PRIVACY POLICY
This document (“Privacy Policy”) defines the rules for the processing and protection of personal data of Users in connection with their use of the CancerCenter.ai online platform (“Platform”). This document is an integral part of the Terms and Conditions.
1. DATA CONTROLLER
The administrator of your personal data, meaning the entity that determines the purposes and means of its processing, is:
Cancer Center Sp. z o.o. with its registered office in Wrocław, ul. Góralska 5, 53-610 Wrocław, Poland, entered into the Register of Entrepreneurs of the National Court Register under KRS number: 0000662335.
In all matters concerning the processing of your personal data and the exercise of your rights, you can contact us via:
- Email: [email protected]
- Postal Address: Cancer Center Sp. z o.o., ul. Góralska 5, 53-610 Wrocław, Poland.
2. DEFINITIONS
The terms used in this Privacy Policy have the meanings assigned to them in the Terms of Service. In particular:
- Personal Data: Means any information relating to an identified or identifiable natural person as defined by the GDPR.
- User Data: Means any data, information, or materials, including medical data, radiological images, and microscopic scans, that you upload, process, or store on the Platform.
- Anonymized Data: Means User Data that has been processed in such a way that the data subject is not or is no longer identifiable. In accordance with the Terms of Service, the responsibility for effective anonymization rests exclusively with you. Data that has been merely pseudonymized is not considered Anonymized Data.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- User: Means any individual or organization using our Services.
- Data Processing Addendum (DPA): A legally binding agreement that governs the processing of Personal Data.
3. WHAT DATA WE PROCESS, FOR WHAT PURPOSE, AND ON WHAT LEGAL BASIS
We process your personal data for the following purposes:
| Purpose of Processing | Example Scope of Data | Legal Basis (GDPR) |
| --- | --- | --- |
| To Provide and Manage the Services (e.g., maintaining your account on the Platform) | Email address, login credentials, subscription history, billing information (for paid services). | Art. 6(1)(b) – processing is necessary for the performance of a contract to which you are a party. |
| Essential Service-Related Communication (e.g., information about changes to the Terms, security matters, service availability, payments). | Email address. | Art. 6(1)(b) and (f) – necessity for contract performance and our legitimate interest. |
| Marketing Communication (e.g., sending commercial information, newsletters, special offers). | Email address. | Art. 6(1)(a) – your voluntary consent, which you may withdraw at any time. |
| To Comply with Legal Obligations (e.g., arising from tax and accounting regulations). | Billing information, payment details. | Art. 6(1)(c) – processing is necessary for compliance with a legal obligation to which we are subject. |
| To Establish, Exercise, or Defend Legal Claims. | All data necessary to demonstrate the existence of a claim or to defend against it. | Art. 6(1)(f) – our legitimate interest in protecting our rights. |
| To Identify You as Our Client in Marketing Materials (e.g., on our website). | Your name (company) or first and last name. | Art. 6(1)(f) – our legitimate interest. You may opt out of this form of promotion at any time. |
| Analysis and Statistics to Improve Service Quality. | Anonymized or aggregated data about how the Platform is used. | Art. 6(1)(f) – our legitimate interest in developing our products and services. |
4. CRITICAL RULES REGARDING DATA UPLOADED TO THE PLATFORM (USER DATA)
This section outlines the fundamental division of responsibilities for data you upload to the Platform.
- You are the Data Controller. With respect to all User Data that you upload and process using our Platform (e.g., patient medical data), you act as the Data Controller. You are solely and exclusively responsible for ensuring a valid legal basis for processing that data (e.g., patient consent).
- We are the Data Processor. To the extent that User Data contains Personal Data, we act solely on your instruction as a Data Processor.
The requirements differ based on your user type:
- Individual and Trial Users: You are strictly and absolutely prohibited from uploading any Personal Data to the Platform. You are obligated to upload only Anonymized Data. The full and exclusive responsibility and liability for conducting effective anonymization lie with you. Any breach of this obligation constitutes a material violation of the Terms of Service.
- Institutional Users (Cloud Service): You may process Personal Data if, and only if, you have first entered into a separate Data Processing Addendum (DPA) with us. In the absence of a signed DPA, you are obligated to upload only Anonymized Data.
- Institutional Users (On-Premise License): In this model, the Platform operates within your own IT environment. We do not have access to your data, we do not process it, and therefore we are not a Data Processor. The full responsibility for lawful data processing lies with you.
5. WHO MAY WE SHARE YOUR DATA WITH?
We may share your personal data with the following categories of recipients:
- Technical service providers (Sub-processors) who enable us to provide the Services, such as hosting service providers or payment operators.
- Authorized employees and associates who require access to the data to perform their duties.
- Legal advisors, consultants, and auditors, to the extent necessary for them to provide services to us.
- Public authorities, if required by applicable law.
- In the event of a business transfer, such as a merger, acquisition, or sale of assets, with potential buyers or investors.
We ensure that all partners to whom we entrust data processing guarantee an appropriate level of data protection, in particular by using data processing agreements compliant with Article 28 of the GDPR.
6. HOW LONG DO WE STORE YOUR DATA?
The retention period for your data depends on the purpose for which it was collected:
- Data related to your Platform account: For the entire duration of the service agreement, and after its termination, for the period necessary to establish, exercise, or defend against legal claims (i.e., until the statute of limitations expires) and for the time required by law (e.g., tax regulations).
- User Data on the Platform: In accordance with the Terms of Service, you have the option to export your data for 30 days after the end of the agreement. After this period, your data may be permanently deleted.
- Data processed based on consent (e.g., for marketing): Until you withdraw your consent.
- Data processed based on legitimate interest: Until you lodge an effective objection.
7. DATA TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
As a rule, we strive to use service providers who process data within the EEA. However, some of our technology partners may be based outside the EEA. In such cases, we ensure that the data transfer is carried out using appropriate legal safeguards required by the GDPR, such as:
- Adequacy decisions of the European Commission,
- Standard Contractual Clauses (SCCs) approved by the European Commission.
You have the right to obtain a copy of the safeguards we use regarding the transfer of data to third countries.
8. YOUR RIGHTS REGARDING PERSONAL DATA PROCESSING
In connection with our processing of your personal data, you have several rights:
- Right of access to data (Art. 15 GDPR): You can obtain information from us as to whether we process your data and, if so, to what extent.
- Right to rectification of data (Art. 16 GDPR): You can request the correction of incorrect or completion of incomplete data.
- Right to erasure of data (“right to be forgotten”) (Art. 17 GDPR): You can request the deletion of your data if, for example, it is no longer necessary for the purposes for which it was collected or if you have withdrawn your consent for its processing.
- Right to restriction of processing (Art. 18 GDPR): You can request that we restrict the processing of your data (except for storage) in certain cases.
- Right to data portability (Art. 20 GDPR): You can receive your data from us in a structured, commonly used format and transmit it to another controller.
- Right to object (Art. 21 GDPR): You can object to the processing of your data that is based on our legitimate interest. An objection to direct marketing is binding on us.
- Right to withdraw consent: If we process your data based on your consent, you can withdraw it at any time. This will not affect the lawfulness of the processing carried out before its withdrawal. You can withdraw consent for marketing by clicking the “Unsubscribe” link in an email or by writing to [email protected].
To exercise these rights, please contact us at [email protected].
9. CHANGES TO THE PRIVACY POLICY
We reserve the right to make changes to this Privacy Policy. We will inform you of any material changes that may affect your rights or obligations with reasonable advance notice by email. The current version of the Privacy Policy is always available on our website. Your continued use of the Platform after the changes are introduced constitutes your acceptance of them.
10. CONTACT
If you have any questions or concerns regarding this Privacy Policy, please contact us at [email protected].
11. COOKIES
Our Platform may use cookies (small text files saved on your device) and other similar technologies.
- Strictly Necessary Cookies: These are essential for the proper functioning of the Platform, e.g., for handling login and maintaining sessions. Their use does not require your consent.
- Other Cookies (e.g., Analytical, Marketing): We may use these cookies to analyze website traffic, personalize content, or conduct marketing activities. We will ask for your explicit consent for their use through a cookie management mechanism (cookie banner).
You can change your cookie preferences at any time by clicking the link below. However, please remember that disabling necessary cookies may affect the functionality of the Platform.