Privacy Policy

Aqta Technologies Ltd, Dublin, Ireland, Last updated: 16 March 2026

Spectra is not a medical device.

Spectra is an accessibility and patient-portal assistant. It does not diagnose, treat, cure, monitor, predict, or prevent any medical condition, and it is not certified under EU MDR 2017/745, FDA 510(k), or any equivalent regime. The seizure-safe mode follows WCAG 2.3.1 / 2.3.3 motion guidance; it is not a seizure prevention device. The voice diary records what a patient chooses to log; it is not a clinical record. Always consult a qualified healthcare professional for medical decisions.

1. Summary

Spectra is designed with privacy at its core. We store nothing. No screenshots, no audio, no browsing history, no personal data. Everything happens in memory and is discarded when your session ends.

2. What Spectra processes

Spectra only processes data while a session is active; nothing is stored, recorded, or retained. Screen and voice data are streamed to Google's Gemini API in real time for understanding and are never saved. When your session ends, everything is discarded. No accounts, no tracking, no analytics.

3. What leaves your device

The only data that leaves your device is sent to Google's Gemini API:

  • Screen frames (JPEG images, ~80 KB each), for visual understanding
  • Voice audio (PCM 16 kHz), for speech recognition and response generation

This data is sent via an encrypted WebSocket connection (WSS/TLS). No other third-party services receive your data. There are no analytics, tracking pixels, or advertising networks.

4. Google's data handling

Data sent to the Gemini API is subject to Google's own privacy policies:

5. What we store

Nothing.

  • No files are written to disc
  • No database is used
  • No cloud storage buckets are provisioned
  • No cookies are set beyond what HTTPS requires
  • No local storage is used for tracking
  • No server-side logs contain your screen content or audio

6. Chrome extension (Spectra Bridge)

The extension requires <all_urls> permission to execute browser actions. It:

  • Does not collect, transmit, or store any browsing data
  • Does not communicate with any server other than the Spectra frontend tab
  • Does not read or store your passwords or cookies
  • Only executes actions when explicitly instructed by the Spectra frontend
  • Only executes actions explicitly requested during an active session

7. Your rights

Because Spectra does not store personal data, most data subject rights (access, rectification, erasure, portability) are satisfied by default. There is no data to access, correct, delete, or transfer.

If you have taught Spectra preferences during a session, you can clear them by saying "Forget everything" or "Clear my memory."

8. Healthcare and regulated workflows

Spectra is positioned as a patient-portal navigator. The privacy architecture below is the same on every workflow; the regulated-healthcare framing only adds explicit posture statements for the regimes hospital, clinic, and insurer procurement reviews care about.

HIPAA

Spectra has no data-processor relationship with any covered entity in the default configuration: page text the agent reads is rendered on the user's device, and the only outbound traffic carries no patient-identifying content unless the user reads it aloud themselves.

For health systems requiring an explicit Business Associate Agreement, Aqta offers a HIPAA-aligned configuration that runs the agent in Local mode (Ollama + Gemma 4 nano on the user's machine, no cloud inference). We sign BAAs case by case; email hello@aqta.ai with your DPIA template attached.

Spectra is not a clinical decision-support tool. It does not interpret lab values, suggest diagnoses, or recommend treatment. The read-aloud feature recites what is rendered on the page, verbatim. This stays outside FDA 510(k) and EU MDR scope by design.

EU GDPR (and UK GDPR)

Aqta Technologies Limited (Dublin, Ireland) is the data controller for any account-level data (closed-pilot enrolment email, consent state) under EU GDPR. The Irish Data Protection Commission is our lead supervisory authority. For session data (voice, screen frames), Aqta is a data processor only during an active session. No session data is persisted server-side after the session ends. UK GDPR applies in parallel for users in the UK.

Lawful bases: Article 6(1)(b) for the contract with the closed-pilot user, Article 6(1)(f) for security and abuse prevention. Where session data incidentally contains special-category data within Article 9 (e.g. a lab result the user asks Spectra to read aloud), the user's explicit instruction constitutes Article 9(2)(a) consent for that single utterance; no broader Article 9 processing takes place.

Article 28 processing terms are available on request. The standard-contractual-clauses kit applies for transfers; cloud inference today routes through Google Cloud (eu-west-1 by default for European customers).

FADP (Switzerland)

For Swiss customers (FMH-aligned clinical settings), Spectra operates under the same posture as GDPR with FADP-specific recital language available on request. Local mode is the recommended deployment.

None of the above is a legal opinion or a guarantee of certification. SOC 2 / HIPAA / GDPR alignment is a deployment-time commitment per pilot; Aqta is not a certified covered entity or a credentialed BAA partner outside an executed engagement. Reach out before relying on any of the above for procurement.

9. Contact

Aqta Technologies Ltd
Dublin, Ireland

aqta.ai