Early Access
Request early access

Legal

Privacy Policy

Last updated: 28 May 2026

1. Data controller

The data controller for personal data processed through dicomly.io is:

Ing. Martin Höger
IČO: 76263428
Svestkova 2337
412 01 Litoměřice
Czech Republic

Contact: info@dicomly.io

2. What data we collect

We collect only what is necessary to provide the service:

  • Account data — name and email address provided at registration.
  • Billing data — payment method details processed and stored by Stripe, Inc. We receive only non-sensitive billing metadata (last four digits, country, transaction amounts).
  • API credentials — API keys you create to authenticate against the Dicomly API. Keys are stored as irreversible hashes; the plaintext is shown once and then discarded.
  • Usage data — endpoint identifiers, byte counts, and timestamps, used for billing and service operation. No DICOM payload content, SOP UIDs, or patient identifiers are recorded.
  • Log data — IP addresses and HTTP metadata from API requests, retained for up to 30 days for security and debugging.

Dicomly never stores DICOM payload data. DICOM bytes flow in real time from the sender to your STOW-RS receiver and are never written to disk, a queue, or any cache on Dicomly infrastructure. No protected health information (PHI) or patient data is processed or retained by Dicomly.

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR) — processing your account, billing, and API credential data is necessary to provide the service you have agreed to use.
  • Legitimate interests (Art. 6(1)(f) GDPR) — security logging and fraud prevention, where our interest in protecting the service and its customers does not override your rights.
  • Legal obligation (Art. 6(1)(c) GDPR) — retaining transaction records as required by Czech accounting law.

4. Sub-processors and data transfers

We use a limited number of sub-processors to operate the service:

  • Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — server infrastructure. All servers are located in the European Union.
  • Stripe, Inc. — payment processing. Stripe acts as an independent data controller for payment card data under applicable law.

We do not transfer personal data outside the European Economic Area except where Stripe processes payment data, which is governed by Stripe's standard contractual clauses and privacy policy.

5. Retention

  • Account data is retained for the duration of the account and deleted within 30 days of account closure.
  • Billing records are retained for 10 years as required by Czech accounting law (Act No. 563/1991 Coll.).
  • Security logs are retained for up to 30 days.
  • Usage data used for billing is retained for the duration of the account and exported to the monthly invoice record thereafter.

6. Your rights under GDPR

As a data subject, you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — request correction of inaccurate data.
  • Erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Restriction (Art. 18) — request that we restrict processing in certain circumstances.
  • Data portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.

To exercise any of these rights, contact info@dicomly.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

7. Cookies

The dicomly.io website does not use tracking or advertising cookies. We may set a strictly necessary session cookie when you are signed in to the Dicomly console. No third-party analytics or advertising scripts are loaded on marketing pages.

8. Changes to this policy

We may update this policy to reflect changes in the service or applicable law. Material changes will be communicated by email to registered users at least 14 days before they take effect. The date at the top of this page always reflects the most recent revision.

9. Governing law

This policy is governed by the laws of the Czech Republic and, where applicable, EU Regulation 2016/679 (GDPR).