This agreement describes how inou processes your health data. It applies to all users and any third-party services that access your data through our platform.
You. You decide what data to upload, who can access it, and when to delete it.
inou. We store, encrypt, and transmit your data according to your instructions.
You may connect external services to your account, such as AI assistants. These services operate as independent controllers or as processors engaged directly by you — not as our sub-processors. We do not engage sub-processors for storage or core functionality.
Medical imaging (DICOM files including MRI, CT, X-ray), laboratory results, genetic/genomic data, and any other health information you upload. Genetic and genomic data constitutes special category data under GDPR Article 9 and is processed solely on the basis of your explicit consent.
Name, email address, date of birth, and sex. Used for account management and medical context.
IP addresses and session identifiers. Used exclusively for security and access control.
All health data is encrypted using FIPS 140-3 validated cryptography before storage. Data resides on dedicated infrastructure in the United States that we own and operate.
All data in transit is protected by TLS 1.3 encryption. When you connect third-party services, data travels through an encrypted bridge directly to your session.
Only you and accounts you explicitly authorize can access your data. Staff access requires your explicit request, is restricted to senior personnel, and is logged.
We process your data solely to provide the service. Specifically, we do not:
When you connect an AI assistant or other service to inou:
We recommend reviewing the privacy policy of any service you connect.
FIPS 140-3 validated encryption at rest. TLS 1.3 encryption in transit. Application-layer encryption before database storage.
Dedicated hardware. No shared cloud environments. Redundant storage with RAID-Z2. Uninterruptible power with generator backup.
Role-based access control. Mandatory authentication. All access logged and auditable.
Continuous automated monitoring. Intrusion detection. Regular security assessments.
We retain your data for as long as your account is active. When you delete your account:
We do not offer recovery of deleted data.
See and export everything we store — data you've entered, account details, access logs, and audit history.
Correct any inaccurate data directly or by request.
Delete your account and all associated data instantly.
Download data you've entered in standard formats. Your uploaded files are already yours.
Revoke any permission at any time. We comply immediately.
This agreement is designed to comply with:
We apply the highest standard regardless of your jurisdiction.
Data Protection Officer: privacy@inou.com
Questions about data processing: privacy@inou.com
This agreement was last updated on February 8, 2026.