Introduction
iksa.ai ("iksa.ai," "we," "us," or "our") operates a Clinical Context Platform—a vendor-neutral AI operating layer that connects healthcare data sources, orchestrates in-workflow automations, and deploys guard-railed AI agents for clinical and research operations.
We serve healthcare providers, health systems, life sciences companies, clinical research organizations, and digital health platforms ("Customers") to enable patient engagement, clinical trial operations, and clinical workflow automation under strict regulatory and privacy requirements.
This Privacy Policy describes how we collect, use, disclose, and protect information when you:
- Visit our website at https://iksa.ai (the "Site")
- Communicate with us or request information
- Use or interact with our products, platforms, and services (collectively, the "Services")
Relationship to Contracts:
This Privacy Policy does not supersede any Business Associate Agreement (BAA), Data Processing Agreement (DPA), Clinical Trial Agreement, or other contract with a Customer. Where conflicts exist, the contract governs.
Agreement:
By using our Site or Services, you acknowledge that you have read and understood this Privacy Policy.
1. Our Role and Contact Information
As a Controller: For information collected through the Site and directly from you (such as contact forms, demo requests, and marketing communications), iksa.ai acts as a data controller under GDPR and similar laws, and as a business under CCPA/CPRA.
As a Processor: For data processed on behalf of Customers through our platform—including Protected Health Information (PHI) and clinical trial data—we act as a data processor (GDPR), service provider (CCPA/CPRA), and Business Associate (HIPAA) as applicable.
Contact Us:
- Company: Iksa Inc. (d/b/a iksa.ai)
- Email: info@iksa.ai
- Address: Baltimore, Maryland, United States
2. Scope of This Policy
Our platform functions as an AI operating layer that:
- Connects to existing healthcare systems (EHRs, laboratories, claims systems, devices, clinical trial databases, and cloud data platforms)
- Normalizes and routes data into workflows and agentic automations
- Returns actions, insights, and outputs to the systems and interfaces your teams already use
For Patients, Trial Participants, and Program Beneficiaries:
Your primary privacy notices are provided by:
- Your healthcare provider's Notice of Privacy Practices
- The trial sponsor's or research site's informed consent documents
- Program-specific disclosures from the organization administering your care or study participation
This Privacy Policy describes how iksa.ai handles such data when processing it on behalf of those organizations.
3. Information We Collect
3.1 Information You Provide Directly
When you interact with us through the Site or business communications, we may collect:
- Contact Information: Name, email address, phone number, organization, and job title
- Account Credentials: Usernames, hashed passwords, roles, and access permissions for Customer deployments
- Professional Details: Your role, department, and organizational affiliation
- Communications: Content of messages, meeting notes, support requests, and attachments
- Commercial Information: Billing and contract details in B2B engagements
3.2 Platform Data (Processed on Behalf of Customers)
To deliver our interoperability and workflow orchestration services, we process data from Customer-configured sources, which may include:
- Clinical Systems: EHR data (Epic, Oracle Health, Athena, and others) including demographics, encounters, diagnoses, procedures, orders, and clinical documentation
- Ancillary Systems: Laboratory results, imaging summaries, pharmacy data, and connected device measurements
- Administrative Systems: Claims, authorizations, benefit verifications, and revenue cycle data
- Clinical Research Systems: Electronic data capture (EDC), clinical trial management systems (CTMS), safety databases, adverse event records, protocol deviations, and query management data
- Patient Engagement Channels: Portal messages, SMS and email logs, appointment communications, adherence signals, and consent records
- Remote Monitoring: Connected device and wearable data supporting chronic disease management or clinical studies
- Derived Data: Risk scores, eligibility determinations, triage priorities, workflow states, and other outputs generated by our engines and agents
In most deployments, this data remains within the Customer's environment (their cloud infrastructure or on-premises systems). Our platform architecture minimizes the need to host sensitive source data in multi-tenant environments.
3.3 Workflow and Telemetry Data
To operate compliance-aware agentic workflows, our platform generates:
- Execution Logs: Agent activity, policy evaluations, timestamps, and outcome codes
- Prompt Metadata: Input classifications, model routing decisions, guardrail evaluations, and action statuses
- Performance Metrics: Success rates, escalation frequencies, and safety monitoring data
These telemetry streams are configured to use pseudonymized identifiers where feasible and are typically stored within the Customer's environment.
3.4 Automatically Collected Information
When you visit the Site or use web-based Service components, we automatically collect:
- IP address, browser type, and device information
- Pages visited, interactions, session duration, and referring URLs
- Session identifiers and diagnostic data
We use cookies and similar technologies for these purposes, as described in Section 8.
3.5 Information from Third Parties
We may receive information from:
- Customers and implementation partners provisioning users and integrations
- Analytics, support, and marketing platforms
- Professional and public sources in B2B contexts
4. How We Use Information
4.1 Platform Operations (Processor Role)
We use information processed on behalf of Customers to:
- Connect and synchronize data from clinical, research, and administrative systems
- Normalize data using interoperability standards (FHIR, HL7, REST APIs, flat-file imports)
- Route data into appropriate workflows and agentic engines
- Return actions, alerts, documentation, and dashboards to Customer systems
4.2 Agentic Workflow Execution
Our guard-railed AI agents process data to:
- Detect and prioritize clinical and operational events (abnormal results, safety signals, missed visits, revenue anomalies)
- Generate suggested actions (case narratives, clinical queries, follow-up tasks, patient communications)
- Apply sequential policy checks for privacy, bias, and clinical validity before outputs proceed
- Maintain full traceability to source data and enforce human-in-the-loop requirements where configured
4.3 Service Delivery and Improvement
We use information to:
- Configure deployments and manage user access
- Provide implementation support, training, and managed services
- Monitor system performance, reliability, and security
- Improve algorithms, guardrails, and workflow templates using aggregated and de-identified data
4.4 Security, Compliance, and Audit
We use information to:
- Detect, investigate, and respond to security incidents
- Enforce access controls and permissions
- Generate audit trails for Customers, regulators, and internal compliance
- Demonstrate adherence to HIPAA, GDPR, DPDP Act (India), ISO 27001, and other applicable frameworks
4.5 Business Communications (Controller Role)
For Site visitors and business contacts, we use information to:
- Respond to inquiries, demo requests, and partnership discussions
- Send administrative notices (terms updates, system notifications)
- Share relevant content, insights, and product information
You may opt out of marketing communications at any time.
4.6 Aggregated and De-Identified Data
We may use and share aggregated or de-identified data for analytics, benchmarking, algorithm improvement, and published insights. We apply technical and organizational measures to minimize re-identification risk, following recognized frameworks such as HIPAA de-identification standards where applicable.
5. Legal Bases for Processing
Where required by law (such as in the EEA and UK), we rely on the following legal bases:
- Contractual Necessity: To deliver Services, fulfill requests, and support Customer deployments
- Legitimate Interests: To secure and improve the platform, prevent misuse, and communicate with Customers, balanced against individual rights
- Consent: For certain cookies, analytics, and marketing activities where consent is required
- Legal Obligations: To comply with healthcare, research, financial, and data protection regulations
For data processed on behalf of Customers, the Customer determines the appropriate legal basis.
6. How We Share Information
6.1 Within Customer Environments
Clinical and research data typically remain in Customer-controlled infrastructure. Within that environment, data is shared with:
- Authorized users designated by the Customer
- Integrated systems configured by the Customer
6.2 Service Providers
We engage service providers to support platform operations, including:
- Cloud infrastructure and hosting
- Security monitoring and logging
- Customer support platforms
- Communication services
- Professional advisors
These providers are contractually bound to use information only for specified purposes, implement appropriate security measures, and execute BAAs, DPAs, or equivalent agreements where required.
6.3 Platform Telemetry
Certain telemetry and configuration data may flow to iksa.ai for managed services, including:
- Deployment configurations and feature settings
- System health and error metrics
- Pseudonymized identifiers for troubleshooting
These streams are designed to exclude raw PHI and direct identifiers. Deeper access for troubleshooting occurs under strict access controls and Customer approval.
6.4 Business Transactions
In connection with a merger, acquisition, financing, or asset sale, information may be transferred to the relevant parties. Any successor will be required to honor this Privacy Policy or provide equivalent protections.
6.5 Legal and Safety Disclosures
We may disclose information where necessary to:
- Comply with applicable laws, regulations, or legal process
- Respond to lawful government requests
- Protect the rights, safety, or property of individuals, Customers, or iksa.ai
- Investigate security incidents or potential fraud
6.6 With Consent or Direction
We may share information where you or your organization provide consent or explicit direction.
7. Data Retention
We retain information for as long as necessary to:
- Operate the Site and Services
- Fulfill the purposes described in this Privacy Policy and applicable contracts
- Meet legal, regulatory, and audit obligations
- Resolve disputes and enforce agreements
Retention Periods:
- Clinical and Research Data: Governed by Customer policies, BAAs/DPAs, and applicable healthcare and research regulations
- Workflow and Agent Logs: Retained for periods supporting safety, auditability, and legal requirements, often per Customer-defined settings
- Business Contact Data: Retained during active business relationships and for a reasonable period thereafter, or until you opt out
De-identified and aggregated data may be retained for longer periods as permitted by law.
8. Cookies and Similar Technologies
We use cookies, pixels, and related technologies on the Site and web-based Service components to support:
- Core functionality (session management, form handling)
- Analytics and performance measurement
- Security monitoring
- B2B marketing attribution where permitted
You can manage cookie preferences through your browser settings. We may provide additional in-page controls depending on your jurisdiction. Disabling certain cookies may affect Site or Service functionality.
9. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information, including:
- Encryption of data in transit and at rest
- Role-based access controls and least-privilege principles
- Multi-factor authentication for administrative access
- Logging and monitoring of security events
- Regular security assessments and vulnerability management
- Vendor risk management and contractual security requirements
- Employee training on privacy and security practices
Our platform and operations align with healthcare-grade frameworks including HIPAA, GDPR, DPDP Act (India), and ISO 27001.
While no system is immune to all security risks, we continuously work to strengthen our controls. We will notify affected Customers and individuals of security incidents as required by law and contract.
10. Your Privacy Rights
Depending on your location and your relationship with us, you may have rights including:
- Access: Obtain confirmation of whether we process your personal information and request a copy
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of personal information, subject to legal and contractual exceptions
- Restriction: Request restriction of certain processing activities
- Objection: Object to processing based on legitimate interests
- Portability: Receive certain information in a structured, machine-readable format
- Withdrawal of Consent: Withdraw consent where processing is consent-based
To Exercise Rights for Information We Control: Contact us at info@iksa.ai.
For Information Processed on Behalf of Customers: Direct your request to the relevant Customer (your healthcare provider, trial sponsor, or research site). We will support them in responding consistent with our agreements and applicable law.
You may also lodge a complaint with your local data protection authority.
11. Region-Specific Disclosures
11.1 European Economic Area, United Kingdom, and Similar Jurisdictions
- iksa.ai is the controller for Site and business contact data
- For clinical, research, and workflow data, Customers are controllers and we act as processor
- Cross-border transfers are supported by Standard Contractual Clauses and technical safeguards
Contact info@iksa.ai for questions about international transfers.
11.2 United States (Including California and State Privacy Laws)
Residents of California and other states with comprehensive privacy laws may have additional rights:
- Know what categories of personal information are collected, used, and disclosed
- Access, correct, and delete personal information
- Opt out of the "sale" or "sharing" of personal information for targeted advertising
We do not monetize PHI or clinical data. We do not sell or share personal information for cross-context behavioral advertising.
To exercise rights, contact info@iksa.ai and indicate your state of residence. For information processed on behalf of a Customer, we may refer your request to that Customer.
11.3 India
For individuals in India, we process personal data in accordance with the Digital Personal Data Protection Act (DPDP Act) and implement appropriate safeguards for cross-border transfers.
12. Children's Privacy
Our Site and marketing are not directed at children. We do not knowingly collect personal information directly from children through the Site.
Where Customers use our platform for programs involving minors (such as pediatric care or clinical trials), the Customer is responsible for compliance with applicable laws governing children's data and parental consent. We process such data solely as a processor under Customer instructions.
If you believe we have collected personal information from a child without appropriate authorization, contact us at info@iksa.ai.
13. Third-Party Links
The Site may contain links to third-party websites and services not operated by iksa.ai. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing information.
14. International Transfers
We and our service providers may process information in countries other than your own, including the United States and India.
For international transfers, we implement safeguards consistent with applicable law:
- Standard Contractual Clauses
- Data processing agreements
- Technical controls including encryption and access restrictions
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our Services, data practices, or applicable law.
For material changes, we will update the Effective Date and provide appropriate notice (such as prominent notice on the Site or direct communication where required). We encourage you to review this Privacy Policy periodically.
16. Contact Us
For questions, concerns, or requests related to this Privacy Policy:
Email: info@iksa.ai
Company: Iksa Inc. (d/b/a iksa.ai)
Location: Baltimore, Maryland, United States
For questions about data processed in a specific healthcare or research program, we may coordinate with the relevant Customer to provide an appropriate response.