Privacy Policy for NeuroRadX
Effective Date: July 1, 2025 · Germany
NeuroRadX is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have when you use our neuroradiology learning platform. We process your data in compliance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
1. Data Controller
The entity responsible for the processing of your personal data under GDPR Art. 4(7) is:
Andres Pinta
Strasse 1
74078 Heilbronn
Germany
Email: support@neuroradx.com
For any questions regarding data protection or to exercise your rights, please contact us at the address or email above.
2. Data We Process, Purposes, and Legal Basis
We process your personal data in the following categories:
2.1. Account and Subscription Information
Information required to create and manage your account.
- Data collected: First name, last name, full name, email address, unique user ID (Firebase UID), account status (e.g. approved, pending), role (e.g. user, admin), subscription level (e.g. Premium), and account creation date.
- Purpose: To create and secure your account, authenticate you, manage your subscription, and communicate with you about the Service.
- Legal basis: Art. 6(1)(b) GDPR – processing necessary for the performance of the contract (our Terms of Use).
2.2. Optional Profile Information
Voluntary information you may provide to personalise your profile.
- Data collected: Country, institution, avatar URL, declared specialisation (e.g. student, resident), and profession.
- Purpose: To personalise your profile. We may use this data in anonymised and aggregated form for statistical analysis.
- Legal basis: Art. 6(1)(a) GDPR – your consent. You may withdraw consent at any time by removing this information from your profile.
2.3. Activity and Progress Data
Data generated as you use the app, essential for the learning functionality.
- Data collected:
  - Quiz sessions: History of study sessions, exam settings, scores, and which questions you answered correctly or incorrectly.
  - User questions: Record of questions you interact with, including times seen, correct/incorrect answers, and mastery status.
  - Bookmarked questions: Questions you have saved for future review.
  - Question notes: Your personal annotations on specific questions.
  - Seen facts: Record of which "Did you know..." facts you have seen.
- Purpose: To provide your personalised learning experience, track progress, identify strengths and weaknesses, and enable you to review your activity.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest is to provide the core educational features of the Service.
2.4. Notifications and Issue Reports
Data related to in-app communications and support.
- Data collected: In-app notifications (linked to your user ID) and issue reports you submit (including question ID, problem type, description, and your user ID).
- Purpose: To deliver administrative messages, inform you about updates to reported issues, and process your support requests.
- Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interest in improving our content and support).
2.5. Technical Data
- Data collected: IP address, device type, operating system, and server logs (which may contain your user ID or email in error messages).
- Purpose: To ensure technical functionality, stability, security, and troubleshooting.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
2.6. Cookies and Local Storage
We use minimal local storage and cookies for essential functionality.
- Data stored: Your preferred language and text size (localStorage); sidebar open/closed state (cookie).
- Purpose: To remember your preferences and improve your experience.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest). We do not use advertising or tracking cookies.
3. Data Recipients and International Transfers
We do not sell your personal data. We share data only with the following service providers who help us operate the Service:
- Google Firebase (Authentication, Firestore, Hosting, Cloud Run): Hosts your account data, progress data, and the application. Data may be processed in the EU and the USA. Transfers to the USA are governed by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
- Algolia: Powers the search functionality. We index only question content (not personal data). Algolia may process data in the EU or USA under appropriate safeguards.
- Google AI (Gemini): Used by administrators to enrich question content with scientific references. Only question text (not linked to users) is processed. Your personal data is not sent to Google AI.
All providers act as processors on our behalf and are contractually bound to process data only as instructed.
4. Data Retention
We retain your personal data for as long as your account is active. Upon account deletion, we erase your personal data in accordance with our deletion processes, unless we are legally required to retain it for a longer period (e.g. under German commercial or tax law, typically up to 10 years for certain records). Server logs are typically retained for up to 30 days.
5. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), access controls, and secure authentication. Our infrastructure is hosted on Google Cloud Platform with industry-standard security practices.
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Right of access (Art. 15): To obtain confirmation as to whether we process your data and to receive a copy of it.
- Right to rectification (Art. 16): To have inaccurate data corrected.
- Right to erasure (Art. 17): To have your data deleted ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Art. 18): To limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): To receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): To object to processing based on legitimate interests (sections 2.3, 2.4, 2.5, 2.6). If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint (Art. 77): To complain to a supervisory authority. In Germany, you may contact the competent state data protection authority (Landesdatenschutzbehörde) or the Federal Commissioner for Data Protection and Freedom of Information (BfDI): www.bfdi.bund.de.
To exercise any of these rights, please contact us at the address or email in Section 1. We will respond within one month.
7. Minors
NeuroRadX is intended for medical professionals, residents, and students in the field. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. For significant changes, we may also notify you by email or in-app message. We encourage you to review this policy periodically.
9. Contact
For any questions about this Privacy Policy or our data practices, please contact us at support@neuroradx.com or at the address in Section 1.