Privacy Policy
1. Data We Collect
- Account data: name, email, professional role, institution affiliation (if provided).
- Report data: raw input text, AI-generated drafts, your edited/finalized text, timing metrics, body part, study type, correction type.
- Images: worksheet screenshots and radiographs you submit. Stored only when tied to a correction (to enable image-aware learning); otherwise discarded after processing.
- Usage metrics: per-call endpoint, models invoked, token counts, cost.
- Audit log: logins, administrative actions, high-impact data events.
2. PHI Handling
Text submitted for report generation is passed through an automated HIPAA Safe Harbor redaction pipeline before being sent to any third-party language model. Names, dates, MRNs, accession numbers, and other PHI falling under the 18 Safe Harbor identifier categories are replaced with non-reversible tokens. Restored PHI (if any) is re-inserted client-side after generation; only redacted text is retained in our database.
Images submitted for vision analysis are forwarded to the vision-capable LLM vendor(s) selected for that study. Radiology images may contain burned-in PHI (overlays, annotations) that automated text redaction cannot remove. Users are responsible for pre-clearing burned-in PHI before upload, or for using our DICOM-aware import (which strips DICOM metadata).
3. LLM Subprocessors
We transmit redacted content to the following processors as needed to generate reports:
| Vendor | Purpose | BAA executed? |
|---|---|---|
| OpenAI (GPT-4.1, GPT-5.4, text-embedding-3-small) | Primary report generation, embeddings | Pending — in active negotiation as of 2026-04-22 |
| Anthropic (Claude Opus 4.6, Sonnet 4.6) | Consensus second-opinion, fallback | Pending — in active negotiation as of 2026-04-22 |
| Google (Gemini 2.0 Flash, 2.5 Pro) | Vision analysis, consensus, Volume Intelligence | Pending — in active negotiation as of 2026-04-22 |
| Railway Corp | Application hosting, database, logs | Pending — in active negotiation as of 2026-04-22 |
| Stripe, Inc. | Payment processing (billing data only) | Not applicable — Stripe is a PCI DSS processor, not a BAA subprocessor. No PHI shared. |
4. Data Retention
- Confirmed reports are retained for the life of your account plus 90 days after cancellation, unless a longer period is required by statute.
- Usage logs and audit logs are retained for 7 years to support compliance and quality monitoring.
- Unconfirmed drafts (generated but not saved) are discarded after 48 hours.
- Full image payloads attached to corrections are retained only while the user's account is active.
5. Your Rights
- Access: Download your data at any time via Settings → Export Data.
- Correction: Edit or re-confirm any report from the Reports tab.
- Deletion: Request account deletion by emailing support@myradagent.ai. We will delete all personal data and confirmed reports within 30 days (subject to statutory retention for audit logs).
- Portability: Exported data is provided in JSON and plain text formats.
- If you are in the EEA, UK, or California, you have additional rights under GDPR, UK GDPR, or CCPA/CPRA. Email support@myradagent.ai to exercise them.
6. Security
- Data in transit: TLS 1.2 or higher between your browser/desktop and our servers, and between our servers and subprocessors.
- Data at rest: encrypted at the storage layer by our hosting provider.
- Access controls: role-based (admin / radiologist / viewer), JWT-signed sessions, password hashing via PBKDF2 with per-user salt.
- Audit log: administrative actions are logged and reviewed periodically.
7. Cookies and Tracking
We use first-party cookies and local storage only for authentication and UI state. We do not use third-party analytics or advertising trackers.
8. Children
The Service is intended for professional use and is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children.
9. Changes
We will notify you of material changes to this policy at least 30 days in advance by email or in-app notice.
10. Contact
Privacy questions: support@myradagent.ai