Privacy Policy
This Privacy Policy explains what personal data we collect when you use the MedSeg web application at app.medseg.ai (the "Service"), why we collect it, what we do with it, and what rights you have. The GDPR and UK-GDPR specifics for users in those jurisdictions are in Section 11. The Terms of Service contain the broader contract for using the Service.
1. Who we are
The Service is operated by Artificial Intelligence AS, a Norwegian-registered company trading as MedSeg ("MedSeg", "we", "us"). We act as the data controller (within the meaning of Article 4(7) of the GDPR) for the personal data described below. Contact us at dlinradiology@gmail.com.
2. What we collect
We collect only what we need to operate the Service. There are no third-party advertising trackers, analytics beacons, or fingerprinting scripts on the Service.
2.1 Information you give us
- Account information: first name, last name, email address, and a password. The password is stored only as a bcrypt hash; the plaintext is never stored.
- Imaging data: what you choose to upload to your projects (NIfTI volumes, DICOM series, masks, model outputs). The Service is designed for de-identified data. You agree under the Terms of Service not to upload data containing direct patient identifiers.
- Assistant conversations: messages you send to the in-app assistant, and the assistant's replies. We use them to render the chat for you and, in aggregate, to improve the assistant's documentation. We do not use them to train AI models or share them with third parties.
- Support correspondence: any email you send to us is stored in our support inbox.
2.2 Information we collect automatically
- HTTP request logs for security and debugging: IP address, browser/user-agent string, request method and path, HTTP status, response size, and timestamps. Retained on a fixed-size rotation budget capped at roughly 200 MB per file.
- Usage events for quota enforcement: per-user counts of model-inference, training, and assistant calls with timestamps. Used to apply weekly credit limits and plan GPU capacity.
- Storage occupancy: the byte size of your data directory, refreshed roughly hourly, used to apply your storage quota.
3. What we do not do
- We do not sell, rent, or share your data with advertisers, data brokers, or other third parties.
- We do not run analytics trackers, advertising beacons, or third-party fingerprinting on the Service.
- We do not fine-tune AI models on your imaging data or conversations. The pretrained models we ship come from their original authors as listed in Third-Party Notices and are not modified by us based on your data.
- We do not read or download your imaging data except as necessary to operate the Service (rendering it back to your browser, running the AI models you start, regenerating thumbnails, and similar operations) or to investigate a security incident or abuse complaint.
- We do not track you across websites. The Service does not respond to a Do-Not-Track preference because there is nothing to opt out of.
4. Cookies
The Service sets exactly two cookies, both first-party and strictly necessary:
- medseg_token: an HttpOnly, Secure, SameSite=Lax cookie containing a signed JSON Web Token (JWT). Identifies your session for up to 7 days. Without it you cannot stay signed in.
- medseg_csrf: a non-HttpOnly, SameSite=Strict cookie containing a random token. Used as a CSRF double-submit countermeasure. Without it state-changing requests are rejected.
We do not set any analytics, advertising, or third-party cookies.
5. Lawful bases for processing
We process the personal data above to:
- operate the Service for you, including storing your data, rendering it, running the models you choose, and signing you in (performance of contract);
- apply quota limits and prevent abuse (legitimate interests in keeping the Service running for everyone);
- send transactional email such as verification, password reset, and admin notifications, via our email provider Resend (performance of contract);
- comply with our legal obligations and respond to lawful requests where required (legal obligation);
- investigate security incidents and abuse (legitimate interests).
If you are based in the EU/EEA, UK, or another GDPR-equivalent jurisdiction, your rights and our lawful bases are detailed in Section 11.
6. Subprocessors
We use a small number of third parties to operate the Service. These are the only places your personal data leaves our infrastructure:
- Resend (resend.com): sends transactional email (verification, password reset, admin notifications). Receives your email address, first name, and the body of the email it delivers. Resend's privacy policy is at resend.com/legal/privacy-policy.
Pretrained AI models and the in-app assistant are run on infrastructure under our control and are not third-party SaaS services. Your imaging data and assistant conversations do not leave our servers.
7. Where data is stored
Account information, imaging data, server logs, and assistant conversations are stored on infrastructure we operate. Transactional email is delivered through Resend (see Section 6). Where any storage involves transfers outside the European Economic Area, those transfers are made under appropriate safeguards as recognised by the GDPR (typically the European Commission's Standard Contractual Clauses).
8. How long we keep it
- Account and uploaded data are kept for as long as your account is active. When you delete your account from the Account page, login is blocked immediately and the data is permanently purged 30 days later.
- Server access logs rotate on a fixed-size budget covering, at typical volume, a few weeks of access records.
- Application and error logs rotate on a fixed-size budget covering, at typical volume, several months of records. Older error logs are necessary to investigate regressions.
- Email-verification and password-reset tokens are deleted when used. Unused tokens expire 24 hours (verification) or 1 hour (reset) after issue.
- Backups, if any, follow the same schedule as the data they back up.
9. Security
- HTTPS-only access, with TLS termination at our edge.
- Passwords hashed with bcrypt. The plaintext is never stored and we cannot tell you what your password is.
- HttpOnly Secure session cookies, plus a CSRF double-submit token on every state-changing request.
- Per-route rate limiting on authentication endpoints.
- Principle of least access internally. Only the small number of people who run the Service have administrative access, and their actions on user accounts are logged.
No system is perfectly secure. If we discover a personal-data breach affecting your account, we will notify you by email and, where required by law, the relevant supervisory authority within the legally required timescale.
10. Children's data
The Service is not directed to children, and we do not knowingly create accounts for users under 18. If you believe a child has registered an account, contact us and we will delete it.
11. Your rights (GDPR / UK-GDPR users)
If you are based in the EU/EEA or the United Kingdom, you have the following rights under the General Data Protection Regulation (EU) 2016/679 and the UK Data Protection Act 2018:
- Access: request a copy of the personal data we hold about you.
- Rectification: request that we correct inaccurate data. Name and email are editable on the Account page.
- Erasure ("right to be forgotten"): request that we delete your data. You can self-serve this on the Account page; if you need a faster purge than the 30-day grace window, contact us.
- Restriction of processing: request that we stop processing your data while we resolve a dispute about its accuracy or use.
- Portability: receive a structured copy of the data you provided to us. We can supply a tarball of your imaging data and a JSON dump of your account record.
- Objection: object to processing based on legitimate interests (Section 5).
- Lodge a complaint with your national data-protection authority. For users in Norway this is Datatilsynet (datatilsynet.no); users elsewhere in the EEA may complain to the equivalent authority in their member state. UK users may complain to the Information Commissioner's Office (ico.org.uk).
Send rights requests to dlinradiology@gmail.com. We aim to respond within 30 days.
12. Changes
We may update this Privacy Policy from time to time. When a change is material we will increase the version number at the top of this page and notify you by email. Other changes (clarifications, formatting, broken-link fixes) take effect when published.
13. Contact
Questions about this Privacy Policy or about how we handle your personal data? Write to dlinradiology@gmail.com.