Privacy Policy — Prism by Solved

The short version

✓

We collect your emailUsed only to manage your Prism account and communicate about the service.

✓

We collect provider metadataDisplay names, portal URLs and provider identifiers you configure — so Prism knows where to search.

🚫

We never see your credentialsPACS login credentials are encrypted and stored on your device only. They are never transmitted to Solved servers.

🚫

We never see patient dataNo PHI, no imaging results, no patient identifiers of any kind ever touch our infrastructure.

🚫

We don't sell your dataWe do not sell, share, or licence any personal information to third parties for commercial purposes.

🔒

Australian law appliesWe operate under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

1. Who we are

Prism is a product of Solved Development Labs Pty Ltd (ABN 55 682 456 257), a software company incorporated in South Australia, Australia. In this policy, "Solved", "we", "us" and "our" refer to Solved Development Labs Pty Ltd.

Prism is a unified radiology history platform for referring clinicians. It consists of:

A browser extension installed in Google Chrome
A local agent application installed on the clinician's workstation (currently Windows)
A web presence at useprism.health

This policy describes how we collect, use, store and disclose personal information in connection with your use of these components.

2. What personal information we collect

2.1 Account information

When you register for Prism early access or create an account, we collect:

Your email address
Your name (if provided)
Your practice or organisation name (if provided)

2.2 Provider configuration metadata

When you configure Prism to connect to radiology providers, we store:

Provider display names (e.g. "Jones Radiology")
Provider portal URLs
Provider system identifiers (GUIDs or similar)

This metadata is used solely to enable Prism to locate and query the correct systems on your behalf.

2.3 Usage and technical information

We may collect basic technical information to operate and improve the service, including:

Browser type and version
Operating system
Error logs generated by the extension or local agent (no patient data is included in these logs)

What we do not collect — The following information is explicitly outside the scope of what Prism collects or transmits to Solved servers: PACS credentials (usernames, passwords, session tokens), patient identifying information (names, dates of birth, MRN, Medicare numbers), imaging study content or reports, and any other protected health information (PHI).

3. How your PACS credentials are handled

Prism requires your individual login credentials for each radiology provider portal you configure. The handling of these credentials is central to our architecture and our privacy commitment.

3.1 On-device encryption

PACS credentials are encrypted using AES-256 encryption and stored exclusively on your local device — within the Prism local agent's secure credential store. They are never uploaded to, processed by, or accessible to Solved's servers or infrastructure.

3.2 Local agent model

When you conduct a patient search, the Prism browser extension sends the search request via Chrome Native Messaging to the local agent running on your workstation. The local agent uses the locally-stored credentials to authenticate directly with each configured radiology provider portal. All authentication happens device-to-provider — Solved is not in the data path.

In plain terms: Solved's infrastructure never receives, stores, or processes your PACS passwords, session tokens, or any credentials. If Solved's servers were compromised tomorrow, your radiology portal credentials would be unaffected — they are not there.

3.3 Session tokens

Session tokens obtained during provider authentication are held transiently in memory by the local agent for the duration of the search session. They are not written to disk beyond the local agent's own secure runtime and are not transmitted to Solved.

4. Patient data and protected health information

Prism is architected such that patient data does not pass through Solved's infrastructure at any point.

When search results are returned from a radiology provider, they are rendered locally in your browser via the Prism extension. Solved does not log, cache, store, or transmit imaging results, patient names, dates of birth, referral details, report content, or any other information that could identify a patient.

The browser extension acts as a thin messaging bridge between the web portal and the local agent. It does not store data independently.

Prism is a tool for accessing data that already exists in systems you are authorised to access. It does not create new records or transmit patient information to any new destination. Your obligations as a clinician regarding patient privacy and information security remain unchanged when using Prism.

5. How we use personal information

We use the account and configuration information we collect for the following purposes:

To create and manage your Prism account
To provide, operate and improve the Prism service
To communicate with you about your account, updates and the early access programme
To diagnose technical issues using anonymised error logs
To meet our legal obligations

We do not use personal information for automated decision-making, profiling, or targeted advertising.

6. Disclosure of personal information

We do not sell, rent, or trade personal information to third parties.

We may disclose personal information in the following limited circumstances:

Service providers: Trusted third-party vendors who assist us in operating the service (e.g. cloud hosting on AWS, transactional email), under confidentiality obligations and only to the extent necessary
Legal requirements: Where required by Australian law, a court order, or to protect the rights, safety or property of Solved, our users, or the public
Business transfers: In the event of a merger, acquisition or sale of assets, subject to the acquirer agreeing to honour this policy

In all cases, disclosures are limited to account-level information. No patient data passes through our systems and therefore cannot be disclosed.

7. Data storage and security

Account information is stored on AWS infrastructure located in the Asia Pacific (Sydney) region. We apply industry-standard security controls including encryption at rest, encryption in transit (TLS 1.2+), access controls, and audit logging.

PACS credentials, as described in section 3, are stored only on your device and are outside the scope of our server-side security controls. You are responsible for the physical and logical security of the workstation running the Prism local agent.

While we take reasonable steps to protect personal information, no system is completely secure. We encourage you to use strong, unique passwords for your Prism account.

8. Retention

We retain account information for as long as your account is active and for a reasonable period thereafter to meet legal obligations, resolve disputes, and enforce our agreements.

If you request deletion of your account, we will delete or de-identify your personal information within 30 days, except where retention is required by law.

Error logs are retained for a maximum of 90 days and are automatically purged.

9. Australian Privacy Principles

Solved Development Labs is committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy has been prepared to reflect our obligations under the APPs, including:

APP 1: Open and transparent management of personal information — this policy
APP 3: Collection of solicited personal information — we collect only what is necessary
APP 5: Notification of the collection of personal information — at point of collection
APP 6: Use or disclosure of personal information — limited to stated purposes
APP 8: Cross-border disclosure — AWS Sydney; any cross-border transfers are subject to equivalent privacy protections
APP 11: Security of personal information — appropriate technical and organisational measures
APP 12: Access to personal information — available on request
APP 13: Correction of personal information — available on request

As Prism serves clinicians who may interact with health information, we are cognisant of the additional obligations that may apply under the My Health Records Act 2012 (Cth) and state health records legislation. Prism's architecture — specifically the fact that no patient data is processed by Solved — is designed in part to minimise our obligations and risk profile under these frameworks.

10. Your rights

You have the right to:

Access the personal information we hold about you
Request correction of inaccurate or incomplete information
Request deletion of your account and associated personal information
Withdraw consent to communications at any time (unsubscribe links are included in all marketing emails)
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached

To exercise any of these rights, contact us using the details in section 12.

11. Changes to this policy

We may update this policy from time to time. Where changes are material, we will notify registered users by email prior to the change taking effect. The effective date at the top of this page will always reflect the current version.

Continued use of Prism following notification of changes constitutes acceptance of the updated policy.

12. Contact and complaints

For privacy-related questions, requests, or complaints, please contact our Privacy Officer:

Solved Development Labs Pty Ltd Privacy enquiries: privacy@useprism.health
General: hello@solved.dev
Adelaide, South Australia, Australia

We will acknowledge receipt of your enquiry within 5 business days and aim to resolve all privacy matters within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au.