Privacy
Brain MRIs are sensitive. This page describes exactly what NeuroVol does with the file you upload, what we strip from it, what we keep, where it lives, and for how long.
What happens to your upload
- You upload a ZIP of a DICOM series over HTTPS.
- Before anything else, we extract the ZIP into a temporary directory on the server and read each DICOM file with pydicom. We strip identifying header fields (see list below), regenerate the study/series UIDs to fresh random ones, and remove all private vendor tags wholesale.
- We convert the now-de-identified DICOM series to a single NIfTI volume using dcm2niix.
- We upload the NIfTI volume to a private object store (Cloudflare R2). The segmentation step runs on a GPU host that reads the volume via a short-lived pre-signed URL.
- The segmentation returns a per-region volume map. We compute percentiles against an age/sex normative reference and store the numbers in our database, linked to your account.
What we strip from DICOM headers
We remove the following tags (and any private vendor tags) before anything is persisted off the immediate request:
- PatientName
- PatientID
- PatientBirthDate
- PatientBirthTime
- PatientAddress
- PatientTelephoneNumbers
- PatientMotherBirthName
- OtherPatientIDs
- OtherPatientNames
- ReferringPhysicianName
- ReferringPhysicianAddress
- ReferringPhysicianTelephoneNumbers
- PhysiciansOfRecord
- PerformingPhysicianName
- OperatorsName
- NameOfPhysiciansReadingStudy
- RequestingPhysician
- ResponsiblePerson
- AccessionNumber
- StudyID
- InstitutionName
- InstitutionAddress
- InstitutionalDepartmentName
- StationName
- DeviceSerialNumber
- StudyDescription
- SeriesDescription
- ProtocolName
- RequestedProcedureDescription
- ReasonForStudy
- AdmittingDiagnosesDescription
- ImageComments
- All overlay layers (groups 0x6000–0x60FF)
UIDs are regenerated so a stored file cannot be cross-referenced with the original PACS records.
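An added example, not NeuroVol's code: a standard-library audit that checks a de-identified header for a subset of the tags listed above, private (odd-group) tags, and overlay groups. It assumes an Explicit VR Little Endian data set, inspects top-level elements with defined lengths only, and runs on constructed sample bytes.

```python
import struct

# Subset of the tags listed above, keyed by (group, element).
IDENTIFYING = {
    (0x0008, 0x0050): "AccessionNumber", (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName", (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate", (0x0018, 0x1000): "DeviceSerialNumber",
}
# VRs that use a 2-byte reserved field plus a 4-byte length in explicit VR.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ",
            b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}

def iter_elements(data):
    """Yield (group, element, value) for each top-level element."""
    pos = 132 if data[128:132] == b"DICM" else 0  # skip Part 10 preamble if present
    while pos < len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise ValueError(f"unsupported or truncated element ({group:04X},{elem:04X})")
        yield group, elem, data[pos:pos + length]
        pos += length

def audit(data):
    """Return findings; an empty list means none of the checks matched."""
    findings = []
    for group, elem, _value in iter_elements(data):
        if (group, elem) in IDENTIFYING:
            findings.append(f"{IDENTIFYING[(group, elem)]} present")
        elif group % 2 == 1:  # odd group number = private vendor tag
            findings.append(f"private tag ({group:04X},{elem:04X})")
        elif 0x6000 <= group <= 0x60FF:  # overlay groups
            findings.append(f"overlay group {group:04X}")
    return findings

def el(group, elem, vr, value):
    """Encode one short-VR element (constructed test data, even-length values)."""
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed samples: a raw header and the same header after stripping.
RAW = (el(0x0008, 0x0060, b"CS", b"MR") + el(0x0009, 0x0010, b"LO", b"VENDOR")
       + el(0x0010, 0x0010, b"PN", b"DOE^JANE") + el(0x0010, 0x0020, b"LO", b"123456")
       + el(0x0010, 0x0040, b"CS", b"F ") + el(0x6000, 0x0010, b"US", b"\x00\x01"))
CLEAN = (el(0x0008, 0x0060, b"CS", b"MR") + el(0x0010, 0x0040, b"CS", b"F ")
         + el(0x0010, 0x1010, b"AS", b"042Y"))
```

Because it does not share a parser with the stripping step, a check like this can run as an independent gate before a file is written to object storage.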
What we keep
- The de-identified NIfTI volume.
- The segmentation output (a label NIfTI).
- A JSON file with per-region volumes.
- The original ZIP you uploaded, also in object storage, in case we need to re-run the pipeline. This still contains the original DICOM files; if you'd prefer we discard it after processing, request deletion and we will.
- The non-identifying metadata fields the pipeline needs: PatientAge, PatientSex, and StudyDate — captured at read-time and persisted only as numbers / one-letter codes in our database.
- Your account email and a bcrypt-hashed password (or your Google account identifier if you signed in with Google).
Where it lives
- Application and database: a server in a Hetzner data center in Falkenstein, Germany.
- Object storage: a private Cloudflare R2 bucket. Objects are not publicly listable and are fetched by the application using account-scoped S3 credentials.
- Segmentation compute: a serverless GPU endpoint on RunPod. The worker downloads the NIfTI via a short-lived pre-signed URL, runs the model, and uploads the segmentation back via a short-lived pre-signed PUT URL. The worker receives only the de-identified volume, with no identifying data.
Retention & deletion
If you want your data removed, log a request and we will delete your account, all scans, and all object-store artefacts within a few business days. There is no "soft delete" — the rows and the object-store objects go away.
What we will not do
- We do not sell, share, or trade your data.
- We do not use your scans to train any machine-learning model.
- We do not display your data to other users. The "longitudinal" view is per-account.
Last updated: 2026-05-17.