Skip to content

Privacy Policy — OpenMyScan

Last updated: April 25, 2026

1. Data Controller

The data controller responsible for the processing of personal data on this website, within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws, is:

Gabriel Theis
Email: legal@openmyscan.com

If you have any questions about how we handle your personal data, or to exercise your rights as a data subject, you can contact us at any time at the email address above.

2. What data we process

OpenMyScan is built to be privacy-friendly by design. We collect as little data as possible. Below we explain transparently what data is processed and when.

2.1 Anonymous usage statistics

We use Vercel Analytics to understand how many people view our pages. Vercel Analytics is a cookieless analytics solution. No cookies are set, no unique user IDs are generated, and no device fingerprints are created.

The following information is recorded in aggregate (without any link to you personally):

  • the URL accessed,
  • the referring page (referrer),
  • approximate geographic location at country/region level (derived from your IP address; the IP itself is not stored),
  • approximate device type (mobile/desktop) and browser type.

This data is used solely to understand how the website is used and to improve the service. No individual person can be identified from this data.

2.2 Your medical scans

When you use OpenMyScan to open an MRI, CT, or other DICOM scan, those files never leave your device. Processing happens entirely locally in your browser.

  • No upload to our servers takes place.
  • No transmission to third parties takes place.
  • When you close the browser tab, the images are removed from memory.

We do not have technical access to your scans — and we don't want it.

2.3 Server logs

When you visit our website, our hosting provider Vercel automatically creates server logs. These typically contain:

  • the IP address of the requesting device,
  • date and time of access,
  • the URL accessed,
  • the user agent (browser and operating system information),
  • HTTP status codes.

This data is used solely for technical delivery, security, and error analysis, and is automatically deleted by Vercel after a short period (typically within 30 days). No personal evaluation of these logs takes place.

2.4 Cookies

We do not use tracking cookies. We do not use advertising cookies. We do not use third-party cookies.

We set a single, technically necessary cookie called omsc_locale. It only stores your chosen language version (German or English), so that on a return visit you land directly in your preferred language. This cookie contains no personal data and is stored only on your device.

3. Legal basis

Processing of the data described above is carried out on the following legal bases under the GDPR:

  • Server logs and the language cookie: Art. 6(1)(f) GDPR (legitimate interest in the technical delivery and security of the website).
  • Anonymous usage statistics: Art. 6(1)(f) GDPR (legitimate interest in understanding how the website is used). As the data is processed anonymously, it is strictly speaking outside the scope of the GDPR; we cite a legal basis here for transparency.
  • Processing of your scans: We do not process your scans. They are displayed locally in your browser only.

4. Processors and third parties

We use the following service providers for the technical delivery of the website:

Vercel Inc.
340 S Lemon Ave #4133, Walnut, CA 91789, USA
Service: website hosting and cookieless usage statistics (Vercel Analytics)
Privacy policy: https://vercel.com/legal/privacy-policy

A Data Processing Agreement under Art. 28 GDPR is in place with Vercel. Data transfer to the United States is based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

5. Transfers to third countries

Because our hosting provider Vercel is based in the United States, server logs and anonymous statistics may be transferred to the US. The US is considered an unsafe third country under the GDPR.

Data transfers are based on the EU Standard Contractual Clauses (SCCs) issued by the European Commission. Vercel has implemented additional technical and organizational measures to ensure an appropriate level of data protection.

Your medical scans are never transferred to the US or any other third country — they do not leave your device at all.

6. Retention period

Retention periods depend on the purpose of processing:

  • Anonymous usage statistics: aggregated, no personal reference, therefore retained indefinitely.
  • Server logs: typically 30 days, then automatically deleted by Vercel.
  • Language cookie omsc_locale: up to 12 months, or until you delete the cookie yourself.
  • Medical scans: not stored — the data does not leave your device.

7. Your rights as a data subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR),
  • Right to erasure (Art. 17 GDPR),
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right to object to processing (Art. 21 GDPR).

To exercise your rights, an informal email to legal@openmyscan.com is sufficient.

8. Right to complain to a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. You can contact the supervisory authority of your place of residence or habitual residence.

A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9. Children

OpenMyScan is not directed at children under 16. We do not knowingly collect personal data from children. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us — we will delete it promptly.

10. Changes to this privacy policy

We reserve the right to update this privacy policy, for example when legal requirements change or new features are introduced. The current version is always available on this page. We will notify you of significant changes in an appropriate manner.

11. Contact

For privacy questions or to exercise your rights, you can reach us at any time:

Email: legal@openmyscan.com

We usually respond within a few business days.