OFO Labs
Back to Oct Insight

Privacy Policy

Oct Insight

Privacy Policy for Oct Insight

Last Updated: March 1, 2026

1. Data Controller

The data controller responsible for processing personal data under GDPR and German BDSG is:

Faruk Orman 24105 Kiel, Germany Email: ofolabs@gmail.com

No Data Protection Officer is required as fewer than 20 persons engage in automated data processing.

2. Overview of Data Processing

Explicit consent (Art. 9(2)(a)): We process health data — specifically uploaded OCT scan images (retinal images), which constitute special category data — for AI-based retinal disease classification. Session data (uploaded images held in server memory during processing) is likewise processed under explicit consent for classification inference and Grad-CAM heatmap generation.

Legitimate interest (Art. 6(1)(f)): We process technical data — specifically your IP address, present in Streamlit Cloud server logs — for web hosting and security.

Oct Insight processes health data (medical images) as defined under Art. 9 GDPR. No accounts, no registration, no analytics, and no persistent data storage. Uploaded images exist only in server memory during your session and are discarded when the session ends.

3. Detailed Processing Activities

3.1 OCT Image Upload & Classification

When you upload an OCT scan image:

  • The image is uploaded to the Streamlit Cloud server where the AI model runs.
  • The image is processed in-session in server memory to generate a classification result (CNV, DME, Drusen, or Normal) and a Grad-CAM explainability heatmap.
  • Processing typically takes 1–5 seconds.
  • Images are not stored permanently. They exist only in server memory during your session and are discarded when you close the browser tab or the session ends.
  • Images are never used for AI model training, shared with third parties, or retained on any server.
  • No patient identifiers, names, or other personal data is collected alongside uploaded images.

3.2 Special Category Data (Art. 9 GDPR)

OCT scan images constitute health data as they are medical images of the retina. Processing of health data is permitted under:

  • Art. 9(2)(a) GDPR — explicit consent: By voluntarily uploading an OCT scan, you explicitly consent to its processing for the purpose of AI-based classification. You are under no obligation to upload any image.
  • Images are processed solely for the purpose you initiate (classification and heatmap generation).
  • No secondary use of health data occurs.

3.3 Hosting & Server

Oct Insight runs on Streamlit Cloud (Snowflake Inc.), which provides the hosting infrastructure and Python runtime environment. Standard web hosting involves your browser sending HTTP requests that include your IP address. Streamlit Cloud may log IP addresses and request metadata as part of normal hosting operations.

3.4 Data We Do NOT Collect

Oct Insight does not collect:

  • Names, email addresses, or contact information
  • Patient identifiers or medical record numbers
  • Location data or device identifiers
  • Usage analytics or behavioral data
  • Financial or payment information
  • Any data beyond the uploaded OCT image and your IP address

4. Third-Party Service Providers

Streamlit Cloud (Snowflake Inc., USA) provides web hosting and the server-side Python runtime. Your IP address appears in server logs, and uploaded OCT images are held in-session in server memory only.

Hugging Face (Hugging Face, Inc., USA) hosts the AI model file (baseline_model.pkl, ~100 MB, cached on the server after first download). No user data is transmitted — the model is downloaded to the server only.

No user data is transmitted to Hugging Face. The AI model file is downloaded once to the Streamlit Cloud server and cached for subsequent sessions. Only the server's IP address is exposed during model download.

5. AI Processing & Transparency (EU AI Act)

Per Regulation (EU) 2024/1689, Art. 50:

Retinal Disease Classification uses a ResNet50 model custom-trained on 84,000+ OCT images via FastAI/PyTorch to classify retinal conditions (CNV, DME, Drusen, or Normal). Processing occurs server-side on Streamlit Cloud. The model takes a user-uploaded OCT scan image as input and produces an AI-generated classification with confidence scores.

Explainability Heatmap uses Grad-CAM (pytorch_grad_cam) to highlight image regions influencing the classification. Processing occurs server-side on Streamlit Cloud. It takes the same uploaded OCT image along with model activations as input and produces an AI-generated heatmap overlay.

Important Disclosures:

  • Classification results are AI-generated predictions, not clinical diagnoses. They are produced by automated processing of the uploaded image.
  • The AI model was trained on a publicly available dataset of OCT images. Your uploaded images are not used for model training.
  • AI processing occurs only by your explicit action (uploading an image). No automated processing without user initiation.
  • Grad-CAM heatmaps are provided for transparency, showing which image regions the model focused on for its prediction.
  • All AI outputs should be reviewed by the user and are not intended for autonomous clinical decision-making.

6. Automated Decision-Making (Art. 22 GDPR)

Oct Insight performs automated classification of uploaded medical images. Disclosure per Art. 22 GDPR:

  • Nature: The AI model automatically classifies retinal conditions from OCT scans without human intervention in the classification process.
  • Logic: A ResNet50 convolutional neural network processes the image and outputs probability scores for four categories (CNV, DME, Drusen, Normal). The highest-scoring category is presented as the classification result.
  • Significance and safeguards: The automated classification does not produce decisions with legal effects or similarly significant effects because:
    • Results are for research and educational purposes only, not clinical diagnosis
    • No treatment decisions, insurance determinations, or other consequential actions are taken based on outputs
    • Users review all outputs and are explicitly informed results are not medical advice
    • A qualified medical professional must always be consulted for clinical decisions
  • Your rights: You may request human review of any classification result by contacting ofolabs@gmail.com.

7. International Data Transfers

Streamlit Cloud (Snowflake Inc., USA): We rely on Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR as adopted by Commission Implementing Decision (EU) 2021/914.

Hugging Face (USA — model file hosting only): We rely on SCCs per Art. 46(2)(c) GDPR. No user data is transferred to Hugging Face — only the AI model file is downloaded to the server.

Contact ofolabs@gmail.com for specific transfer safeguard details.

8. Cookies & Local Storage

Per § 25 German TTDSG and Art. 5(3) ePrivacy Directive:

Oct Insight does not use cookies or localStorage in the application itself. Streamlit Cloud may set session management cookies at the framework level that are strictly necessary for the web application to function. These are exempt from consent under § 25(2) TTDSG as strictly necessary for the service requested by the user.

No advertising, analytics, or tracking cookies are used.

9. Provision of Personal Data

No personal data is required to use Oct Insight. The application functions without any account or registration. Uploading an OCT scan image is entirely voluntary. The only other data exposure (IP address via hosting) is a technical necessity of internet communication.

10. Data Subject Rights

Under GDPR and BDSG, you have:

  • Right of access (Art. 15 GDPR, § 34 BDSG) — we do not persistently store personal data; uploaded images are discarded at session end
  • Right to rectification (Art. 16 GDPR) — not applicable as no personal data is persistently stored
  • Right to erasure (Art. 17 GDPR, § 35 BDSG) — uploaded images are automatically discarded at session end; no persistent data to erase
  • Right to restriction (Art. 18 GDPR) — you may close your browser tab at any time to immediately terminate processing
  • Right to data portability (Art. 20 GDPR) — not applicable as no personal data is persistently stored
  • Right to object (Art. 21 GDPR, § 36 BDSG) — you may object to IP address logging by not visiting the site; image processing only occurs upon your voluntary upload
  • Right to withdraw consent (Art. 7(3) GDPR, Art. 9(2)(a)) — you may withdraw consent for health data processing at any time by closing the session; images are immediately discarded. Withdrawal does not affect lawfulness of processing performed before withdrawal.
  • Right regarding automated decisions (Art. 22 GDPR) — see Section 6; you may request human review of classification results

Contact ofolabs@gmail.com to exercise rights. Response within one month per Art. 12(3) GDPR. Period may extend two further months for complex requests with first-month notice.

11. Right to Lodge a Complaint

Lodge complaints with data protection supervisory authorities per Art. 77 GDPR. Competent authority for Kiel, Schleswig-Holstein:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) Holstenstraße 98, 24103 Kiel, Germany Website: https://www.datenschutzzentrum.de

You may also contact supervisory authorities in your EU member state of habitual residence, work, or alleged infringement location.

12. Data Retention

  • Uploaded OCT images: Exist in server memory only during the active session (typically 1–5 seconds for processing). Automatically discarded when the session ends or the browser tab is closed. No images are logged, archived, or backed up.
  • Classification results and heatmaps: Generated in-session and displayed to the user. Not stored on the server after the session ends.
  • Server logs (Streamlit Cloud): IP addresses and request metadata may be retained by Streamlit Cloud per their retention policy.
  • AI model file: Cached on the Streamlit Cloud server. Contains no user data.

13. Medical Disclaimer

Oct Insight is a research prototype and is not a medical device. It has not been approved, cleared, or certified by any medical regulatory authority, including the FDA (USA), CE marking (EU), or any equivalent body.

Classification results are for research and educational purposes only. They must not be used for:

  • Clinical diagnosis of retinal diseases
  • Treatment planning or medical decision-making
  • Monitoring of eye conditions
  • Any purpose requiring validated medical device output

Always consult a qualified ophthalmologist or retinal specialist for professional medical evaluation of OCT scans and any eye health concerns.

14. Children's Privacy

Oct Insight does not collect personal data from any user beyond session-only image processing. Per Art. 8 GDPR and § 25 TTDSG, no special protections for children are triggered as no persistent personal data collection occurs. Use by minors should be supervised by an adult.

15. Security Measures

Appropriate technical and organizational measures per Art. 32 GDPR:

  • HTTPS/TLS encryption for all data in transit (image uploads, page loads)
  • Images processed in server memory only — no persistent storage, no database writes
  • No user accounts or credentials to protect
  • Session isolation on Streamlit Cloud — each user session runs independently
  • AI model does not retain or learn from user-uploaded images
  • Minimal data principle — only the uploaded image is processed, no additional data collected

16. Changes to This Policy

Privacy policy may update reflecting practice or legal changes. "Last updated" date indicates most recent revision. Changes are effective when posted. We encourage periodic review.

17. Contact

For privacy inquiries or exercising data subject rights:

Faruk Orman 24105 Kiel, Germany Email: ofolabs@gmail.com