Privacy Policy

Last updated: April 11, 2026

VIRad.AI Medical LLC, a Delaware limited liability company ("VIRad.AI," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy describes what information we collect, how we use it, what we do NOT do with it, and your rights regarding your data.

No Patient Data. VIRad.AI is not designed to collect, store, or process Protected Health Information (PHI). Users must not enter any patient-identifying information into the Service. See our Terms of Service for details.

      We do NOT sell your data. VIRad.AI does NOT sell, share, or transfer your personal information or query data to any third party for advertising, marketing, or commercial purposes. Your clinical queries and interactions remain confidential.
    

1. Information We Collect

Account Information

When you create an account, we collect:

Email address — used for authentication and account communications
Full name — used for personalization within the Service
Institution — used to understand our user base and tailor features
Specialty — used to provide relevant clinical content
Role (e.g., attending, fellow, resident) — used for experience-appropriate content delivery

Usage and Device Data

We collect first-party analytics to understand how the Service is used and to improve it. This includes:

Features accessed and frequency of use
Query text submitted to the AI (logged for product improvement and safety auditing)
Session duration and navigation patterns
Device type, browser type, operating system, and screen resolution
IP address (used for country-level analytics only; not stored long-term)
Error logs for debugging and reliability

Payment Information

If you subscribe to a paid tier, payment processing is handled entirely by Stripe, a PCI-compliant payment processor. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive only a transaction confirmation, subscription status, and the last four digits of your payment method for display purposes.

2. Information We Do NOT Collect

      We do not collect:
      Protected Health Information (PHI) or patient data — we actively warn users not to input it
Social Security numbers or government-issued ID numbers
Financial information (credit card numbers are handled exclusively by Stripe)
Biometric data
Precise geolocation (only country-level derived from IP for analytics)
Data from third-party tracking pixels, ad networks, or social media integrations

    

3. How We Use Your Data

We use the information we collect for the following purposes:

Provide the Service: Authenticate users, deliver AI-powered clinical reference, and maintain your account.
Improve quality: Analyze usage patterns and query data to improve the accuracy, relevance, and reliability of clinical outputs.
Safety auditing: Monitor for harmful or inaccurate AI outputs and maintain quality assurance standards.
Technical support: Diagnose and resolve bugs, errors, and performance issues.
Communications: Send account-related notifications, service updates, and (with consent) product announcements.

4. What We Do NOT Do With Your Data

      We do NOT:
      Sell, share, or transfer personal information to any third party for advertising or marketing purposes
Share your data with data brokers or advertisers
Use your clinical queries to train AI models (queries sent to our AI processing provider are not used for model training)
Use third-party advertising or tracking cookies
Profile you for targeted advertising

    

5. Data Storage and Security

All user data is stored in a managed database with the following security measures:

Encryption at rest (AES-256)
Encryption in transit (TLS 1.2+)
Row-level security policies to prevent unauthorized data access
Regular automated backups
Isolated environments with encrypted connections

No method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability, please contact us immediately at support@virad.ai.

6. Third-Party Services

We share data with a limited number of third-party services, only as necessary to operate the Service:

Service Category	Purpose	Data Shared
Cloud database provider	Authentication, database, data storage	Account info, usage data, queries
AI processing provider	AI-powered clinical responses	Query text (no user-identifying data attached). Per provider policy, inputs/outputs are not used for model training.
Stripe	Subscription billing and payment processing	Email, payment details (handled directly by Stripe; we do not store card numbers)
Email delivery provider	Transactional email delivery	Email address, email content (account notifications, password resets)
Medical literature APIs	Literature search, retrieval, and device information	Search query terms (no user-identifying data)
Search infrastructure provider	Text processing for literature search	Query text (no user-identifying data)

We do not use advertising pixels, ad networks, or any other third-party advertising or tracking services.

7. Cookies and Local Storage

VIRad.AI uses minimal browser storage:

Authentication session — tokens stored in localStorage to maintain your logged-in session
User preferences — theme settings and UI state stored in localStorage
No ad tracking — zero advertising cookies of any kind
No third-party analytics cookies — we use first-party analytics only

You can clear localStorage and cookies through your browser settings at any time. Doing so will log you out and reset your preferences.

8. AI Query Processing

When you submit a query, the text is sent to a third-party AI service for processing. These queries:

Are not linked to your user identity when sent to the AI provider
Are not used for AI model training per our provider's policies
Are deleted by the provider after processing per their data retention policy
Are logged by VIRad.AI with PII redaction for service improvement and safety auditing

Do not include patient-identifying information in queries. While we strip identifying metadata before sending queries to the AI, the safest practice is to never enter PHI in the first place.

9. Data Retention and Pseudonymization

Query logs are retained with PII redaction for service improvement and safety monitoring. We retain your account data for as long as your account is active. If you delete your account:

Your personal data (name, email, institution) will be removed within 30 days.
Clinical query logs are pseudonymized — all personally identifying information is replaced with an irreversible code — and retained for up to 7 years solely for quality assurance, safety monitoring, and defense of legal claims.

Anonymized, aggregated usage statistics (which cannot be linked back to any individual) may be retained indefinitely for service improvement purposes.

10. Your Rights

You have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you.
Correction: Request correction of inaccurate personal data.
Deletion: Request deletion of your account and all associated data, subject to the pseudonymized retention described in Section 9.
Export: Request an export of your data in a portable format.
Opt-out of communications: Unsubscribe from non-essential communications at any time.

To exercise any of these rights, email support@virad.ai. We will respond within 30 days.

11. International Data Transfers

VIRad.AI is operated from the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take reasonable measures to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

12. Data Breach Notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

13. Children's Privacy

The Services are designed for use by licensed healthcare professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at support@virad.ai.

14. Device Session Tracking

To secure your account and enforce the device limits of your subscription, VIRad.AI maintains a record of the devices actively signed in to your account. For each active session, we store:

Device identifier — a random UUID generated locally on your device; it is not linked to any hardware serial number, advertising ID, or other persistent device fingerprint
User agent string — browser and operating system information, truncated for storage
Session timestamps — creation time and last-active timestamp updated via periodic heartbeat

Purpose. Session records are used solely to protect your account from unauthorized access, display your active sessions so you can sign out of devices remotely, and enforce your subscription's concurrent device limit.

Retention. Session records are automatically deleted seven (7) days after the last-active timestamp. You may also revoke any active session at any time from your account settings.

15. Subscription and Payment Data

Subscriptions are processed by Stripe, a PCI-DSS Level 1 certified payment processor. The following applies to subscription data:

What we store. When you start a subscription, we store your Stripe customer ID and subscription ID along with your current subscription status, plan, and trial end date (if applicable).
What we never store. We do not receive, process, or store full payment card numbers, CVCs, bank account numbers, or any other raw payment credentials.
Webhook synchronization. Stripe notifies our servers via signed webhooks when your subscription is created, updated, renewed, or cancelled. We use those notifications to keep your access rights in sync with your billing status.

Stripe's handling of payment data is governed by the Stripe Privacy Policy.

16. Q-Bank Progress and Anonymized Cohort Statistics

The VIRad.AI Q-Bank is a spaced-repetition learning module. In connection with your use of Q-Bank, we collect and store:

Your answers (correct / incorrect), timestamps, and time-to-answer
Your per-question spaced-repetition schedule and review history
Flags such as questions you have marked for review

How this data is used. Individual Q-Bank history is visible only to you. It is used to personalize your study queue, power the spaced repetition algorithm, and show you your own performance trends.

Cohort comparison. We compute aggregated, anonymized statistics across groups of users (for example, cohort accuracy percentages). These aggregates do not identify any individual user, and we apply minimum cohort-size thresholds before any aggregate is displayed.

Your control. You may request deletion of all of your Q-Bank progress, review history, and answer logs at any time by emailing support@virad.ai.

17. Feedback, Ratings, and Comments

VIRad.AI allows you to provide feedback on AI responses, Q-Bank questions, and other content. When you do so, we collect:

Your thumbs-up / thumbs-down rating, stored with your user ID and a reference to the item being rated
Any optional free-text comment you choose to submit, stored verbatim
The time the feedback was submitted and the context in which it occurred

Purpose. Feedback is used to identify low-quality or incorrect content, prioritize fixes, and improve the reliability of the Service.

You should not include PHI or patient-identifying information in free-text feedback. Free-text comments may be reviewed by VIRad.AI staff.

18. Device "Contact Rep" Requests

Certain device pages within the Service include a "Contact Rep" button that allows you to request an introduction to a device manufacturer or their sales representative. When you click this button and confirm:

We log the request (device, timestamp, your user ID) in our systems.
Where the manufacturer is a partner of VIRad.AI, we share your name and email address with that manufacturer for the sole purpose of allowing them to contact you about the device. The partner relationship and the fact that your information will be shared are clearly disclosed to you at the moment you click the button.
Information shared with a manufacturer is then governed by that manufacturer's own privacy practices.

We do not share your information with any manufacturer unless you have explicitly initiated a Contact Rep request for that manufacturer.

19. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or via email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

20. Contact

For privacy-related questions or requests, contact us at:

VIRad.AI Medical LLC
8 The Green, Ste B
Dover, DE 19901

Phone: (302) 375-8771

General: support@virad.ai