Welcome to Exer Labs, Inc. (“Exer Labs,” “we,” “us,” or “our”). This Privacy Policy (“Privacy Policy”) applies exclusively to authorized users’ (“User,” “you,” or “your”) access to and use of Exer Scan, a regulated Software as a Medical Device (SaMD) developed and operated by Exer Labs. It explains how we collect, use, disclose, protect, and retain information when Exer Scan is used in clinical, institutional, or supervised care environments.
This Privacy Policy is designed to align with:
- FDA expectations for SaMD data integrity and cybersecurity
- HIPAA and applicable U.S. state privacy laws (where applicable)
- Enterprise healthcare and senior‐living compliance requirements
1. Who We Are
Company: Exer Labs, Inc.
Product: Exer Scan (Software as a Medical Device)
Address: 1873 South Bellaire Street, Suite 1420, Denver, CO 80222
Email: support@exerai.com
2. Scope and Applicability
This Privacy Policy applies to information processed through Exer Scan, including:
- The Exer Scan mobile application and related software
- User-facing dashboards, reports, and analytics
- Customer support, training, and safety communications related to User interactions.
This Policy does not apply to unrelated Exer Labs websites, marketing pages, or consumer products.
3. Regulatory Context
Exer Scan is a Class II, 510(k)‐exempt Software as a Medical Device (SaMD) registered with the U.S. Food and Drug Administration.
Information processed by Exer Scan may include health‐related data. Depending on the customer relationship, Exer Labs may act as:
- A Business Associate under HIPAA (when a BAA is in place), or
- A Service Provider / Data Processor under applicable state privacy laws.
4. Information We Collect
4.1 Information You Provide
We may collect:
- User identifiers (name, role, organization, email)
- Account credentials and authentication data
- Support communications and training records
4.2 Patient / Resident Data (as Configured by Customers)
Depending on customer configuration and workflow, Exer Scan may process:
- Movement and functional performance data
- Assessment results and derived metrics
- Limited identifiers or pseudonymous IDs assigned by the customer
Exer Labs does not require direct patient identification unless explicitly configured by the customer.
The customer is solely responsible for ensuring compliance with applicable privacy laws when configuring patient identification. Exer Labs disclaims liability for any misconfiguration.
4.3 Device and Technical Data
We automatically collect:
- Device type, operating system, app version
- System logs, error reports, and performance metrics
- Security and audit logs
This information is used for safety, cybersecurity, troubleshooting, and regulatory compliance.
5. How We Use Information (SaMD‐Aligned Purposes)
We use information for purposes consistent with Exer Scan’s regulated function, including:
- Authenticating Users and managing access controls
- Monitoring performance, reliability, and security
- Improving and enhancing Exer Scan, including validation, testing, and quality assurance
- Providing, operating, and maintaining Exer Scan
- Supporting clinical and operational workflows as configured by Users
- Ensuring device safety, performance, and effectiveness
- Quality management, validation, and improvement activities
- Complaint handling, adverse event evaluation, and FDA reporting
- Cybersecurity monitoring and threat detection
- Customer support, onboarding, and training
- Complying with our legal and regulatory obligations
We do not use Exer Scan data for consumer advertising or unrelated marketing purposes.
6. De‐Identification and Aggregated Data
Where not expressly prohibited by applicable law and contract, Exer Labs may:
- De‐identify or aggregate data
- Use aggregated data for quality improvement, analytics, and product enhancement
De‐identified protected health information (“PHI”) is handled in accordance with HIPAA Safe Harbor or Expert Determination standards where applicable.
7. How We Share Information
We may share information only as follows:
- With Users within your organization
- With service providers supporting hosting, security, analytics, or support (under strict confidentiality obligations)
- For legal and regulatory purposes, including FDA obligations
- For safety investigations involving adverse events, misuse, or cybersecurity incidents
We do not sell Exer Scan data.
8. HIPAA and Business Associate Obligations
When Exer Labs acts as a Business Associate:
- PHI is processed only as permitted by the applicable Business Associate Agreement (BAA)
- Safeguards consistent with HIPAA Security Rule requirements are implemented
- Exer Labs will provide reasonable assistance to Customers to help meet their HIPAA obligations as required by applicable law or the BAA
If there is a conflict between this Privacy Policy and a BAA, the BAA controls.
9. Data Security and FDA Cybersecurity Alignment
Exer Labs maintains administrative, technical, and physical safeguards designed to protect data confidentiality, integrity, and availability, including:
- Role‐based access controls
- Encryption in transit and at rest (where applicable)
- Audit logging and monitoring
- Secure development and change‐management processes
Security practices are designed to align with FDA medical device cybersecurity guidance.
10. Data Retention
Information is retained only for as long as necessary to:
- Provide the Services
- Meet contractual obligations
- Comply with FDA, HIPAA, and other regulatory requirements
- Support post‐market surveillance and quality systems
Retention periods may be extended where required by law or regulation.
11. User Responsibilities
Users are responsible for:
- Maintaining secure login credentials
- Using Exer Scan only as authorized
- Complying with organizational privacy and security policies.
If you violate any of the terms of this Privacy Policy, Exer Labs may, at its sole discretion, limit or suspend your access to Exer Scan and report your violation in accordance with applicable law.
12. Individual Rights
Depending on applicable law and customer role, individuals may have rights to:
- Access or correct information
- Request restrictions on use or disclosure
- Receive an accounting of disclosures.
Residents of certain U.S. states may have additional rights under applicable state privacy laws, including rights to access, delete, correct, or opt out of certain data processing activities. Requests may be submitted using the contact information below and will be handled in accordance with applicable law.
Requests to exercise these rights should be directed to your organization or to support@exerai.com.
13. Children’s Privacy
Exer Scan is not intended for use by children under 13 except within regulated clinical or institutional settings under appropriate authorization and supervision, where you are responsible for compliance with all applicable child privacy laws and consent requirements.
Exer Labs does not knowingly collect personal information directly from children for consumer purposes.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect:
- Regulatory or legal changes
- Security or safety improvements
- Changes in Exer Scan functionality
Material changes will be communicated through the Services or contractual notice mechanisms.
15. Contact Us
For questions, concerns, or privacy‐related requests:
Mail: 1873 South Bellaire Street, Suite 1420, Denver, CO 80222
Email: support@exerai.com
End of Exer Scan Privacy Policy
