Last Updated: March 7, 2026

1. Introduction

ALTICIAN Spine (“Application”, “we”, “us”, or “our”) is a browser-based medical image visualization tool intended for research and educational use. This Privacy Policy explains how we handle information when you use the Application. The Application is operated by Altician Inc., based in the Republic of Korea.

2. Privacy by Design

This Application is architected according to Privacy by Design principles (GDPR Article 25). Patient DICOM images — which may contain Protected Health Information (PHI) under HIPAA or personal data under GDPR — are processed entirely on your local computer. No imaging data, patient identifiers, or PHI/PII is transmitted to any external server at any point. This local-first architecture means the Application does not function as a Business Associate under HIPAA, as it neither receives, maintains, nor transmits PHI on behalf of covered entities.

3. Information We Collect

| Data Type | Purpose | Storage | Contains PHI? |
|---|---|---|---|
| DICOM files | Volume rendering, 3D visualization | Browser memory only (never uploaded) | Possible (user-controlled) |
| Processed volumes | Faster reload on subsequent visits | Browser IndexedDB (local) | No (derived numerical data only) |
| 3D mesh data (STL) | Faster reload on subsequent visits | Browser IndexedDB (local) | No (geometry only) |
| Cookie consent preference | Analytics consent management | Browser localStorage | No |
| Analytics data (if consented) | Usage statistics, product improvement | Google Analytics (cloud) | No |

We do NOT collect, process, or transmit: patient names, medical record numbers, email addresses, account credentials, IP addresses (beyond standard analytics aggregation), or any identifiers that could link analytics data to a specific patient or clinician.

4. ALTICIAN Spine Helper (Optional)

The optional ALTICIAN Spine Helper application runs locally on your computer for AI-based spinal segmentation. It communicates exclusively via localhost and does not transmit any data to external networks. No model inference data leaves the machine. It is suitable for use on hospital intranets and air-gapped (closed) networks.

We use Google Analytics 4 (GA4) to understand aggregate usage patterns. Analytics is only activated after you provide explicit consent via the cookie banner (Google Consent Mode v2), in compliance with GDPR Article 7 and ePrivacy Directive requirements. Analytics data collected (when consented) includes: page views, session duration, device type, browser type, and approximate country. No patient data, DICOM content, or clinical information is ever included in analytics. You can withdraw consent at any time by clearing your browser’s local storage for this site.

6. Local Data Caching & Retention

Processed 3D volumes and mesh data are cached in the browser’s IndexedDB for faster subsequent loading. This cache:
  • Remains entirely on your local computer and persists across browser sessions
  • Contains only derived numerical arrays and 3D geometry — not original DICOM files or patient identifiers
  • Can be cleared at any time via browser settings (Clear Site Data) or the Application’s cache management
Institutional users: If your facility’s data governance policy requires that no derived imaging data persist on the local machine, clear the browser’s site data after each session.

7. Data Sharing & Third Parties

We do not sell, rent, or share any user data. The only third-party data sharing occurs via Google Analytics when the user has consented, and this data contains no patient or clinical information.

8. Your Rights

Under GDPR (for EU/EEA users), you have the right to: access your data, rectify inaccurate data, request erasure (Article 17), restrict processing, data portability, and object to processing. Since we collect minimal data (anonymous analytics only, with consent), most rights are exercised directly through your browser settings.

Under CCPA (for California users), you have the right to know what data is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

For any privacy inquiry, contact us at the address below. We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Data Breach Notification

In the unlikely event of a data breach affecting personal data processed by this Application, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms.

10. International Data Transfers

The Application itself does not transfer patient data internationally, as all processing is local. Analytics data (when consented) may be processed by Google in data centers outside your jurisdiction, subject to Google’s data processing terms and Standard Contractual Clauses.

11. Children’s Privacy

This Application is intended for healthcare professionals and researchers. We do not knowingly collect information from anyone under 18 years of age.

12. Changes to This Policy

We may update this policy from time to time. The “Last Updated” date at the top indicates the most recent revision. Material changes will be communicated through the Application interface.

13. Contact & Data Protection Inquiries

Altician Inc.
Email: vincent.won@altician.com

For GDPR-related inquiries, this contact serves as the designated point of contact for data protection matters.