Privacy Policy
1. Who We Are
Futuuri (“Futuuri”, “we”, “us”, “our”) develops explainable AI systems for medical imaging and related digital‑health workflows. This Privacy Policy describes how we collect, use, disclose, and protect personal data when you interact with our websites, products, and services (together, the “Services”).
Futuuri is based in Finland and operates under European data‑protection law, including the EU General Data Protection Regulation (GDPR), where applicable.
Contact details
- Email: contact@futuuri.co
- Address: Hämeenkatu 9, 20500 Turku, Finland
For most clinical deployments, we act as a data processor / business associate on behalf of healthcare providers or research institutions, who remain the data controllers / covered entities. In those cases, processing is further governed by a Data Processing Agreement (“DPA”) or Business Associate Agreement (“BAA”).
2. Scope
This Policy applies to:
- Visitors to futuuri.co and related web pages.
- Users of our demo environments, cloud platform, and APIs.
- Representatives of hospitals, clinics, teleradiology providers, research institutions, and vendors who engage with us.
- Clinical users of Futuuri systems, to the extent we process their account or telemetry data.
It does not replace any patient‑facing privacy notices that healthcare providers must give under local law.
3. Data We Collect
3.1 Data You Provide
We may collect the following information directly from you:
- Contact details: name, email address, phone number, job title, organisation.
- Account data: username, password (stored using industry‑standard hashing), role, preferences.
- Support and communications: emails, chat or ticket messages, meeting notes, survey responses.
- Commercial data: organisation name, billing and contract contacts, purchase orders, invoices.
- Form submissions: demo and event registrations, newsletter sign‑ups, and similar forms.
3.2 Data Processed In Clinical Use
Our systems are designed to be PHI‑light and expect anonymised or de‑identified data in clinical workflows. Depending on the configuration agreed with your organisation and documented in the DPA/BAA, we may process:
- Imaging data: DICOM studies and derived images (for example chest, skeletal, dental X‑rays) and technical metadata. Futuuri requires that such data be de‑identified or anonymised before it is sent to our infrastructure, in line with GDPR, HIPAA de‑identification standards, or other applicable frameworks.
- Clinical context: modality, study description, acquisition parameters and other fields that have been stripped of direct patient identifiers and unnecessary quasi‑identifiers.
- Operational logs: pseudonymous user identifiers, timestamps, actions taken, system events, error traces, and performance metrics used for safety, audit, and troubleshooting.
No patient‑identifiable data is stored or persisted by Futuuri. If your workflow requires temporary exposure to identifiers, that processing must occur on your own systems, prior to de‑identification, and not within Futuuri’s hosted environment.
Data‑Minimisation And Design Principles
Futuuri follows a data‑minimisation approach:
- We instruct and support customers to anonymise or de‑identify imaging data at source.
- Our default APIs and connectors accept only the minimum metadata required for analysis and routing.
- We do not attempt to re‑identify anonymised data we receive.
3.3 Data Collected Automatically
When you use our websites or cloud interfaces, we may automatically collect:
- Technical data: IP address, browser type, device identifiers, operating system, language, time zone.
- Usage data: pages visited, clicks, session duration, referring URLs, feature usage patterns.
- Cookies and similar technologies: used to remember preferences, maintain sessions, and understand service performance. You can manage cookies through browser settings and, where required, via consent banners.
We do not embed third‑party marketing trackers or ad pixels within clinical viewing or reporting interfaces used for patient care. Telemetry in clinical products is limited to what is necessary for security, safety, and product quality.
4. Legal Bases For Processing
Where GDPR or similar laws apply, our legal bases include:
- Performance of a contract: providing, maintaining and supporting the Services under agreements with you or your organisation.
- Legitimate interests: operating, securing and improving our Services; preventing abuse; developing new features and models, where these interests are not overridden by your rights and freedoms.
- Consent: using non‑essential cookies and sending certain marketing communications where required. You may withdraw consent at any time.
- Legal obligations: complying with accounting, tax, medical‑device, or other regulatory requirements.
For PHI under HIPAA or similar frameworks, we process data only as permitted by the relevant BAA (for example, for healthcare operations) or with any additional required authorisations.
5. How We Use Data
We use personal data and anonymised data to:
5.1 Provide And Operate The Services
- Ingest and analyse imaging studies.
- Generate explainable outputs, structured findings, and draft reports.
- Deliver workflow integrations with PACS, RIS, telemedicine platforms, and other systems.
5.2 Support And Secure Deployments
- Monitor uptime, latency, and model performance.
- Troubleshoot issues and provide user support.
- Maintain audit logs and records required for safety, quality management, and regulatory compliance.
5.3 Improve Our Products
- Use aggregated and anonymised usage metrics (for example, feature usage counts, error rates, model performance statistics) to improve reliability and user experience.
- Use only anonymised imaging data, and only under written agreements with customers, for model training, validation, and benchmarking, subject to ethics or IRB approvals where required.
- Because we do not store patient‑identifiable data, model‑development activities never involve direct identifiers such as names, national IDs, full dates of birth, or unmasked medical record numbers.
5.4 Communicate With You
- Respond to enquiries, schedule demos, and manage contracts.
- Send essential service notices, including security or safety updates.
- Provide marketing communications (for example, newsletters or event invitations) in line with your preferences and applicable law.
5.5 Meet Legal And Contractual Obligations
- Maintain business and financial records.
- Manage disputes, enforce our agreements, and respond to lawful requests from authorities.
We do not sell personal data or PHI.
6. Sharing And Disclosure
We may share data in the following circumstances:
- With your organisation: For clinical deployments, outputs, analytics dashboards, logs, and audit information are shared with the healthcare provider or organisation that controls the data.
- With service providers: Cloud infrastructure, storage, monitoring, logging, email, analytics, and support vendors who act as processors under written contracts containing confidentiality, security, and data‑processing obligations.
- With professional advisers: Lawyers, auditors and insurers under confidentiality duties when reasonably necessary.
- In corporate transactions: Potential buyers, investors, or partners in connection with a merger, acquisition or restructuring, subject to appropriate safeguards.
- For legal and safety reasons: Authorities or third parties where required by law, regulation, legal process, or to protect the rights, safety, or property of Futuuri, our customers, or others.
Third parties are not permitted to use the data we share with them for their own independent marketing or product development without your or our explicit agreement.
7. International Transfers
We may store and process data in the EU/EEA and other locations, depending on our cloud providers and your chosen deployment region. Where personal data is transferred outside its country of origin, we implement appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements and BAAs with clear privacy and security commitments.
- Regional hosting options to keep anonymised imaging data and operational logs within specific jurisdictions where feasible.
Customers can request EU‑only or other regional deployments, subject to technical and commercial feasibility.
8. Data Retention
We retain data only for as long as necessary for the purposes described in this Policy or as required by law. Retention periods depend on:
- Contractual terms with customers (for example, retention of anonymised imaging studies, outputs, and logs).
- Legal and regulatory requirements, including those for medical‑device quality systems and healthcare record‑keeping.
- The need to maintain records for safety, audit, and incident investigation.
Where anonymised imaging data is used for quality improvement or research, it may be retained for longer periods because it no longer relates to an identifiable individual under applicable law. Logs that could indirectly relate to individuals (for example, pseudonymous user IDs) are retained only as long as necessary for security, audit, and compliance, then deleted or further anonymised.
9. Security
We implement technical and organisational measures designed to protect data, including:
- Encryption in transit and at rest for clinical data and key storage systems.
- Role‑based access control, multi‑factor authentication, and least‑privilege access.
- Network segmentation, logging, and continuous monitoring for suspicious activity.
- Secure software development lifecycle, regular vulnerability scanning, and security testing.
- Employee confidentiality agreements and regular training on data protection and security.
While no system can be guaranteed 100% secure, we work continuously to strengthen our defences and respond promptly to potential incidents.
10. Your Rights
Depending on your location, you may have rights over your personal data, such as:
- Access to a copy of your personal data.
- Rectification of inaccurate or incomplete data.
- Erasure or restriction of processing in certain circumstances.
- Objection to processing based on legitimate interests or direct marketing.
- Data portability where technically feasible.
Requests relating to data processed on behalf of a healthcare provider (including anonymised imaging data that may still be linked at source) should typically be directed to that organisation. We will assist them in responding as required by our DPA/BAA.
For other data (for example, website accounts, marketing contacts), you can email contact@futuuri.co. We may need to verify your identity and may decline or limit requests where the law allows or requires us to retain certain data.
You can manage marketing preferences via unsubscribe links in our emails. Cookie preferences can be adjusted via your browser and, where available, cookie‑consent tools.
11. Children’s Privacy
Our websites and commercial Services are not directed to children under 16, and we do not knowingly collect personal data directly from children via our marketing sites. Use of Futuuri in paediatric clinical settings is governed by our agreements with healthcare providers and applicable law.
12. Third‑Party Sites And Services
Our Services may link to or interoperate with third‑party sites and applications (for example, PACS/RIS vendors, cloud providers, analytics tools). Their use of data is governed by their own privacy policies, not this one. We encourage you to review those policies separately.
13. Changes To This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our Services, or our practices. When we do, we will update the “Last updated” date above and, where appropriate, provide additional notice (for example via email or in‑product banners).
14. Contact And Complaints
If you have questions or concerns about this Privacy Policy or our data practices, please contact:
Futuuri Privacy
- Email: contact@futuuri.co
- Address: Hämeenkatu 9, 20500 Turku, Finland
If you are in the EU/EEA, UK, or another jurisdiction with a dedicated data‑protection authority, you also have the right to lodge a complaint with your local supervisory authority.