Privacy Policy
Effective date: 1 January 2025
1. Introduction
Tridimed (“we”, “our”, or “the platform”) is a private radiology workflow platform serving authorised healthcare organisations. We take the protection of personal data and special-category health data very seriously.
This Privacy Policy explains what data we collect, how we use it, the legal basis for processing, and the rights you hold under the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national implementing legislation.
2. Data Controller
The data controller responsible for this platform is Tridimed, operating within the European Union. For all data-protection enquiries, contact us at: privacy@tridimed.com
3. Data We Collect
We collect only what is necessary for legitimate medical workflow purposes:
- Account data – name, professional email address, role (technician, doctor, admin).
- Patient data – first name, last name, date of birth, gender, contact details, and medical history notes provided by authorised clinical staff.
- Study data – imaging files (DICOM, PDF, etc.), examination type, body part, indication, and associated clinical reports.
- Session data – IP address, device type, and timestamps used for security auditing and session management.
- Usage logs – anonymised request logs for performance monitoring and incident investigation.
We do not sell personal data. We do not use data for advertising purposes. We do not use automated decision-making or profiling with legal or similarly significant effects.
4. Legal Basis for Processing
Processing activities rely on the following GDPR legal bases:
- Article 6(1)(b) – Processing necessary for the performance of a contract (service agreement with the healthcare organisation).
- Article 6(1)(c) – Processing necessary for compliance with a legal obligation (medical record-keeping requirements).
- Article 6(1)(f) – Legitimate interests for platform security and fraud prevention.
- Article 9(2)(h) – Processing of special-category health data for medical diagnosis and provision of health care by a health professional bound by professional secrecy.
5. Data Retention
Patient and study records are retained for as long as required by the applicable healthcare regulations of the organisation's jurisdiction, and for no longer than necessary for the purposes described in this policy. Account data is deleted within 30 days of account closure, except where retention is legally required.
6. Data Sharing
We do not share personal data with third parties except:
- Cloud infrastructure providers acting as data processors under a signed Data Processing Agreement (DPA) with appropriate technical and organisational measures.
- Legal obligations – where disclosure is required by law, court order, or regulatory authority.
7. Security Measures
We implement the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control (RBAC) – staff only access data relevant to their role.
- Short-lived presigned URLs for imaging files – no permanent public links.
- Audit logging for all sensitive operations.
- Regular security reviews and penetration testing.
- Session management with automatic expiry and revocation capability.
8. Your Rights Under GDPR
Subject to applicable law, data subjects have the right to:
- Access – request a copy of personal data we hold about you.
- Rectification – correct inaccurate or incomplete data.
- Erasure – request deletion where no overriding legal obligation requires retention.
- Restriction – limit how we process your data in certain circumstances.
- Portability – receive your data in a structured, machine-readable format.
- Objection – object to processing based on legitimate interests.
- Supervisory authority – lodge a complaint with your national data protection authority.
To exercise any of these rights, contact privacy@tridimed.com. We will respond within 30 days.
9. Cookies and Session Storage
We use strictly necessary session cookies to maintain authenticated sessions. No third-party tracking cookies, advertising pixels, or analytics cookies are used. Disabling session cookies will prevent you from logging in.
10. Changes to This Policy
We may update this policy to reflect regulatory changes or platform improvements. Significant changes will be communicated to authorised users via the platform or by email. Continued use after the effective date constitutes acceptance.
11. Contact
For any data protection questions, please contact our privacy team at privacy@tridimed.com.