Verus Surgical Platform
Last updated: April 6, 2026 · Effective date: April 6, 2026
Verus Surgical, Inc. ("Verus Surgical," "we," "us," or "our") operates the Verus Surgical system, which includes the Cortex surgical video system, the web portal at my.verussurgical.com, and the Verus Surgical mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Google Play Developer Program Policies.
Personal Data means any information relating to an identified or identifiable natural person, including name, email address, IP address, and device identifiers. Protected Health Information (PHI) means individually identifiable health information transmitted or maintained in any form, as defined by HIPAA. The Data Controller is the healthcare institution (hospital, clinic, or practice) that deploys the Service and determines the purposes and means of processing patient data; Verus Surgical acts as a Data Processor (GDPR) and Business Associate (HIPAA) on behalf of the Data Controller. A User is any healthcare professional, administrator, or authorized individual who accesses the Service.
When your organization provisions an account for you, we collect your full name, email address, organizational role and department assignment, authentication credentials (password hash — we never store plaintext passwords), and multi-factor authentication (MFA) enrollment status.
When the Cortex device records a surgical procedure, the following data may be uploaded to the Service: video recordings (H.265/HEVC encoded), screenshots and thumbnail images, case metadata (patient identifier as anonymized ID or initials, patient age, sex, procedure type, surgeon name, timestamps, and duration), and case notes, annotations, and tags added by authorized users.
Important: Patient data is pseudonymized at the point of capture. The Cortex device generates a randomized case ID. Linking a case to a specific patient requires access to the hospital's internal records, which are not stored in our Service.
Cortex devices periodically report system health data, including CPU, RAM, GPU, and disk usage, temperature readings, network status (IP address, connectivity), and software version and uptime. Device telemetry does not contain patient data or PHI.
We automatically collect login timestamps and session duration, pages viewed and features used (audit log), IP address and browser/device user agent, and push notification tokens (mobile app only, for delivery purposes).
The Verus Surgical mobile application additionally collects push notification tokens (Firebase Cloud Messaging) to deliver alerts and notifications, biometric authentication events (success/failure only — we never receive, transmit, or store biometric data such as fingerprints or facial geometry; biometric processing occurs entirely on your device), and device platform and app version for compatibility and support.
The mobile app does not access your contacts, calendar, location, microphone, or photo library unless you explicitly initiate a specific action (e.g., attaching a photo to a Rounds post, which uses the standard system file picker).
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) | Account info, case data, device telemetry |
| Authenticate users and enforce access control | Performance of contract | Credentials, MFA status, role, department |
| Send push notifications (alerts, mentions, case updates) | Legitimate interest (Art. 6(1)(f)) | Push tokens, user preferences |
| Monitor device health and generate alerts | Legitimate interest | Device telemetry |
| Maintain audit logs for compliance and security | Legal obligation (Art. 6(1)(c)) / Legitimate interest | Login events, actions, IP addresses |
| Improve the Service (aggregated analytics) | Legitimate interest | Anonymized usage statistics |
| Respond to support requests | Performance of contract | Account info, usage data |
We do not use your data for advertising, profiling, automated decision-making, or any purpose unrelated to the delivery and improvement of the Service.
Verus Surgical enters into a Business Associate Agreement with each healthcare institution (Covered Entity) before processing PHI. The BAA governs our obligations regarding the use, disclosure, and safeguarding of PHI.
Administrative safeguards include role-based access control (RBAC) with a three-tier hierarchy (User, Admin, Super Admin), multi-tenant isolation ensuring organizations cannot access each other's data, department-level scoping to restrict access within organizations, and an immutable audit trail of all access events.
Technical safeguards include encryption of all data in transit (TLS 1.2+) and at rest (AES-256 via AWS S3 server-side encryption), authentication via AWS Cognito with MFA support, session tokens that expire after 1 hour with automatic refresh, and time-limited sharing links that expire after a configurable period (default 48 hours).
Physical safeguards are provided by AWS: all data is stored in AWS data centers in the EU (eu-central-1, Frankfurt), which maintain SOC 2, ISO 27001, and HIPAA compliance certifications.
We limit access to PHI to the minimum necessary to accomplish the intended purpose. Users only see cases belonging to their assigned tenant and department(s). Patient identifiers are pseudonymized — only initials and randomized IDs are stored in the Service.
In the event of a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Where GDPR applies, we will additionally notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, in accordance with GDPR Art. 33, and the affected Data Controller without undue delay.
Your healthcare institution is the Data Controller. Verus Surgical acts as a Data Processor, processing personal data solely on behalf of and under the instructions of the Controller. We execute a Data Processing Agreement (DPA) with each Controller.
Under the GDPR, you have the right to access a copy of the personal data we hold about you (Art. 15), to rectification of inaccurate data (Art. 16), to erasure of your data subject to legal retention obligations (Art. 17), to restriction of processing in certain circumstances (Art. 18), to data portability in a structured, machine-readable format (Art. 20), to object to processing based on legitimate interests (Art. 21), and to withdraw consent at any time where processing is based on consent (Art. 7(3)).
To exercise these rights, contact your organization's administrator or email us at privacy@verussurgical.com. We will respond within 30 days.
All surgical case data, account data, and audit logs are stored and processed within the European Union (AWS eu-central-1, Frankfurt, Germany). We do not transfer this data outside the EU/EEA unless required by a Data Controller's instructions and subject to appropriate safeguards (Standard Contractual Clauses or an adequacy decision).
Our push notification service (Firebase Cloud Messaging, operated by Google LLC) processes device tokens on infrastructure that may be located outside the EU/EEA. Device tokens are pseudonymous identifiers that do not contain PHI or directly identify users. Google's processing is covered by the EU–U.S. Data Privacy Framework and Google's Data Processing Terms, which include Standard Contractual Clauses.
For questions about data protection or to exercise your rights under the GDPR, you may contact us at privacy@verussurgical.com.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For users in Bavaria, Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany (www.lda.bayern.de).
We do not sell your personal data to third parties. We share data only in the following circumstances:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (compute, storage, database, authentication) | DPA, SOC 2, ISO 27001, HIPAA BAA with AWS |
| Firebase (Google) | Push notification delivery (mobile app) | Only device tokens are shared; no PHI or case data. EU–U.S. Data Privacy Framework and SCCs apply. |
| Your organization's administrators | User management, audit review | RBAC, audit logging |
| Other users within your organization | Collaborative features (Rounds posts, case sharing) | Scope controls (department/tenant/public), time-limited links |
| Law enforcement | When required by law, subpoena, or court order | We will notify the Data Controller where legally permitted |
| Data Type | Retention Period | Basis |
|---|---|---|
| Surgical case data (video, screenshots, metadata) | As determined by Data Controller's retention policy | Medical record retention requirements |
| User accounts | Duration of employment/affiliation + 30 days after deletion request | Contract performance |
| Audit logs | Minimum 6 years, or as required by applicable law and the governing BAA | HIPAA (45 CFR § 164.530(j)), security and compliance |
| Device telemetry | Overwritten with each heartbeat (latest values only) | Operational necessity |
| Push notification tokens | Until logout or app uninstall | Service delivery |
| Time-limited share links | Configurable (default 48 hours, automatic expiration) | User-initiated sharing |
Data Controllers may request deletion of all organizational data at any time. Upon termination of the service agreement, we will delete or return all data within 30 days, unless retention is required by law.
All communications use TLS 1.2 or higher, and API endpoints are served via AWS API Gateway with HTTPS-only enforcement. All stored data in S3 and DynamoDB is encrypted using AES-256 server-side encryption. Authentication is handled by AWS Cognito with support for multi-factor authentication (TOTP); the password policy enforces a minimum of 8 characters, and temporary passwords expire after invitation. JWT session tokens expire after 1 hour with automatic refresh via secure refresh tokens, and users receive a session timeout warning with a countdown timer.
Access control is enforced through multi-tenant RBAC with department-level scoping, with tenant isolation applied at the database query level and cross-tenant data sharing requiring explicit tenant administrator approval. All significant actions — including login, data access, modifications, and deletions — are logged with the actor, timestamp, IP address, and action detail. Input validation includes XSS prevention on all user-generated content, S3 path traversal protection, and content-type validation on file uploads. The Service runs on a serverless architecture (AWS Lambda) with no persistent servers to patch, behind AWS CloudFront CDN with DDoS protection and regular dependency updates.
The Service is intended for use by healthcare professionals and is not directed at individuals under the age of 16 (the minimum age of digital consent under German law implementing GDPR Art. 8). In the United States, we do not knowingly collect personal data from children under 13 in accordance with the Children's Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@verussurgical.com.
The Service uses the following client-side storage mechanisms:
| Mechanism | Purpose | Duration |
|---|---|---|
| sessionStorage (id_token, access_token, refresh_token) | Maintain authenticated session | Browser session (cleared on tab close) |
| localStorage (refresh_token — mobile app only) | Enable biometric unlock on next app launch | Until logout |
| localStorage (mfa_trust_*) | Remember trusted device for MFA bypass (30 days) | 30 days |
| localStorage (theme) | Remember display theme preference | Indefinite |
We do not use third-party cookies, advertising trackers, analytics services (e.g., Google Analytics), or any form of cross-site tracking. We do not participate in ad networks or data broker ecosystems.
The mobile app requires internet access to connect to the Service and network state access to display an offline/online indicator. Optionally, it may request biometric permission (USE_BIOMETRIC) for fingerprint or face unlock with a password fallback, push notification permission (POST_NOTIFICATIONS) to receive alerts and updates, and camera access to attach photos to Rounds posts. Optional permissions are requested only when the user initiates the relevant action.
The mobile app is a thin wrapper around the web portal. It does not collect additional data beyond what is described in Section 2, with the exception of an FCM push token (a device-specific identifier used by Firebase Cloud Messaging to deliver push notifications, which does not identify the user personally and is deleted on logout) and app version and platform information used for compatibility checking and support diagnostics.
The app uses your device's built-in biometric hardware (fingerprint sensor or face recognition) to authenticate access to a stored session. No biometric data is ever transmitted to our servers. Biometric processing is handled entirely by the Android BiometricPrompt API or iOS LocalAuthentication framework. We only receive a boolean success/failure result.
The only third-party SDK used by the mobile app is Firebase Cloud Messaging, which is used for push notification delivery. Only the device token is shared with Firebase; no PHI or case data is transmitted. Google's privacy policy is available at firebase.google.com/support/privacy.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page, notify users via an in-app banner or email, and provide a 30-day notice period before changes affecting data processing take effect.
If you have questions about this Privacy Policy or wish to exercise your data protection rights:
Verus Surgical, Inc.
San Francisco, California, United States
Email: privacy@verussurgical.com
For data protection inquiries under the GDPR: privacy@verussurgical.com