Privacy Policy

1. Introduction

Report Rad AI ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our radiology reporting platform (the "Service").

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

• Account Information: Name, email address, and profile picture (via Google OAuth)
• Professional Information: Medical license number, institution affiliation, specialty (optional)
• Contact Information: Email address for service notifications

2.2 Medical Content

IMPORTANT - Protected Health Information (PHI):

• Findings & Reports: We store de-identified radiology findings and generated reports
• Voice Recordings: Audio files are processed with automatic PII redaction and are NOT permanently stored
• Transcriptions: All transcripts undergo automatic redaction of PII, PHI, email addresses, phone numbers, and SSNs using Deepgram's HIPAA-compliant AI
• Templates: Custom report templates you create

2.3 Usage Data

• Number of reports generated
• Voice transcription duration and frequency
• Template usage statistics
• Feature engagement metrics
• Performance and error logs

2.4 Technical Information

• IP address (hashed for rate limiting)
• Browser type and version
• Device information
• Session data (via secure cookies)
• Performance metrics

3. How We Use Your Information

We use collected information for the following purposes:

• Service Delivery: Generate radiology reports, transcribe voice dictations, manage templates
• Authentication: Verify your identity and maintain secure access
• Performance Optimization: Improve AI model accuracy and response times
• Usage Analytics: Understand feature usage to improve the Service
• Communication: Send service updates, security alerts, and billing notifications
• Security: Detect fraud, abuse, and security threats
• Legal Compliance: Comply with HIPAA, GDPR, and other applicable regulations

5. Information Sharing and Disclosure

5.1 We DO NOT Sell Your Data

We never sell, rent, or trade your personal information or medical data to third parties for marketing purposes.

5.2 Permitted Disclosures

We may share your information only in the following circumstances:

• With Your Consent: When you explicitly authorize us to share specific information
• Service Providers: With HIPAA-compliant vendors who assist in providing our Service (all under BAAs)
• Legal Requirements: When required by law, subpoena, or court order
• Emergency Situations: To prevent harm or protect rights, property, or safety
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with continued privacy protections)

6. Data Retention

• Generated Reports: Retained for 7 years (HIPAA requirement) or until account deletion
• Voice Recordings: Deleted immediately after transcription (NOT stored)
• Templates: Retained while your account is active
• Usage Logs: Retained for 90 days for security and analytics
• Account Data: Retained until you request deletion

7. Your Privacy Rights

7.1 HIPAA Rights

• Access: Request copies of your PHI
• Amendment: Request corrections to your PHI
• Accounting: Receive an accounting of PHI disclosures
• Restrictions: Request restrictions on PHI use and disclosure

7.2 GDPR Rights (if applicable)

• Right to Access: Obtain confirmation of data processing
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your data
• Right to Portability: Receive your data in a structured format
• Right to Object: Object to processing of your personal data

7.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@reportradai.com. We will respond within 30 days.

8. Cookies and Tracking

We use the following cookies:

• Essential Cookies: Required for authentication and security (session management)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Understand usage patterns (Vercel Analytics - anonymized)

You can control cookie preferences in your browser settings, but disabling essential cookies may affect Service functionality.

9. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure that all international transfers comply with applicable data protection laws, including GDPR Standard Contractual Clauses where required.

10. Children's Privacy

Our Service is intended for healthcare professionals aged 18 and over. We do not knowingly collect information from individuals under 18. If you believe we have inadvertently collected such information, contact us immediately.

11. Security Measures

We implement industry-standard security measures including:

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication (MFA) support
• Regular security audits and penetration testing
• Employee security training and background checks
• Incident response and breach notification procedures
• Regular data backups with encryption

12. Data Breach Notification

In the event of a data breach affecting PHI, we will notify affected individuals and the Department of Health and Human Services within 60 days as required by HIPAA. For other data breaches, we will comply with applicable state and federal notification requirements.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email and by posting a notice on our Service at least 30 days before the changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.