Verus Surgical

Last updated: April 6, 2026 · Effective date: April 6, 2026

Verus Surgical GmbH ("Verus Surgical," "we," "us," or "our") operates the Verus Surgical platform, which includes the Cortex surgical video system, the web portal at my.verussurgical.com, and the Verus Surgical mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Google Play Developer Program Policies.

1. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person, including name, email address, IP address, and device identifiers.
• Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form, as defined by HIPAA.
• Data Controller: The healthcare institution (hospital, clinic, or practice) that deploys the Service and determines the purposes and means of processing patient data. Verus Surgical acts as a Data Processor (GDPR) and Business Associate (HIPAA) on behalf of the Data Controller.
• User: Any healthcare professional, administrator, or authorized individual who accesses the Service.

2. Information We Collect

2.1 Account Information

When your organization provisions an account for you, we collect:

• Full name and email address
• Organizational role and department assignment
• Authentication credentials (password hash — we never store plaintext passwords)
• Multi-factor authentication (MFA) enrollment status

2.2 Surgical Case Data

When the Cortex device records a surgical procedure, the following data may be uploaded to the Service:

• Video recordings (H.265/HEVC encoded)
• Screenshots and thumbnail images
• Case metadata: patient identifier (anonymized ID or initials), patient age, sex, procedure type, surgeon name, timestamps, duration
• Case notes, annotations, and tags added by authorized users

Important: Patient data is pseudonymized at the point of capture. The Cortex device generates a randomized case ID. Linking a case to a specific patient requires access to the hospital's internal records, which are not stored in our Service.

2.3 Device Telemetry

Cortex devices periodically report system health data:

• CPU, RAM, GPU, and disk usage
• Temperature readings
• Network status (IP address, connectivity)
• Software version and uptime

Device telemetry does not contain patient data or PHI.

2.4 Usage Data

We automatically collect:

• Login timestamps and session duration
• Pages viewed and features used (audit log)
• IP address and browser/device user agent
• Push notification token (mobile app only, for delivery purposes)

2.5 Mobile App Data

The Verus Surgical mobile application additionally collects:

• Push notification tokens (Firebase Cloud Messaging) to deliver alerts and notifications
• Biometric authentication events (success/failure only — we never receive, transmit, or store biometric data such as fingerprints or facial geometry; biometric processing occurs entirely on your device)
• Device platform and app version for compatibility and support

The mobile app does not access your contacts, calendar, location, microphone, or photo library unless you explicitly initiate a specific action (e.g., attaching a photo to a Rounds post, which uses the standard system file picker).

3. How We Use Your Information

We do not use your data for advertising, profiling, automated decision-making, or any purpose unrelated to the delivery and improvement of the Service.

4. HIPAA Compliance

4.1 Business Associate Agreement (BAA)

Verus Surgical enters into a Business Associate Agreement with each healthcare institution (Covered Entity) before processing PHI. The BAA governs our obligations regarding the use, disclosure, and safeguarding of PHI.

4.2 PHI Safeguards

• Administrative: Role-based access control (RBAC) with three-tier hierarchy (User, Admin, Super Admin). Multi-tenant isolation ensures organizations cannot access each other's data. Department-level scoping restricts access within organizations. All access is logged in an immutable audit trail retained for 90 days.
• Technical: All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS S3 server-side encryption). Authentication via AWS Cognito with MFA support. Session tokens expire after 1 hour with automatic refresh. Time-limited sharing links expire after a configurable period (default 48 hours).
• Physical: All data is stored in AWS data centers in the EU (eu-central-1, Frankfurt), which maintain SOC 2, ISO 27001, and HIPAA compliance certifications.

4.3 Minimum Necessary Standard

We limit access to PHI to the minimum necessary to accomplish the intended purpose. Users only see cases belonging to their assigned tenant and department(s). Patient identifiers are pseudonymized — only initials and randomized IDs are stored in the Service.

4.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).

5. GDPR Compliance

5.1 Data Controller and Processor

Your healthcare institution is the Data Controller. Verus Surgical acts as a Data Processor, processing personal data solely on behalf of and under the instructions of the Controller. We execute a Data Processing Agreement (DPA) with each Controller.

5.2 Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate personal data.
• Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time.

To exercise these rights, contact your organization's administrator or email us at privacy@verussurgical.com. We will respond within 30 days.

5.3 International Transfers

All data is stored and processed within the European Union (AWS eu-central-1, Frankfurt, Germany). We do not transfer personal data outside the EU/EEA unless required by a Data Controller's instructions and subject to appropriate safeguards (Standard Contractual Clauses or adequacy decision).

5.4 Data Protection Officer

You may contact our Data Protection Officer at:
privacy@verussurgical.com

6. Data Sharing and Disclosure

We do not sell your personal data to third parties. We share data only in the following circumstances:

7. Data Retention

Data Controllers may request deletion of all organizational data at any time. Upon termination of the service agreement, we will delete or return all data within 30 days, unless retention is required by law.

8. Security Measures

• Encryption in transit: All communications use TLS 1.2 or higher. API endpoints are served via AWS API Gateway with HTTPS-only enforcement.
• Encryption at rest: All stored data (S3, DynamoDB) is encrypted using AES-256 server-side encryption.
• Authentication: AWS Cognito with support for multi-factor authentication (TOTP). Password policy enforces minimum 8 characters. Temporary passwords expire after invitation.
• Session management: JWT tokens with 1-hour expiry. Automatic session refresh via secure refresh tokens. Session timeout warnings with countdown timer.
• Access control: Multi-tenant RBAC with department-level scoping. Tenant isolation enforced at the database query level. Cross-tenant data sharing requires explicit tenant administrator approval.
• Audit trail: All significant actions (login, data access, modifications, deletions) are logged with actor, timestamp, IP address, and action detail.
• Input validation: XSS prevention on all user-generated content. S3 path traversal protection. Content-type validation on file uploads.
• Infrastructure: Serverless architecture (AWS Lambda) with no persistent servers to patch. AWS CloudFront CDN with DDoS protection. Regular dependency updates.

9. Children's Privacy

The Service is intended for use by healthcare professionals and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@verussurgical.com.

10. Cookies and Tracking

The Service uses the following client-side storage mechanisms:

We do not use third-party cookies, advertising trackers, analytics services (e.g., Google Analytics), or any form of cross-site tracking. We do not participate in ad networks or data broker ecosystems.

11. Mobile Application

11.1 Permissions

11.2 Data Collected by the Mobile App

The mobile app is a thin wrapper around the web portal. It does not collect additional data beyond what is described in Section 2, with the exception of:

• FCM push token: A device-specific identifier used by Firebase Cloud Messaging to deliver push notifications. This token does not identify the user personally and is deleted on logout.
• App version and platform: Used for compatibility checking and support diagnostics.

11.3 Biometric Data

The app uses your device's built-in biometric hardware (fingerprint sensor or face recognition) to authenticate access to a stored session. No biometric data is ever transmitted to our servers. Biometric processing is handled entirely by the Android BiometricPrompt API or iOS LocalAuthentication framework. We only receive a boolean success/failure result.

11.4 Third-Party SDKs

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify users via an in-app banner or email (for material changes)
• Provide a 30-day notice period before changes affecting data processing take effect

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights:

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For users in Germany, this is the relevant state data protection authority (Landesdatenschutzbehörde).