Privacy Policy

Effective date: 2026-02-08

This Privacy Policy describes how Radiology PACS App ("we", "us", "our") collects, uses, stores, and shares information when you use our website, services, and applications (the "Service"). It explains choices you can make about your information and how to contact us about privacy concerns.

Summary — Key Points

• We use Firebase for authentication, storage, Firestore and Cloud Functions (Google Cloud).
• We use analytics and tracking (Google Tag Manager, Meta / Facebook Pixel). We only enable tracking when you provide explicit consent via the cookie/consent banner.
• Your uploaded DICOM files and related metadata (which may contain health information) are stored on our infrastructure and/or on Google Cloud Storage; you control and may delete them.
• We do not sell personal data. We only share personal data with processors, with your consent, or as required by law.

Information We Collect

Account and Authentication Data

When you create an account or sign in, we collect identifiers necessary for authentication (using Firebase Authentication). We store a unique user identifier (UID) and may store profile information you provide (display name, email) to the extent you supply it.

Uploads and Medical Images

You may upload DICOM files (medical images) and ZIP archives containing studies. Uploaded files may contain personally identifiable information and protected health information (PHI). We store file metadata (filename, size, content type) and attempt to extract study metadata (StudyInstanceUID and limited DICOM header fields) to power the viewer and search features. Extracted metadata may be stored in our database and used to build study previews and secure viewer links.

Usage Data & Analytics

We collect usage and performance data to improve the Service. This includes anonymous or pseudonymous metrics, server logs (IP address, browser type, timestamps), and events sent to third-party analytics providers if you consent.

Automated Data & Derived Metadata

We may create derived data such as anonymized usage trends, aggregated statistics, and image analysis output (if you enable features that produce such results). These aggregated/derived data do not identify individuals when published or used for analytics.

How We Use Your Data

• Provide, operate, and maintain the Service (authentication, uploads, study viewer).
• Enable secure access to studies via signed links with short time-to-live values.
• Communicate with you about your account, updates, and security issues.
• Analyze and improve the Service using aggregated or consented analytics.
• Comply with legal obligations and respond to lawful requests (e.g., court orders).

Third-Party Services & Processors

We use third-party processors to operate the Service. Key providers include:

• Google LLC / Firebase (Google Cloud) — authentication, Cloud Storage, Firestore, Cloud Functions for hosting and data management.
• Google Tag Manager — used to load analytics & measurement tools. We load GTM only if you consent.
• Meta / Facebook Pixel — used for page view and advertising events. We activate this only if you consent.

For a complete list of processors with links to their privacy documentation and DPA information, see our Processors & Subprocessors page.

You can revoke analytics/tracking consent at any time using the cookie preferences in the site footer or by clearing the tracking-consent value in your browser's localStorage.

Legal Basis (for EU GDPR)

Where applicable, we rely on the following legal bases for processing personal data: performance of a contract (to provide the Service), compliance with legal obligations, our legitimate interests (security, fraud prevention, improving the Service) and, when required (e.g., analytics and marketing), your consent.

Data Retention

We retain your account data and uploaded files for as long as your account exists or unless you request deletion. Upload metadata and extracted DICOM summaries may also be retained to maintain application integrity (e.g., study listings). We automatically expire signed viewer links and secure URLs (time-limited), and we may retain server logs and backups for troubleshooting and security for a limited period.

Security

We implement reasonable administrative, technical, and physical safeguards to protect data. Examples include TLS in transit, access controls, Firebase Auth for authentication, signed short-lived links for viewer access, and restricted access to storage. However, no system is 100% secure — if you discover a vulnerability, contact us immediately.

Special Note on Health Data (PHI)

Uploaded DICOM files may contain PHI (protected health information). If you are subject to health data regulations (e.g., HIPAA in the U.S., or national laws in your country), you should ensure that you have appropriate legal grounds and consents before uploading PHI. We treat uploaded studies as confidential and apply technical protections described above, but you are responsible for compliance when uploading PHI unless we have a separate signed Business Associate Agreement (BAA) covering HIPAA obligations.

Your Rights

Subject to applicable law, you may have the right to:

• Request access to personal data we hold about you;
• Request correction or deletion of your personal data (we will delete uploads and account data on request subject to verification);
• Export or portability of your data in common machine-readable formats;
• Object to or restrict certain processing (e.g., direct marketing, analytics); and
• Withdraw consent at any time for processing based on consent.

To exercise these rights, contact us at privacy@radiologypacs.app. We generally respond to verified requests within 30 days.

How to Control Cookies & Tracking

We display a consent banner on first visit. You can accept or reject analytics and advertising tracking. To withdraw consent manually:

• Open the site and use the Manage Preferences button in the consent banner (if available).
• Clear the tracking-consent entry from your browser's DevTools console:

  localStorage.removeItem('tracking-consent')

• Use browser privacy controls or ad/network opt-outs (e.g., Google Ad Settings, Facebook Ad Settings).

Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal data from children under 18. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will post the updated policy here with a revised effective date. Where required by law, we will seek consent for material changes.

Contact & Requests

If you have questions, need details about the data we hold, or wish to exercise your privacy rights, contact:
privacy@radiologypacs.app

Last updated: 2026-02-08