Last Updated: April 23, 2025
Anatomy Cloud’s Rights and Obligations
Obligations of Anatomy Cloud
1. Lawful, Fair, and Transparent Data Processing
Anatomy Cloud processes personal data and PHI (protected health information) only when a lawful basis is established (e.g., user consent, contractual necessity, legal obligation, public interest, or legitimate interest), and provides clear disclosure of:
- The purposes of processing
- The categories of data collected
- Retention periods
- Data recipients and transfer mechanisms
2. Data Minimization and Retention Limitation
- Only the minimum necessary data relevant to the intended processing purpose is collected.
- Data is retained no longer than necessary and is deleted, anonymized, or pseudonymized once the purpose is fulfilled.
3. Information Security Measures (GDPR Art. 32 / HIPAA Security Rule)
Anatomy Cloud implements appropriate technical and organizational safeguards, including:
- Encryption of data at rest and in transit
- Role-based access control (RBAC) and least privilege principles
- Multi-factor authentication (MFA)
- Audit logs and anomaly detection
- Disaster recovery and business continuity plans
4. Fulfillment of Data Subject Rights
Anatomy Cloud provides clear procedures to support user rights under GDPR and HIPAA, including:
- Access, rectification, deletion, and data portability requests
- Objection to processing and consent withdrawal mechanisms
- Response within 30 days (GDPR) or reasonable timeframes (HIPAA) upon verified request
5. Third-Party and Cross-Border Processing
- Only authorized vendors under signed Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs) are permitted to process data on our behalf.
- For cross-border transfers, appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions are used.
- Users are informed of international transfers, recipients, and associated protections.
6. Data Breach Notification
In the event of a breach:
- Anatomy Cloud will notify competent authorities within 72 hours (GDPR)
- Affected individuals will be notified if there is a risk to their rights
- HIPAA-compliant breach notification procedures are followed, including reporting to HHS and, if applicable, the media
Rights of Anatomy Cloud
1. Right to Process and Store Data under Legal Grounds
Anatomy Cloud has the right to process and store user data as required for:
- Delivering contracted services
- Maintaining system security and operational integrity
- Ensuring legal and regulatory compliance
- Enhancing the platform through anonymized analytics
2. Right to Refuse or Restrict Unlawful Requests
Anatomy Cloud reserves the right to deny:
- Requests that are unlawful, abusive, or infringe the rights of others
- Processing instructions that conflict with GDPR, HIPAA, or local data protection laws
3. Right to Use Anonymized Data for Research and Development
Where legally permitted, Anatomy Cloud may use fully anonymized data for:
- Medical research
- Product improvement
- Public health initiatives
- AI model training
Such use excludes any identifiable personal or health information.
4. Right to Conduct Security and System Monitoring
To maintain system integrity, Anatomy Cloud may log, monitor, and analyze:
- Access logs and usage patterns
- Security events or anomalies
- Technical support records
Monitoring is limited to what is necessary to prevent abuse or unauthorized access.
5. Right to Update Policies and Terms
Anatomy Cloud may update this statement and related policies in accordance with:
- Changes in applicable laws or regulatory guidance
- Service changes or feature updates
- Operational improvements
Users will be informed of material changes via email, platform notices, or other appropriate means.