Privacy policy
Last updated: 29 May 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Smart4Soft
Hauptstraße 453
53639 Königswinter
Germany
E-mail: contact@scopeviewer.de
For data-protection enquiries please use the e-mail address above. A formally appointed Data Protection Officer is not currently required due to the size of the organisation; the controller fulfils this role in person.
2. Scope
This privacy policy applies to the public marketing website and the SaaS application "ScopeViewer", accessible at the provider's domain. It describes the nature, scope and purposes of the processing of personal data.
Two operating models: ScopeViewer is currently operated as a self-hosted demo (MVP phase). With the transition to productive EU SaaS operation, additional processors will be involved. Both models are documented in sections 3 and 7.
3. Hosting and infrastructure
Current state (MVP phase): ScopeViewer runs on infrastructure controlled by the controller and located in Germany. All data — accounts, slides, audit logs, e-mails — is stored and processed exclusively on this infrastructure. No transfer to third parties takes place, with the exception of the technical services listed in section 7.
Planned productive operation (EU SaaS): Hosting in a data centre of IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. A data processing agreement under Art. 28 GDPR is or will be in place. All servers are located in the EU.
4. Categories of data, purposes and legal bases
4.1 Account and authentication data
Data processed: e-mail address, first and last name, display name, auto-generated 6-digit user ID, language preference, role, password hash (bcrypt), an encrypted TOTP secret when two-factor authentication is enabled, registered passkeys (FIDO2 public key, sign counter, transports), and bcrypt-hashed backup codes.
Purpose: provision of the user account, authentication, account recovery (password reset, e-mail verification, account activation).
Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract).
4.2 Session and security tokens
To enforce the "one active session per account" principle and to block compromised tokens, short-lived keys are held in a cache (Redis) for up to 24 hours and 5 minutes.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in protecting accounts against unauthorised sharing and token theft).
4.3 Audit log
Security-relevant events are recorded in a dedicated audit_logs table: login, logout, multi-factor authentication, member management, file upload, annotation, sharing, org switch and security violations. Each entry contains action code, resource type, resource ID, timestamp and a denormalised reference to the acting account (user ID, e-mail).
IP address and user agent: For guest sessions (OTP request, share acceptance, share access), the IP address and user agent are recorded. For regular login events, no IP address is collected at this time. We reserve the right to extend this collection to authenticated logins in the future; this policy will be updated accordingly in good time.
Audit entries are subject to a database-level immutability trigger and are pseudonymised on account anonymisation (user ID set to NULL, e-mail set to [deleted]).
Retention: An automated purge is not currently set up. We aim for a maximum retention period of 24 months and will enforce this through automated cleanup in the future.
Legal basis: Art. 6 (1) lit. c GDPR (compliance with legal obligations under Art. 32 GDPR — security of processing) and Art. 6 (1) lit. f GDPR (legitimate interest in platform security and abuse prevention).
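The combination described in 4.3 (an append-only audit table that nevertheless permits the pseudonymisation update on account anonymisation) is easy to get wrong: a trigger that blocks every UPDATE also blocks anonymisation, while one that allows any UPDATE is no longer an immutability control. The following PostgreSQL trigger is an added illustration of that carve-out; it is not ScopeViewer's own schema, and the table layout, column names and the six-character user ID column are assumptions based on the descriptions in 4.1 and 4.3.

```sql
-- Added illustration, not ScopeViewer's own schema. Table and column names are
-- assumed from the descriptions in sections 4.1 and 4.3. Requires PostgreSQL 11+.
CREATE TABLE IF NOT EXISTS audit_logs (
    id            bigserial   PRIMARY KEY,
    action        text        NOT NULL,      -- action code, e.g. login, share_accept
    resource_type text        NOT NULL,
    resource_id   text,
    user_id       char(6),                   -- denormalised; NULL after anonymisation
    email         text,                      -- denormalised; '[deleted]' after anonymisation
    created_at    timestamptz NOT NULL DEFAULT now()
);

-- Row-level guard: DELETE is always rejected; UPDATE is rejected unless it is
-- exactly the pseudonymisation described in 4.3 (user_id -> NULL,
-- email -> '[deleted]') and every other column is left untouched.
CREATE OR REPLACE FUNCTION audit_logs_immutable() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'audit_logs is append-only: DELETE rejected (id=%)', OLD.id;
    END IF;

    IF NEW.id            IS DISTINCT FROM OLD.id
       OR NEW.action        IS DISTINCT FROM OLD.action
       OR NEW.resource_type IS DISTINCT FROM OLD.resource_type
       OR NEW.resource_id   IS DISTINCT FROM OLD.resource_id
       OR NEW.created_at    IS DISTINCT FROM OLD.created_at
       OR NEW.user_id       IS NOT NULL
       OR NEW.email         IS DISTINCT FROM '[deleted]' THEN
        RAISE EXCEPTION
            'audit_logs is append-only: only pseudonymisation updates permitted (id=%)', OLD.id;
    END IF;

    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_logs_immutable_trg
    BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_immutable();

-- Expected behaviour (constructed sample rows):
INSERT INTO audit_logs (action, resource_type, resource_id, user_id, email)
VALUES ('login', 'account', '123456', '123456', 'alice@example.org');

-- permitted: the anonymisation update from section 4.3
UPDATE audit_logs SET user_id = NULL, email = '[deleted]' WHERE user_id = '123456';

-- rejected by the trigger: rewriting history or removing evidence
-- UPDATE audit_logs SET action = 'logout' WHERE id = 1;
-- DELETE FROM audit_logs WHERE id = 1;
```

Two caveats a reviewer would check: a row-level trigger does not stop TRUNCATE, `ALTER TABLE ... DISABLE TRIGGER` or a superuser, so the application's database role should hold only INSERT, SELECT and UPDATE on this table; and the 24-month purge targeted in 4.3 cannot run through this trigger as written, so it belongs to a separate, tightly scoped role rather than to an exception in the guard itself.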
4.4 Whole-slide images (WSI) and slide metadata
Special category under Art. 9 GDPR: Whole-slide images (digital tissue slide preparations) and their derived representations (tile pyramids, thumbnails, label images, macro images) may constitute health data within the meaning of Art. 9 (1) GDPR as soon as they are patient-identifiable. Annotations, measurements and notes attached to such a slide share this classification.
Fields recorded: display name, original filename (internal, audit-only), description, stain code (e.g. H&E), organ code, scanner metadata (vendor, magnification, µm/pixel), content hash for deduplication, storage location (object storage), owner, organisation.
Note on pseudonymisation: ScopeViewer does not perform automated pseudonymisation of patient-identifying content at upload. Slide filenames and scanner labels are stored as provided by the uploading account. Responsibility for pseudonymising patient data prior to upload lies with the data exporter (typically the uploading institution). The UI "label display" option only controls presentation; the underlying image data, including any label or macro image, remains unchanged in storage.
Legal basis: Art. 9 (2) lit. h GDPR (health care, diagnostics, treatment) in conjunction with § 22 BDSG (Federal Data Protection Act) where patient data is processed; alternatively Art. 9 (2) lit. j GDPR (scientific research) in conjunction with § 27 BDSG. For non-patient-identifiable content (e.g. research data without personal reference), Art. 6 (1) lit. b and f GDPR apply.
4.5 Annotations, measurements, slide notes
Markers, measurement lines, polygons, freehand drawings and free-text notes can be created on slides. Recorded: geometry, label, note text, category, colour, timestamp and the creating account.
Retention: persists until the associated slide or entry is deleted.
Legal basis: Art. 6 (1) lit. b GDPR; for patient-related slides additionally Art. 9 (2) lit. h GDPR.
4.6 Organisation and membership data
Within an organisation ("team"), memberships (user ID, role, status, join/removal timestamps) and invitations (recipient e-mail, inviter, role, status) are processed.
Removed memberships are kept in the status removed so that historical contributions (slides, annotations) remain correctly attributable. There is no automated deletion.
Legal basis: Art. 6 (1) lit. b GDPR.
4.7 Share links and guest sessions
When a share link is created, the recipient's e-mail, a recipient display name, an optional personal message from the inviter, the expiry date and the granted permissions (upload, annotate, download) are stored. On acceptance, a one-time password (OTP) is delivered by e-mail; the OTP is held in cache only as a bcrypt hash for 10 minutes.
Retention of share links: 30 days after expiry or revocation, then automatic deletion.
Legal basis: Art. 6 (1) lit. b GDPR.
4.8 E-mail communication
For system-triggered events (registration, invitation, share OTP, password reset, e-mail change, MFA reset, membership changes, admin approval requests), the platform sends transactional e-mails. Content: recipient e-mail, inviter / org name, role, activation or confirmation link, OTP code, optionally the inviter's personal message.
SMTP delivery uses STARTTLS transport encryption; this protects the hop to the mail relay, while onward delivery depends on the TLS support of the receiving mail servers, and e-mail content (including OTP codes and activation links) is not end-to-end encrypted. The SMTP provider used is listed in section 7. Content and recipients of e-mails are not retained by ScopeViewer after delivery; retention on the recipient's mail server is outside the provider's control.
Legal basis: Art. 6 (1) lit. b GDPR.
4.9 Server logs
The reverse proxy (Nginx / Traefik) records — as technically necessary — IP address, timestamp, HTTP method, path, status code, user agent and referer. Application logs of the backend components (FastAPI, Celery) may contain account or resource identifiers in error output.
Retention: Logs are retained for a maximum of 30 days and then rotated out; the corresponding retention and rotation rule is, or will be, enforced at infrastructure level.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in operational security and error analysis) and Art. 32 GDPR.
5. Special categories of personal data (Art. 9 GDPR)
ScopeViewer enables the processing of whole-slide images, which may constitute health data within the meaning of Art. 9 (1) GDPR (cf. section 4.4). The legal basis depends on the specific use context:
- Diagnostic and therapeutic use in patient care: Art. 9 (2) lit. h GDPR in conjunction with § 22 BDSG (professional secrecy)
- Research with pseudonymised data: Art. 9 (2) lit. j GDPR in conjunction with § 27 BDSG
- Teaching and training with anonymised example slides: Art. 6 (1) lit. b / f GDPR, provided no personal reference exists
Important: ScopeViewer is not a CE-IVD certified medical device and is not approved for primary diagnostics (see Imprint). Responsibility for the lawfulness of processing patient-identifying content lies with the uploading party.
6. Cookies
ScopeViewer uses exclusively strictly necessary and functional cookies; no tracking, analytics, advertising or third-party cookies are used. Consent is therefore not required under § 25 (2) no. 2 TDDDG.
A complete list with retention period and purpose can be found in our cookie policy.
7. Recipients and processors
7.1 Current MVP phase
In the current MVP phase, personal data is processed exclusively on the infrastructure controlled by the controller. No transfer to processors takes place.
7.2 Planned productive operation
The following processors will be engaged for productive SaaS operation (all EU-based; a data processing agreement under Art. 28 GDPR is or will be concluded before productive operation begins):
- IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany — hosting (cloud servers, object storage, optionally managed Kubernetes). Data categories: all categories listed in section 4.
- SMTP provider — the specific transactional e-mail provider will be named in this policy before productive operation begins. Only EU-based providers will be used. Data transferred: e-mail address, name, OTP code, system notification content.
- Let's Encrypt (Internet Security Research Group, USA) — automated issuance and renewal of TLS certificates. Only the domain names to be certified and a public key are transmitted; no user or content data. As with every publicly trusted certificate authority, issued certificates, and therefore the certified domain names, are published in public Certificate Transparency logs. Legal basis: Art. 6 (1) lit. f GDPR.
No transfer to US providers within the meaning of Schrems II takes place. In particular, neither AWS, Google Cloud, Microsoft Azure nor Cloudflare R2 is used for data storage.
8. Transfer to third countries
Personal user data is not transferred to third countries outside the EU / EEA. The only exception is the communication with Let's Encrypt described in section 7.2 for the issuance of TLS certificates; no user or content data is transmitted, only technical metadata necessary for certificate issuance.
9. Retention period
Personal data is only stored for as long as is necessary to fulfil the respective purpose or as required by statutory retention obligations:
- Account and profile data: for the duration of the account
- Slides, annotations, measurements, notes: until deleted by the owner or an administrator
- Session tokens: up to 24 hours and 5 minutes (Redis TTL)
- OTP codes: 10 minutes
- Share links: 30 days after expiry or revocation
- Backup codes: until use, then deleted without delay
- Authentication tokens (e-mail verification, password reset): between 1 hour and 7 days depending on the token type
- Audit logs: targeted maximum retention 24 months (see 4.3)
- Server logs: max. 30 days
10. Your rights as a data subject
You have the following rights:
- Access (Art. 15 GDPR) — you can request information about the data stored about you at any time.
- Rectification (Art. 16 GDPR) — inaccurate data can be corrected; profile and e-mail changes are possible directly in your account.
- Erasure (Art. 17 GDPR) — you may request deletion of your account. Note: A full self-service deletion is not yet implemented in the profile. Please send the deletion request by e-mail to contact@scopeviewer.de. We will confirm receipt without delay and carry out the deletion within the statutory period. Audit entries will be pseudonymised (user ID set to NULL, e-mail set to [deleted]) where statutory retention or evidence-preservation obligations require.
- Restriction (Art. 18 GDPR) — you can request blocking of your data.
- Data portability (Art. 20 GDPR) — you can receive your data in a structured, commonly used, machine-readable format. Note: An automated export function is not yet implemented. We will handle requests manually via the e-mail address above.
- Objection (Art. 21 GDPR) — where processing is based on Art. 6 (1) lit. f GDPR (in particular security logs), you may object to the processing at any time on grounds relating to your particular situation.
- Withdrawal of consent (Art. 7 (3) GDPR) — where processing is based on consent, it can be withdrawn at any time with effect for the future.
11. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority (Art. 77 GDPR). The competent authority for the controller is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
Web: https://www.ldi.nrw.de/
12. Obligation to provide personal data
Providing the data required for account creation and use (e-mail, first and last name, password) is neither required by law nor by contract. However, without this data the service cannot be provided.
13. Automated decision-making
No automated decision-making within the meaning of Art. 22 GDPR (including profiling) takes place. ScopeViewer does not make diagnostic or other legally effective decisions about you on a purely automated basis.
14. Data security
We implement technical and organisational measures under Art. 32 GDPR, in particular: transport encryption (TLS) for all externally reachable connections, bcrypt password hashing, Fernet-encrypted TOTP secrets, FIDO2/WebAuthn passkeys as a phishing-resistant alternative to passwords, a single active session per account to prevent account sharing, audit logs protected by an immutability trigger, tenant isolation at the database query level, rate limits on security-critical endpoints, and visibility filtering for restricted roles.
15. Changes to this privacy policy
We reserve the right to adapt this privacy policy to reflect current legal requirements or changes to our services. The current version is available at this URL; the date of the last update can be found at the top of this page.