Privacy Policy

Last updated: March 2026

Moonshot Medical LLC ("Moonshot," "we," "us") operates the DEXA Upgrade software and related cloud services. This Privacy Policy describes what information we collect, how we use it, and your rights regarding that information.

1. What We Collect

Data Type	Examples	Source
Account information	Email address, name	You provide at signup; Stripe provides billing name
License and device info	License key, machine ID	Generated during activation
Payment information	Billing details	Processed and stored by Stripe; we never see or store card numbers
Scan data (PHI)	DEXA body composition and bone density results, patient identifiers	Uploaded via cloud sync
Usage data	Feature usage, error logs	Collected automatically by the Software

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the DEXA Upgrade service
• Generate and deliver reports based on your scan data
• Process subscription payments through Stripe
• Send transactional emails (account confirmations, billing receipts, service updates)
• Diagnose and fix technical issues
• Comply with legal obligations

We do not sell your information. We do not use your scan data or PHI for marketing, advertising, or any purpose other than delivering the service.

3. PHI Handling (HIPAA)

DEXA scan data may constitute Protected Health Information (PHI) under HIPAA. Moonshot acts as a Business Associate when processing PHI on behalf of covered entities. Our safeguards include:

• Encryption at rest: AES-256 encryption on all stored PHI
• Encryption in transit: TLS 1.2 or higher for all data transmission
• Access controls: PHI access limited to authorized personnel on a need-to-know basis
• Audit logging: All access to PHI is logged and monitored
• BAA available: We will execute a Business Associate Agreement upon request

Contact support@dexaupgrade.com to request a BAA.

4. Third-Party Services

We use the following third-party service providers to operate DEXA Upgrade:

• Amazon Web Services (AWS) — Cloud hosting, data storage, and compute infrastructure. AWS operates under their own privacy policy and supports HIPAA compliance via a BAA with Moonshot.
• Stripe — Payment processing. Stripe handles all credit card data directly and operates under their own privacy policy. Moonshot never receives or stores card numbers.
• Resend — Transactional email delivery (account confirmations, receipts, service notifications). Resend processes email addresses and message content for delivery purposes only.

We do not share PHI with any third party except AWS for storage/hosting under our BAA.

5. Data Storage

All data is stored on US-based AWS infrastructure in the us-east-1 (N. Virginia) region. This includes:

• PostgreSQL database (RDS) for account and scan metadata
• S3 object storage for scan files and generated reports

All storage services are configured with encryption at rest enabled.

6. Data Retention

• Active subscription: All data retained and accessible for the duration of your subscription.
• After cancellation: Data retained for 30 days to allow re-subscription or export. After 30 days, all customer data and PHI are permanently deleted from our systems.
• Anonymized analytics: Aggregate, de-identified usage data (not PHI) may be retained indefinitely for product improvement.
• Legal requirements: We may retain certain records longer if required by law.

7. Your Rights

You have the right to:

• Access your data — View and download your scan data and reports through the Software at any time.
• Correct your data — Update your account information through the Software or by contacting us.
• Delete your data — Request deletion of your account and all associated data by contacting us. Deletion is completed within 30 days of a verified request.
• Export your data — Use the built-in export functionality in the Software to download your data in standard formats.

To exercise any of these rights, contact support@dexaupgrade.com.

8. Cookies

Marketing site (dexaupgrade.com): We use Google Analytics to understand site traffic. This involves cookies for session tracking and analytics. No PHI is collected on the marketing site.

DEXA Upgrade application: The desktop application does not use cookies. Authentication is handled via API tokens stored locally on your machine.

9. Children

DEXA Upgrade is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at support@dexaupgrade.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days in advance via the email address associated with your account. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Software after the effective date constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us:

• Email: support@dexaupgrade.com
• Company: Moonshot Medical LLC, Illinois, USA