Privacy Policy

Last updated: January 15, 2025

This Privacy Policy describes how Pegasi, Inc. ("Pegasi," "we," "us," or "our") collects, uses, stores, and discloses personal information when you visit our website at pegasiio.com, contact us, or interact with our health data intelligence platform. Please read this policy carefully. By using our website or services, you agree to the practices described here.

1. About Pegasi

Pegasi, Inc. is a health data intelligence company headquartered at 6550 Fannin Street, Suite 1800, Houston, TX 77030, United States. We develop AI-powered software for cancer diagnostic support, helping oncology departments integrate multi-modal clinical data into structured diagnostic workflows. We are not a covered entity under HIPAA but operate as a Business Associate to covered entity health system partners.

2. Information We Collect

We collect personal information in the following ways:

2.1 Information You Provide Directly

When you fill out a contact form, request a product demo, subscribe to our newsletter, or correspond with us by email, we collect:

  • Full name and professional title
  • Work email address
  • Institution or organization name
  • Phone number (if provided)
  • The content of your message or inquiry
  • Department, specialty, or role (if provided in context)

2.2 Information Collected Automatically

When you visit pegasiio.com, our systems and third-party analytics tools automatically record:

  • IP address and approximate geographic location (country/city level)
  • Browser type and version
  • Operating system
  • Referring URL (the page you came from)
  • Pages visited on our site and time spent on each
  • Date and time of your visit
  • Device type (desktop, tablet, mobile)
  • Cookie identifiers (see Section 6 for details)

2.3 Clinical Platform Data

Pegasi's clinical software processes patient health data on behalf of our health system clients under signed Business Associate Agreements (BAAs) as required by HIPAA. This data is processed exclusively within each health system's secure IT environment. Protected Health Information (PHI) is never transmitted to Pegasi servers, stored in Pegasi cloud infrastructure, or used for any purpose outside the scope of the applicable BAA. This Privacy Policy does not govern PHI handling. PHI handling is governed by the BAA, the applicable health system's Notice of Privacy Practices, and HIPAA regulations.

3. How We Use Your Information

We use personal information collected from our website for the following purposes:

  • Responding to inquiries: We use contact form submissions to respond to demo requests, partnership inquiries, and support questions.
  • Product and sales communications: With your consent, we may send information about Pegasi products, case studies, or upcoming events. You can opt out at any time.
  • Site improvement: Aggregate analytics data helps us understand how visitors navigate our site and which content is most useful, so we can improve the experience.
  • Legal compliance: We retain records as required by applicable law and may process data to comply with legal obligations or respond to lawful government requests.
  • Security: We monitor access logs and usage patterns to detect and prevent fraud, unauthorized access, and security threats.

We do not sell, rent, or trade personal information to third parties for marketing purposes. We do not use contact form data to add individuals to marketing lists without explicit opt-in consent.

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:

  • Legitimate interests: Responding to business inquiries, improving our website, and maintaining security.
  • Consent: Sending marketing communications and placing non-essential cookies. You may withdraw consent at any time.
  • Legal obligation: Retaining records as required by law and responding to regulatory or legal requests.
  • Contract: Processing data necessary to fulfill contractual obligations with clients and partners.

5. Information Sharing and Disclosure

We share personal information only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers who process data on our behalf, including cloud hosting providers (AWS), email delivery services, CRM platforms, and analytics tools. These providers are contractually prohibited from using your data for any purpose other than providing services to Pegasi and are required to maintain appropriate security measures.

5.2 Legal Requirements

We may disclose personal information if required by law, regulation, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Pegasi, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of Pegasi's assets, personal information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on pegasiio.com. Cookies are small text files placed on your device. We use:

  • Essential cookies: Required for core site functionality such as navigation and security. These cannot be disabled.
  • Analytics cookies: Help us understand traffic patterns, popular pages, and how visitors interact with our site. We use aggregated, anonymized data from these cookies.
  • Preference cookies: Remember your settings, such as cookie consent choices.

You can control cookie preferences through our cookie consent banner when you first visit the site, or by adjusting your browser settings. Note that disabling certain cookies may affect site functionality. For full details on cookies we use, see our Cookie Policy.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law:

  • Contact form submissions and demo request records: 24 months from last interaction
  • Website analytics data: 14 months (then aggregated/anonymized)
  • Email correspondence: 36 months
  • Contractual records with health system clients: 7 years as required by applicable law

You may request deletion of your personal data at any time (subject to legal retention requirements) by contacting us at the address below.

8. Data Security

We implement technical and organizational security measures appropriate to the nature of the data we process. These include TLS 1.2+ encryption for all data in transit, access controls limiting data access to authorized personnel only, regular security assessments of our website and infrastructure, incident response procedures for breach detection and notification, and vendor security reviews for all third-party service providers. No method of electronic transmission or storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. If you believe your information has been compromised, contact us immediately at privacy@pegasiio.com.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

9.1 Rights Under GDPR (EEA/UK Residents)

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data in certain circumstances.
  • Right to restriction: Request that we limit how we process your data.
  • Right to portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

9.2 Rights Under CCPA (California Residents)

California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of personal information we have collected
  • Opt out of the sale of personal information (note: we do not sell personal information)
  • Not be discriminated against for exercising CCPA rights

To exercise any of these rights, email privacy@pegasiio.com with "Privacy Rights Request" in the subject line. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before fulfilling requests.

10. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@pegasiio.com and we will take steps to delete the information.

11. International Data Transfers

Pegasi is based in the United States. If you are located outside the US, your personal information will be transferred to and processed in the US. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives an adequate level of protection. You may request a copy of applicable SCCs by contacting privacy@pegasiio.com.

12. Third-Party Links

Our website may contain links to third-party websites, publications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any external sites you visit. Linking to a third-party site does not constitute an endorsement of their privacy practices.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may also send a notice to the email address on file for our registered users or display a prominent notice on our website. Your continued use of our website after any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Privacy Team:

Pegasi, Inc. — Privacy Team
Email: privacy@pegasiio.com
Phone: +1 (713) 555-5400
Address: 6550 Fannin Street, Suite 1800, Houston, TX 77030, USA

If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu.