How we collect, use, and protect your personal and medical imaging data — in compliance with the Saudi Personal Data Protection Law (PDPL).
Last updated: April 2026
This Privacy Policy is issued by RadHubs ("we", "us", "the Controller"), a medical imaging storage platform operating under Saudi law. This policy complies with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 dated 9/2/1443H, and its implementing regulations.
This policy applies to all users of RadHubs, including:
By creating an account, you confirm that you have read this policy and given your explicit consent to the processing of your personal and health data as described, in accordance with PDPL Article 5 and Article 26.
We collect the following categories of data, limited to what is strictly necessary for the stated purposes (PDPL Article 19 — data minimisation):
We process your personal data on the following legal bases under the PDPL:
We process your data solely for the following specific purposes:
We do not use your medical data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your data to any third party for commercial purposes.
Important: RadHubs is a personal health record storage platform, not a licensed medical device, diagnostic system, or healthcare provider. The platform does not provide medical advice, diagnosis, or treatment.
In accordance with PDPL Article 26 and Ministry of Health requirements, your health data is protected by the following measures:
We share your data only in the following strictly limited circumstances:
All third-party processors are required to implement appropriate security measures and are prohibited from using your data for any purpose beyond what we instruct.
Some of our infrastructure providers operate outside the Kingdom of Saudi Arabia. In accordance with PDPL Articles 5 and 6, we ensure that any cross-border transfer of your data is subject to adequate protection:
We will notify you of any material changes to our data transfer practices via email and a notice on this page.
We retain your data only for as long as necessary for the stated purposes, in accordance with PDPL Article 19:
Under the Saudi Personal Data Protection Law (PDPL) Articles 4, 14–18, you have the following rights:
To exercise any of these rights, submit a request at medivault.app/data-rights or email privacy@medivault.app.
We will respond within 30 days of receiving your request, as required by PDPL Article 18. Complex requests may be extended to 60 days with notice to you.
If you are unsatisfied with our response, you have the right to file a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa within 90 days of the incident.
You can clear all cookies at any time through your browser settings. Note that clearing session cookies will log you out.
We implement the following security measures, aligned with Saudi National Cybersecurity Authority (NCA) standards:
In the event of a personal data breach, in accordance with PDPL Article 24:
If you opted in to marketing communications at registration, in accordance with PDPL Article 29:
You may withdraw your marketing consent at any time by clicking "Unsubscribe" in any email, updating your preferences in account settings, or emailing privacy@medivault.app.
We may update this Privacy Policy to reflect changes in our practices or legal obligations. For material changes:
For privacy-related questions, data rights requests, or concerns about how we handle your data:
You also have the right to escalate any unresolved complaint to the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa.