Who we are

machineMD Inc. provides the neos system and related cloud and support services.
Privacy inquiries (Data Protection Officer): privacy@machinemd.com.
Written privacy inquiries may be sent to: 1 Broadway, Cambridge, MA 02142, United States.

Our role

For Protected Health Information (PHI) processed through neos, your organization is typically the healthcare provider, Covered Entity, or other responsible party, where applicable.
machineMD processes such Protected Health Information (PHI) on the customer's behalf under the applicable agreement and, where applicable, Business Associate Agreement.
For customer account, user, support, security, billing, and contract-administration data, machineMD may process data for its own legitimate business purposes related to providing and supporting neos.
machineMD does not use patient data for its own independent purposes.

What this notice covers

This notice covers data processed through the neos application, neos cloud services, reports, support workflows, and related logs.
It does not cover website browsing, cookies, or marketing pages.
This notice describes ordinary customer use of neos by customer organizations and authorized users. Patients should generally receive privacy information from the healthcare provider or institution acting as controller. Separate clinical research, complaint, post-market surveillance, or other regulatory workflows may be governed by separate documentation, notices, or contractual terms.

Data we process for the customer and for service administration

Patient and examination data, such as patient ID, name, date of birth, sex, examination date and time, gaze measurements, pupil size, refraction data, examination results, PDF reports, and eye-region video recordings.
Customer account and user data, such as business contact details, usernames, organization name, device identifiers, system configuration, and support-related information.
Security and technical data, including authentication logs, access logs, user activity logs, and system events needed to secure, support, and maintain the service.
De-identified operational and monitoring logs used for troubleshooting, security monitoring, and service analysis. These categories may be processed by machineMD to administer, secure, and support neos.

Why we process data

To provide and operate neos and related cloud services.
To process examinations and generate reports for your clinical use.
To manage customer accounts, user access, support, and ordinary contract administration.
To maintain system security, performance, availability, and auditability.
To investigate defects, resolve incidents, and provide technical support.
To meet applicable legal, regulatory, and quality-system obligations, including medical device safety, complaint handling, and post-market surveillance, where required by law or contract.

What we do not do

We do not sell Protected Health Information (PHI).
We do not use patient data for advertising.
We do not determine medical purposes, patient care decisions, or treatment decisions.
neos is not designed to identify individuals from gaze data or eye videos. It does not create biometric templates or perform identity matching.
neos supports clinical assessment and reporting, but it is not intended to make decisions about individuals without human review.
We do not use customer patient data for product development, machine learning, or other secondary purposes unless you separately instruct us in writing and the use is permitted by law and contract.

How data is shared

machineMD shares data only with authorized personnel and the limited subprocessors needed to provide neos.
Authorized machineMD personnel may access data only as needed to provide requested support, maintain security and availability, investigate defects or incidents, or meet applicable legal, regulatory, or quality-system obligations.
machineMD currently uses the following subprocessors for neos: Microsoft Azure for hosting and storage of patient and examination data, customer data, and related neos cloud data; and Datadog for de-identified application, system, and security logging and monitoring.
Patient and examination data are stored only in Microsoft Azure. Datadog is not used to store patient or examination data.
machineMD requires these subprocessors to protect data under written agreements and applicable privacy and security obligations.
machineMD may also disclose data where required by law, regulation, court order, or to respond to security, fraud, or misuse events.

Where data is stored

neos data is hosted in controlled cloud environments.
For U.S. customers, data is generally stored in the United States unless otherwise agreed in writing.
Storage location does not necessarily limit remote support, security, or regulatory access by authorized machineMD personnel, including personnel located in Switzerland.

Security

machineMD applies administrative, technical, and physical safeguards designed to protect confidentiality, integrity, and availability.
These safeguards include role-based access control, least-privilege access, logging and monitoring, encryption in transit, restricted internal access, and vendor and security review processes.
machineMD limits access to patient-identifying data to authorized personnel with a legitimate need to know.

Retention

machineMD retains data as instructed by the customer and as required by applicable law, contract, and medical-device quality obligations.
For U.S. customer deployments, patient examination records are generally retained for at least 7 years unless a longer period is required by contract or law.
Audit logs related to authentication, access, and changes to patient-related records may be retained for up to 7 years for security, compliance, and investigation purposes.
De-identified operational and security logs may be retained for up to 3 years for troubleshooting, security monitoring, service analysis, or incident investigation. At the end of the applicable retention period, data is deleted or de-identified in accordance with applicable requirements and system constraints.
Upon termination or expiration of the customer relationship, machineMD will delete or return customer data in accordance with the applicable agreement, the Business Associate Agreement, and applicable law, subject to required retention periods, backup cycles, and legal holds.

Customer responsibilities

The customer is responsible for providing required notices to patients, obtaining any required authorizations or consents, determining whether HIPAA and other laws apply to its use of neos, deciding what patient data is entered into neos, managing workforce access and user accounts, and instructing machineMD on retention, export, and deletion where applicable.

Patient rights and requests

For patient data processed through neos, privacy requests should normally be directed to the customer or healthcare provider.
machineMD will support the customer in responding to valid requests to the extent required by law, contract, and the Business Associate Agreement where applicable.
For business contact, account, and support data processed by machineMD directly, requests may be sent to privacy@machinemd.com.

Security incidents

If machineMD becomes aware of a confirmed security incident involving customer data or patient data, machineMD will notify the customer without undue delay and in accordance with applicable law and contract.

Changes to this notice

machineMD may update this notice from time to time.
If a material change is made, the updated version will be made available to customers through the usual contractual or operational channel.

NEOS-01_REC_710-029_Privacy Notice – U.S._V1
Published 16 April 2026