Privacy Policy
Last updated: April 4, 2026
VIRad.AI Medical LLC, a Delaware limited liability company ("VIRad.AI," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy describes what information we collect, how we use it, what we do NOT do with it, and your rights regarding your data.
No Patient Data. VIRad.AI is not designed to collect, store, or process Protected Health Information (PHI). Users must not enter any patient-identifying information into the Service. See our Terms of Service for details.
We do NOT sell your data. VIRad.AI does NOT sell, share, or transfer your personal information or query data to any third party for advertising, marketing, or commercial purposes. Your clinical queries and interactions remain confidential.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication and account communications
- Full name — used for personalization within the Service
- Institution — used to understand our user base and tailor features
- Specialty — used to provide relevant clinical content
- Role (e.g., attending, fellow, resident) — used for experience-appropriate content delivery
Usage and Device Data
We collect first-party analytics to understand how the Service is used and to improve it. This includes:
- Features accessed and frequency of use
- Query text submitted to the AI (logged for product improvement and safety auditing)
- Session duration and navigation patterns
- Device type, browser type, operating system, and screen resolution
- IP address (used for country-level analytics only; not stored long-term)
- Error logs for debugging and reliability
Payment Information
If you subscribe to a paid tier, payment processing is handled entirely by a PCI-compliant third-party payment processor. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive only a transaction confirmation, subscription status, and the last four digits of your payment method for display purposes.
2. Information We Do NOT Collect
We do not collect:
- Protected Health Information (PHI) or patient data — we actively warn users not to input it
- Social Security numbers or government-issued ID numbers
- Financial information (credit card numbers are handled exclusively by our payment processor)
- Biometric data
- Precise geolocation (only country-level derived from IP for analytics)
- Data from third-party tracking pixels, ad networks, or social media integrations
3. How We Use Your Data
We use the information we collect for the following purposes:
- Provide the Service: Authenticate users, deliver AI-powered clinical reference, and maintain your account.
- Improve quality: Analyze usage patterns and query data to improve the accuracy, relevance, and reliability of clinical outputs.
- Safety auditing: Monitor for harmful or inaccurate AI outputs and maintain quality assurance standards.
- Technical support: Diagnose and resolve bugs, errors, and performance issues.
- Communications: Send account-related notifications, service updates, and (with consent) product announcements.
4. What We Do NOT Do With Your Data
We do NOT:
- Sell, share, or transfer personal information to any third party for advertising or marketing purposes
- Share your data with data brokers or advertisers
- Use your clinical queries to train AI models (queries sent to Anthropic are processed under their API data policy, which prohibits training on API inputs and deletes data after 7 days)
- Use third-party advertising or tracking cookies (no Facebook Pixel or similar ad-tracking services)
- Profile you for targeted advertising
5. Data Storage and Security
All user data is stored in a managed PostgreSQL database with the following security measures:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.2+)
- Row-level security policies to prevent unauthorized data access
- Regular automated backups
- Isolated container environments with encrypted connections
No method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability, please contact us immediately at support@virad.ai.
6. Third-Party Services
We share data with a limited number of third-party services, only as necessary to operate the Service:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Authentication, database, data storage | Account info, usage data, queries |
| Anthropic | AI-powered clinical responses (Claude API) | Query text (no user-identifying data attached). Per Anthropic's API Terms, inputs/outputs are not used for model training and are deleted after 7 days. |
| Stripe | Subscription billing and payment processing | Email, payment details (handled directly by Stripe; we do not store card numbers) |
| Resend | Transactional email delivery | Email address, email content (account notifications, password resets) |
| PubMed / NCBI | Medical literature search via public E-Utilities API | Search query terms (no user-identifying data) |
| Google Analytics | Usage analytics and service improvement | Anonymized usage data, page views, session data (no PII) |
We do not use Facebook Pixel, ad networks, or any other third-party advertising or tracking services.
7. Cookies and Local Storage
VIRad.AI uses minimal browser storage:
- Supabase auth session — authentication tokens stored in localStorage to maintain your logged-in session
- User preferences — theme settings and UI state stored in localStorage
- Google Analytics cookies — used for anonymized usage analytics (page views, session duration, feature usage). You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
- No ad tracking — zero advertising cookies of any kind
You can clear localStorage and cookies through your browser settings at any time. Doing so will log you out and reset your preferences.
8. AI Query Processing
When you submit a query, the text is sent to Anthropic's Claude API for processing. These queries:
- Are not linked to your user identity when sent to Anthropic
- Are not used for AI model training (per Anthropic's API Terms of Service)
- Are deleted by Anthropic after 7 days per their data retention policy
- Are logged by VIRad.AI with PII redaction for service improvement and safety auditing
Do not include patient-identifying information in queries. While we strip identifying metadata before sending queries to the AI, the safest practice is to never enter PHI in the first place.
9. Data Retention and Pseudonymization
Query logs are retained with PII redaction for service improvement and safety monitoring. We retain your account data for as long as your account is active. If you delete your account:
- Your personal data (name, email, institution) will be removed within 30 days.
- Clinical query logs are pseudonymized — all personally identifying information is replaced with an irreversible code — and retained for up to 7 years solely for quality assurance, safety monitoring, and defense of legal claims.
- This retention is permitted under GDPR Article 17(3)(d), CCPA §1798.105(d)(8), and applicable medical record retention laws.
Anonymized, aggregated usage statistics (which cannot be linked back to any individual) may be retained indefinitely for service improvement purposes.
10. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and all associated data, subject to the pseudonymized retention described in Section 9.
- Export: Request an export of your data in a portable format.
- Opt-out of analytics: Opt out of Google Analytics tracking using the browser add-on or by contacting us.
- Opt-out of communications: Unsubscribe from non-essential communications at any time.
To exercise any of these rights, email support@virad.ai. We will respond within 30 days.
11. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to the pseudonymized retention described in Section 9.
- Right to Opt-Out: VIRad.AI does NOT sell your personal information. No opt-out is necessary because we do not engage in data sales.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels for exercising your rights.
To exercise your CCPA rights, contact us at support@virad.ai. We will respond within 45 days as required by law.
12. GDPR (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis: We process your data based on contractual necessity (to provide the Service) and legitimate interest (to improve the Service and maintain safety).
- Data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing based on legitimate interest.
- Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.
13. Children's Privacy
The Services are designed for use by licensed healthcare professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at support@virad.ai.
14. International Data Transfers
VIRad.AI is based in the United States. If you access the Services from outside the United States, you consent to the transfer and processing of your information in the United States. We take reasonable measures to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or via email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
16. Device Session Tracking
To secure your account and enforce the device limits of your subscription, VIRad.AI maintains a record of the devices actively signed in to your account. For each active session, we store:
- Device identifier — a random UUID generated locally on your device; it is not linked to any hardware serial number, advertising ID, or other persistent device fingerprint
- User agent string — browser and operating system information, truncated for storage
- Session timestamps — creation time and a last_active timestamp updated via a periodic heartbeat while the session is in use
Purpose. Session records are used solely to (a) protect your account from unauthorized access, (b) display your active sessions to you so you can sign out of devices remotely, and (c) enforce the maximum concurrent device limit of your subscription (see our Terms of Service).
Retention. Session records are automatically deleted seven (7) days after the last_active timestamp. You may also revoke any active session at any time from your account settings, which immediately removes the corresponding record.
17. Subscription and Payment Data
Subscriptions are processed by Stripe, a PCI-DSS Level 1 certified payment processor. The following applies to subscription data:
- What we store. When you start a subscription, we store your Stripe customer ID and subscription ID in our profiles table, along with your current subscription status, plan, and trial end date (if applicable).
- What we never store. We do not receive, process, or store full payment card numbers, CVCs, bank account numbers, or any other raw payment credentials. All payment information is entered directly into Stripe's hosted checkout and stored exclusively by Stripe.
- Webhook synchronization. Stripe notifies our servers via signed webhooks when your subscription is created, updated, renewed, or cancelled. We use those notifications to keep your access rights in sync with your billing status.
- Display data. Where useful (for example, on a billing settings page), we may display the last four digits and brand of your payment method as returned by Stripe.
Stripe's handling of payment data is governed by the Stripe Privacy Policy.
18. Trial Period Data Handling
New subscribers are offered a fourteen (14) day free trial. Your data is handled as follows:
- During the trial: You have full feature access, and all data handling described elsewhere in this Policy applies normally.
- If you cancel before the trial ends: You are not charged, your account remains in place in a free-tier state, and all account and usage data is retained in accordance with this Policy unless you specifically request deletion.
- If the trial expires without a paid subscription: Your account transitions to a read-only / upgrade-required state. Your account, preferences, Q-Bank progress, and feedback history are retained so that they remain available if you later subscribe.
- Deletion at any time. You may request deletion of your account and associated data at any point during or after the trial by emailing support@virad.ai. Retention of pseudonymized query logs described in Section 9 still applies.
19. Q-Bank Progress and Anonymized Cohort Statistics
The VIRad.AI Q-Bank is a spaced-repetition learning module. In connection with your use of Q-Bank, we collect and store:
- Your answers (correct / incorrect), timestamps, and time-to-answer
- Your per-question spaced-repetition schedule and review history
- Flags such as questions you have marked for review
How this data is used. Individual Q-Bank history is visible only to you. It is used to personalize your study queue, power the spaced repetition algorithm, and show you your own performance trends.
Cohort comparison. We compute aggregated, anonymized statistics across groups of users (for example, "Trainee cohort accuracy on this question: 71%"). These aggregates do not identify any individual user, and we apply minimum cohort-size thresholds before any aggregate is displayed. We never share your individual answer history with any other user.
Your control. You may request deletion of all of your Q-Bank progress, review history, and answer logs at any time by emailing support@virad.ai. Deletion of your Q-Bank history does not require deletion of your account.
20. Feedback, Ratings, and Comments
VIRad.AI allows you to provide feedback on AI responses, Q-Bank questions, and other content. When you do so, we collect:
- Your thumbs-up / thumbs-down rating, stored with your user ID and a reference to the item being rated
- Any optional free-text comment you choose to submit, stored verbatim
- The time the feedback was submitted and the context in which it occurred (for example, which AI response or question it referred to)
Purpose. Feedback is used to identify low-quality or incorrect content, prioritize fixes, and improve the reliability of the Service. Aggregated, anonymized feedback metrics (for example, the percentage of users who rated a particular answer positively) are used for internal quality monitoring and are not tied to any individual user externally.
You should not include PHI or patient-identifying information in free-text feedback. Free-text comments may be reviewed by VIRad.AI staff.
21. Device "Contact Rep" Requests
Certain device pages within the Service include a "Contact Rep" button that allows you to request an introduction to a device manufacturer or their sales representative. When you click this button and confirm:
- We log the request (device, timestamp, your user ID) in our systems.
- Where the manufacturer is a partner of VIRad.AI, we share your name and email address with that manufacturer for the sole purpose of allowing them to contact you about the device. The partner relationship and the fact that your information will be shared are clearly disclosed to you at the moment you click the button.
- Information shared with a manufacturer is then governed by that manufacturer's own privacy practices.
We do not share your information with any manufacturer unless you have explicitly initiated a Contact Rep request for that manufacturer. You can decline at the confirmation step at any time.
22. International Users and Data Location
VIRad.AI stores and processes data on infrastructure located in the United States, including our primary database provider (Supabase, US region). By using the Service from outside the United States, you consent to the transfer, storage, and processing of your information in the United States.
European Economic Area and United Kingdom. If you are located in the EEA or UK, we comply with applicable data subject rights under GDPR / UK GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection, as further described in Sections 10 and 12.
Data export. You may request a machine-readable export of your personal data (account information, Q-Bank progress, feedback history, and associated metadata) at any time by emailing support@virad.ai. We will respond within 30 days.
23. Contact
For privacy-related questions or requests, contact us at:
VIRad.AI Medical LLC
8 The Green, Ste B
Dover, DE 19901
Phone: (302) 375-8771
General: support@virad.ai