GDPR LGPD CCPA

Privacy Policy

This policy explains how DFFCO — Dehydration, Fibromyalgia and Cognitive Function collects, uses, stores and protects personal data from users worldwide — in compliance with the EU General Data Protection Regulation (GDPR), Brazilian LGPD and California CCPA.

Last updated: 15 July 2026 · Version 3.0

Educational content only. DFFCO is an educational scientific evidence repository. We do not collect, process or store health records, medical history, diagnoses or any clinical personal data. This platform does not constitute medical advice, diagnosis or treatment.

Contents

1 Data Controller

The data controller responsible for personal data processed through this platform is:

DFFCO is not a healthcare provider, medical institution, clinical research organization or regulated health entity. It is an open-access repository of peer-reviewed scientific evidence summaries for educational purposes.

2 Information We Collect

2.1 — Automatically collected (current)

2.2 — Voluntarily provided (future — newsletter)

When newsletter functionality is implemented, users who explicitly opt in will provide:

2.3 — What we do NOT collect

3 How We Use Information

Data collected is used exclusively for:

We do not use your data for advertising, profiling, automated decision-making, or any commercial purpose. We do not sell, rent, license or share personal data with third parties, except as required by law or described in Section 9 (International Transfers).

4 Legal Basis for Processing

We rely on the following legal bases under GDPR (Article 6) and LGPD (Article 7):

For California residents: our processing activities do not constitute a "sale" or "sharing" of personal information as defined by CCPA/CPRA. We do not use data for cross-context behavioral advertising.

5 Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Under GDPR (EU / EEA residents)

Under LGPD (Brazilian residents)

Under CCPA/CPRA (California residents)

To exercise any of these rights, contact us at contact@dffcoevidence.com. We will respond within 30 days (GDPR/LGPD) or 45 days (CCPA). Identity verification may be required before fulfilling requests.

6 Cookies & Tracking Technologies

DFFCO uses a consent-first, minimal cookie approach. Cookies fall into two categories:

6.1 — Strictly necessary (always active)

6.2 — Analytics (only with your consent)

We use Google Analytics 4, loaded through Google Tag Manager, to understand aggregate audience metrics (pages viewed, approximate region, device type). This is governed by Google Consent Mode v2: no analytics cookie or identifier is set until you accept through our cookie banner. If you decline, the analytics tags do not fire.

6.3 — External assets

Public pages load web fonts from Google Fonts, and interactive charts on the statistics page load the Plotly visualization library from a content-delivery network. These providers may log the requesting IP address per their own policies; only the static asset request is involved and no analytics identifier is shared. Application code and styling (Tailwind CSS and our own scripts) are self-hosted on our EU infrastructure.

7 Data Retention

When retention periods expire, data is securely deleted using methods appropriate to the storage medium. We do not retain personal data beyond what is necessary for the stated purpose.

8 Data Security

We implement technical and organizational measures proportionate to the risk level associated with the data we process:

No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals where required (GDPR Art. 34 / LGPD Art. 48).

9 International Transfers & Service Providers

DFFCO is hosted in the European Union. Primary infrastructure is operated by Hetzner Online GmbH in data centers located in Germany. For users in the EU/EEA, hosting therefore involves no international transfer of personal data.

We rely on a small number of carefully selected service providers (sub-processors) that may process limited data on our behalf. Where a provider processes data outside the EU/EEA, transfers are governed by an EU adequacy decision or Standard Contractual Clauses (SCCs) under GDPR Chapter V, and by LGPD Chapter IX for Brazilian users.

Sub-processors

Server-side calls to public scientific databases (PubMed / NCBI E-utilities) are performed by our servers only and transmit no personal user data.

10 Children's Privacy

DFFCO is a scientific evidence platform intended for adults, including healthcare professionals, researchers and patients. It is not directed at children under 13 years of age (or under 16 where required by local law, such as GDPR Article 8).

We do not knowingly collect personal data from children. If you believe a child has submitted data to this platform, please contact us immediately at contact@dffcoevidence.com and we will delete such data promptly.

11 Policy Updates

This Privacy Policy may be updated to reflect changes in our practices, legal requirements or platform features. When we make material changes, we will:

Continued use of the platform after the effective date of any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.

Previous versions of this policy are available upon request at contact@dffcoevidence.com.

12 Contact Us

For privacy-related inquiries, requests to exercise your rights, data breach reports or questions about this policy, please contact:

DFFCO — Dehydration, Fibromyalgia and Cognitive Function

Privacy inquiries: contact@dffcoevidence.com

Response time: within 30 days · Available in EN / PT

Contact us

Supervisory Authorities

EU residents may lodge a complaint with their national data protection authority (e.g., CNIL — France, Garante — Italy, BfDI — Germany). Brazilian residents may contact the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd. California residents may contact the CPPA (California Privacy Protection Agency).