Panopteia is a fictional company from Highly Compatible — a novel by Olivia Hudson. Read the book →
Legal · Privacy

Privacy Policy

Panopteia operates inside healthcare, emergency services, and public-access workflows. Privacy is not a compliance checkbox — it is a prerequisite for the trust that makes our work possible. This policy explains what we collect, why, and what you can do about it.

Effective dateJanuary 1, 2024
Last revisedQ1 2024
Applies topanopteia.com and all Panopteia-operated platform interfaces

What we collect

We collect different categories of information depending on whether you are visiting our public website, using a Panopteia-operated platform under an institutional agreement, or interacting with a product like Panopteia Life directly.

Information you give us directly

  • Contact and inquiry data — name, email address, organization, and message content when you submit a contact or demo request form.
  • Application data — name, work history, and supporting materials when you apply for a role.
  • Account credentials — email and hashed password if you create a platform account.

Information generated by your use of our systems

  • Interaction logs — actions taken within the platform, timestamps, and the contextual signals used in authorization decisions. These logs are the foundation of our Subject Rights commitments.
  • Recognition and continuity data — where an institution has deployed TheiaX or Continuity services, signals used to establish identity continuity across sessions (see our Subject Rights commitments).
  • Support data — content of support communications and the system state at the time of the issue.

Information collected automatically on this website

  • Usage data — pages visited, referrer, browser type, and session duration, collected via first-party analytics. We do not use Google Analytics or other third-party behavioral trackers.
  • Cookies and local storage — see our Cookie Policy for detail.

We do not sell personal data. We do not use personal data to train machine-learning models without explicit, time-bounded institutional consent. These are constraints, not aspirations — they are reflected in our Data Processing Agreements and Trust & Governance Council charter.

How we use it

We use the information we hold for the following purposes:

  • Delivering and improving services — operating the platform, diagnosing faults, and improving reliability and fairness.
  • Fulfilling contractual obligations — processing data as instructed by institutional customers under a signed Data Processing Agreement.
  • Trust and safety — detecting and investigating misuse, unauthorized access, or system integrity issues.
  • Legal compliance — meeting obligations under applicable law, including healthcare data regulations, employment law, and law enforcement requests where legally compelled.
  • Communications — responding to inquiries, sending service notices, and (with consent) sharing research updates or product news. You can withdraw marketing consent at any time.

We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals outside of an institutional agreement that explicitly authorizes such use and provides for human review.

Who we share with

We share personal data only in the circumstances described below. We do not sell data to data brokers, advertisers, or any third party.

Institutional customers

When you interact with a Panopteia-operated system deployed by a hospital, public agency, or other institution, that institution is the data controller. We act as a data processor on their behalf, under a signed DPA.

Service providers

We use a limited set of sub-processors for infrastructure, secure communications, and payment processing. All sub-processors are bound by data processing terms consistent with this policy. A current list of sub-processors is available on request.

Legal and regulatory obligations

We may disclose data if required by law, court order, or regulatory authority. Where we are legally permitted to do so, we will notify affected parties before complying and will challenge requests we believe are overbroad.

Business transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. We will provide notice before any such transfer and before data becomes subject to a different privacy policy.

Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law.

  • Website inquiries — 24 months from the date of last interaction.
  • Platform interaction logs — as specified in the applicable DPA, typically 36 months for audit purposes.
  • Subject-access records — 7 years to support dispute resolution and regulatory review.
  • Job applications — 12 months for unsuccessful candidates unless you consent to a longer period.

When a retention period expires, data is deleted or irreversibly anonymized on a rolling basis. Deletion timelines are reported in the quarterly Trust & Continuity Report.

Security

We apply layered technical and organizational controls to protect personal data, including encryption at rest and in transit, tiered access controls, continuous audit logging, and independent security review. Our security posture is described in our Trust Framework.

No system is immune to breach. If a security incident affects your personal data, we will notify you in accordance with our 72-hour disclosure policy and applicable breach notification law.

Your rights

Depending on where you are located, you may have some or all of the following rights. We apply the most protective standard available regardless of your jurisdiction — you do not need to know which law applies to invoke these rights.

  • Access — receive a copy of the personal data we hold about you.
  • Correction — correct inaccurate or incomplete data, with downstream propagation across consenting partner systems.
  • Deletion — request deletion of your data, subject to legal retention obligations.
  • Restriction — ask us to pause processing while accuracy or lawfulness is disputed.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest or for direct marketing.
  • Human review — escalate any automated decision to a human reviewer.

To exercise any of these rights, use the contact form. We will respond within 30 days. There is no charge for a first request in any 12-month period.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

International transfers

If you are located in a jurisdiction with data transfer restrictions, we take appropriate steps to ensure that any transfer of your personal data is subject to suitable safeguards consistent with applicable law.

Details of applicable transfer mechanisms are available on request via the contact form.

Children

Our public website and most platform services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 without verified parental or guardian consent. If you believe we have inadvertently collected such data, contact us via the contact form and we will delete it promptly.

Deployments in healthcare, education, or public-service contexts may involve processing data about minors under institutional direction; those deployments are governed by a separate DPA that addresses applicable child-data requirements.

Changes to this policy

We will post material changes to this policy at least 30 days before they take effect, with a notice on this page and an entry in our public incident log. Non-material clarifications take effect immediately. The effective date at the top of this page is always current.

Continuing to use our services after the effective date of a change constitutes acceptance of the revised policy.

Contact

Privacy inquiries, subject-access requests, and data-related complaints should be submitted via the contact form. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.