Privacy Policy

How we collect, use, and protect your personal and medical imaging data — in compliance with the Saudi Personal Data Protection Law (PDPL).

Last updated: April 2026

1. Data Controller Identity

This Privacy Policy is issued by RadHubs ("we", "us", "the Controller"), a medical imaging storage platform operating under Saudi law. This policy complies with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 dated 9/2/1443H, and its implementing regulations.

2. Scope and Applicability

This policy applies to all users of RadHubs, including:

  • Registered patients who create an account and upload medical imaging files.
  • Visitors who access a study shared with them via a secure link.
  • Visitors who browse our public-facing website pages.

By creating an account, you confirm that you have read this policy and given your explicit consent to the processing of your personal and health data as described, in accordance with PDPL Article 5 and Article 26.

3. Categories of Personal Data We Collect

We collect the following categories of data, limited to what is strictly necessary for the stated purposes (PDPL Article 19 — data minimisation):

  • Identity data: Your full name and email address.
  • Authentication data: Your password, stored exclusively as a bcrypt hash (we never store plain-text passwords).
  • Health data (sensitive): DICOM medical imaging files (.dcm) you upload, including embedded metadata such as date of birth, study date, modality, body part, and referring physician name.
  • Documents: PDF radiology reports and images you upload alongside your studies.
  • Usage and security data: Pages visited, actions performed, timestamps, and IP addresses — used exclusively for security auditing and fraud prevention.
  • Share activity: When a shared link is accessed, we log the access timestamp and IP address for your security and to enable link revocation.
  • Payment data: Billing details are collected and stored exclusively by our payment processor (Moyasar). We receive only a transaction reference — we do not store card numbers or bank account details.
  • Consent record: The timestamp, type, and IP address of your consent at registration, as required by PDPL for audit purposes.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the PDPL:

  • Explicit consent (PDPL Article 5, Article 26): You provided explicit consent at registration to the processing of your health data for medical record storage and sharing. You may withdraw this consent at any time — see Section 9.
  • Contract performance: Processing of account, authentication, and subscription data is necessary to deliver the service you subscribed to.
  • Legal obligation: We may process data where required by Saudi law, a court order, or a regulatory authority.
  • Legitimate interest: Security logging, fraud detection, and service improvement — where these interests are not overridden by your fundamental rights.

5. Purpose of Processing

We process your data solely for the following specific purposes:

  • To store, display, and manage your medical imaging studies and reports.
  • To authenticate you and protect your account from unauthorised access.
  • To enable you to generate secure sharing links for healthcare providers you choose.
  • To enforce your storage plan limits and process subscription payments.
  • To send transactional emails (share notifications, password reset, data rights responses).
  • To detect, investigate, and prevent security incidents or platform misuse.
  • To comply with legal and regulatory obligations under Saudi law.

We do not use your medical data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your data to any third party for commercial purposes.

6. Health Data — Special Protections

Important: RadHubs is a personal health record storage platform, not a licensed medical device, diagnostic system, or healthcare provider. The platform does not provide medical advice, diagnosis, or treatment.

In accordance with PDPL Article 26 and Ministry of Health requirements, your health data is protected by the following measures:

  • Your explicit consent was obtained before any health data was processed.
  • Files are stored in isolated, access-controlled storage — no other user can access your files.
  • All data is transmitted over TLS-encrypted HTTPS connections.
  • Role-based access control (RBAC) ensures only you and RadHubs staff with documented authorisation can access your data.
  • All access to your files is logged and auditable at all times.
  • Share links are the only mechanism by which your files are accessible to others — and only for the duration you specify.
  • Processing of your health data is limited to the minimum necessary for service delivery.
  • Health data protections are contractually imposed on all infrastructure providers.

7. Data Sharing and Third Parties

We share your data only in the following strictly limited circumstances:

  • Payment processing: Billing data is shared with Moyasar (our Saudi SAMA-licensed payment processor) solely to process your subscription. Moyasar is PDPL-compliant and does not receive your health data.
  • Infrastructure providers: Your data is stored on cloud infrastructure (Cloudflare, Vercel). These providers are contractually bound to keep your data confidential and may not use it for any purpose other than service delivery.
  • Email service: Transactional emails are delivered via Resend. Your email address is shared with Resend for this purpose only.
  • Legal requirements: We may disclose data if required by Saudi law, a court order, or a competent regulatory authority (SDAIA, ZATCA, or other relevant bodies).
  • Your explicit sharing actions: When you generate a share link and send it to a doctor or healthcare provider. This is entirely your choice and under your control.

All third-party processors are required to implement appropriate security measures and are prohibited from using your data for any purpose beyond what we instruct.

8. Cross-Border Data Transfers

Some of our infrastructure providers operate outside the Kingdom of Saudi Arabia. In accordance with PDPL Articles 5 and 6, we ensure that any cross-border transfer of your data is subject to adequate protection:

  • All providers with whom data is shared have executed data processing agreements that require PDPL-equivalent protections.
  • We have conducted risk assessments for each provider to verify that the destination country or provider offers an adequate level of data protection.
  • Where required by regulations, we will use Standard Contractual Clauses or equivalent safeguards.

We will notify you of any material changes to our data transfer practices via email and a notice on this page.

9. Data Retention

We retain your data only for as long as necessary for the stated purposes, in accordance with PDPL Article 19:

  • Active account data: Retained for the duration of your account.
  • Files you delete: Permanently removed from active storage within 30 days of deletion.
  • Closed accounts: All personal data and medical files are permanently deleted within 30 days of account closure. Security logs may be retained for up to 90 days.
  • Expired share links: Link access logs are retained for 90 days, then deleted.
  • Payment records: Transaction references retained for 7 years as required by Saudi tax law (ZATCA).
  • Consent records: Retained for 5 years after account closure, as required by PDPL Article 33 for processing activity records.
  • Activity and security logs: Retained for 5 years per PDPL Article 33 requirements.

10. Your Rights Under PDPL

Under the Saudi Personal Data Protection Law (PDPL) Articles 4, 14–18, you have the following rights:

  • Right to Access (Article 14): Request a copy of all personal data we hold about you, in a readable electronic format.
  • Right to Correction (Article 15): Request correction of inaccurate or incomplete data held about you.
  • Right to Deletion (Article 16): Request deletion of your personal data (subject to legal retention obligations).
  • Right to Portability: Export your studies and reports at any time from your dashboard, or request a structured data export.
  • Right to Objection: Object to specific processing activities not essential for service delivery.
  • Right to Restriction: Request restriction of processing while a correction or objection is being reviewed.
  • Right to Withdraw Consent (Article 5): Withdraw your consent to health data processing at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw, close your account or submit a request at /data-rights.

To exercise any of these rights, submit a request at medivault.app/data-rights or email privacy@medivault.app.

We will respond within 30 days of receiving your request, as required by PDPL Article 18. Complex requests may be extended to 60 days with notice to you.

If you are unsatisfied with our response, you have the right to file a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa within 90 days of the incident.

11. Cookies and Tracking

RadHubs uses essential and functional cookies only. We do not use advertising, tracking, or analytics cookies that share data with third parties.

  • Session cookie: Keeps you securely logged in during your browser session.
  • CSRF token: Prevents cross-site request forgery attacks — required for security.
  • Language preference (mv_locale): Remembers your preferred language (Arabic or English).
  • Currency preference (mv_currency): Remembers your preferred display currency.
  • Cookie notice (mv_cookie_notice): Records that you have acknowledged our cookie notice.

You can clear all cookies at any time through your browser settings. Note that clearing session cookies will log you out.

12. Security Measures

We implement the following security measures, aligned with Saudi National Cybersecurity Authority (NCA) standards:

  • TLS 1.2+/HTTPS encryption for all data in transit.
  • Passwords hashed using bcrypt with 12 rounds — we never store plain-text passwords.
  • Role-based access control (RBAC) — users can only access their own data.
  • Comprehensive activity logging for security monitoring and audit.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • Share links with configurable expiry and optional PIN protection.
  • Isolated file storage — no cross-user file access is possible by design.

13. Data Breach Notification

In the event of a personal data breach, in accordance with PDPL Article 24:

  • We will notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of the breach.
  • We will notify affected users without undue delay if the breach is likely to result in harm to their rights or interests.
  • The notification will include: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate the breach.
  • We maintain a breach register documenting all incidents and corrective actions taken.

14. Direct Marketing

If you opted in to marketing communications at registration, in accordance with PDPL Article 29:

  • All marketing emails will clearly identify RadHubs as the sender.
  • Every marketing email will contain a simple, free opt-out link.
  • We will immediately cease marketing communications upon your unsubscribe request.

You may withdraw your marketing consent at any time by clicking "Unsubscribe" in any email, updating your preferences in account settings, or emailing privacy@medivault.app.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal obligations. For material changes:

  • We will notify registered users by email at least 14 days before the change takes effect.
  • We will display a prominent notice on this page.
  • Continued use of RadHubs after the effective date constitutes acceptance of the revised policy.
  • If the change requires fresh consent under PDPL (e.g., a new processing purpose), we will request your consent explicitly before processing.

16. Contact

For privacy-related questions, data rights requests, or concerns about how we handle your data:

You also have the right to escalate any unresolved complaint to the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa.