Not Track Signals
Some web browsers transmit “Do Not Track” signals. Our website does not currently respond to “Do Not Track” signals. However, you may manage your cookie preferences through your browser settings as described in Section 2.4.
11. Governing Law and Jurisdiction
Natoe Inc. is incorporated in the State of Delaware, with principal offices in Clearwater, Florida. This Privacy Policy and any disputes arising from or relating to it shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles. To the extent that healthcare-specific privacy laws of the State of Florida or other states in which we provide teleradiology services impose additional requirements, we will comply with those requirements as applicable.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the “Effective Date” at the top of this policy and, where required by law, provide additional notice (such as posting a prominent notice on our website).
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have questions or concerns about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:
Natoe Inc.
Doing business as Natoe AI
Attn: Pragya Goyal, Privacy Officer
29399 US Highway 19 N, Suite #150, Clearwater, Florida 33761
Email: [email protected]
Phone: +1 (656) 241-6730
For complaints related to HIPAA or the handling of your Protected Health Information, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.