Privacy Policy

1. Who we are and the scope of this policy

careos platform is provided by ITLOX LTD (“ITLOX”, “careos”, “we”, “our”, “us”), a company incorporated in England and Wales with registered offices at 167-169 Great Portland Street, London W1W 5PF, United Kingdom.

This Privacy Policy explains how we collect, use, share, retain and protect personal data when you:

• Visit or interact with the careosp.com website or any sub-domain;
• Submit an enquiry, request a demonstration, or apply for a pilot;
• Subscribe to careos platform communications;
• Enter into a commercial agreement with ITLOX for careos platform;
• Use careos platform as an authorised user of a customer tenant.

Two roles, two regimes. For website and marketing data, ITLOX acts as an independent data controller and this Privacy Policy governs our processing directly. For personal data — including Protected Health Information (“PHI”) and personal data relating to patients, clinicians and operational staff — that we process on behalf of healthcare customers inside their careos platform tenants, ITLOX acts as a processor (UK GDPR) or Business Associate (HIPAA). That processing is governed by the customer’s Data Processing Agreement, Business Associate Agreement and order form, which take precedence over this policy for in-service data. See our Data Processing Agreement.

2. Personal data we collect

2.1 Data you provide to us directly

• Identity data: full name, job title, organisation, professional role;
• Contact data: work email, phone number, business address;
• Account data: login identifiers, single sign-on attributes, role and permission assignments, preferences;
• Enquiry content: use-case descriptions, integration requirements, free-text messages submitted through forms or email;
• Commercial data: billing address, tax identifiers, purchase order details, signatory information (we do not store full payment card numbers);
• Diligence data: security questionnaires, compliance attestations and other information exchanged during procurement.

2.2 Data collected automatically

• Technical data: IP address, browser type and version, operating system, device identifiers, language preference;
• Usage data: pages visited, time on page, referrer URL, click paths within the marketing site and the authenticated admin console;
• Security telemetry: authentication events, failed login attempts, session fingerprints, anomaly signals;
• Cookies and similar technologies, as described in our Cookie Policy.

2.3 Protected Health Information and patient data

careos platform is designed for the orchestration of regulated healthcare workloads. PHI and personal data relating to patients, service users and clinicians is processed only on documented instructions from our customers, within their tenants, and subject to the Data Processing Agreement and — for US customers — a Business Associate Agreement under HIPAA. ITLOX does not use PHI for its own purposes, does not sell PHI, and does not use PHI to train general-purpose AI models.

2.4 Data from third parties

• Public professional information (for example from LinkedIn or a company website) used for business development;
• Identity provider attributes received via single sign-on where a customer has enabled SAML or OIDC;
• Referral information from partners, resellers and integration providers;
• Enrichment data from reputable business information providers, used sparingly and only for legitimate B2B relationship management.

2.5 Special category and sensitive data

Through the marketing site, we do not intentionally collect special category data under UK GDPR Article 9. Where such data is processed inside a customer tenant (for example, health, genetic or biometric data), we rely on the customer’s Article 9 condition, the Data Processing Agreement, and — where applicable — HIPAA safeguards.

3. Legal bases for processing

We process personal data only where we have a valid lawful basis. Our principal bases under UK GDPR Article 6 are:

• Contract (Art. 6(1)(b)) — pre-contractual enquiries, demo requests, subscription administration, billing, support, and performance of order forms for careos platform;
• Legitimate interests (Art. 6(1)(f)) — improving the platform and website, fraud and abuse prevention, security monitoring, sending service-related updates to existing customers, defending legal claims, and measuring marketing effectiveness. We have performed legitimate interest assessments for each of these activities and you may object at any time;
• Legal obligation (Art. 6(1)(c)) — tax, accounting, anti-money laundering, responses to lawful requests, and statutory reporting;
• Consent (Art. 6(1)(a)) — optional cookies, direct email marketing to individual subscribers where PECR requires consent, and any specific activity where we have asked for your agreement.

Where we process PHI inside a customer tenant, our legal basis derives from the customer’s instructions and applicable healthcare regulation, not from this Privacy Policy.

4. How we use personal data

• Delivering careos platform: provisioning tenants, authenticating users, operating the Care Graph, AgentOS, Evidence Ledger and connected services on behalf of customers;
• Service improvement: analysing aggregated, de-identified usage to improve reliability, ergonomics and model performance. PHI is never used for cross-customer model training;
• Security and integrity: detecting and responding to unauthorised access, abuse, vulnerabilities, and supply-chain risks;
• Support and communications: responding to support tickets, publishing change notes, sending incident notifications and security advisories;
• Commercial operations: invoicing, credit control, renewals and relationship management;
• Legal and regulatory: meeting our obligations under applicable law and cooperating with regulators.

5. Sharing and disclosure

We do not sell personal data. We share personal data only with the categories of recipient described below, under written contracts that impose confidentiality and data protection obligations.

5.1 Sub-processors and service providers

• Cloud infrastructure providers hosting careos platform in Europe and the USA regions;
• Observability, logging and error-tracking providers;
• Transactional email and notification providers;
• Identity, anti-fraud and security tooling;
• Customer support and CRM tooling;
• Payment and invoicing processors.

A current list of sub-processors with jurisdiction and purpose is maintained in Schedule C of our Data Processing Agreement and is available to customers on request. We provide at least 30 days’ notice of material sub-processor changes.

5.2 Legal and regulatory disclosure

We may disclose personal data where we are required to do so by law, court order, or a binding request from a competent authority. We will challenge overbroad or unlawful requests, notify customers where legally permitted, and limit disclosure to what is strictly necessary.

5.3 Corporate transactions

In the event of a merger, acquisition, financing or sale of assets, personal data may be transferred to a successor entity bound by obligations at least as protective as those in this policy. Customers will be notified in advance.

6. International data transfers

careos platform is operated primarily from the United Kingdom and the United States. Where personal data is transferred outside the UK or European Economic Area to a jurisdiction without an adequacy decision, we rely on appropriate safeguards, including:

• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
• EU Standard Contractual Clauses where an EEA nexus exists;
• UK and EU adequacy decisions, where available;
• Transfer impact assessments considering the legal regime of the destination country and supplementary technical measures such as encryption and key management.

US customers can choose a US-resident deployment of careos platform, in which case PHI remains in the United States by default, subject to the order form.

7. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.

• Website and marketing data: enquiries retained for up to 36 months from last contact; marketing subscriber records retained until unsubscribe plus 12 months of consent evidence;
• Customer account data: retained for the duration of the subscription and, unless otherwise agreed, up to 7 years after termination for tax, audit and legal defence purposes;
• PHI and tenant data: retained in accordance with the customer’s retention schedule and the Data Processing Agreement. At end of contract, data is exported or deleted per customer instruction;
• Audit and security logs: retained per the customer’s configured retention (typically 1–7 years), with minimum retention required for regulatory investigations;
• Backups: rotating schedule with a maximum retention window defined in the SLA.

8. Your rights under UK GDPR and DPA 2018

You have the following rights in relation to your personal data:

• Right of access (Art. 15);
• Right to rectification (Art. 16);
• Right to erasure in certain circumstances (Art. 17);
• Right to restriction of processing (Art. 18);
• Right to data portability (Art. 20);
• Right to object to processing based on legitimate interests (Art. 21);
• Right to withdraw consent where processing is based on consent;
• Right not to be subject to solely automated decisions producing legal or similarly significant effects (Art. 22).

Where ITLOX processes data as a controller, you may exercise these rights by contacting privacy@careosp.com. Where ITLOX processes data as a processor on behalf of a healthcare customer, please contact that customer as the controller; we will assist them in responding.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or with your local supervisory authority.

9. US privacy rights

Where careos platform processes PHI on behalf of a US covered entity, the individual rights of patients — including rights of access, amendment, accounting of disclosures, and restriction — are exercised through the covered entity as required by 45 CFR Part 164 Subpart E. ITLOX, as Business Associate, will assist covered entities in responding to these requests within the timelines agreed in the applicable Business Associate Agreement.

Residents of US states with comprehensive privacy laws (including California, Colorado, Connecticut, Utah, Virginia and Texas) may have additional rights in relation to personal data processed by ITLOX as a controller. ITLOX does not sell personal information and does not share personal information for cross-context behavioural advertising. To exercise state privacy rights, email privacy@careosp.com.

10. Cookies and tracking

careos platform uses a minimal set of strictly necessary and functional cookies. We do not use advertising cookies, cross-site tracking, or third-party trackers on the authenticated application. Full detail is in our Cookie Policy.

11. Security

ITLOX operates a security programme designed to the principles of ISO/IEC 27001 and SOC 2 and to the UK DSPT and NHS Data Security and Protection Toolkit expectations, with HIPAA Security Rule principles applied to US deployments. ITLOX does not currently hold formal ISO 27001, SOC 2 or HIPAA certifications; formal certification is on the roadmap. Measures include:

• Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
• Tenant isolation, role-based access and just-in-time elevation;
• Append-only audit via the Evidence Ledger, with cryptographic anchoring;
• Multi-factor authentication, device trust, and session hardening;
• Continuous vulnerability management, dependency scanning and penetration testing;
• Incident response with breach notification within 24 hours to affected customers and 72 hours to regulators where required.

See the security overview for additional detail.

12. Children’s data

The careos platform marketing site is not directed at children under 16, and we do not knowingly collect personal data from children through that site. As a processor for healthcare customers, careos platform may process data relating to paediatric patients at the instruction of the controller and subject to Article 9 and HIPAA safeguards.

13. Automated decision-making and AI

careos platform includes AI-assisted features provided by the AgentOS module. AgentOS does not make solely automated decisions with legal or similarly significant effects. All clinically influential outputs are routed for human review and are recorded in the Evidence Ledger with model identity, prompt, sources and reviewer. See our AI Disclaimer for a complete statement of AI governance.

14. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, our services, or the law. Material changes will be notified by email (where we hold your address) or via a prominent notice on the careosp.com website. The effective date and version at the top of this page indicate the current release.

15. Contact

ITLOX LTD
167-169 Great Portland Street, London W1W 5PF, United Kingdom

• Privacy enquiries: privacy@careosp.com
• Legal: legal@careosp.com
• General: hello@careosp.com
• Data Protection Officer: dpo@careosp.com

This Privacy Policy is a template intended to support healthcare procurement and diligence. It is not legal advice. Customers and ITLOX should obtain qualified legal review before relying on it for a specific engagement.