Privacy policy
Last updated: 22 May 2026
1. Who we are
This privacy policy explains how MyRadAssistant collects, uses, and protects your personal data. The data controller is The Radiology Academy Ltd, a company registered in England and Wales (company number 12768615), registered office: 2nd Floor, Parkgates, Bury New Road, Prestwich M25 0TL.
ICO registration: ZB621582.
For any privacy question, contact: hello@theradiologyacademy.com.
2. What we collect
Account data: name, professional email address, professional role (radiologist, trainee, other healthcare professional), country of practice, and, where applicable, your professional registration number (GMC or equivalent).
Usage data: queries you submit to the Service, responses we return, click events on citations, session timestamps, IP address, and browser metadata.
Billing data (when paid pricing applies): name, billing address, and payment-card token. Card data itself is processed by Stripe and never reaches our servers.
Communications: emails you send to us and our replies.
3. What we do not collect
We do not collect, request, or want patient-identifiable information. The Service is designed for clinical reference and education only. You should not submit patient names, dates of birth, NHS numbers, hospital identifiers, accession numbers, or any other patient-identifiable data. If you believe you have inadvertently submitted such data, contact us immediately and we will work with you to remove it.
4. Lawful bases
We rely on the following Article 6 bases under the UK GDPR:
- 6(1)(b) Contract: to provide the Service to you and to operate your account.
- 6(1)(c) Legal obligation: for tax, accounting, and regulatory record-keeping.
- 6(1)(f) Legitimate interests: for product analytics, security, and service improvement (we balance these against your rights and document our legitimate interest assessments).
- 6(1)(a) Consent: for non-essential marketing communications (you can withdraw consent at any time).
5. Sub-processors
We use the following sub-processors. Each is bound by a Data Processing Agreement and (where data leaves the UK) by Standard Contractual Clauses, the EU–US Data Privacy Framework, or the UK–US Data Bridge as applicable.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Application hosting (server infrastructure) | Germany (EEA) |
| Qdrant Cloud | Vector database | Germany (EEA) |
| Anthropic | Large language model API (Claude) | US (DPF) |
| OpenAI | Embedding model API | US (DPF) |
| | Embedding and re-ranking model API | US (DPF) |
| Cohere | Re-ranking model API | Canada (UK adequacy) |
| Exa | Web search augmentation (used when the curated corpus does not contain a directly relevant source) | US (DPF) |
| Tavily | Web search augmentation (used when the curated corpus does not contain a directly relevant source) | US (DPF) |
| Microsoft (Entra ID) | Identity and single sign-on for NHS Trust deployments (OIDC). Applies only where NHS SSO is enabled. | UK / EEA |
| Cookiebot (Cybot A/S) | Cookie consent management and consent record storage | Denmark (EEA) |
| Stripe | Payment processing (when paid pricing applies) | UK / US (DPF) |
| Google Workspace | Email and document storage | UK / EEA |
| Google Analytics 4 | Site analytics | UK / EEA |
We will update this list when sub-processors change. Material changes will be notified at least 30 days in advance.
6. International transfers
Where your personal data is transferred outside the UK, we rely on Standard Contractual Clauses, the UK–US Data Bridge / EU–US Data Privacy Framework, or an adequacy decision. Documentation of the transfer mechanism for each sub-processor is held in our IAR/ROPA and available on request.
7. Retention
| Data | Retention |
|---|---|
| Account data | While your account is active and for 12 months after closure |
| Query and response logs | 90 days for service operation; aggregated analytics retained indefinitely with no personal identifiers |
| Billing records | 7 years from end of relevant tax year (HMRC requirement) |
| Communications | 24 months from last interaction |
8. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Request erasure (subject to legal retention requirements).
- Restrict processing.
- Request data portability.
- Object to processing based on legitimate interests.
- Withdraw consent (where consent is the lawful basis).
To exercise any of these rights, email hello@theradiologyacademy.com. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office: ico.org.uk.
9. Cookies
See our Cookie policy for full detail.
10. Security
We maintain technical and organisational measures aligned with our Information Governance Policy Pack v1.1 and our DSPT "Standards Met" status (2025-26, valid to 30 June 2027). We are pursuing Cyber Essentials Plus certification (in progress with CSS Ltd).
11. Changes
We may update this policy from time to time. Material changes will be notified at least 30 days in advance.
12. Contact
The Radiology Academy Ltd · hello@theradiologyacademy.com · ICO ZB621582