Signal Labs
Privacy Notice
Signal Labs is an Irish-registered company processing GDPR Art. 9 special-category health data. This notice is region-aware: the lawful basis, residency region, and rights that apply are resolved from your organization's compliance profile, not your browser locale.
Effective 2026-06-13
1. Who we are
Signal Labs (an Irish-registered company) provides a workplace preventive-health screening platform. For screening data, Signal Labs typically acts as a data processor on behalf of your employer (the controller), or as a business associate where US HIPAA applies. For this marketing site, Signal Labs is the controller of the limited firmographic and contact data you choose to submit. Our lead supervisory authority is the Irish Data Protection Commission (DPC) under the GDPR one-stop-shop.
2. The marketing funnel collects zero health data
The ROI calculator and pilot-booking flow are designed to stay outside the PHI / covered-entity perimeter. They collect only firmographic integers (headcount, claims figures you enter) and a work email. Booking a pilot is not consent to a health screening — explicit Art. 9(2)(a) consent is captured separately, inside the app, before any health data is processed.
3. Special-category health data (screening)
When your organization runs a screening, the deterministic 0–100 Signal Score and the underlying measurements are special-category data under Art. 9. We rely on explicit consent (Art. 9(2)(a)), and Art. 9(2)(h) where applicable. Scores are computed deterministically server-side; an LLM only narrates results and never computes the score, band, or trend.
4. Data residency & transfers
Subject health data and FHIR Observations are stored in your organization's residency region (e.g. eu, uk, us). For EU subjects, processing is EU-resident by default (EHDS, Reg (EU) 2025/327), and residency is enforced at the dispatch boundary and the model gateway — an EU tenant's request is never routed to a non-EU model provider.
5. Privacy by design
- Deterministic scoring (the model narrates, it never decides).
- Row-level security on all subject tables.
- HR sees only k-anonymous (k ≥ 5) cohort aggregates with differential privacy — never an individual row.
- Per-source consent for every connected device, with revocation honored end-to-end.
6. Your rights
Subject to your jurisdiction, you may exercise access, rectification, erasure, restriction, portability, and objection rights (GDPR Arts. 15–22; analogous US state-law rights such as CCPA/CPRA and the Washington My Health My Data Act). Exports are provided in FHIR. Contact our Data Protection Officer at dpo@signal-labs.health.
7. Cookies
This site uses a localized, consent-first cookie banner. In the EU/EEA and UK, non-essential cookies are set only after you opt in. You can change your choice at any time.
This notice describes our engineering and operational posture; it is not legal advice and is validated by Irish/EU and per-jurisdiction counsel before launch.