
Last updated · May 2026

Privacy Notice

The short version

  • We don't sell, rent, or trade personal data. Ever.
  • We are a HIPAA Business Associate and operate under a signed BAA with every clinic that stores PHI.
  • EU clinic data lives in Frankfurt (eu-west-3). US clinic data lives in us-east-1.
  • We honor data deletion requests within 30 days. Patient records are owned by the clinics, and the clinics hold deletion authority over them.

Who we are

EEGBase is operated by EEGBase, Inc. ("we," "us," "our"), a Delaware corporation with operations in the United States and the European Union. Contact: hello@eegbase.com. Data Protection Officer: dpo@eegbase.com.

What we collect

From clinicians (account holders): name, email, phone, organization, payment method, IP address, browser fingerprint for security.

From clinic patients: only what the clinician chooses to enter — typically name, date of birth, condition, sessions, signal recordings, outcome scores. Patient consent is collected by the clinician before data enters EEGBase.

Aggregate analytics: page views, feature usage, error logs. We use Plausible (cookie-less) for analytics. We do not use Google Analytics or Facebook tracking pixels.

Why we collect it

Provide the service · operate billing · respond to support requests · meet legal obligations (HIPAA, GDPR, PHIPA, 42 CFR Part 2 where applicable) · improve product quality through aggregate analytics.

Where data lives

Three regions:

  • United States · AWS us-east-1 (Tier IV) · primary region
  • European Union · AWS eu-west-3 Frankfurt · GDPR-compliant · Schrems II SCCs (2021/914) on file · no transatlantic transfers without DPA
  • Canada · AWS ca-central-1 · PHIPA-compliant

Encryption at rest: AES-256-GCM. In transit: TLS 1.3 with forward secrecy. Cross-AZ failover tested monthly. RTO 15 minutes, RPO 5 minutes.

Who we share with

We share data with subprocessors only as needed to deliver the service. All subprocessors are bound by a DPA and SCCs:

  • Amazon Web Services (hosting)
  • Stripe (billing)
  • Daily.co (HIPAA-BAA video)
  • Resend (transactional email)
  • Plausible (privacy-first analytics)
  • Anthropic (AI features · only de-identified content)

We do not share with advertisers, data brokers, or for-profit analytics platforms.

Your rights

Under GDPR, CCPA, PHIPA, and HIPAA, you have the right to access, correct, delete, port, and restrict processing of your personal data. Email dpo@eegbase.com with a verifiable request. We respond within 30 days.

Breach notification

Per GDPR Art. 33 and the HIPAA Breach Notification Rule, we notify affected clinics within 72 hours of confirmed unauthorized access. Public RCAs ship within 5 business days at status.eegbase.com.

Changes

We'll notify clinic admins by email at least 30 days before any material change to this notice. Historical versions are available on request.

This is the public privacy notice. The full HIPAA-BAA is exchanged before sign-up.