
GDPR Compliance
At NinthMoon.AI ("we," "us," or "our"), we are committed to maintaining the highest standards of privacy, security, and ethical data processing in full alignment with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). As a provider of advanced AI and technology solutions, including services involving sensitive health data, we recognize our responsibility to ensure that personal data is processed lawfully, transparently, and fairly. We have embedded privacy by design and privacy by default principles into every aspect of our operations, ensuring that data protection is integral to our products and services.
Our Commitment to GDPR
We understand the critical importance of safeguarding personal information, especially sensitive categories such as health-related data. Our compliance framework is designed to ensure that personal data is collected only for specific, legitimate purposes and is limited to what is necessary in relation to the purposes for which it is processed, in accordance with Article 5(1)(c) of the GDPR. We prioritize data integrity and confidentiality, retain data only for as long as necessary, and take all appropriate measures to ensure its secure handling throughout its lifecycle.
Categories of Data We Process
The personal data we process includes identification and contact details such as names, email addresses, and phone numbers. We process demographic data such as age and gender, health-related data (special category data under Article 9 of the GDPR) voluntarily submitted by users with explicit consent, and technical data such as IP addresses, device identifiers, and usage logs. In cases where special category data, such as health information, is involved, we rely on explicit consent or other lawful bases as outlined under the GDPR.
Roles and Responsibilities
Depending on the context, we may act as a data controller when collecting personal data directly from users, or as a data processor when handling data on behalf of healthcare institutions or business partners. To oversee compliance, we have appointed a qualified Data Protection Officer (DPO), who is responsible for ensuring adherence to GDPR requirements across all departments, managing data subject requests, conducting Data Protection Impact Assessments (DPIAs), and leading our privacy and ethics governance processes. The DPO can be contacted at privacy.officer@ninthmoon.ai.
Legal Basis for Processing
Our processing activities rely on lawful grounds such as explicit consent, particularly in the case of health-related or profiling data, or the performance of a contract, which is essential for delivering our services. We may also rely on legitimate interests to improve our services, enhance security, and prevent fraud, as well as compliance with legal obligations when applicable.
Consent Management
Wherever required, we obtain user consent in a clear, informed, and affirmative manner. Consent can be withdrawn or modified at any time by contacting our DPO or through the account settings available on our platform. We maintain a verifiable record of all consents and ensure that changes are reflected promptly in our data processing systems.
Data Subject Rights
In accordance with GDPR, individuals have the right to access their personal data, request corrections to inaccurate or incomplete information, and request deletion of their data where applicable. They may also restrict or object to certain processing activities and request data portability in machine-readable formats. Users have the right to withdraw their consent at any time without affecting the lawfulness of prior processing. In addition, individuals have the right to lodge complaints with a supervisory authority if they believe their data rights have been violated. We ensure timely responses to all rights requests, typically within one month, with possible extensions of up to two months in complex cases.
Profiling and Automated Decision-Making
Where profiling or automated decision-making is employed, we ensure that individuals receive meaningful information about the logic involved. Users have the right under Article 22 to object to decisions based solely on automated processing, including profiling, request human intervention, and challenge decisions that may significantly affect them. Our AI models undergo regular testing to ensure fairness, accuracy, and the mitigation of bias.
Data Security and Safeguards
We have implemented stringent technical and organizational security measures to protect personal data. These include encryption of data both at rest and in transit, pseudonymization and anonymization of data used for AI training, and strict access control through role-based permissions and multi-factor authentication. Our systems follow secure development practices and are regularly tested for vulnerabilities through penetration testing and security audits. We also maintain an incident response plan to ensure that, in the event of a personal data breach, the relevant supervisory authority is notified within 72 hours and affected individuals are informed promptly where there is a high risk to their rights and freedoms.
Data Retention and Minimization
Personal data is retained only for as long as necessary to achieve the purposes for which it was collected or as required by law. Once the retention period expires, data is securely deleted or anonymized. Our internal retention schedules are regularly reviewed to ensure compliance, and we can provide documentation of deletion or anonymization processes upon request.
Third-Party Processors
We engage third-party service providers, such as cloud and analytics partners, only after rigorous due diligence to confirm their GDPR compliance. All processors operate under strict data processing agreements that require them to follow confidentiality obligations, maintain security standards, and process data only for authorized purposes.
International Data Transfers
When personal data is transferred overseas, we rely on approved mechanisms such as Standard Contractual Clauses and conduct Transfer Impact Assessments to ensure adequate protection of data. Additional contractual and technical safeguards are implemented where necessary.
Children's Data
Our services are not designed for children under 18 years of age, and we do not knowingly collect personal data from minors without verified parental consent. If such data is identified, it is immediately deleted from our systems.
Ethical AI Commitment
Beyond legal obligations, we are committed to ethical AI practices that emphasize transparency, accountability, and fairness. We invest in explainable AI technologies, conduct bias detection, and ensure that human oversight is available in critical decision-making processes. Our goal is to build AI systems that respect human rights and foster user trust.
Record Keeping and Documentation
In compliance with Articles 30 and 35 of the GDPR, we maintain detailed records of our data processing activities, including the categories of data processed, processing purposes, recipients, and security measures. Regular audits and reviews ensure that our practices remain aligned with regulatory requirements and industry best practices.
Policy Updates
We may revise this GDPR Compliance Statement from time to time to reflect changes in law, technology, or our operations. Updated versions will be published on our website, with the effective date clearly indicated.
Contact Us
For any questions regarding this GDPR Compliance Statement or to exercise your data rights, please contact our Data Protection Officer:
Email: privacy.officer@ninthmoon.ai
Address: NinthMoon.AI, 8 The Green, Ste A, Dover, DE 19901
For more details on our data handling practices, please refer to our Privacy Policy and Cookie Policy.
