GDPR statement.

1. Data controller

Neuro Scan AI Solutions Oy (Y-tunnus 3437722-8), registered in Espoo, Finland, is the data controller for personal data we collect through this website, our planned clinical pilot program (currently under ethics-committee review at four hospital sites), and our partner-facing communications.

Postal correspondence: see contact. Data-protection inquiries: clinical@nsai.fi.

2. Categories of personal data we process

• Identification & contact data — name, professional email, employer, role — provided when you contact us, request a demo, or apply for an open role.
• Communications data — the content of emails and other correspondence you send to us.
• Technical data — IP address, browser type, time of visit, referring page — logged for security and basic site analytics.
• Clinical & health data — only under signed Data Processing Agreement with a clinical partner. We do not process patient health data through this public website.

3. Legal basis for processing

We rely on the following legal bases under Article 6 GDPR:

• Legitimate interest (Art. 6(1)(f)) — for website analytics, security logging, and unsolicited inbound business inquiries.
• Contract (Art. 6(1)(b)) — for processing necessary to fulfill a partnership, pilot, or employment agreement.
• Consent (Art. 6(1)(a)) — for optional newsletter signups or marketing communications, where consent can be withdrawn at any time.
• Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory record-keeping.

For clinical (special category) data under Article 9 GDPR, processing only occurs on the basis of explicit consent, contractual necessity with a clinical partner, or research with appropriate safeguards.

4. How we use your data

• To respond to your inquiry and continue the conversation you started.
• To deliver the services agreed under a signed contract (pilot, partnership, OEM integration).
• To maintain the security and integrity of our systems.
• To meet our legal and regulatory obligations as a Finnish business and a medical device software company.

We do not sell personal data. We do not share personal data with third parties for marketing purposes.

5. International transfers

Our infrastructure is hosted within the European Economic Area. Where a sub-processor is located outside the EEA (for example, a US-based email delivery service), transfers are governed by Standard Contractual Clauses approved by the European Commission, supplemented by technical measures appropriate to the risk.

A current list of sub-processors is available on request from clinical@nsai.fi.

6. Retention

• Inquiry correspondence — retained for 24 months after last contact, then deleted unless an active commercial relationship exists.
• Contractual records — retained for the duration of the contract plus 10 years (Finnish accounting law).
• Web analytics logs — anonymized after 90 days; raw IPs are not retained.

7. Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you (Art. 15).
• Correct inaccurate personal data (Art. 16).
• Erase your personal data, subject to legal retention requirements (Art. 17).
• Restrict processing (Art. 18).
• Data portability for data you provided to us (Art. 20).
• Object to processing based on legitimate interest (Art. 21).
• Withdraw consent at any time, where consent is the legal basis (Art. 7(3)).

To exercise any of these rights, email clinical@nsai.fi. We respond within 30 calendar days as required by Article 12.

8. Right to lodge a complaint

If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) — tietosuoja.fi — or with the supervisory authority of your habitual residence in the EU.

9. Updates to this statement

We will update this statement when our processing materially changes. The effective date at the top of the page reflects the most recent revision. Substantive changes are announced via the relevant contractual channels for active partners.