Privacy Policy (CarDS Scan iOS App)
Effective date: August 18, 2025
Developer: Cardiovascular Data Science Lab (“CarDS Lab”)
1) Overview
CarDSScan is an iOS research application that performs on-device analysis of electrocardiograms (ECGs). The App has two features:
Image-based 12-lead ECG prediction (via camera or image import)
Signal-based 1-lead ECG prediction from Apple Watch ECGs
All machine-learning models are bundled within the App. No internet connection is required to use core features, and the App does not transmit ECG data or predictions to any server by default.
This Privacy Policy explains what data the App processes, how it is used, and your choices.
2) Scope
This Policy applies to your use of the App on your device. If you are participating in a research study, your participation may also be governed by a separate informed consent and/or Institutional Review Board (IRB)/Ethics approval. If there is a conflict, the research consent controls for research data handling.
3) What the App Processes (on device)
Depending on your use and permissions you grant, the App may process only on your device:
ECG images you capture with the camera or select from your photo library.
ECG signals recorded by Apple Watch and accessible via Health/HealthKit (with your permission).
Derived outputs (model predictions, scores, or visualizations) produced on device.
Local diagnostic logs (e.g., error messages, time stamps) needed to troubleshoot the App. These remain on device unless you choose to share them.
The App does not require you to enter personal identifiers (e.g., name, email). If a study workflow asks you to enter a research ID or annotation, it is stored locally on your device unless you explicitly export it.
4) Data Sources and Permissions
Camera: Used to photograph 12-lead ECGs. Images stay on device unless you save/export them.
Photo Library: Used to select ECG images for analysis. Access is read-only.
Health/HealthKit (if you opt in): Used to read Apple Watch ECGs for the 1-lead analysis.
HealthKit data accessed is used only to provide App functionality and permitted research purposes.
Health data is not used for advertising, data brokerage, or profiling.
You can change permissions at any time in iOS Settings → Privacy & Security.
5) No Automatic Collection, Sale, or Sharing
No automatic uploads: The App does not automatically send ECG data, predictions, or identifiers to the cloud or to CarDS Lab.
No third-party analytics/ads SDKs: We do not use advertising identifiers (IDFA) or cross-app trackers.
No sale or sharing for targeted advertising: We do not sell your data and do not share it for targeted advertising.
6) Optional User-Initiated Exports
You may choose to export or share outputs, ECG images, ECG signals, or logs (for instance, to your research team or to CarDS Lab for troubleshooting). When you initiate an export/share action, you control the destination (e.g., Files, Mail, AirDrop). Once you export, that copy is outside the App and subject to the recipient’s policies.
7) On-Device Storage, Backups, and Retention
Storage: ECG inputs, outputs, and logs remain on your device unless you delete them or uninstall the App.
Backups: Depending on your iOS settings, locally stored App data may be included in your device backups (e.g., encrypted iCloud backup or local iTunes/Finder backup). You control backup settings in iOS.
Retention: The App does not enforce server-side retention. Data persists on your device until you delete it, the App, or the relevant Health records (via the Health app).
8) Research Use
If you use the App as part of an approved research study:
Your informed consent will describe what data is collected, how it may be shared by you or your study device, and who can access it.
The App itself does not transmit data automatically; any transfers must be initiated by you or configured by your institution using device-level workflows consistent with the consent and approvals.
9) Security
We design the App so that core processing is on device. Still, no system can guarantee perfect security. You are responsible for:
Keeping your device updated and secured (passcode/biometrics).
Managing permissions and backups.
Exporting or sharing data only with trusted recipients.
10) Your Choices & Rights
Permissions: Grant or revoke Camera/Photos/Health access at any time in iOS Settings.
View/Correct/Delete (on device): You can delete App data by removing items within the App (if supported), deleting Health records via the Health app, and/or uninstalling the App.
Research rights: If used in a study, follow the instructions in your consent for exercising rights (e.g., withdrawal, access, correction, deletion).
Jurisdictional rights (GDPR/UK GDPR/CCPA/CPRA and others): Depending on where you live, you may have rights to access, correct, delete, restrict, or port personal data. Because the App does not send your data to CarDS Lab by default, we may not possess any data to respond to such requests—most actions will occur on your device. If you believe CarDS Lab holds a copy (e.g., you emailed logs), contact us using the information below.
11) Children’s Privacy
The App is intended for adults or authorized research participants. It is not directed to children under 13 (or under the age defined by local law). If you believe a child has provided data to CarDS Lab outside a research protocol, contact us so we can address it.
12) Third-Party Components
The App uses Apple frameworks (e.g., HealthKit, Vision, CoreML) and may include third-party/open-source components (e.g., TensorFlow Lite) on device. These components operate locally; they do not receive your ECG data unless you initiate an export to them (the App does not do so by default). Licenses for third-party components are provided in the App or documentation.
13) International Transfers
By default, the App does not transmit your data to CarDS Lab or any server; therefore, there are no routine international transfers. If you voluntarily export data to an external service, that transfer is governed by the destination’s terms.
14) Changes to This Policy
We may update this Policy to reflect changes in the App, laws, or research practices. When we do, we will update the “Effective date” above. Your continued use after changes take effect means you accept the updated Policy.
15) Contact Us
Questions about privacy or this Policy:
Cardiovascular Data Science Lab (CarDS Lab)
Email: contact@cards-lab.org
Address: New Haven, CT, USA
16) Important Notices
The App is for research use only and is not a medical device. Do not make medical decisions based on the App’s outputs.
Health/HealthKit data, if accessed, is used solely to provide App features and permitted research purposes; it is not used for advertising or sold to third parties.
You control exports and sharing—use caution when sending data outside your device.