Privacy Policy
Last updated: April 4, 2026
VIRad.AI Medical LLC, a Delaware limited liability company ("VIRad.AI," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy describes what information we collect, how we use it, what we do NOT do with it, and your rights regarding your data.
No Patient Data. VIRad.AI is not designed to collect, store, or process Protected Health Information (PHI). Users must not enter any patient-identifying information into the Service. See our Terms of Service for details.
We do NOT sell your data. VIRad.AI does NOT sell, share, or transfer your personal information or query data to any third party for advertising, marketing, or commercial purposes. Your clinical queries and interactions remain confidential.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication and account communications
- Full name — used for personalization within the Service
- Institution — used to understand our user base and tailor features
- Specialty — used to provide relevant clinical content
- Role (e.g., attending, fellow, resident) — used for experience-appropriate content delivery
Usage and Device Data
We collect first-party analytics to understand how the Service is used and to improve it. This includes:
- Features accessed and frequency of use
- Query text submitted to the AI (logged for product improvement and safety auditing)
- Session duration and navigation patterns
- Device type, browser type, operating system, and screen resolution
- IP address (used for country-level analytics only; not stored long-term)
- Error logs for debugging and reliability
Payment Information
If you subscribe to a paid tier, payment processing is handled entirely by a PCI-compliant third-party payment processor. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive only a transaction confirmation, subscription status, and the last four digits of your payment method for display purposes.
2. Information We Do NOT Collect
We do not collect:
- Protected Health Information (PHI) or patient data — we actively warn users not to input it
- Social Security numbers or government-issued ID numbers
- Financial information (credit card numbers are handled exclusively by our payment processor)
- Biometric data
- Precise geolocation (only country-level derived from IP for analytics)
- Data from third-party tracking pixels, ad networks, or social media integrations
3. How We Use Your Data
We use the information we collect for the following purposes:
- Provide the Service: Authenticate users, deliver AI-powered clinical reference, and maintain your account.
- Improve quality: Analyze usage patterns and query data to improve the accuracy, relevance, and reliability of clinical outputs.
- Safety auditing: Monitor for harmful or inaccurate AI outputs and maintain quality assurance standards.
- Technical support: Diagnose and resolve bugs, errors, and performance issues.
- Communications: Send account-related notifications, service updates, and (with consent) product announcements.
4. What We Do NOT Do With Your Data
We do NOT:
- Sell, share, or transfer personal information to any third party for advertising or marketing purposes
- Share your data with data brokers or advertisers
- Use your clinical queries to train AI models (queries sent to Anthropic are processed under their API data policy, which prohibits training on API inputs and deletes data after 7 days)
- Use third-party advertising or tracking cookies (no Facebook Pixel or similar ad-tracking services)
- Profile you for targeted advertising
5. Data Storage and Security
All user data is stored in a managed PostgreSQL database with the following security measures:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.2+)
- Row-level security policies to prevent unauthorized data access
- Regular automated backups
- Isolated container environments with encrypted connections
No method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability, please contact us immediately at support@virad.ai.
6. Third-Party Services
We share data with a limited number of third-party services, only as necessary to operate the Service:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Authentication, database, data storage | Account info, usage data, queries |
| Anthropic | AI-powered clinical responses (Claude API) | Query text (no user-identifying data attached). Per Anthropic's API Terms, inputs/outputs are not used for model training and are deleted after 7 days. |
| Stripe | Subscription billing and payment processing | Email, payment details (handled directly by Stripe; we do not store card numbers) |
| Resend | Transactional email delivery | Email address, email content (account notifications, password resets) |
| PubMed / NCBI | Medical literature search via public E-Utilities API | Search query terms (no user-identifying data) |
| Google Analytics | Usage analytics and service improvement | Anonymized usage data, page views, session data (no PII) |
We do not use Facebook Pixel, ad networks, or any other third-party advertising or tracking services.
7. Cookies and Local Storage
VIRad.AI uses minimal browser storage:
- Supabase auth session — authentication tokens stored in localStorage to maintain your logged-in session
- User preferences — theme settings and UI state stored in localStorage
- Google Analytics cookies — used for anonymized usage analytics (page views, session duration, feature usage). You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
- No ad tracking — zero advertising cookies of any kind
You can clear localStorage and cookies through your browser settings at any time. Doing so will log you out and reset your preferences.
8. AI Query Processing
When you submit a query, the text is sent to Anthropic's Claude API for processing. These queries:
- Are not linked to your user identity when sent to Anthropic
- Are not used for AI model training (per Anthropic's API Terms of Service)
- Are deleted by Anthropic after 7 days per their data retention policy
- Are logged by VIRad.AI with PII redaction for service improvement and safety auditing
Do not include patient-identifying information in queries. While we strip identifying metadata before sending queries to the AI, the safest practice is to never enter PHI in the first place.
9. Data Retention and Pseudonymization
Query logs are retained with PII redaction for service improvement and safety monitoring. We retain your account data for as long as your account is active. If you delete your account:
- Your personal data (name, email, institution) will be removed within 30 days.
- Clinical query logs are pseudonymized — all personally identifying information is replaced with an irreversible code — and retained for up to 7 years solely for quality assurance, safety monitoring, and defense of legal claims.
- This retention is permitted under GDPR Article 17(3)(d), CCPA §1798.105(d)(8), and applicable medical record retention laws.
Anonymized, aggregated usage statistics (which cannot be linked back to any individual) may be retained indefinitely for service improvement purposes.
10. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and all associated data, subject to the pseudonymized retention described in Section 9.
- Export: Request an export of your data in a portable format.
- Opt-out of analytics: Opt out of Google Analytics tracking using the browser add-on or by contacting us.
- Opt-out of communications: Unsubscribe from non-essential communications at any time.
To exercise any of these rights, email support@virad.ai. We will respond within 30 days.
11. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to the pseudonymized retention described in Section 9.
- Right to Opt-Out: VIRad.AI does NOT sell your personal information. No opt-out is necessary because we do not engage in data sales.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels for exercising your rights.
To exercise your CCPA rights, contact us at support@virad.ai. We will respond within 45 days as required by law.
12. GDPR (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis: We process your data based on contractual necessity (to provide the Service) and legitimate interest (to improve the Service and maintain safety).
- Data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing based on legitimate interest.
- Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.
13. Children's Privacy
The Services are designed for use by licensed healthcare professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at support@virad.ai.
14. International Data Transfers
VIRad.AI is based in the United States. If you access the Services from outside the United States, you consent to the transfer and processing of your information in the United States. We take reasonable measures to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or via email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
16. Contact
For privacy-related questions or requests, contact us at:
VIRad.AI Medical LLC
8 The Green, Ste B
Dover, DE 19901
Phone: (302) 375-8771
General: support@virad.ai