1. Controller identity and legal status
This Privacy Policy governs how personal data is processed on the ESUS platform (esus.health) and its related APIs. The service is currently operated by a natural person acting as sole Data Controller: Juan Manuel Panozzo Zenere, National ID (DNI) 37.466.299, domiciled in Concordia, Province of Entre Ríos, Argentine Republic, contactable at privacy@esus.health. A Limited Liability Company (the "LLC") is in the process of being formed to operate ESUS Health. Upon incorporation, all rights, obligations, contracts, and data-processing responsibilities under this Policy will be transferred to the LLC as successor in interest, under the same terms and safeguards described herein. The transition will be notified to users at least thirty (30) days in advance in writing, and this Policy will be updated with the LLC's registered details.
2. Scope and our role (Controller / Processor)
This Policy applies to (i) the public website and its subdomains and (ii) the authenticated platform surfaces (dashboard and API). Depending on the type of data, our role differs:
- For account and identity data (name, email, organization, billing metadata), we act as a Data Controller.
- For Protected Health Information (PHI) and other patient data that your organization submits to the FHIR API, your organization is the Data Controller (and, where applicable, the Covered Entity under HIPAA). We act as a Data Processor / Business Associate and process that data strictly under your written instructions and under the terms of the applicable Data Processing Agreement (DPA) and, for HIPAA, Business Associate Agreement (BAA). DPAs and BAAs are available on request for Pro and Enterprise plans.
3. Information we collect
We collect only what is necessary to operate the service. Categories of data are:
- Account and identity data — name, email, password hashed with Argon2id, organization name, role within your organization, billing information, profile picture when you sign in with a third-party identity provider.
- Service usage data — API requests, resource counts, rate-limit events, error logs, audit events — scoped to the organization that generated them.
- Customer content — data (including PHI) that your organization submits to the FHIR API. Processed on your behalf and under your instructions.
- Technical data — IP address, user-agent, session metadata, and country/city-level geolocation derived from IP, used for security, anomaly detection, and fraud prevention.
- Communications — records of support correspondence, security disclosures, and other communications you initiate with us.
4. Legal bases for processing
Processing is based on one or more of the following legal grounds, depending on the activity:
- Performance of a contract — operating the platform you subscribed to (Art. 6(1)(b) GDPR; Ley 25.326 Art. 5.2.d, data arising from a contractual relationship).
- Legitimate interests — security, fraud prevention, and product improvement, balanced against your rights and freedoms (Art. 6(1)(f) GDPR).
- Legal obligation — compliance with HIPAA, tax, accounting, and other applicable law (Art. 6(1)(c) GDPR).
- Consent — for optional features such as product-update emails; consent can be withdrawn at any time (Art. 6(1)(a) GDPR; Ley 25.326 Art. 5.1).
- Vital interests — only where necessary to protect the life or physical integrity of a data subject, in rare PHI-related contingencies (Art. 6(1)(d) GDPR).
5. How we use your information
We use personal data to authenticate users and authorize access to an organization's resources; operate the FHIR API and enforce quotas; send transactional communications (verification codes, password resets, security and billing notices); detect abuse and investigate security incidents; comply with legal, tax, and regulatory obligations; and improve the platform through aggregated, de-identified analytics. We do not sell personal data. We do not use PHI for marketing, advertising, or model training.
6. How we protect your data
Security is a product-level commitment. The full posture is documented in our Security & Architecture Whitepaper. Key controls:
- Encryption at rest — AES-256-GCM field-level encryption for PHI with HKDF-SHA256 derivation and per-tenant keys.
- Encryption in transit — TLS 1.2+ everywhere; HSTS preload on the public surface.
- Authentication — passwords hashed with Argon2id; 15-minute JWT sessions with refresh tokens stored in HttpOnly cookies; strict HS256 verification.
- Authorization — RBAC plus attribute-based policies with deny-overrides semantics and consent-aware evaluation.
- Tenant isolation — Row-Level Security at the database layer; one customer's data is never accessible to another.
- Auditability — every access to a FHIR resource is written to an HMAC-signed, append-only audit log retained in line with HIPAA §164.312(b).
- Secrets management — production secrets held in an enterprise-grade secret manager with fail-closed boot.
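The following is an added illustration, written for this page and not code from ESUS or its whitepaper, of the shape of two controls listed above: HKDF-SHA256 derivation of per-tenant keys from one master key, and an HMAC-signed append-only audit log in which each entry covers the previous entry's tag, so edits, interior deletions and reordering break verification. It uses only the Python standard library; the master key, salt label, context-label format, tenant ids and audit events are constructed sample values, and the platform's real key hierarchy, storage and log format are not described on this page.

```python
"""Per-tenant HKDF-SHA256 keys and an HMAC-chained, append-only audit log.

Illustrative example only (not ESUS code). All keys, labels and events below
are constructed sample values; production keys would come from the secret
manager and never be literals.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed 32-byte master key for the example (never hard-code real keys).
MASTER_KEY = bytes(range(32))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF per RFC 5869 with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_key(master_key: bytes, tenant_id: str, purpose: str) -> bytes:
    """Derive a purpose-bound key for one tenant.

    Binding tenant id and purpose into the HKDF `info` means a key derived for
    tenant A (or for another purpose) is unrelated to tenant B's key.
    The label format and salt are assumptions for this example.
    """
    info = f"example/{purpose}/tenant/{tenant_id}".encode()
    return hkdf_sha256(master_key, salt=b"example-hkdf-salt-v1", info=info)


def _canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log: every entry's HMAC covers its sequence number, the
    previous entry's tag and the event, forming a chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        prev_tag = self.entries[-1]["tag"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "prev": prev_tag, "event": event}
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "tag": tag}
        self.entries.append(entry)
        return entry

    @staticmethod
    def verify(entries: List[dict], key: bytes) -> Optional[int]:
        """Return the index of the first entry that fails, or None if intact."""
        prev_tag = "0" * 64
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev"] != prev_tag:
                return i  # reordered, dropped or inserted entry
            body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
            expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["tag"]):
                return i  # content edited, or wrong (e.g. other tenant's) key
            prev_tag = e["tag"]
        return None


def demo() -> dict:
    """Exercise the chain with constructed events and report what verify() sees."""
    key_a = tenant_key(MASTER_KEY, "tenant-a", "audit")
    key_b = tenant_key(MASTER_KEY, "tenant-b", "audit")

    log = AuditLog(key_a)
    log.append({"actor": "user-17", "action": "read", "resource": "Patient/123"})
    log.append({"actor": "user-17", "action": "read", "resource": "Observation/9"})
    log.append({"actor": "user-42", "action": "update", "resource": "Patient/123"})

    # Edit the first entry's content without re-signing.
    tampered = [dict(e) for e in log.entries]
    tampered[0]["event"] = {**tampered[0]["event"], "resource": "Patient/999"}

    # Drop the middle entry: the survivor's seq/prev no longer line up.
    dropped = [log.entries[0], log.entries[2]]

    return {
        "keys_differ": key_a != key_b,
        "intact": AuditLog.verify(log.entries, key_a),
        "tampered_at": AuditLog.verify(tampered, key_a),
        "dropped_at": AuditLog.verify(dropped, key_a),
        "cross_tenant_at": AuditLog.verify(log.entries, key_b),
    }
```

Note the limit of the chain on its own: it catches modification, reordering and deletion of earlier entries, but not truncation of the newest entries, since a shortened log still verifies up to where it was cut. Detecting that requires anchoring the latest tag somewhere the log writer cannot alter (for example, periodically recording it in a separate store or with a trusted timestamp).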
7. PHI and HIPAA
When your organization processes Protected Health Information through ESUS:
- We act as a Business Associate under 45 CFR §160.103.
- A Business Associate Agreement (BAA) governs the relationship and is available on request.
- We implement the Administrative, Physical, and Technical Safeguards required by the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312).
- In the event of a breach involving unsecured PHI, we notify your organization without unreasonable delay and within the timelines required under 45 CFR §164.410.
8. Subprocessors and international data transfers
We engage a limited number of vetted subprocessors for hosting, storage, email delivery, observability, and payment processing. A current list — including the nature of processing and the hosting region for each — is available on request at privacy@esus.health. Because the Controller is based in the Argentine Republic and subprocessors may be located in the European Economic Area, the United States, and other jurisdictions, international transfers may occur. These transfers rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or equivalent safeguards, and on adequacy decisions where available — the Argentine Republic has been recognized as a country with an adequate level of protection by European Commission Decision 2003/490/EC.
9. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy, and in line with applicable legal retention obligations:
- Account data — retained for the lifetime of your organization; deleted or anonymized within thirty (30) days of account termination, except where longer retention is legally required.
- Audit logs — retained for at least six (6) years in line with HIPAA §164.316(b)(2).
- Customer content (including PHI) — retained and deleted per your organization's instructions under the DPA/BAA. On termination and at your instruction, data is returned or destroyed within thirty (30) days.
- Security and anomaly logs — retained for up to twelve (12) months, unless required longer for an active investigation.
- Billing and tax records — retained for the period required by applicable tax and accounting law (generally ten years under Argentine law).
10. Your rights
Subject to the applicable law (GDPR, Argentine Ley 25.326, CCPA/CPRA, HIPAA), you may have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data, subject to legal retention obligations.
- Restrict or object to specific processing activities.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Not be subject to solely automated decision-making producing legal or similarly significant effects.
- Lodge a complaint with a supervisory authority — in Argentina, the Agencia de Acceso a la Información Pública (AAIP); in the EEA, your local Data Protection Authority; in California, the California Privacy Protection Agency.
11. Children's privacy
ESUS is not directed to individuals under the age of sixteen (16) and we do not knowingly collect personal data from them. Where a parent or guardian believes a minor has provided personal data to us directly, contact privacy@esus.health and we will promptly delete it. PHI processed through the FHIR API may include data of minor patients; in that case, children's-data obligations rest with the Covered Entity (your organization) as Controller.
12. Automated decision-making and profiling
We do not make decisions based on solely automated processing that produce legal or similarly significant effects on individuals. Automated anomaly-detection systems that flag suspicious IP addresses are reviewed by a human before any account-level action is taken.
13. Breach notification
In the event of a personal-data breach that presents a risk to the rights and freedoms of data subjects, we will:
- Notify affected customers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware (Art. 33 GDPR).
- Notify relevant supervisory authorities where required by law.
- For PHI, follow the HIPAA Breach Notification Rule (45 CFR §§164.400–414).
14. Changes to this Policy
We may update this Policy from time to time. Material changes are notified by email to the address on file and/or by a prominent notice on the platform, at least thirty (30) days before taking effect. The current version is always available at this URL, with the 'Last updated' date at the top.
15. Contact
The Data Controller is Juan Manuel Panozzo Zenere (DNI 37.466.299), Concordia, Entre Ríos, Argentine Republic, pending incorporation of ESUS Health LLC, successor in interest. For privacy inquiries, data-subject requests, or DPA/BAA requests, contact privacy@esus.health. For security disclosures, contact security@esus.health.
Privacy & data requests: privacy@esus.health · security@esus.health