Privacy Policy

Last updated: [22/06/2025]

1. Who We Are

RadBytes.org ("we," "our," or "us") is an educational platform offering radiology training tools, including AI-driven feedback and DICOM image viewing. This Privacy Policy outlines how we handle your data in accordance with the UK General Data Protection Regulation (UK GDPR).

2. What Data We Collect

We take data protection seriously and are committed to respecting your privacy. We may collect the following types of personal data:

Account Data

  • Name
  • Email address
  • Password (hashed)

Usage Data

  • Device/browser type
  • Pages visited and time spent

Educational Interaction Data

  • Reports you submit on cases
  • AI feedback based on your submissions
  • Session history and scores

Cookies and Tracking Data

  • Essential cookies (e.g., login sessions)
  • Analytics cookies (e.g., Google Analytics)

User Submissions

  • Anonymised files submitted by users for education may be stored.
  • Images are further anonymised on upload as a safety precaution.
  • Users are responsible for ensuring submissions contain no identifiable patient data, including burnt-in identifiers or metadata.
  • If identifying information is found, we reserve the right to remove the file to maintain patient confidentiality.

Personalisation Data

  • First name (entered during signup)
  • Declared job role (e.g. radiologist, radiographer, medical student)
  • Other non-identifiable information such as training year, language preference or learning goals may be used to personalise AI tutor responses.

3. Legal Basis for Processing

Type of Data | Purpose | Legal Basis
Account Data | To create and manage your account | Contractual necessity
Educational Interaction Data | To provide personalised feedback and track learning | Contractual necessity
Usage Data | To improve platform performance | Legitimate interest
Analytics Cookies | To analyse usage trends | Consent (via cookie banner)
Marketing Emails | To send updates or newsletters | Consent
User Submissions | To support user-generated educational material | Consent / Contractual necessity
Personalisation Data | To deliver tailored AI feedback and learning experiences | Legitimate interest / Consent

4. How We Use Your Data

We process your data to:

  • Provide access to educational content
  • Log and review AI feedback outputs (where appropriate)
  • Deliver personalised feedback via AI (which may include your name, job role, and other non-identifiable educational data)
  • Analyse platform usage to improve performance
  • Detect and prevent fraud or misuse
  • Communicate important service updates
  • Support educational case submissions

5. Retention Periods

  • Account data: retained while the account is active. If the account remains inactive for an extended period (e.g., no login or case activity), we may anonymise or delete it after a reasonable time.
  • Reports & AI interactions: retained while the account is active.
  • Analytics data: retained for up to 2 years to monitor usage patterns, improve platform performance and AI tools, and support long-term educational engagement, after which it is anonymised.
  • User submissions: retained until removed or the account is closed.

6. Data Sharing and Processors

We use client-side open-source tools (e.g., OHIF DICOM Viewer, Cornerstone.js) for educational interaction. These libraries operate locally in your browser and do not transmit data externally. We share personal data only with trusted processors who help deliver our services:

  • Stripe – Payment processing
  • Google Analytics – Analytics
  • Zoho & Brevo – Email communications
  • DigitalOcean – Hosting and infrastructure

Each processor has signed Data Processing Agreements (DPAs) and complies with UK GDPR.

7. Organisational Case Contributions

  • Organisations that contribute anonymised educational cases (e.g., DICOM files, reports, or structured data) grant RadBytes a non-exclusive, perpetual licence to retain and use these cases to advance radiology education and improve AI learning tools.
  • These contributions may be integrated into training datasets, educational modules, and AI systems, which means full removal may not be technically feasible after processing.
  • All cases are anonymised on receipt and handled in accordance with UK GDPR.
  • We do not share or sell these contributions for commercial purposes.
  • Anonymised data may be used in collaborative research or diagnostic tool development in partnership with healthcare, academic, or regulatory bodies — but only under appropriate safeguards and data-sharing agreements.

8. International Transfers

Some providers (e.g., Stripe) may process data outside the UK/EEA. We rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Your Rights

You can:

  • Access your personal data
  • Request correction or deletion
  • Object to or restrict processing
  • Withdraw consent (cookies/emails)
  • Complain to the UK Information Commissioner's Office (ICO)

Contact us at: support@radbytes.org

10. Automated Decision-Making

  • Cubey provides educational scores (e.g., FRCR 2B simulation) that do not restrict access.
  • You may request a human review if you disagree with a score via our contact form.
  • Your inputs (name, reports, image coordinates) may be used to personalise feedback.
  • We use large language models (e.g., OpenAI, Gemini, Claude) via OpenRouter or direct access.

We regularly assess risks and apply GDPR safeguards.

11. Cookies

We use cookies to:

  • Enable essential functionality
  • Analyse trends (with consent)

No advertising or tracking cookies are used. You can manage cookies via our banner and browser settings.

12. AI-Driven Tools Terms of Use

RadBytes provides AI tools ("Cubey") for educational purposes only. By using them, you agree to the following terms:

  • Purpose: These tools are strictly for education and training. They are not intended to support clinical decision-making or diagnosis and must not be used in any clinical setting.
  • Limitations: AI outputs may be imperfect or incomplete. Always review critically and do not rely on them as a substitute for expert human judgement.
  • Data Input: You are responsible for ensuring that no identifiable patient data is submitted.
  • Prohibited Use: You may not use the AI tools for unlawful, abusive, or irrelevant submissions.
  • Review Access: You may request human review of any AI-generated feedback through our contact form.

13. Contact

If you have questions, contact: support@radbytes.org

Postal address: [124 City Road City Road, London, England, EC1V 2NX]

This policy will be updated as our platform evolves. Significant changes will be communicated via email and/or a pop-up notification.