Privacy Policy - RadInsights

Last updated: March 13, 2026

UK GDPR Compliant

RadInsights ("the App", "we", "our", or "us") is operated by Eralight Limited, founded by Dr. Gaurav Gaurav.

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information, including when you connect your Notion account via OAuth.

1. Scope of This Policy

This policy applies to all users of RadInsights. It covers:

Account information and user-generated content
AI-powered features (Smart Reporter, RadInsight Intelligence)
Optional third-party integrations (Notion, Microsoft OneDrive)

                
                RadInsights is an educational platform intended for radiology learning, reporting support, and exam preparation. It does not provide clinical or medical advice and must not be used for patient care decisions.
            

2. Lawful Basis for Processing

Under UK GDPR, we process personal data on the following bases:

Contract (Article 6(1)(b)): To provide your account and educational services
Consent (Article 6(1)(a)): For optional integrations (Notion, OneDrive) and AI-powered features
Legitimate Interest (Article 6(1)(f)): For security measures including login protection, IP logging for fraud prevention, and audit trails

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

Name or username
Email address
Optional profile details (e.g. public display name, profile image)

3.2 User-Generated Content

We store content you voluntarily create, including:

Notes and case annotations
Discussion forum posts and comments
Radiology reports created in Smart Reporter

This content is used only to provide requested educational features.

3.3 Technical Data

We collect limited technical data for security purposes:

IP addresses: Logged only during account recovery requests for fraud prevention. Not linked to educational content or health data.
Session data: Temporary authentication tokens that expire after 30 minutes of inactivity.

3.4 Cookies

RadInsights uses only essential cookies required for the application to function:

Session cookie (frcr_session): Maintains your logged-in state. Expires after 30 minutes of inactivity or when you log out.
Remember-me cookie (optional): If you choose "Remember Me" at login, a secure cookie persists for up to 7 days.

We do not use any analytics, tracking, advertising, or third-party cookies.

4. AI-Powered Features

Important: When you use AI-powered features, your input text is sent to a third-party AI provider for processing. Do not enter patient-identifiable information.

RadInsights includes AI-powered features such as Smart Reporter, RadInsight Intelligence, Quick Check, and AI-assisted report generation. When you use these features:

Your input text is sent to Anthropic (Claude API) for processing
Anthropic processes this data under our Data Processing Agreement
Anthropic does not use your input data to train their AI models
AI responses are generated in real-time and are not stored by Anthropic beyond the API request

A dual-layer PII Guard (client-side and server-side) actively scans for and blocks patient-identifiable data (NHS numbers, dates of birth, postcodes, etc.) before it is transmitted.

5. Third-Party Data Processors

We do not sell, rent, or trade user data. We use the following processors to provide our services:

Processor	Purpose	Data Shared
Anthropic (USA)	AI text processing for Smart Reporter and RadInsight Intelligence	User input text (reports, questions)
Cloudinary (USA)	Image hosting and delivery	Uploaded images (case images, profile pictures)
Resend (USA)	Transactional email delivery	Email address (for password recovery, account notifications)
Neon (USA)	Database hosting	All account and content data (encrypted in transit via TLS)
Vercel (USA)	Application hosting	HTTP request metadata (IP addresses in server logs)
Notion (USA, optional)	Note synchronisation (user-initiated only)	OAuth token, user-selected page content
Microsoft OneDrive (optional)	DICOM image stack storage	OAuth token, user-linked OneDrive files
Sentry (USA)	Error monitoring and performance tracking	Error stack traces, HTTP metadata (no request bodies, cookies, or IP addresses are sent)

All processors are bound by Data Processing Agreements and process data only as instructed.

6. Integrations & OAuth Permissions

6.1 Notion (Optional)

If you connect your Notion account, access is limited to user-selected pages. We do not access your full workspace, modify content without your action, or use Notion data for advertising, analytics, or profiling.

You may disconnect at any time from your RadInsights profile or Notion account settings. Upon disconnection, tokens are invalidated and no further access occurs.

6.2 Microsoft OneDrive (Optional)

If you connect OneDrive for DICOM image stacks, access is limited to files you explicitly link. OAuth refresh tokens are encrypted at rest using industry-standard encryption (Fernet/AES).

7. Data Storage & Security

We implement the following technical safeguards:

Encryption in transit: All connections use HTTPS/TLS. HSTS is enforced in production.
Encryption at rest: OAuth tokens are encrypted using Fernet (AES-based). Database hosted on Neon with provider-managed encryption.
Password security: Passwords are hashed using PBKDF2+SHA256 with automatic salting. We never store plaintext passwords.
Session security: Cookies are Secure, HttpOnly, and SameSite=Lax. Sessions expire after 30 minutes of inactivity.
PII protection: Dual-layer PII Guard scans all submissions for patient-identifiable data and blocks it before storage.
Access control: Role-based access (Student, Content Manager, Admin) with least-privilege enforcement.
Brute-force protection: Login attempts are rate-limited (5 failures trigger a 15-minute lockout).

8. Data Retention

Account data: Retained while your account is active. Upon deletion, a 31-day recovery window applies, after which all personal data is permanently and automatically purged.
Audit logs: Case access and modification logs are retained for up to 2 years for security and compliance purposes.
AI usage logs: Records of AI feature usage (without input content) are retained for up to 1 year.
Session data: Automatically expires after 30 minutes of inactivity.
IP addresses: Logged only for account recovery; retained for the duration of the recovery code validity (15 minutes).
OAuth tokens: Retained until you disconnect the integration, after which they are invalidated.

9. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the right to:

Access: Request a copy of all data we hold about you (available via your profile or by contacting us)
Rectification: Correct inaccurate personal data via your profile settings
Erasure: Delete your account and all associated data (31-day recovery period, then permanent deletion)
Data portability: Export your data in JSON format
Withdraw consent: Disconnect third-party integrations or delete your account at any time
Object: Object to processing based on legitimate interest
Lodge a complaint: You may contact the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, contact us using the details below.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

We will notify the Information Commissioner's Office (ICO) within 72 hours where feasible
We will notify affected users without undue delay
We will document the breach, its effects, and remedial actions taken

11. Educational Disclaimer

RadInsights is an educational tool only.
It does not provide clinical or medical advice, diagnosis, or treatment. Content is for informational and educational purposes only. Always consult a qualified healthcare professional for clinical matters. In an emergency, dial 999 or attend your nearest A&E.

12. Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for our AI-powered features, in recognition that processing text related to medical reporting requires careful consideration under UK GDPR. Our DPIA concludes that:

The PII Guard provides effective mitigation against accidental patient data submission
AI processing is limited to educational content, not clinical patient records
Users are clearly informed before AI features process their input
Data processor agreements are in place with all third-party providers

13. Changes to This Policy

We may update this policy to reflect legal changes, feature updates, or integration changes. Material changes will be communicated within the App. Continued use after changes constitutes acceptance.

14. Contact Information

Eralight Limited
Attn: Dr. Gaurav Gaurav (Data Controller)
Email: support@eralight.com

Notion Compliance Statement

RadInsights's use of Notion data complies with Notion API Terms of Use, Notion Developer Terms, and applicable data protection laws.

Ready for Notion OAuth Review

This policy satisfies Notion's requirements for:

Explicit OAuth consent
Limited scopes
User-controlled access

Clear revocation
No background data usage
No advertising or resale