Privacy Policy
Last Updated: April 21, 2026
1. Introduction
This Privacy Policy describes how Brightlamp, Inc. (“Brightlamp,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our mobile applications Reflex, Reflex Pro, and Reflex Telehealth (collectively, the “App”), our website, or any other Brightlamp product or service (collectively, the “Services”).
The App is a Class I medical device exempt from 510(k) premarket notification under U.S. Food and Drug Administration (FDA) regulations. It is intended to measure the pupillary light reflex.
The Services are designed for use by licensed healthcare professionals (“Practitioners”). Practitioners use the App to conduct pupillary assessments on their patients (“Patients”). This Privacy Policy describes how we handle information relating to both Practitioners and Patients.
By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.
2. Information We Collect
2.1 Practitioner Information
We collect and store the following information from Practitioners who register for and use the Services:
- Account information: Name, email address, professional credentials, and organization or practice affiliation.
- Payment information: Credit or debit card details and billing address, processed through third-party payment processors. We do not store full card numbers on our systems.
2.2 Patient Assessment Data
When a Practitioner conducts an assessment using the App, the following Patient data may be collected and stored:
- Patient identifier: A unique patient ID assigned within the App.
- Name: Optional. The Practitioner may choose not to enter a Patient name.
- Age: Recorded at year-level precision only (exact date of birth is not collected or stored).
- Sex: As entered by the Practitioner.
- Pupillary metrics: Quantitative measurements of the pupillary light reflex.
- De-identified eye video: A video recording of the eye captured during assessment. This video does not contain facial features; however, it does capture iris patterns, which may constitute a biometric identifier under applicable law. To mitigate this risk, the video is de-identified (stripped of association with directly identifying Patient information) and encrypted at rest on our servers.
2.3 Information Collected Automatically
- Device information: Device type, operating system, unique device identifiers, and App version.
- Usage data: Features accessed, session duration, and interaction patterns.
- Log data: IP address, browser type, access times, and referring URLs (website only).
2.4 Information We Do Not Collect or Store
- Biometric authentication data: The App supports Apple Face ID as a convenience for unlocking the App. Face ID is processed entirely on the Practitioner’s device by Apple’s operating system; Brightlamp does not receive, access, or store any facial recognition or biometric authentication data. Note: the de-identified eye videos described in Section 2.2 are stored on our servers and contain iris patterns that may qualify as biometric identifiers. Those videos are not used for biometric identification and are encrypted at rest.
- Precise location: We do not collect GPS or precise geolocation data.
- Exact date of birth: Patient age is stored only at year-level precision.
3. How We Use Your Information
3.1 Practitioner Information
- Providing the Services: Creating and maintaining your account, processing payments, and delivering App functionality.
- Communications: Sending service-related notices, security alerts, software updates, and, with your consent, information about new products or features.
- Safety and compliance: Detecting and preventing fraud, enforcing our terms of service, and complying with legal obligations.
3.2 Patient Assessment Data
- Clinical use: Enabling the Practitioner to conduct, review, and manage pupillary light reflex assessments for their Patients.
- Improvement and development: Analyzing de-identified and aggregated assessment data to improve our measurement algorithms, products, and services.
- Research: Using de-identified and aggregated data for peer-reviewed research, product validation, and quality improvement. Individual-level Patient data is not used for research purposes without applicable informed consent or IRB approval.
- Regulatory compliance: Maintaining data as necessary for FDA post-market surveillance and adverse event reporting obligations.
We do not sell personal information or Patient data to any third party. We do not use Patient data for advertising purposes.
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your information include:
- Performance of a contract: To provide the Services to Practitioners.
- Legitimate interests: To improve and secure our Services, provided these interests are not overridden by your rights.
- Consent: Where you have provided explicit consent, such as for marketing communications.
- Legal obligation: To comply with applicable laws and regulations.
- Vital interests: In emergencies posing a threat to health or safety.
5. How We Share Your Information
We do not sell personal information. We may share information in the following circumstances:
5.1 Service Providers
We engage third-party service providers who perform functions on our behalf, such as cloud hosting, payment processing, analytics, and customer support. These providers are contractually required to use information only as necessary to provide services to us and to maintain appropriate security measures.
5.2 Healthcare Organizations
If the App is deployed within a clinical or organizational setting, assessment data may be accessible to authorized administrators or personnel within the subscribing organization in accordance with applicable law and any applicable agreements.
5.3 Legal and Safety Disclosures
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request;
- Enforce our terms of service or investigate potential violations;
- Detect, prevent, or address fraud, security, or technical issues;
- Protect the rights, property, or safety of Brightlamp, our users, or the public.
5.4 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, information may be transferred as part of that transaction. We will notify affected Practitioners of any such change and any choices they may have regarding their information.
5.5 De-Identified or Aggregated Data
We may share de-identified or aggregated data that cannot reasonably be used to identify any individual for research, analytics, or product improvement purposes.
6. HIPAA Compliance
When Brightlamp receives, creates, or maintains Protected Health Information (“PHI”) on behalf of a Covered Entity (e.g., a healthcare provider or health plan), we act as a Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”). In such cases:
- We enter into a Business Associate Agreement (“BAA”) with the Covered Entity as required by HIPAA.
- PHI is used and disclosed only as permitted by the BAA and HIPAA.
- We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
- We will notify the Covered Entity of any breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule.
Patient data collected through the App on behalf of a Covered Entity is governed by that entity’s Notice of Privacy Practices. Patients should direct questions about their health information rights to their healthcare provider.
7. Data Security
We implement industry-standard administrative, technical, and physical safeguards designed to protect information, including:
- Encryption of data in transit (TLS) and at rest;
- Encryption at rest for all stored eye video recordings containing iris patterns;
- Access controls and authentication requirements;
- Support for on-device biometric authentication (Apple Face ID) for App access;
- Regular security assessments and monitoring;
- Employee training on data protection obligations.
No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Data Retention
- Practitioner account and payment information: Retained for the duration of the account and a reasonable period thereafter for legal and operational purposes.
- Patient assessment data: Retained in accordance with applicable medical records retention laws and any agreements with subscribing organizations, or until deletion is requested by the Practitioner and is legally permissible.
- Automatically collected data: Retained for a reasonable period necessary for analytics and security purposes.
Practitioners may request deletion of their account and associated data as described in Section 9.
9. Your Rights and Choices
9.1 Practitioner Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Opt-out of marketing: Unsubscribe from promotional communications at any time using the link in any marketing email or by contacting us.
9.2 Patient Rights
Because Patient assessment data is collected and managed by the Practitioner, Patients should direct requests regarding access, correction, or deletion of their data to the healthcare provider who conducted the assessment. Where Patient data is maintained under a BAA, the Covered Entity’s Notice of Privacy Practices governs Patient rights.
If a Patient contacts Brightlamp directly, we will make reasonable efforts to direct them to the appropriate Practitioner or organization.
9.3 California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the right to:
- Know what personal information we collect, use, and disclose;
- Request deletion of personal information;
- Request correction of inaccurate personal information;
- Opt out of the sale or sharing of personal information (we do not sell or share personal information as defined by the CCPA/CPRA);
- Limit the use of sensitive personal information;
- Not be discriminated against for exercising these rights.
Note: Patient data collected and maintained on behalf of a healthcare provider may be exempt from the CCPA/CPRA to the extent it is governed by HIPAA.
To exercise these rights, contact us using the information in Section 13. We will verify your identity before processing your request.
9.4 EEA/UK Residents (GDPR/UK GDPR)
In addition to the rights above, EEA and UK residents may:
- Withdraw consent at any time where processing is based on consent;
- Request restriction of processing;
- Request data portability (receive your data in a structured, machine-readable format);
- Object to processing based on legitimate interests;
- Lodge a complaint with a supervisory authority.
9.5 Other U.S. State Privacy Laws
Residents of states with applicable consumer privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) may have similar rights to access, correct, delete, and opt out. Contact us to exercise any applicable rights.
10. Children’s Privacy
The App is designed for use by licensed healthcare professionals, not by children directly. Practitioners may use the App to assess Patients of any age, including minors.
- Patient age is recorded only at year-level precision; exact date of birth is not collected.
- Patient name is optional and is not required to conduct an assessment.
- Eye videos captured during assessment are de-identified and encrypted at rest. While these videos do not contain facial features, they do capture iris patterns. The de-identification and encryption safeguards apply equally to assessments of minor Patients.
- All Patient assessments of minors are conducted under the authority and supervision of the Practitioner, who is responsible for obtaining any required parental or guardian consent in accordance with applicable law.
Because Patients (including minors) do not interact directly with the App or provide information directly to Brightlamp, the Children’s Online Privacy Protection Act (COPPA) direct-collection provisions do not apply to the App’s clinical use. We do not knowingly collect personal information directly from children through our website or other consumer-facing channels. If you believe we have inadvertently collected such information, please contact us immediately.
11. International Data Transfers
Information may be transferred to and processed in the United States or other jurisdictions where our service providers operate. When transferring data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses or other legally recognized transfer mechanisms.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Practitioners of material changes by posting the updated policy within the App or on our website and updating the “Last Updated” date. Where required by law, we will obtain consent to material changes. Continued use of the Services after the effective date of any changes constitutes acceptance of the revised Privacy Policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: