tinymoves.ai — Sama Therapeutics

Privacy Policy

United States · TinyMovesAI Inc. (d/b/a TinyMoves / TinyMoves.ai)

Effective June 22, 2026 · Last Updated June 22, 2026

Section 1

Who We Are and What This Policy Covers

TinyMovesAI Inc. (“TinyMoves,” “we,” “us,” or “our”) provides objective, video-based movement-measurement software for clinician review, progress tracking, and research collaboration (the “Platform” or “Services”). TinyMovesAI Inc. is a subsidiary of Sama Therapeutics, Inc. This Privacy Policy explains how we collect, use, disclose, and protect information processed through the Platform and our website at tinymoves.ai and platform.tinymoves.ai. It applies to use of the Platform in the United States. We do not currently offer the Platform to individuals or Organizations outside the United States.

The Platform is a records, measurement, and visualization tool. The measurements, scores, and reports it produces are objective movement-measurement outputs for documentation and progress-tracking; they are not a medical diagnosis, not a clinical performance or treatment claim, and not autonomous clinical decision support, and they are not a substitute for professional clinical judgment. Any diagnostic or clinical-decision features are offered only where cleared or authorized by the FDA, under separate terms.

1.1 Our two roles: controller vs. processor / business associate

Your rights and our obligations depend on the capacity in which we handle information. We operate on two independent axes — the data-protection axis (controller vs. processor) and the U.S. health-privacy axis (HIPAA covered entity vs. business associate):

  • Organization data (we are the processor / business associate). When a healthcare provider, clinic, research site, pharmaceutical sponsor, contract research organization, or other organization (an “Organization”) uses the Platform to upload or manage information about its patients or research participants, that Organization decides why and how the information is processed. In that case the Organization is the controller (and, under U.S. health-privacy law, the HIPAA “covered entity” or its business associate), and we act as its processor and HIPAA “business associate.” Our handling of that information is governed by our agreement with the Organization, including any Master Services Agreement (“MSA”), Business Associate Agreement (“BAA”), and Data Processing Agreement (“DPA”), and, for research, the applicable Institutional Review Board (“IRB”) protocol and Informed Consent Form (“ICF”).
  • Direct data (we are the controller). When you interact with us directly — for example, as a website visitor, a direct account holder, or a research participant enrolling with us outside an Organization — we act as the controller, and this Policy governs.

1.2 Order of precedence

Where information is processed on behalf of an Organization and any term of this Policy conflicts with the governing agreement, the following order of precedence controls, from highest to lowest: (1) the BAA; (2) the DPA (including its Standard Contractual Clauses and any jurisdiction-specific transfer addenda); (3) the MSA; (4) the applicable Informed Consent Form or IRB protocol; (5) the TinyMoves Terms of Use; and (6) this Privacy Policy. Questions about data held on behalf of an Organization should be directed to that Organization.

Section 2

Information We Collect

2.1 Movement video and derived biometric measurements

The core function of the Platform is to store and analyze video that you or an Organization upload, and to generate measurements, scores, reports, and dashboards from it. This may include:

  • Movement video and images — recordings of a person performing movements, tasks, or exercises, which may include the face, body, gait, and surroundings. This data is collected in identifiable, non-anonymized, non-pseudonymized form and is encrypted in transit and at rest.
  • Derived movement measurements — pose estimates, kinematic and gait metrics, movement scores, longitudinal trajectories, and associated metadata generated from the video.
  • Capture metadata — date, time, device, task or protocol performed, and notes entered alongside a recording.

Biometric notice and consent. Movement video and the measurements derived from it can constitute “biometric” or “sensitive” information under laws including the Illinois Biometric Information Privacy Act (“BIPA”), the Texas Capture or Use of Biometric Identifier Act and the Washington biometric statute, and the Washington My Health My Data Act and similar “consumer health data” laws. We collect and process this information only after a written notice has been given and an affirmative, opt-in written release has been obtained from the individual (or appropriate authorization has been provided through an Organization), and we maintain a published retention-and-destruction schedule for it (see Section 5). We do not sell biometric information, and we do not use it for advertising.

2.2 Account and contact information

  • Name, email address, password, and role (e.g., clinician, administrator, participant).
  • Organization name and professional details, where you use the Platform on behalf of an Organization.
  • Communications you send us (support requests, feedback).

2.3 Health and clinical context information

Depending on how the Platform is used, a record may be associated with limited clinical context (for example, a condition area, an assessment task, or progress notes) supplied by you or an Organization. Where this is protected health information (“PHI”) handled for an Organization, it is governed by the BAA as described in Section 1.

2.4 Information collected automatically

  • Device and technical data — IP address, browser and operating system, device identifiers, and approximate (city/region-level) location derived from IP address.
  • Usage data — pages and features used, actions taken, access times, and error/diagnostic logs.

We use only strictly necessary cookies by default. Where required by law, we request consent before placing analytics or non-essential cookies. See Section 9 (Cookies).

2.5 Information we do not collect or use

  • We do not use movement video, derived biometric measurements, or health information for advertising or marketing.
  • We do not sell personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.
  • We do not collect genetic or genomic material or DNA-sequence data through the Platform.

Section 3

How We Use Information

We use information for the following purposes:

  • Provide the Platform — store uploaded video, generate measurements, reports, and dashboards, and make them available to the authorized user or Organization.
  • Maintain accounts and support — authenticate users, respond to requests, and send service-related communications.
  • Security and integrity — protect the Platform against fraud, abuse, and unauthorized access, and maintain audit logs.
  • Service improvement and research and development — understand and improve how the Platform performs, relying on de-identified or aggregated data wherever practicable.

3.1 Model training

We treat model training as a distinct, consent-gated purpose:

  • Enterprise / API data is excluded by default. Identifiable data that an Organization submits through the Platform or any application programming interface in its capacity as our customer is not used to train or improve our general models, except on a de-identified and/or aggregated basis, unless the Organization expressly authorizes broader use in its MSA/DPA. Where we build a custom model for an Organization, data used for that purpose trains only that Organization’s model and is not used to improve models for other customers.
  • Identifiable biometric data requires separate opt-in. We do not use identifiable movement video or derived biometric data to train or improve our models except (a) on a de-identified and/or aggregated basis, or (b) with the separate, explicit opt-in consent of the individual (or the Organization’s documented authorization). You may decline or withdraw this consent at any time without losing access to the core Platform; withdrawal applies prospectively.
  • De-identified and aggregated data. We may use de-identified and aggregated data to develop, train, and improve the Platform and our models, and for research and analytics, without further consent, to the extent the data is no longer “protected health information” or “personal information” under applicable law. We de-identify using the HIPAA Safe Harbor or Expert Determination methods (see Section 6.3).
  • Legal compliance and protection — comply with applicable law and legal process, and establish, exercise, or defend legal claims.

Section 4

How We Disclose Information

We disclose information only as described here. We do not sell personal information.

  • To your Organization — where you use the Platform through an Organization, authorized users at that Organization can access the relevant records.
  • Service providers / subprocessors — vendors that host, secure, and support the Platform, bound by written contract to protect information and use it only to provide services to us. Where they handle PHI, they sign BAAs. We maintain a current list of subprocessors at platform.tinymoves.ai/subprocessors (or available on request). We will give Organizations advance notice of any new or replacement subprocessor and a reasonable opportunity to object, as set out in the DPA.
  • Research partners — de-identified or aggregated information for research, subject to written agreements; or identifiable information only with appropriate consent/authorization and ethical (IRB) approval.
  • Affiliates — our parent, Sama Therapeutics, Inc., and other affiliates, where necessary to operate and support the Platform, subject to this Policy and applicable agreements.
  • Legal and safety — to comply with law or valid legal process, or to protect the rights, safety, and security of users, the public, or TinyMoves.
  • Business transfers — in connection with a merger, financing, acquisition, or sale of assets, subject to this Policy and applicable law; affected individuals will be notified where required.

Section 5

Data Retention, Destruction, and De-Identification

5.1 Retention and destruction generally

We retain information only as long as necessary for the purposes described in this Policy or as required by law or by our agreement with an Organization.

5.2 Biometric data destruction schedule

This is our publicly available written retention-and-destruction schedule for biometric data, as required by BIPA and analogous laws:

  • Where we act as controller: we retain movement video and derived biometric data for the life of the account or as directed by the consent provided, and we delete or de-identify it within [30] days after the earlier of (a) account closure, (b) withdrawal of consent for that data, (c) [12] months of account inactivity, or (d) the date on which the initial purpose for collection has been satisfied — unless a longer period is required by law. In no event will we retain biometric identifiers or biometric information longer than the maximum period permitted by any applicable biometric-privacy statute.
  • Where we act as processor / business associate: retention and destruction follow the Organization’s documented instructions and the BAA/DPA. On expiry or termination of the engagement, we return or delete the data at the Organization’s direction and do not retain it except as required by law.
  • Account and usage data: retained for the life of the account and a reasonable period afterward for security, audit, and legal purposes.

5.3 De-identification standard

Where we de-identify data, we use one of the two methods recognized under HIPAA: (a) the Safe Harbor method, removing the eighteen categories of identifiers (which expressly include biometric identifiers and full-face photographs and comparable images, such as movement video); or (b) the Expert Determination method, under which a qualified expert certifies in writing that the risk of re-identification is very small. Because raw movement video is inherently identifying, we generally rely on Expert Determination to preserve analytic utility. Once data is no longer protected health information or personal information under applicable law, we may use and disclose it for lawful purposes, including research and model improvement.

5.4 Deletion cascade

On a verified deletion request (or on an Organization’s documented deletion instruction), we delete the relevant personal information from our active systems and instruct our subprocessors to do the same, and we confirm completion to the requester or Organization. Residual copies in secure backups are deleted or rendered inaccessible in the ordinary course of our backup-rotation cycle.

Section 6

Data Security

We maintain administrative, technical, and physical safeguards designed to protect information, including encryption of video and personal information in transit and at rest, role-based access controls on a need-to-know basis, audit logging, and regular risk assessments. Our program is designed to meet the HIPAA Security Rule safeguards. We are pursuing a SOC 2 Type II examination [target: report expected [____]] and design our controls to align with recognized frameworks such as ISO/IEC 27001. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

Section 7

Your Privacy Rights

Subject to applicable law and to any Organization’s control over its records, you may have the right to:

  • Access, correct, or delete personal information we hold about you;
  • Receive a portable copy of certain information;
  • Object to or restrict certain processing, and opt out of any “sale” or “share” (we do not engage in these) and of profiling for decisions with legal or similarly significant effects;
  • Withdraw consent (including consent to biometric processing or model training) at any time; and
  • Appeal a denial of a request, and lodge a complaint with your data protection authority or attorney general.

To exercise rights, contact us at shobi@tinymoves.ai. We will verify your identity and respond within the timeframes required by law. If your data is held on behalf of an Organization, we will refer your request to that Organization. We will not discriminate against you for exercising your rights.

Section 8

Cookies and Tracking

We use strictly necessary cookies to operate the Platform and, where you consent, limited analytics cookies to understand and improve usage. We do not use advertising or cross-site tracking cookies. You can control non-essential cookies through our consent banner and your browser settings. We do not currently respond to “Do Not Track” signals but honor recognized opt-out preference signals where required by law.

Section 9

Where Data Is Processed

We are based in the United States and process and store information in the United States. We do not offer the Platform outside the United States, and we do not transfer Customer Data internationally as part of providing the US Services, except to US-based subprocessors as described in Section 4. If we expand internationally, we will publish separate terms and appropriate transfer safeguards before doing so.

Section 10

Children’s Privacy

The Platform is intended for use by adults and by Organizations and clinicians acting in a professional capacity. Where the Platform is used to capture video of a minor (for example, pediatric movement assessment, including infant cerebral-palsy assessment), it must be done by an authorized Organization or by a parent/guardian who provides verifiable consent, and the data is handled under the BAA, the research protocol/ICF, or applicable children’s-privacy law (including the U.S. Children’s Online Privacy Protection Act (“COPPA”) and applicable state minor-biometric rules). We obtain biometric-specific verifiable parental consent for the collection of a minor’s movement video, apply data minimization, and apply the pediatric retention limits in Section 5. We do not knowingly collect information directly from children without such authorization.

Section 11

U.S. State Privacy Disclosures

This section supplements the Policy for residents of U.S. states with comprehensive or health-specific privacy laws (including California, Colorado, Connecticut, Virginia, Texas, Washington, and Nevada). We collect the categories of personal information described in Section 2 for the purposes in Section 3, and disclose them to the recipients in Section 4. We do not sell or share personal information for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We treat movement video, biometric, and health data as sensitive information and process it only as needed to provide the Services or with your consent.

11.1 Consumer Health Data (Washington, Nevada, Connecticut)

Movement and related measurements may be “consumer health data.” We do not sell consumer health data, do not collect it without consent, will not geofence around any facility that provides in-person health-care services to identify or track consumers or to collect consumer health data, and obtain separate authorization before any disclosure that requires one. A separate, standalone Consumer Health Data Privacy Policy is published and linked distinctly from our homepage as required by the Washington My Health My Data Act; that standalone policy governs consumer health data and names the affiliates (including Sama Therapeutics, Inc.) that may receive it. You may exercise the rights in Section 7 with respect to this data.

Section 12

Changes to This Policy

We may update this Policy to reflect changes in our practices or the law. We will post the updated version with a new “Last Updated” date and, for material changes, provide additional notice as required (including renewed consent where the change concerns biometric or sensitive data).

Section 13

Contact Us

TinyMovesAI Inc. — Attn: Privacy Officer / Data Protection Officer

Email: shobi@tinymoves.ai

You have the right to lodge a complaint with your state attorney general (or, in Washington, under the My Health My Data Act’s consumer-protection remedy) if you believe our processing violates applicable law.

This page is part of the TinyMoves Platform legal terms. See also our Terms of Use. Questions? Contact shobi@tinymoves.ai.