Last updated: 20 November 2025
1. Introduction
This Privacy Policy explains how XOresearch SIA (“XOresearch”, “we”, “us”) collects, uses, discloses and protects personal data when you:
- visit our website cardio.ai (the “Website”),
- use the Cardio.AI™ Platform (the “Platform”),
- communicate with us via forms, email, phone, or events.
Cardio.AI™ is a Class IIa medical device software under EU MDR (Rule 11) that provides AI-assisted ECG analysis for clinical professionals.
We comply with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. If you are a patient whose ECG data is analysed using Cardio.AI, please read Section 3.2 carefully.
2. Data Controller
For the Website, Platform accounts and business communications, the data controller is:
XOresearch SIA
Reg. No.: 50103912671
Republikas laukums 3–225, Rīga, LV-1010, Latvia
E-mail: getintouch@cardio.ai
For ECG data processed on behalf of healthcare providers using the Platform, we act as a data processor, and the healthcare provider is the data controller.
3. Scope of this Privacy Policy & Roles
3.1 Website visitors, partners & Platform user accounts
For:
- visitors of the Website,
- representatives of hospitals/clinics,
- users of the Cardio.AI Platform (Uploader, ECG Editor, Admin),
XOresearch acts as a data controller.
3.2 Patients whose ECG data is processed via Cardio.AI
When Cardio.AI is used in a clinical setting:
- Your healthcare provider is the data controller of your ECG and related medical data.
- XOresearch acts as a data processor, strictly following the provider’s documented instructions under a written Data Processing Agreement.
Cardio.AI:
- does not perform real-time monitoring,
- does not analyse pacemaker signals,
- is intended only for adult patients (18+).
Your primary contact for medical records and data rights is your healthcare provider.
4. Personal Data We Collect
4.1 Data you provide directly
Website forms / emails / calls
We collect:
- name, job title, organisation, contact details,
- message content, attachments, inquiries,
- any information you choose to share.
The Website forms request your consent to process this information.
Business relationship data
Includes:
- professional details,
- contracts, invoices, licensing information,
- communication history.
Platform Account Data
Platform user profiles include:
- full name, email, organisation, role (Uploader, ECG Editor, Admin, Support),
- hashed password,
- audit logs (logins, actions, approvals).
4.2 Data collected automatically (Website & Platform)
- IP address, browser, OS, device type,
- pages accessed, interaction logs,
- security logs and diagnostic information.
This data is collected via server logs and cookies. Server logs are processed automatically and used only for monitoring the health status of the Platform itself. Cookies are used only for normal user interaction with the Platform and are not transferred to any third party.
4.3 Patient ECG & health data (processed as processor)
Cardio.AI processes, on behalf of healthcare providers:
- ECG recordings in EDF / BDF formats,
- derived AI annotations (PQRST points, intervals, arrhythmia classifications),
- patient metadata (internal patient ID, age, sex, recording time),
- audit history (which clinician viewed/approved data).
These data categories are described in the IFU. XOresearch does not use identifiable patient data for algorithm training unless the provider authorises it and legal bases permit. Anonymised data may be used for research and product improvement.
5. Purposes & Legal Bases
5.1 Website visitors & contact requests
- Respond to inquiries → Art. 6(1)(b)/(f) GDPR
- Maintain Website security → Art. 6(1)(f) GDPR
- Analytics (non-essential cookies) → Art. 6(1)(a) GDPR
- B2B marketing communications → Art. 6(1)(f) GDPR (+ e-privacy rules)
5.2 Platform user accounts
- Provide access & operate the Platform → Art. 6(1)(b)
- Maintain MDR-required logs & traceability (Class IIa device) → Art. 6(1)(c)
- Security & performance of medical software → Art. 6(1)(f)
5.3 Patient ECG data
Processed only on behalf of healthcare providers:
- Legal basis determined by the provider, typically Art. 9(2)(h) GDPR.
- XOresearch never uses this data for independent commercial purposes.
6. Cookies
We use:
- essential cookies (security, session management),
- non-essential analytics cookies (with consent).
Cookie settings can be changed anytime.
7. How We Share Personal Data
We do not sell or transfer any personal data.
We may share data with:
Healthcare providers
For patient ECG reports, audit logs, and clinical traceability.
Trusted service providers
For hosting, backups, email delivery, analytics, and security. They act under strict processor agreements.
Professional advisors, auditors, insurers
Under confidentiality.
Regulators (e.g., MDR compliance)
If legally required (e.g., vigilance reporting).
Business transfers
Under protective safeguards.
8. International Transfers
Where applicable, transfers follow:
- European Commission adequacy decisions, or
- Standard Contractual Clauses (SCCs) with additional safeguards.
Information on specific safeguards is available upon request.
9. Data Retention
Retention times correspond to GDPR requirements and to MDR-compliant documentation processes.
Website & business data
3–6 years depending on legal requirements.
Platform user accounts
Stored for the duration of the institutional contract and regulatory documentation periods.
Patient ECG data
- 6–12 months: complete data (raw ECG, AI annotations, reports).
- 12 months–5 years: raw ECG data only.
After expiry, data is deleted or irreversibly anonymised.
Healthcare providers may define longer retention periods under national medical records laws.
10. Data Security
We use MDR-compliant technical and organisational measures, including:
- encryption in transit and at rest,
- strict role-based access control (Uploader / Editor / Admin / Support),
- secure development lifecycle (IEC 62304),
- server hardening,
- audit logs,
- regular backups,
- cybersecurity risk management.
Users are advised to follow good security practices (strong passwords, logout, updated browsers).
11. Your Rights
Depending on your role, you may request:
- access,
- rectification,
- deletion,
- restriction,
- portability,
- objection,
- withdrawal of consent.
Patients must submit requests via their healthcare provider, who is the controller.
For XOresearch-controlled data, contact: getintouch@cardio.ai
You may also lodge a complaint with the Latvian Data State Inspectorate.
12. Children
The Platform and Website are not intended for children.
Cardio.AI processes ECG data only for adults (18+).
13. Changes to This Policy
We may update this Policy due to legal, technical or operational changes. Material updates will be communicated on the Website or within the Platform.
14. Contact Us
XOresearch SIA
Republikas laukums 3–225, Rīga, LV-1010, Latvia
Email: getintouch@cardio.ai
If your query relates to data processed on behalf of your healthcare provider, we may redirect your request to them.