ARTISIGHT, INC. PRIVACY POLICY COVERING CUSTOMER DATA

Date:  June 1, 2025

Introduction

Artisight, Inc. licenses its software and data services to hospitals as tools to help collect and aggregate data to help coordinate events, personnel, and procedures for multiple operating rooms and patient bays in a hospital setting. Artisight also supports remote patient monitoring in operating rooms, patient rooms, and clinics. Hospital customers can use the software to display the status of individual operating rooms, patient rooms, procedures, assets, materials, patients, surgeons, anesthesiologists, nurses, and other hospital staff members working throughout the hospital. It collects data from a variety of data sources, including video cameras and microphones that monitor the status of patients and spaces and assist in the management functions of their software in addition to generating data for optimization problems. With artificial intelligence, the software is able to monitor an area for specific events and assets to coordinate highly efficient processes on a large scale.

For the privacy of patients and hospital staff, our software does not store any images, video, or audio with protected health information, links to individual patient records, or searchable tags. Artisight has undergone a third-party audit on its privacy procedures and received an expert determination for the creation of de-identified and synthetic data that is used to retrain algorithms for client sites. No PHI is used in the creation of algorithms. No PHI is stored by Artisight’s systems.

In order to assist with clinical documentation, our software does interface with the hospital’s electronic medical records. During this interface, the database is temporarily populated with protected health information. This allows the software to document events captured by the artificial intelligence in the appropriate patient’s chart. However, no protected health information, like a medical record number, name, or address, is stored permanently.

This privacy policy refers to Artisight, Inc. throughout as “Artisight,” “we,” “us,” or “our.”

1. What Kinds of Personal Information Artisight Display

Artisight’s software displays on its digital dashboards Personal Information about patients in the hospital’s operating rooms and patient rooms managed by our software. This information is not permanently stored. The main categories of Personal Information displayed by our software are:

• Patient names (displayed as initials)
  • Preferred language
  • Hospital staff names
  • The procedures being performed on these patients

Most of the Personal Information relating to patients collected by the software constitutes “Protected Health Information” (“PHI”) within the meaning of the Health Insurance Portability and Accountability Act (HIPAA) and regulations issued under HIPAA. Accordingly, Artisight enters into HIPAA “business associate agreements” with our hospital customers to protect the privacy and security of PHI collected by our software. Of note, this information is used in a temporary database that is permanently deleted from our systems each night. We do not keep any PHI in our permanent databases.

The hospital can configure our software to collect additional categories of information, some of which may be Personal Information, including PHI. We may have access to these additional categories of information in connection with our maintenance of the software.

• How Artisight Collects Personal Information

The software collects patient Personal Information from the EHR like patient names, preferred language, planned procedures, and other confidential information collected from the hospital electronic medical records systems. The software receives information from electronic medical records systems via a structured electronic transmission using a standard format (FHIR, API, etc.). The information is encrypted while in transit. The video and audio streams are transmitted to our system via encrypted (using TLS encrypted channels, typically on a VLAN if provided by the hospital. On arrival, these streams are analyzed for objects and events of interest and that data is sent back to the EHR in real-time. It is not stored by Artisight.

• Use of Personal Information

Artisight uses the collected Personal Information to display on digital dashboards for the purpose of disseminating important information to staff members. In this manner, the software facilitates coordinated events and monitoring amongst hospital staff procedures across multiple operating rooms and patient bays. We will also use the Personal Information to locate the appropriate patient record for documentation in the electronic record. However, this only occurs for patients while admitted to the hospital. As we do not retain PHI, we have no ability to locate patient records after their discharge.

• Sharing or Disclosing Personal Information

We do not sell, share or rent Personal Information under any circumstances. We do not permanently store Personal Information. All PHI is held in temporary databases for less than 24 hours. It is encrypted in transit and at rest.

We may, however, sell, transfer, or otherwise share some or all of Artisight’s assets, which would not include PHI, in connection with a merger, acquisition, reorganization, or sale of assets of our business, or in the event of bankruptcy.

If we use any third-party service providers, they will not under any circumstances have access to patients’ Personal Information. We will require services providers to enter into a business associates agreement with us in which they must comply with the requirements of this privacy policy.

We may disclose the Personal Information we collect, and the other collected data used by the software when required by a subpoena, court order, search warrant, other legal process, requests by law enforcement agencies, or applicable law though we have no ability to retain or locate PHI since it is never permanently stored. Also, we may disclose Personal Information and data collected by the software to maintain the security of our or the hospital’s software or systems, resolve disputes, or investigate misuse of our software or these systems.

• Safeguarding Personal Information

Artisight maintains reasonable and appropriate administrative, technical, and physical safeguards to:

• Provide assurances of the confidentiality and integrity of the Personal Information we collect or to which we have access,
  • Protect against reasonably anticipated threats to the confidentiality or integrity of the Personal Information in our possession or that we access, including the threats of unauthorized access or use, and
  • Require compliance with our privacy and security practices by Artisight personnel and third parties that have received access to Personal Information we have collected.

Among other things, the hardware on which our software runs are located on client premise and thus are protected by our customers’ firewalls and physical security measures. Some of our services will run in the cloud on Microsoft Azure or Amazon’s AWS per our clients’ requests. In all deployment configurations (cloud, on-premises, or hybrid), our systems are SOC-2 type 2 compliant. All data and video transmissions are encrypted with the TLS 1.2 encryption protocol and encrypted at rest with AES-128

• Access to Personal Information and Making Changes

It is possible that a patient or representative or a patient may seek to exercise individual rights regarding PHI in our possession under HIPAA’s privacy regulations, including:

• Requests to limit uses or disclosures of PHI.
  • Requests to access or receive a copy of PHI about the patient.
  • Requests for amendments to PHI about the patient.
  • Requests for an accounting of disclosures of PHI about the patient.

Our agreements with our hospital customers require our customers to notify us promptly of any such requests. We will then work with the customer to assist in a response to the patient. However, we do not have the ability to retrieve PHI as we do not store any PHI. Therefore, we would have little if any information relevant to a specific patient to share upon request.

Individuals wishing to contact us directly to access Personal Information in our possession or amend it may write to us at support@artisight.com. Our privacy group will provide a response to any such requests.

• Contact Information

Please contact us at support@artisight.com if you have any questions about our privacy policy or want to discuss anything relating to our privacy practices.

• Resolving Complaints

If you have any complaints about this privacy policy or Artisight privacy practices, please submit them by email at [support@artisight.com]. Once we receive your email, our privacy group will investigate what you have submitted to us and respond to your email to talk about resolving your complaint.

Please send us enough information and whatever documentation or evidence you have to support your position in order for us to investigate and evaluate what you have submitted to us. We may write to you asking for more information if we do not have sufficient information to evaluate or resolve your complaint.

• Changes to the Privacy Policy

Artisight reviews and updates this privacy policy from time to time. We reserve the right to amend this policy as part of our updating process.

If we amend this policy, we will notify you by email of the change sent to our last email of record of your contact person. Please review such emails and the amended policy carefully. Your continued use of Artisight’s software after notification of the new privacy policy constitutes your agreement to the terms of the amended policy.