EU GDPR
Privacy Policy — European Union
Last updated: 24 March 2026 · Effective date: 24 March 2026
1. Who We Are
The Fractal Resonance Model platform ("FRM", "we", "us", "our") is operated by Neuro-Medtech UK Ltd, a company registered in England and Wales.
We are the data controller for the personal data processed through this platform, as defined under Regulation (EU) 2016/679 (the General Data Protection Regulation, "EU GDPR").
Where required under EU GDPR Article 27, we will appoint a representative in the European Union. Details of our EU Representative will be published here once appointed.
Data Controller: Neuro-Medtech UK Ltd
3 Janson Court, Reading, RG1 6NA, UK
Phone: +44 7402 802288
2. Scope and Applicability
This privacy policy applies to the processing of personal data of individuals located in the European Union and the European Economic Area (EEA).
The EU GDPR applies to our processing activities under Article 3(2), as we offer services to data subjects in the EU, regardless of whether the controller is established within the EU.
This policy should be read alongside any jurisdiction-specific privacy notices we may provide. Where there is a conflict between this policy and mandatory provisions of EU member state law, the member state law shall prevail.
3. What Data We Collect
We collect and process the following categories of personal data depending on your role and use of the platform:
Account and Identity Data
- Full name, email address, and login credentials (hashed with bcrypt)
- Role assignment (super_admin, admin, technician, or patient)
- Clinic association and organisational identifiers
Patient Clinical Data
- Date of birth, age, sex, and clinical identifiers
- Medical history and medication records relevant to neurological assessment
- Session recordings and condition metadata (eyes-closed, eyes-open, activity)
Neurological and qEEG Data
- Quantitative electroencephalography (qEEG) recordings across 19 standard 10-20 electrodes
- Spectral analysis results: power spectral density, band power, and alpha peak frequency
- Fractal analysis metrics: DFA, Hurst exponent, Higuchi fractal dimension, entropy, and correlation dimension
- Resonance model outputs: i-APF, i-FAI, CDI, BDWS scores, and Better Frequencies
Usage and Technical Data
- IP address, browser type, and device information
- Session timestamps and platform interaction logs
- Audit trail records (immutable, append-only)
4. Special Category Health Data
EEG recordings and neurological analysis results constitute special category data under EU GDPR Article 9. We process this data under the following conditions:
- EU GDPR Article 9(2)(a) — the data subject has given explicit consent to the processing of their personal data for one or more specified purposes
- EU GDPR Article 9(2)(h) — processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services
- EU GDPR Article 9(2)(j) — processing is necessary for scientific research purposes in accordance with Article 89(1), subject to appropriate safeguards
EU member states may introduce additional conditions, including limitations, with regard to the processing of health data under Article 9(4). We comply with any such member state derogations applicable to the jurisdictions in which we operate.
5. Legal Basis for Processing
Under EU GDPR Article 6, we rely on the following lawful bases for processing personal data:
| Processing Activity | Legal Basis | EU GDPR Article |
|---|---|---|
| User account creation and authentication | Performance of a contract | Art. 6(1)(b) |
| qEEG analysis and clinical reporting | Provision of health care (special category) | Art. 9(2)(h) |
| Platform security and audit logging | Legitimate interests | Art. 6(1)(f) |
| Fractal resonance research (Research Mode) | Scientific research with safeguards | Art. 9(2)(j) / Art. 89 |
| Compliance with legal and regulatory obligations | Legal obligation | Art. 6(1)(c) |
| Optional marketing and service communications | Consent | Art. 6(1)(a) |
6. How We Use Your Data
We process your personal data for the following purposes:
- Clinical analysis: Processing qEEG recordings through our spectral and fractal analysis pipeline to generate individual Alpha Peak Frequency (i-APF), Fibonacci Alpha Index (i-FAI), Cognitive Decline Index (CDI), and Brain Dynamic Wellness Scores (BDWS)
- Report generation: Producing clinical reports with fractal resonance metrics, Better Frequencies, and neuromodulation protocol recommendations
- Protocol computation: Calculating personalised fractal neuromodulation protocol adjustments using our proprietary formula
- Longitudinal monitoring: Tracking changes in neurological metrics across sessions to assess treatment efficacy
- Platform security: Maintaining audit trails, enforcing role-based access control, and detecting unauthorised access
- Scientific research: When Research Mode is enabled, processing anonymised data for academic and clinical research purposes in compliance with ethics committee approvals
7. International Data Transfers
Because we are a UK-based controller processing the personal data of EU data subjects, international data transfers are a key aspect of our data protection framework.
UK Adequacy Decision
On 28 June 2021, the European Commission adopted an adequacy decision for the United Kingdom under Article 45 of the EU GDPR, recognising that the UK provides an essentially equivalent level of data protection. This decision permits the transfer of personal data from the EU/EEA to the UK without additional safeguards.
Supplementary Safeguards
In addition to the adequacy decision, we implement the following supplementary measures:
- Standard Contractual Clauses (SCCs): We maintain EU Commission-approved SCCs (Commission Implementing Decision (EU) 2021/914) as a supplementary transfer mechanism in the event the adequacy decision is revoked or expires.
- Transfer Impact Assessment (TIA): We conduct and maintain a documented assessment of the legal framework in the UK to ensure continued adequacy of data protection for EU data subjects.
- Technical measures: All data in transit between EU-based users and our UK servers is encrypted with TLS 1.2 or higher. Data at rest is protected by two-layer encryption (application-level Fernet + volume-level AES-256).
Onward Transfers
Where personal data is transferred from the UK to any other third country, we ensure that one of the following safeguards under EU GDPR Articles 46 or 49 is in place:
- An adequacy decision by the European Commission
- Standard Contractual Clauses approved by the European Commission
- Binding corporate rules approved by a competent supervisory authority
- Explicit consent of the data subject, after being informed of the possible risks (Art. 49(1)(a))
8. Data Storage and Security
We implement comprehensive technical and organisational measures to protect your personal data in accordance with EU GDPR Article 32.
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API communications use HTTPS exclusively.
Encryption at Rest
Patient data is protected by two layers of encryption at rest:
- Application layer: Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) applied to sensitive fields before database storage
- Volume layer: AES-256 full-disk encryption on all storage volumes
Authentication and Access Control
- JWT-based authentication: Access tokens (30 minutes) and refresh tokens (7 days) with automatic expiry
- Password security: All passwords hashed with bcrypt (cost factor 12)
- Role-Based Access Control (RBAC): Four-tier permission model (super_admin, admin, technician, patient) enforced server-side on every request
Breach Notification
In the event of a personal data breach, we will notify the lead supervisory authority within 72 hours of becoming aware of the breach, as required by EU GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected data subjects directly without undue delay under Article 34.
9. Data Retention
In accordance with the storage limitation principle under EU GDPR Article 5(1)(e), we retain personal data only for as long as necessary to fulfil the purposes for which it was collected.
| Data Type | Retention Period | Basis |
|---|---|---|
| Clinical EEG records (adults) | 10 years after last treatment (may vary by member state) | Member state medical records legislation |
| Clinical EEG records (children) | Until 25th birthday or 10 years after last treatment, whichever is longer (may vary by member state) | Member state medical records legislation |
| User account data | Duration of account plus 2 years | Contract performance / Legitimate interest |
| Audit trail logs | 10 years (immutable) | Regulatory compliance / Legal obligation |
| Anonymised research data | Indefinite (no longer personal data) | EU GDPR Art. 89 / Scientific research |
| Technical and usage logs | 12 months | Legitimate interest / Security |
Retention periods for medical records vary significantly across EU member states. We apply the longer of our standard retention period or the period required by the applicable member state legislation.
10. Third Parties and Data Sharing
We do not sell your personal data. We may share data with the following categories of recipients, under appropriate safeguards:
- Clinical team members: Authorised technicians and administrators within your clinic, governed by RBAC permissions
- AI processing services: Where AI-assisted analysis is used (Ollama for local inference, or Claude API for cloud-based analysis), data is processed under strict data processing agreements compliant with EU GDPR Article 28. Local AI processing (Ollama) keeps all data on-premises.
- Legal and regulatory authorities: Where required by law, court order, or regulatory investigation
- Service providers: Hosting, database, and infrastructure providers operating under data processing agreements compliant with EU GDPR Article 28
All sub-processors are bound by data processing agreements that impose obligations no less protective than those set out in this policy, including obligations regarding international data transfers.
11. AI Processing and Automated Analysis
The FRM platform uses algorithmic and AI-assisted processing to analyse qEEG data. Under EU GDPR Article 22 and Recital 71, we confirm the following:
- Decision-support only: All AI and algorithmic outputs (i-APF, i-FAI, CDI, BDWS, Better Frequencies, neuromodulation protocols) are presented as decision-support tools. No solely automated decisions with legal or similarly significant effects are made.
- Clinician oversight: A qualified clinician must review, interpret, and approve all analysis results before any clinical action is taken. The platform is a tool, not a substitute for professional clinical judgement.
- Transparency: You have the right to request meaningful information about the logic involved in any automated processing, as well as the significance and envisaged consequences of such processing (Art. 13(2)(f) and Art. 14(2)(g)).
- Right to contest: You have the right to obtain human intervention, express your point of view, and contest any automated decision (Art. 22(3)).
12. Your Rights
Under the EU GDPR, you have the following rights in relation to your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you, free of charge.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decisions (Art. 22): You have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Judicial Remedy and Compensation
Under Article 79, you have the right to an effective judicial remedy against a controller or processor if you consider that your rights under the EU GDPR have been infringed. Under Article 82, you have the right to receive compensation from the controller or processor for material or non-material damage suffered as a result of an infringement of the EU GDPR.
Right to Complain
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77). You may also lodge a complaint with the European Data Protection Board (EDPB).
To exercise any of these rights, please contact us using the details provided in Section 16. We will respond to your request within one month, as required by EU GDPR Article 12(3).
13. Cookies and Local Storage
The FRM platform minimises the use of client-side storage. In accordance with the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), we do not use tracking cookies or third-party analytics.
- No tracking cookies: We do not set any cookies for advertising, analytics, or cross-site tracking purposes.
- JWT in memory: Authentication tokens are stored in JavaScript memory (not cookies or localStorage) and are discarded when the browser tab is closed.
- sessionStorage for UI state: Temporary UI preferences are stored in sessionStorage and cleared when the session ends.
- localStorage for language: Your selected language preference is stored in localStorage to persist across visits. This contains no personal data.
As we use only strictly necessary storage mechanisms (exempt under Art. 5(3) of the ePrivacy Directive), cookie consent is not required for the storage described above.
14. Children's Data
Where the FRM platform processes data relating to children, the following safeguards apply in accordance with EU GDPR Article 8:
- Digital consent age: Under Article 8, the age at which a child can provide their own consent for information society services varies between 13 and 16 years depending on the member state. We apply the consent age of the member state applicable to the data subject.
- Parental or guardian consent: For children below the applicable digital consent age, processing requires consent from the holder of parental responsibility over the child.
- Clinical context: In a clinical healthcare context, processing of a child's health data requires explicit consent from a parent or legal guardian, in addition to any other lawful basis. This applies regardless of the digital consent age threshold.
- Extended retention: Clinical records for children are retained in accordance with the applicable member state legislation for medical records involving minors.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- The "Last updated" date at the top of this policy will be revised.
- We will notify registered users via the platform or by other appropriate means.
- Where changes affect the lawful basis for processing or introduce new categories of data processing, we will seek fresh consent where required.
We encourage you to review this policy periodically to stay informed about how we protect your data.
16. Contact, EU Representative, and Complaints
Data Controller
Neuro-Medtech UK Ltd
3 Janson Court, Reading, RG1 6NA, UK
Phone: +44 7402 802288
EU Representative (Article 27)
Where required under EU GDPR Article 27, we will appoint a representative established in the European Union. The details of our EU Representative will be published here once appointed.
Complaints to Supervisory Authorities
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the supervisory authority of the EU member state in which you reside, work, or in which the alleged infringement took place (Art. 77).
A list of EU/EEA data protection authorities is maintained by the European Data Protection Board (EDPB):
European Data Protection Board
Rue Wiertz 60, B-1047 Brussels, Belgium
Website: edpb.europa.eu