Privacy Policy

Last Updated: December 31, 2024

1. Introduction

PeakPoint Services ("PeakPoint," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable data protection laws.

As a provider of healthcare-related services including medical AI data annotation, medical imaging training, and healthcare revenue cycle management, we handle both personal data and Protected Health Information (PHI). We are committed to maintaining the highest standards of data protection and privacy.

2. Data Controller and Contact Information

Data Controller: PeakPoint Services
Address: [Business Address - To Be Updated]
Email: privacy@peakpoint.africa
Phone: +263 77 847 7608

Data Protection Officer (DPO):
Email: dpo@peakpoint.africa
You may contact our DPO with any questions or concerns regarding data protection and privacy.

3. Information We Collect

3.1 Personal Data (GDPR)

We collect the following categories of personal data:

  • Identity Data: Name, title, date of birth, gender
  • Contact Data: Email address, telephone number, postal address
  • Professional Data: Job title, employer, professional qualifications, training records
  • Technical Data: IP address, browser type, device information, cookies
  • Usage Data: Information about how you use our website and services
  • Marketing Data: Your preferences for receiving marketing communications
  • Financial Data: Payment card details, bank account information (processed by secure payment providers)

3.2 Protected Health Information (PHI) - HIPAA

In our capacity as a Business Associate under HIPAA, we may process PHI on behalf of Covered Entities, including:

  • Medical images and diagnostic data for AI training and annotation
  • Patient demographic information for healthcare revenue cycle management
  • Healthcare billing and insurance information
  • Medical records and clinical documentation
  • Any individually identifiable health information as defined under 45 CFR § 160.103

Important: We only process PHI under valid Business Associate Agreements (BAAs) with Covered Entities and in accordance with HIPAA Privacy and Security Rules.

3.3 Special Categories of Data

We may process special categories of personal data (sensitive data) including health data, biometric data, and genetic data. We only process such data where we have a lawful basis under GDPR Article 9 and appropriate safeguards are in place.

4. Legal Basis for Processing (GDPR Article 6)

We process personal data only where we have a legal basis to do so:

  • Consent (Article 6(1)(a)): You have given explicit consent for specific purposes
  • Contract (Article 6(1)(b)): Processing is necessary for contract performance
  • Legal Obligation (Article 6(1)(c)): Processing is required by law
  • Vital Interests (Article 6(1)(d)): Processing is necessary to protect life
  • Public Interest (Article 6(1)(e)): Processing is necessary for public health purposes
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate business interests

For special categories of data (health data), we rely on Article 9(2)(h) (healthcare purposes) and Article 9(2)(j) (scientific research) with appropriate safeguards.

5. How We Use Your Information

We use collected information for:

  • Service Delivery: Providing healthcare services, medical AI training, and data annotation
  • Healthcare Operations: Revenue cycle management, medical billing, and coding services
  • Training and Development: Medical imaging training programs and professional development
  • Quality Improvement: Improving AI diagnostic accuracy and healthcare service quality
  • Research: Contributing to medical research and AI development (with appropriate consent)
  • Compliance: Meeting legal and regulatory obligations including HIPAA and GDPR
  • Security: Protecting against fraud, unauthorized access, and security incidents
  • Communication: Responding to inquiries and providing customer support
  • Marketing: Sending relevant information about our services (with consent, where required)

HIPAA Minimum Necessary Standard: We limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose.

6. Data Security Measures

We implement comprehensive technical and organizational security measures in compliance with GDPR Article 32 and HIPAA Security Rule (45 CFR Parts 160 and 164, Subparts A and C):

6.1 Technical Safeguards

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
  • Audit Logging: Comprehensive audit trails of all PHI and personal data access
  • Network Security: Firewalls, intrusion detection/prevention systems, and network segmentation
  • Data Loss Prevention: DLP tools to prevent unauthorized data exfiltration
  • Secure Development: Security-by-design principles and regular code security reviews

6.2 Organizational Safeguards

  • Training: Regular HIPAA and GDPR compliance training for all staff
  • Background Checks: Comprehensive screening of personnel with data access
  • Confidentiality Agreements: All employees sign confidentiality and data protection agreements
  • Incident Response: Documented procedures for security incident management
  • Business Continuity: Disaster recovery and business continuity plans
  • Vendor Management: Due diligence and contractual safeguards for third-party processors

6.3 Compliance Certifications

  • ISO 27001:2013 Information Security Management
  • SOC 2 Type II Compliance
  • HIPAA Security Rule Compliance
  • GDPR Compliance Framework

7. Data Sharing and Disclosure

7.1 Third-Party Service Providers

We may share data with trusted third-party service providers who assist in our operations:

  • Cloud infrastructure providers (with HIPAA BAAs and GDPR-compliant Data Processing Agreements)
  • Payment processors (PCI-DSS compliant)
  • Email and communication service providers
  • Analytics and performance monitoring services
  • Security and fraud prevention services

All third-party processors are contractually bound to maintain GDPR and HIPAA compliance standards.

7.2 Legal Disclosures

We may disclose personal data or PHI when required by law, court order, or regulatory authority, or to:

  • Comply with legal processes and law enforcement requests
  • Protect our rights, property, or safety, or that of others
  • Prevent fraud or security threats
  • Support audits, compliance reviews, or legal proceedings

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will ensure the receiving party maintains equivalent data protection standards and notify affected individuals.

7.4 No Sale of Personal Data

We do not sell, rent, or trade personal data or PHI to third parties for marketing purposes.

8. International Data Transfers

We operate across multiple African countries and may transfer data internationally. For transfers outside the European Economic Area (EEA) or outside countries with adequate data protection laws:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers
  • Adequacy Decisions: We transfer to countries with EU adequacy decisions where applicable
  • Binding Corporate Rules: Internal policies ensuring consistent data protection standards
  • Appropriate Safeguards: Technical and organizational measures to protect transferred data

For PHI transfers, we ensure compliance with HIPAA requirements and obtain necessary authorizations.

9. Data Retention

We retain personal data and PHI only as long as necessary for the purposes outlined in this policy:

  • Contract Data: Duration of contract plus 7 years for legal and tax purposes
  • PHI: As required by HIPAA (minimum 6 years from creation or last use) or as specified in BAAs
  • Medical Training Records: 10 years or as required by professional accreditation bodies
  • Marketing Data: Until consent is withdrawn or 2 years of inactivity
  • Financial Records: 7 years as required by tax and accounting regulations
  • Security Logs: 1-3 years depending on regulatory requirements

After retention periods expire, we securely delete or anonymize data using industry-standard methods including secure erasure, degaussing, or physical destruction of storage media.

10. Your Rights Under GDPR (Articles 12-22)

If you are in the EU/EEA, you have the following rights:

  • Right to Access (Article 15): Request a copy of your personal data and information about how we process it
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Request limitation of how we process your data
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
  • Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority

To exercise these rights, contact us at privacy@peakpoint.africa or our DPO at dpo@peakpoint.africa. We will respond within 30 days.

11. Your Rights Under HIPAA

If your PHI is processed by us as a Business Associate, you have rights under the HIPAA Privacy Rule:

  • Right to Access PHI: Request access to your protected health information
  • Right to Amend: Request corrections to your PHI
  • Right to an Accounting of Disclosures: Receive a list of certain PHI disclosures
  • Right to Request Restrictions: Request limits on how your PHI is used or disclosed
  • Right to Confidential Communications: Request communications by alternative means or locations
  • Right to a Paper Copy: Receive a paper copy of this Privacy Policy

Note: As a Business Associate, we may direct you to the Covered Entity (your healthcare provider) to exercise certain HIPAA rights. For questions, contact the Covered Entity or our HIPAA Privacy Officer at hipaa-privacy@peakpoint.africa.

12. Breach Notification

12.1 GDPR Breach Notification (Articles 33-34)

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay.

12.2 HIPAA Breach Notification (45 CFR § 164.410)

For breaches of unsecured PHI:

  • We will notify the Covered Entity without unreasonable delay and no later than 60 days
  • Notification will include identification of affected individuals, description of the breach, and mitigation steps
  • We maintain documentation of all breach incidents and notifications

13. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. Types of cookies we use:

  • Essential Cookies: Required for website functionality (no consent required)
  • Performance Cookies: Help us understand how visitors use our site
  • Functional Cookies: Remember your preferences and settings
  • Marketing Cookies: Track your activity for targeted advertising (requires consent)

You can manage cookie preferences through your browser settings or our cookie consent tool. Blocking certain cookies may impact website functionality.

14. Children's Privacy

Our services are not directed to individuals under 16 years of age (or under 13 in jurisdictions where applicable). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such information.

15. Automated Decision-Making and Profiling

We may use automated decision-making in limited circumstances, such as fraud detection and risk assessment. You have the right to request human intervention, express your point of view, and contest automated decisions. We do not use automated decision-making for decisions that produce legal effects or similarly significantly affect you without appropriate safeguards.

16. Marketing Communications

We will only send you marketing communications if you have consented (opt-in) or where we have a legitimate interest and you have not opted out. You can unsubscribe from marketing emails at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting us at privacy@peakpoint.africa
  • Updating your preferences in your account settings

17. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending email notifications for significant changes
  • Obtaining fresh consent where required by law

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your data.

18. Supervisory Authority

If you are in the EU/EEA and believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority:

EU Data Protection Authorities: Find your local authority

For HIPAA complaints, you may file with the U.S. Department of Health and Human Services Office for Civil Rights.

19. Contact Us

For questions, concerns, or to exercise your rights under this Privacy Policy, please contact:

General Privacy Inquiries:
Email: privacy@peakpoint.africa

Data Protection Officer:
Email: dpo@peakpoint.africa

HIPAA Privacy Officer:
Email: hipaa-privacy@peakpoint.africa

Postal Address:
PeakPoint Services
[Complete Business Address - To Be Updated]

Phone: [Contact Number - To Be Updated]

We will respond to all requests within 30 days (GDPR) or 60 days (HIPAA) as required by applicable law.

Important Legal Notice

This Privacy Policy is designed to comply with GDPR and HIPAA requirements. However, it should be reviewed by qualified legal counsel familiar with EU data protection law and US healthcare privacy regulations before deployment. Specific business details marked as "[To Be Updated]" must be completed with accurate information. This policy should be read in conjunction with our Terms and Conditions and any applicable Business Associate Agreements.