Skip to Content

Privacy Policy

Replasia Privacy Policy for Clinical, Research, and AI Data Processing


Replasia develops technologies and conducts activities that involve processing medical imaging data, clinical information, and other health-related personal data to support research, clinical studies, artificial intelligence development, usability testing, and regulatory submissions. This Privacy Policy explains how we collect, process, store, and share such information in compliance with the General Data Protection Regulation (GDPR), applicable national data protection laws, and, where relevant, the U.S. Health Insurance Portability and Accountability Act (HIPAA).

Because Replasia processes special category personal data — including health data and imaging information — we are committed to ensuring a high level of protection, transparency, and security in all our activities.

This policy applies only to data processed in connection with Replasia’s research, imaging, AI development, usability testing, regulatory, and related activities. It does not cover data collected when you visit our website; for information about website cookies, analytics, and online contact forms, please refer to our dedicated Website Privacy Policy.

Scope

This Privacy Policy applies to all personal and health-related data processed by Replasia as part of its research and development activities. These include:

  • Collecting and processing imaging and health data for clinical studies, scientific research, and AI development

  • Conducting usability testing on software, devices, and digital platforms

  • Annotating, segmenting, and preparing datasets for algorithm training and validation

  • Supporting regulatory submissions and compliance activities

  • Collaborating with clinics, hospitals, research institutions, and trusted technical partners

If you participate in a study, usability test, clinical trial, data-sharing agreement, or similar activity with Replasia, this Privacy Policy explains how your information is handled.

Types of Data Collected

Replasia processes different types of personal data depending on the purpose of the activity. These may include:

  • Medical imaging data such as X-rays, MRIs, CT scans, ultrasound images, DICOM files, and segmentation masks

  • Associated clinical information including diagnostic reports, treatment plans, and medical histories

  • Demographic information relevant to studies or usability testing, such as age, sex, handedness, height, weight, and acquisition dates

  • Feedback and survey responses collected during research studies or usability evaluations

  • Contact details when needed for scheduling, follow-ups, or result-sharing, such as your name, email address, or phone number

  • Technical and system data generated when interacting with Replasia’s platforms, such as logs, timestamps, or performance information

Where possible, personal data is pseudonymised before processing to limit identification. Identifiable data is only used where strictly necessary and is stored separately from imaging or clinical data under strict access controls.

Purpose of Processing

Replasia processes personal and health-related data to:

  • Develop, test, and validate AI algorithms and medical imaging technologies

  • Conduct clinical and usability studies to improve product safety, accuracy, and performance

  • Support regulatory submissions under frameworks such as FDA, MDR, and CE-marking requirements

  • Advance scientific research and publish anonymised findings

  • Train healthcare professionals and optimise diagnostic workflows

  • Comply with legal and regulatory obligations applicable to medical data

If Replasia intends to use your data for purposes not originally specified, you will be informed before processing and, where required, we will request your additional consent.

Lawful Basis for Processing Special Category Data

Under GDPR, Replasia processes your personal and health-related data based on the following lawful bases:

  • Explicit consent under Articles 6(1)(a) and 9(2)(a) GDPR, obtained before any collection or processing of your data

  • Scientific research under Article 9(2)(j) GDPR, where appropriate safeguards are implemented to protect your rights and freedoms

  • Public health purposes under Article 9(2)(i), if required for safety reporting or regulatory obligations

For activities covered by HIPAA in the United States, this Privacy Policy also serves as your authorisation for the collection, use, and disclosure of Protected Health Information (PHI) where necessary.

Data Sharing and International Transfers

Replasia only shares your data where necessary for the agreed purposes and only with authorised parties. These may include:

  • Clinical collaborators and healthcare professionals

  • Academic research institutions and trusted technical partners

  • Service providers supporting data storage, annotation, and processing

  • Regulatory bodies where legally required

In some cases, your data may be transferred outside the European Economic Area (EEA), including to the United States. When this occurs, Replasia ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or Business Associate Agreements (BAAs) where HIPAA applies.

Security of Your Data

Because we process sensitive health-related information, Replasia applies strict security measures to ensure your data remains safe. These measures include:

  • Encryption of data during storage and transmission

  • Strict role-based access controls for authorised personnel only

  • Pseudonymisation and separation of identifiable data

  • Audit logging and monitoring of all data-handling activities

  • Secure infrastructure compliant with GDPR and HIPAA

  • Regular vulnerability testing and security assessments

All third-party providers processing data on Replasia’s behalf are required to meet equivalent security and privacy standards.

Data Retention

Replasia retains personal and health-related data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or scientific requirements. For activities involving research, clinical validation, or regulatory submissions, your data may be stored for up to 15 years unless a longer retention period is required by law.

When data is no longer required, it is securely deleted or irreversibly anonymised, and an auditable destruction record is maintained.

Your Rights

Under GDPR, you have the right to request access to your data, correct inaccurate information, request deletion where legally permissible, restrict processing, and object to certain processing activities. You also have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Where applicable, you may request a portable copy of your data. Under HIPAA, you also have the right to obtain a copy of your Protected Health Information, request corrections, and receive an accounting of certain disclosures.

To exercise your rights, please contact Replasia using the details below.

Voluntary Participation and Withdrawal

Your participation in studies, usability testing, or other data-driven activities with Replasia is voluntary. You may refuse to provide consent or withdraw it at any time. If you withdraw, Replasia will stop processing your personal data unless retention is required by law or unless your data has been anonymised in a way that makes identification impossible.

Contact Information

If you have any questions about this Privacy Policy, the processing of your data, or your rights, you can contact Replasia’s Data Protection Officer:

Name: Miguel Azevedo (Qity BV)

Email: dpo@qity.be

You also have the right to lodge a complaint with your national data protection authority. If your data is processed under HIPAA, you may also contact the U.S. Office for Civil Rights (OCR).

Updates to This Policy

Replasia may update this Privacy Policy to reflect changes in our practices, legal obligations, or technical safeguards. When significant updates occur, we will notify you where required by law and make the revised version available to you.