Privacy Policy

Last Updated: January 2025

ORaigent ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered operating room staff scheduling platform and related services (the "Service").

This policy complies with the EU General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

1. Data Controller

ORaigent GmbH
Munich, Germany
Email: privacy@oraigent.com
Phone: +49 15125072663

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Name, email address, phone number, job title, organization name
Healthcare Staff Data: Staff names, qualifications, certifications, availability schedules, department expertise, shift preferences
Operational Data: Operating room schedules, surgery types, room assignments, equipment requirements
Communication Data: Messages, feedback, support requests, and correspondence with our team

2.2 Information Collected Automatically

Usage Data: Log files, IP addresses, browser type, device information, operating system
Cookies and Tracking: Session cookies, analytics cookies, preference cookies
Performance Data: System usage metrics, feature utilization, error logs

2.3 Sensitive Health Data

We may process limited health-related data including:

Staff sick leave status (for availability tracking)
Recovery day requirements (post-BD shift compliance)
Medical certifications and qualifications

Legal Basis: Processing is necessary for healthcare provision (Article 9(2)(h) GDPR) and with explicit consent where required.

3. How We Use Your Information

3.1 Service Provision

Automated staff scheduling and resource allocation
Constraint satisfaction and optimization algorithms
Real-time schedule adjustments and conflict resolution
Quality checking and compliance validation

3.2 Service Improvement

AI model training and optimization (anonymized data only)
Feature development and enhancement
Performance monitoring and error detection
User experience research and analytics

3.3 Communication

Service notifications and updates
Technical support and customer service
Security alerts and policy updates
Marketing communications (with consent)

3.4 Legal Compliance

Compliance with healthcare regulations
Response to legal requests and law enforcement
Protection of rights and safety
Audit and accounting purposes

4. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service
Legitimate Interest (Article 6(1)(f)): Service improvement, fraud prevention, security
Legal Obligation (Article 6(1)(c)): Compliance with healthcare and data protection laws
Consent (Article 6(1)(a)): Marketing communications, optional features
Vital Interests (Article 6(1)(d)): Emergency healthcare situations
Public Interest (Article 6(1)(e)): Healthcare provision and public health

5. Data Sharing and Disclosure

5.1 We May Share Your Data With:

Service Providers: Cloud hosting (AWS/Azure EU regions), analytics providers, customer support tools
Healthcare Partners: Your organization's authorized personnel and departments
Legal Authorities: When required by law or to protect rights and safety
Business Transfers: In case of merger, acquisition, or asset sale (with notice)

5.2 We Do NOT:

Sell your personal data to third parties
Share data with advertisers
Transfer data outside the EU/EEA without adequate safeguards
Use health data for purposes other than service provision

6. Data Security

6.1 Technical Measures

End-to-end encryption (TLS 1.3+)
Database encryption at rest (AES-256)
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Regular security audits and penetration testing
Intrusion detection and prevention systems

6.2 Organizational Measures

Staff security training and awareness programs
Data processing agreements with all processors
Incident response and breach notification procedures
Regular backup and disaster recovery testing
ISO 27001 security management framework

7. Data Retention

Account Data: Retained while your account is active
Operational Data: Retained for 3 years for historical analysis and compliance
Health Data: Deleted within 90 days after contract termination (unless legally required)
Backup Data: Retained for 30 days, then securely deleted
Legal/Audit Data: Retained as required by law (typically 10 years in Germany)

After the retention period, all data is securely deleted or anonymized.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

Request a copy of your personal data we hold.

8.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your data (subject to legal obligations).

8.4 Right to Restrict Processing (Article 18)

Limit how we use your data in certain circumstances.

8.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing.

8.7 Right to Withdraw Consent (Article 7(3))

Withdraw consent at any time (doesn't affect prior processing).

8.8 Right to Lodge a Complaint

File a complaint with your supervisory authority:

German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Website: www.bfdi.bund.de
Phone: +49 (0)228 997799-0

8.9 How to Exercise Your Rights

We will respond within 30 days (may extend by 2 months if complex).

9. Cookies and Tracking

9.1 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential	Session management, authentication	Session
Functional	Language preferences, user settings	1 year
Analytics	Usage statistics, performance monitoring	2 years
Marketing	Campaign tracking (with consent)	1 year

9.2 Managing Cookies

You can control cookies through your browser settings or our cookie consent tool. Note that disabling essential cookies may affect service functionality.

10. International Data Transfers

We primarily process data within the EU/EEA. If data is transferred outside the EU/EEA, we ensure adequate protection through:

EU Standard Contractual Clauses (SCCs)
Adequacy decisions by the European Commission
Binding Corporate Rules (BCRs)
Your explicit consent

11. Children's Privacy

Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.

12. Automated Decision-Making and Profiling

Our AI-powered scheduling system makes automated decisions about staff assignments based on:

Qualifications and certifications
Availability and shift preferences
Department expertise
Historical performance data

Your Rights: You have the right to request human review of automated decisions and to express your point of view (Article 22 GDPR).

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via:

Email notification to your registered address
Prominent notice on our website
In-app notification

Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

Data Protection Officer (DPO):

ORaigent GmbH
Attention: Data Protection Officer
Munich, Germany
Email: dpo@oraigent.com
Phone: +49 15125072663

15. Additional Resources

← Back to Home