mRay Importer: Privacy Policy

mbits imaging GmbH
(a German limited liability company)
Hans-Bunte-Str. 4
69123 Heidelberg
Germany

Represented by the CEOs:
Dr. Ingmar Gergel and Dr. Michael Müller

Data Protection Officer:
Luca Frank (mail: frank(at)mbits.info)

Contact

Tel: +49 6221 3217 400
Fax: +49 6221 3217 409
E-Mail: mail(at)mbits.info

Introduction

Welcome to mRay Importer!
We are pleased that you are using our software to integrate your patients’ examinations into your system.

Data protection is our highest priority. In the following, we would like to inform you about how and which of your data is used and stored by the software, how we protect it, and what rights you have at any time.

The lawfulness of the processing of your data in the described manner is confirmed by your acceptance of the Terms of Use during your initial login or upon any changes to the Terms of Use.

Scope

This Privacy Policy applies to the Software-as-a-Service (SaaS) version of mRay Importer operated by mbits imaging GmbH (including all individual components of the software). The solution essentially comprises two main functions:

  1. Download of examinations from imaging portals (DLX and non-DLX capable).

  2. Import of examinations (DICOM and non-DICOM files) into the user’s own systems.

On-premises use by hospitals is not covered by this Privacy Policy and requires a separate one.

Brief Overview

  • Purpose: Download-based transfer of DICOM studies (images and metadata) and non-DICOM files (e.g., PDFs) to authorized recipients (e.g., hospitals/medical practices), as well as import of the data into the user’s own system with corresponding metadata adjustment.

  • Personal Data: Includes account data (e.g., name, email), patient data from medical examinations, and technical logs.

  • Hosting: Processing is carried out exclusively in data centers within the EU operated by Hetzner Online GmbH (data processor). No transfer to third countries takes place.

Your Rights

With respect to all personal data described below that you provide to us – directly or indirectly – you have the following rights:

  • Right to object / right to withdraw consent: You may object to the processing of your data at any time. In such cases, the data will be deleted.

  • Right of access: You may request comprehensive information at any time about the personal data we store about you.

  • Right to erasure or rectification: You may request the deletion or correction of your personal data stored by us.

  • Right to data portability: You may receive the personal data we store about you.

  • Right to lodge a complaint with a supervisory authority.

Categories of Processed Data

  • Account/Profile Data: Name, email address, if applicable organization/affiliation, password hash, role identifiers (user/admin), consent and permission flags.

  • Patient Data: complete DICOM datasets including image data and DICOM headers/metadata, any non-DICOM files contained within the examination (e.g., physician reports as PDF), as well as other treatment-related data that may be included in the DICOM worklist.

  • Target URL: URLs/parameters embedded in download links (may contain personal data).

  • Usage/Log Data: device and browser information, timestamps, login events, error and system logs.

  • Support/Communication Data: content of support requests and associated metadata.

Purposes and Legal Bases (Art. 6 GDPR, § 25 TDDDG)

  • Patient Data (DICOM): Processing in a healthcare context by the respective healthcare organization (Art. 6(1)(b) and/or (f) GDPR in conjunction with Art. 9(2)(h) and (3) GDPR as well as applicable professional and social security law provisions). mbits imaging GmbH acts as a data processor pursuant to Art. 28 GDPR.

    • Self-Download by Patients: Patients may download imaging data (e.g. DICOM studies) directly via the application. The legal basis is the consent pursuant to Art. 6(1)(a) in conjunction with Art. 9(2)(a) GDPR, which is granted through the use of the application and/or the explicit initiation of the download by the patient. Consent may be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

    • Download and/or Import by Healthcare Professionals (Hospitals/Practices): Download and import may also be carried out by treating healthcare professionals as part of the provision of medical care. The legal basis is the fulfilment of the medical treatment contract and/or the provision of healthcare (Art. 6(1)(b) and/or (f) GDPR in conjunction with Art. 9(2)(h) and (3) GDPR as well as applicable professional and social security law provisions) and/or the indirect consent of the patient to the download.

  • Provision of mRay Importer, Login, and User Management: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in ensuring operational functionality).

  • Error reporting: If medical professionals report an error when retrieving imaging data from an external portal, the reporting user, the URL used to access the images on the respective portal, and, where applicable, the patient's date of birth and/or PIN are transmitted to mbits imaging by email and stored temporarily. The imaging data itself is temporarily retained on the system, as is the case during normal operation. The aforementioned data is used exclusively for the analysis and resolution of the error as well as for the implementation of the corresponding portal integration and is subsequently deleted; this constitutes further processing for a purpose compatible with the original processing (Art. 6(4) GDPR). Patients do not have the possibility to initiate an error report themselves. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the functionality and further development of the software).

  • Security, Logging, and Error Diagnostics: Art. 6(1)(f) GDPR (IT security, system stability, and integrity).

  • Communication / Support: Art. 6(1)(b) and (f) GDPR.

  • Cookies:

    • Technically necessary cookies (authentication, session management, CSRF protection): § 25(2) No. 2 TDDDG (no consent required), Art. 6(1)(f) GDPR.

    • No analytics or tracking cookies; no third-party tracking is used.

Cookies

  • We exclusively use strictly necessary cookies (e.g. session/authentication cookies, optionally refresh token cookies, and CSRF protection tokens).

  • Retention period: Session cookies are stored until the end of the session. Any persistent authentication cookies (if used) are stored only for the minimum necessary duration.

  • Control: As no optional cookies are used (e.g. no analytics or similar tracking cookies), no consent banner is required. Cookies may be deleted at any time via browser settings.

Recipients / Data Processors / Hosting

  • Data Processor: Hetzner Online GmbH (EU data centers). A data processing agreement pursuant to Art. 28 GDPR is in place.

  • Other recipients: none.

  • Third-country transfers: not envisaged.

Retention and Deletion

  • Account/Profile Data: retained for the duration of the usage/contractual relationship; thereafter deleted or anonymized, unless statutory retention obligations apply.

  • Log Data: purely technical logs without personal reference; therefore generally not subject to the scope of the GDPR; any short-term storage is solely for operational and security purposes and is deleted thereafter.

  • DICOM Data: temporarily stored for the purpose of transfer and further processing by the receiving healthcare organization. The retention period is a maximum of seven (7) calendar days (168 hours) from receipt of the data; after this period, data is automatically deleted. Earlier deletion may occur where no technical requirements prevent it.

  • Support / Communication Data: retained until final resolution of the request and in accordance with applicable legal documentation and record-keeping obligations.

  • Error report data: Until the portal integration has been fully implemented or the issue has been resolved; thereafter, immediate deletion.

Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures, including TLS transport encryption, encryption of data at rest, role-based access controls, system hardening and monitoring, antivirus protection, backup and restore procedures, the principle of least privilege, and logging of security-relevant events.

Obligation to Provide Data / No Automated Decision-Making

The provision of basic account data is required for the use of the service. No automated individual decision-making, including profiling, takes place.

Rights of Data Subjects (Art. 15–21, 77 GDPR)

You have the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing based on Art. 6(1)(f) GDPR. Any consent may be withdrawn at any time with effect for the future.
You also have the right to lodge a complaint with a data protection supervisory authority (e.g. at your place of habitual residence or at the location of the controller’s registered office).

Contact for data protection inquiries: mbits imaging GmbH – mail@mbits.info; Data Protection Officer: Luca Frank – frank@mbits.info.

Minors

The application is intended for professional users only. Use by minors is not intended.

Changes to this Privacy Policy

We may update this Privacy Policy where technical, legal, or organizational changes make such updates necessary.

Last updated: 10.06.2026.
