Privacy Policy

Last updated: March 2026

HIPAA Compliant (US)
ISO 27001 Aligned (Global)
GDPR Compliant (EU/UK)
PDPO Compliant (HK)
PIPEDA Compliant (CA)
APP Compliant (AU)

All PHI is end-to-end encrypted (E2EE).

Coglix Labs ("we", "us", "our") operates the Sync Platform, a clinical neurorehabilitation web application. This Privacy Policy explains how we collect, use, store, and protect your personal and health information. This policy supplements the Terms of Service available within this platform. For the general Coglix Labs privacy policy, visit coglixlabs.com/privacy.

1. HIPAA Compliance Notice (US)

The Sync Platform processes Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a healthcare technology provider, Coglix Labs operates as a Business Associate under HIPAA and implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards include:

  • End-to-end encryption of PHI at rest and in transit (AES-256-GCM, TLS 1.2+).
  • Role-based access controls ensuring minimum necessary access to patient data.
  • Automated session timeouts after 30 minutes of inactivity.
  • Comprehensive audit logging of all PHI access events, retained for a minimum of 6 years.
  • Data breach notification procedures in compliance with the HIPAA Breach Notification Rule.

Healthcare organizations using Sync should ensure a Business Associate Agreement (BAA) is in place with Coglix Labs. Contact privacy@coglixlabs.com to request a BAA.

1b. GDPR Compliance Notice (EU / UK)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation applies to the processing of your personal data. Coglix Labs processes your data on the following lawful bases under GDPR Article 6 and Article 9:

  • Contractual Necessity (Art. 6(1)(b)): Processing your account information and session data is necessary to deliver the rehabilitation platform you have agreed to use.
  • Explicit Consent for Health Data (Art. 9(2)(a)): We process special category health data (speech recordings, biometrics, motor performance) only with your explicit written consent, which you may withdraw at any time.
  • Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform improvement — subject to your right to object.

A Data Processing Agreement (DPA) has been signed with Supabase (our primary data processor) as required by GDPR Art. 28. To exercise your GDPR rights (access, rectification, erasure, portability, restriction, objection), contact privacy@coglixlabs.com. We will respond within 30 days. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

1c. ISO 27001 Information Security (Global)

The Sync Platform is designed and operated in alignment with ISO/IEC 27001:2022, the international standard for information security management systems (ISMS). Our information security controls include:

  • Access Control (ISO 27001 A.5.15): Role-based access control (RBAC), row-level security (RLS) in the database, and JWT-based authentication with short-lived tokens.
  • Cryptography (ISO 27001 A.8.24): AES-256-GCM encryption at rest, TLS 1.2+ in transit, PBKDF2 key derivation with 600,000 iterations.
  • Incident Management (ISO 27001 A.5.26): Documented incident response procedures with 72-hour breach notification capability.
  • Business Continuity (ISO 27001 A.5.29): Recovery Point Objective (RPO) of 24 hours, Recovery Time Objective (RTO) of 4 hours, with documented runbook.
  • Audit Logging (ISO 27001 A.8.15): Immutable append-only audit logs retained for 6 years.

For the full compliance attestation including signed agreements and technical controls, see compliance.html.

1d. PDPO Compliance Notice (Hong Kong)

For users in the Hong Kong Special Administrative Region, Coglix Labs complies with the Personal Data (Privacy) Ordinance (PDPO) (Cap. 486). We collect and process your personal data in accordance with the Data Protection Principles. You have the right to request access to and correction of your personal data under the PDPO. Such Data Access Requests (DAR) or Data Correction Requests (DCR) should be directed to the Privacy Office using the contact details in Section 12.

1e. PIPEDA Compliance Notice (Canada)

For users in Canada, Coglix Labs complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). We rely on your explicit consent for the collection, use, and disclosure of your personal health information, as detailed in this Privacy Policy. You have the right to access the personal information we hold about you and request corrections if it is inaccurate. To exercise these rights or to bring a privacy complaint to the attention of our Privacy Officer, please contact us using the details in Section 12. We respond to such requests within 30 days.

1f. APP Compliance Notice (Australia)

For users in Australia, Coglix Labs is subject to the Privacy Act 1988 (Cth) and complies with the Australian Privacy Principles (APPs). By using our services and providing your health information, you explicitly consent to its collection and processing as described in this policy. In accordance with APP 12 and 13, you have the right to access and seek correction of your personal information. If you wish to make a complaint about a breach of the APPs, please contact us per Section 12. We will handle your complaint promptly and within 30 days.

2. Cookies and Tracking

We use minimal tracking technologies necessary for the functioning and security of the platform:

  • Essential Cookies: We use strictly necessary cookies to maintain your login session and enforce security settings. These cannot be disabled.
  • No Third-Party Advertising: We do not use tracking pixels, advertising cookies, or share any of your browsing behavior with third-party marketers.

3. Information We Collect

We collect the following categories of information when you use the Sync Platform:

  • Account Information: Email address, display name, account type (patient/therapist/admin).
  • Health and Therapy Data (PHI): Speech recordings and transcripts, exercise performance metrics (range of motion, accuracy, repetitions), heart rate readings from wearable devices, hand and body tracking data, therapy goals and progress notes, clinical outcome measurements.
  • Usage Data: Game session timestamps and duration, feature usage patterns, device and browser information.

4. How We Use Your Information

Your information is used exclusively for the following purposes:

  • Delivering and personalizing your rehabilitation therapy experience.
  • Tracking your progress and generating performance reports for you and your assigned therapist.
  • Improving the accuracy of speech recognition and movement analysis.
  • Ensuring the security and integrity of the platform.
  • Meeting legal and regulatory compliance requirements.

5. Data Storage and Security

We implement the following security measures to protect your data:

  • Encryption at Rest: Sensitive data stored on your device is encrypted using AES-256-GCM before being written to local storage.
  • Encryption in Transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption.
  • Key Derivation: Encryption keys are derived using PBKDF2 with 600,000 iterations and random 32-byte salts.
  • Session Security: Sessions automatically expire after 30 minutes of inactivity. Encryption keys are bound to your browser session and cannot be recovered after you close the tab.
  • Access Control: Row-level security policies ensure that patients can only access their own data. Therapists can only access data for their assigned patients.
  • Audit Logging: All access to patient data is recorded in an audit log for compliance and security monitoring.

6. Data Sharing

We do not sell, rent, or share your personal health information with third parties, except:

  • Your Therapist: If you are assigned to a therapist, they can view your therapy progress and session data.
  • Service Providers: We use Google Cloud Speech-to-Text for speech analysis. Audio is processed in real-time and is not stored by Google beyond the processing request.
  • Legal Requirements: If required by law, court order, or regulatory authority.

7. Data Retention

  • Active patient data is retained for the duration of the therapeutic relationship.
  • Upon request, patient data can be soft-deleted and will be permanently purged within 30 days.
  • Audit logs are retained for a minimum of 6 years in compliance with HIPAA requirements.
  • Consent records are retained indefinitely for legal compliance.

8. Your Rights

As a user of the Sync Platform, you have the right to:

  • Access: Request a copy of all personal and health data we hold about you.
  • Correction: Request corrections to inaccurate personal information.
  • Deletion: Request deletion of your personal and health data. Your therapist or an administrator can initiate this process from the My Progress dashboard.
  • Export: Export your data in a machine-readable format (CSV) from the My Progress dashboard.
  • Restrict Processing: Request that we limit how your data is used.
  • Withdraw Consent: Withdraw your consent at any time, though this may affect your ability to use the platform.

9. Opting Out

You may opt out of specific data processing activities at any time:

  • Stop using the platform: You may discontinue use at any time. No further data will be collected once you stop.
  • Request data deletion: Contact your therapist or email privacy@coglixlabs.com to request deletion of all your PHI. Therapists and administrators can also initiate deletion from the My Progress dashboard. Soft-deleted data is permanently purged within 30 days.
  • Withdraw consent: Email privacy@coglixlabs.com to withdraw your consent for data processing. Your account will be deactivated and your data will be scheduled for deletion.
  • Restrict sharing with therapists: Contact your healthcare provider to be unassigned from a therapist, which will immediately revoke their access to your data.

Note: Opting out of data collection will prevent the platform from providing personalized rehabilitation tracking. Certain data (audit logs, consent records) is retained for legal compliance regardless of opt-out requests.

10. Children's Privacy

The Sync Platform is intended for use by adults and by minors under the supervision of a parent, guardian, or licensed therapist. We do not knowingly collect personal information from children under 13 without parental consent.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top of this page and notify active users. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a data concern, please contact:

Coglix Labs -- Privacy Office
Email: privacy@coglixlabs.com