Privacy Policy

Last updated: March 1, 2026

1. Introduction

AiCreative Innovations LLC ("we", "us", "our"), a limited liability company organized under the laws of the State of Delaware, USA, operates RadAssist ("Service"). This Privacy Policy explains how we collect, use, protect, and share your information when you use our Service.

By using RadAssist, you consent to the practices described in this policy. If you do not agree, do not use the Service.

2. Information We Collect

• Account data: Email address, name, specialty, organization (provided at registration or via Google OAuth).
• Usage data: Features used, report count, decision analytics, session timestamps, modality preferences (no PHI).
• Payment data: Processed exclusively by Stripe. We do not store, process, or have access to credit card numbers, CVVs, or full bank account details. We only store your Stripe customer ID for subscription management.
• Technical data: IP address (for rate limiting only, not stored long-term), browser type, device information (via standard HTTP headers).

3. Information We Do NOT Collect

• Protected Health Information (PHI): Medical images are stripped of EXIF/DICOM metadata on the client side before upload, processed ephemerally, and automatically purged from our servers within 24 hours.
• Patient-identifiable data: We do not collect, store, or process patient names, MRNs, dates of birth, or any data subject to HIPAA.
• Tracking data: We do not use Google Analytics, Facebook Pixel, or any third-party tracking cookies.

4. How We Use Your Information

• To provide, maintain, and improve the Service
• To process payments, manage subscriptions, and administer free trials
• To send transactional emails (verification, password reset, receipts, billing alerts)
• To send optional product updates and weekly usage digests (you can unsubscribe at any time)
• To enforce rate limits and prevent abuse
• To generate anonymized, aggregated analytics to improve the Service

5. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

• Contractual necessity: To provide the Service you signed up for (account management, report generation, billing).
• Legitimate interest: To improve the Service, prevent fraud, and ensure security.
• Consent: For optional communications (product updates, digests). You may withdraw consent at any time.

6. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following processors, strictly for service delivery:

• Stripe Inc. (San Francisco, CA) — Payment processing. Stripe Privacy Policy
• Resend Inc. — Transactional email delivery (verification, receipts). Resend Privacy Policy
• Cloudflare Inc. (San Francisco, CA) — Hosting infrastructure, CDN, edge computing. Cloudflare Privacy Policy
• Google LLC — OAuth authentication (only if you sign in with Google). Google Privacy Policy
• AI providers — Image analysis and report generation via API. Images are not stored by these providers and are processed under data processing agreements.

We may also disclose data if required by law, court order, or governmental authority.

7. Data Security

• All data transmitted via TLS 1.3 encryption
• Authentication via signed JWT tokens (HMAC-SHA256)
• Passwords hashed with SHA-256 (not stored in plaintext)
• Rate limiting on all authentication endpoints
• Account lockout after repeated failed login attempts
• EXIF metadata stripped from images before upload (client-side)
• Images automatically purged from storage within 24 hours
• Hosted on Cloudflare's global edge network with enterprise-grade DDoS protection

8. HIPAA Notice

RadAssist is not a HIPAA-covered entity and does not store PHI. Images are anonymized on upload and auto-purged within 24 hours. Users are solely responsible for ensuring their use of the Service complies with their institution's HIPAA policies and applicable regulations. Do not upload images containing visible patient-identifiable information.

Enterprise customers requiring a Business Associate Agreement (BAA) should contact ahmed@reportsrad.org.

9. Your Rights

GDPR (EEA/UK users) and CCPA (California users):

• Right to Access: Download all your data in JSON format via Settings > Export My Data.
• Right to Rectification: Update your account information at any time in Settings.
• Right to Erasure: Permanently delete your account and all data via Settings > Delete Account. Deletion is completed within 72 hours and is irreversible.
• Right to Portability: Export your data in a machine-readable JSON format.
• Right to Object: Unsubscribe from optional emails at any time.
• Right to Withdraw Consent: Contact us to withdraw consent for any processing based on consent.

To exercise any of these rights, use the in-app Settings or email support@reportsrad.org. We respond to all requests within 30 days.

California Users (CCPA): We do not sell personal information. You have the right to know what data we collect, request deletion, and opt out of any future sale (though we do not sell data).

10. Data Retention

• Account data: Retained while your account is active. Deleted within 72 hours of account deletion request.
• Medical images: Automatically purged within 24 hours of upload.
• Usage analytics: Anonymized after 12 months.
• Payment records: Retained for 7 years as required by US tax law.
• Session data (localStorage): Stored on your device only, auto-cleaned after 30 days of inactivity.

11. Cookies & Local Storage

We use only essential localStorage entries (not HTTP cookies) for authentication and session persistence. No tracking cookies, no third-party analytics scripts. See our Cookie Policy for full details.

12. International Data Transfers

Our Service is hosted on Cloudflare's global edge network. Data may be processed in the United States and other countries where Cloudflare operates edge nodes. By using the Service, you consent to data processing outside your country of residence. We ensure appropriate safeguards are in place for international transfers.

13. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we become aware that a minor has provided personal data, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Last updated" date at the top indicates the latest revision.

15. Contact & Data Protection

AiCreative Innovations LLC
A Delaware Limited Liability Company
Email: support@reportsrad.org
Data Protection Inquiries: support@reportsrad.org
Founder: Dr. Ahmed Elzein, FRCR, MRCSI, CCT UK