Data Processing Policy (GDPR)

Last updated: 5 May 2026

This policy describes how PhoxRay processes personal data in the context of its web application and associated services, in accordance with Regulation (EU) 2016/679 (GDPR) and French law "Informatique et Libertés". It complements the Terms of Use.

1. Data controller

The controller of data collected via PhoxRay is the publisher of the service operating under the PhoxRay brand. For any question about this policy or your rights, you may write to: contact@phoxray.com.

2. Data collected

Depending on your use, we may process in particular:

  • Account and identification data: member ID, first and last name, e-mail address, and where applicable information transmitted by the site hosting or authentication platform (e.g. Wix Members), depending on your profile.

  • Service usage data: content you upload or generate in the application (including radiograph images and derived files: masks, processing outputs), associated technical metadata (file identifiers, generation logs, workflow parameters where they allow identifying you or linking processing to your account).

  • Commercial relationship data: subscriptions, credits or consumption related to offers, where processed for billing or contract management.

  • Technical and security data: IP address, server logs, cookies or trackers strictly necessary for operating and securing the service, depending on configuration.

Content you submit, in particular radiograph images and derived files, may constitute health data within the meaning of the GDPR when it identifies a natural person or can be linked to an identifiable person. You must submit such content only with the legal and professional bases that apply to you (consent, legal obligation, practice of your profession, etc.). In accordance with the ToU, you should prioritize uploading content that is anonymized or, failing that, pseudonymized as far as possible; pseudonymization does not necessarily remove the personal nature of data or your obligations (professional secrecy, clinical records, etc.). You remain responsible for the lawfulness of submitted content and for the prior measures you apply.

3. Purposes and legal bases

We process data to:

  • Provide and secure the service (performance of the contract / pre-contractual measures; legitimate interest in security and abuse prevention): authentication, storage, AI processing of files you submit, display in your space, technical support.

  • Manage subscriptions and payments (performance of the contract; legal accounting obligations where applicable).

  • Improvement and maintenance (legitimate interest or performance of the contract as the case may be): incident fixes, aggregate statistics, feature development.

  • Commercial communications: only if you have consented or where otherwise permitted by law (legal basis: consent or legitimate interest with right to object depending on channel).

Where processing health data is necessary to operate the service for your account, the legal basis may include performance of the contract and, where applicable, obligations related to your professional status; adapt your practice regarding patients in accordance with the rules that apply to you.

4. Recipients and subprocessors

Data may be processed by vendors acting on our behalf under our instructions (subprocessors), including: file hosting and storage (e.g. Google Cloud-type cloud), inference processing or execution queues (e.g. ComfyUI-type environments / AI services), front site hosting and member account management (e.g. Wix), payment or billing providers if used.

For storage or processing of content that may contain health data, we may use vendors whose offerings, within the scope of the relevant processing chain, meet health data hosting (HDS) requirements where regulation requires or provides for them for those activities. This does not mean that the PhoxRay publisher itself holds HDS certification in its own name.

These parties are contractually required to comply with the GDPR. An up-to-date list of subprocessor categories may be provided on reasonable request to contact@phoxray.com.

For transfers outside the European Economic Area, we rely on appropriate safeguards (EU Commission standard contractual clauses, adequacy decisions, or other mechanisms provided for by the GDPR), insofar as the tools used involve such transfers.

5. Retention periods

Data are kept only as long as necessary for the purposes above:

  • Active account: profile data and service-related content kept while the account is active and as needed for operation (gallery, generation history, etc.).

  • After closure or deletion request: erasure or anonymization within delays compatible with technical backups, unless retention is required by law (e.g. accounting or evidence in litigation, within strict limits).

  • Security logs: short or moderate durations depending on security needs and regulation.

For a targeted erasure request, see also the Data deletion page.

6. Security

We implement appropriate technical and organizational measures (access control, encryption in transit where relevant, environment segregation, authorization management) to protect data against unauthorized access, loss or alteration. No system is risk-free; we encourage you to secure your credentials and to share sensitive content only within the lawful scope of your activity. You remain responsible, under your professional obligations, for choosing content transmitted and for anonymization or pseudonymization measures you apply before the service, as stated in the ToU.

7. Your rights

Under the GDPR you have the following rights, subject to legal conditions and limits:

  • Right of access and rectification;

  • Right to erasure (“right to be forgotten”);

  • Right to restriction of processing;

  • Right to object to processing based on legitimate interests (including profiling where applicable);

  • Right to data portability for data you provided, where processing is automated and based on contract or consent;

  • Right to withdraw consent at any time where processing is consent-based, without affecting prior lawful processing;

  • Right to lodge a complaint with a supervisory authority (in France: the CNIL, www.cnil.fr).

To exercise your rights: contact@phoxray.com. We may ask for proof of identity if reasonably in doubt.

8. Cookies and trackers

The site may use cookies or local storage necessary for session, preferences or audience measurement, depending on technical implementation. You may configure your browser to refuse certain cookies; some features may then be degraded.

8.1 Audience measurement — Microsoft Clarity

On PhoxRay application pages (excluding legal pages and the external patient view), we use Microsoft Clarity to analyze service ergonomics (heatmaps, anonymized session replays). No health data or radiograph images are transmitted to Microsoft. Collection is enabled only after your explicit consent via the banner shown on your first visit.

  • Purpose: understanding user journeys and improving UX.

  • Legal basis: your consent (Art. 6(1)(a) GDPR).

  • Recipient: Microsoft Corporation. Non-EU transfers are governed by EU Commission standard contractual clauses implemented by Microsoft.

  • Cookies set: _clck, _clsk, CLID, MUID, ANONCHK, SM.

  • Duration: varies by cookie (from session to 1 year maximum).

  • Microsoft privacy policy: privacy.microsoft.com/privacystatement.

You may reopen the choice banner or revoke consent at any time.

9. Changes

We may update this policy. The date at the top will be changed; more visible notice may be given if the change is material.

10. Contact

For any question about processing of your data: contact@phoxray.com.