1 Data Controller
The data controller responsible for personal data processed through this platform is:
- Organization: DFFCO — Dehydration, Fibromyalgia and Cognitive Function
- Nature: Independent scientific evidence repository — educational and research purposes
- Contact: contact@dffcoevidence.com
- Website: dffcoevidence.com
DFFCO is not a healthcare provider, medical institution, clinical research organization or regulated health entity. It is an open-access repository of peer-reviewed scientific evidence summaries for educational purposes.
2 Information We Collect
2.1 — Automatically collected (current)
- Server logs: IP address, browser type, operating system, pages visited, timestamp and HTTP status codes — retained for up to 90 days for security and diagnostic purposes only.
- Session data: A temporary, server-side session stores only your language preference (
lang). Analytics cookies are set only if you consent to them (see Section 6).
2.2 — Voluntarily provided (future — newsletter)
When newsletter functionality is implemented, users who explicitly opt in will provide:
- Email address — required for delivery
- First name — optional, for personalized salutation
- Thematic interest (Dehydration / Fibromyalgia / Hydration & Pain) — optional
- Subscription timestamp and confirmation record
2.3 — What we do NOT collect
- Health, medical or clinical records of any kind
- Government-issued identifiers (CPF, SSN, passport numbers)
- Financial data (no payments or purchases on this platform)
- Biometric or genetic data
- Behavioral tracking, cross-site profiling or advertising data
- Sensitive personal data as defined by GDPR Article 9 or LGPD Article 11
3 How We Use Information
Data collected is used exclusively for:
- Operating and maintaining the platform (server logs for security and diagnostics)
- Remembering your language preference within your current session
- Sending newsletter updates about new indexed articles and methodological developments (newsletter subscribers only — when implemented)
- Detecting and preventing unauthorized access or abuse
- Improving platform usability through aggregate, non-identifiable usage patterns
We do not use your data for advertising, profiling, automated decision-making, or any commercial purpose. We do not sell, rent, license or share personal data with third parties, except as required by law or described in Section 9 (International Transfers).
4 Legal Basis for Processing
We rely on the following legal bases under GDPR (Article 6) and LGPD (Article 7):
- Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)): Server logs and session data processed to ensure platform security, stability and abuse prevention — balanced against minimal privacy impact given the anonymous nature of the data.
- Consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)): Newsletter subscription processed on the basis of freely given, specific and informed consent via double opt-in. You may withdraw consent at any time.
- Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7(II)): Data may be processed if required by applicable law, court order or regulatory authority.
For California residents: our processing activities do not constitute a "sale" or "sharing" of personal information as defined by CCPA/CPRA. We do not use data for cross-context behavioral advertising.
5 Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
Under GDPR (EU / EEA residents)
- Right of access — request a copy of personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
- Right to lodge a complaint — with your national supervisory authority (e.g., CNIL in France, ICO in the UK, AEPD in Spain)
Under LGPD (Brazilian residents)
- Confirmation of processing existence and access to your data
- Correction of incomplete, inaccurate or outdated data
- Anonymization, blocking or deletion of unnecessary or excessive data
- Data portability to another service provider
- Deletion of data processed with your consent
- Information about third parties with whom data is shared
- Revocation of consent at any time
- Opposition to processing that violates LGPD provisions
Under CCPA/CPRA (California residents)
- Right to know what personal information is collected and how it is used
- Right to delete personal information (with certain exceptions)
- Right to opt out of the sale or sharing of personal information (we do not sell data)
- Right to non-discrimination for exercising CCPA rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (we do not process sensitive PI)
To exercise any of these rights, contact us at contact@dffcoevidence.com. We will respond within 30 days (GDPR/LGPD) or 45 days (CCPA). Identity verification may be required before fulfilling requests.
6 Cookies & Tracking Technologies
DFFCO uses a consent-first, minimal cookie approach. Cookies fall into two categories:
6.1 — Strictly necessary (always active)
- Session cookie (
session): A single server-side session cookie stores your language preference and, for authenticated curators and administrators, your login state. It carries no advertising or cross-site identifiers and expires when you close your browser or after an idle timeout. - Anti-bot challenge (Cloudflare Turnstile): On public forms (curator application, newsletter) we use Cloudflare Turnstile to block automated abuse. Running the challenge means Cloudflare, Inc. processes your IP address and basic browser signals. No advertising cookie is set.
6.2 — Analytics (only with your consent)
We use Google Analytics 4, loaded through Google Tag Manager, to understand aggregate audience metrics (pages viewed, approximate region, device type). This is governed by Google Consent Mode v2: no analytics cookie or identifier is set until you accept through our cookie banner. If you decline, the analytics tags do not fire.
- Legal basis: your consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)), which you may withdraw at any time by clearing cookies or changing your choice.
- Cookies set after consent: Google Analytics identifiers (e.g.
_ga) used solely to distinguish visitors for aggregate statistics. - No advertising: Google Signals, ads personalization and cross-context behavioral advertising are not enabled. We never use analytics data to profile or target you.
6.3 — External assets
Public pages load web fonts from Google Fonts, and interactive charts on the statistics page load the Plotly visualization library from a content-delivery network. These providers may log the requesting IP address per their own policies; only the static asset request is involved and no analytics identifier is shared. Application code and styling (Tailwind CSS and our own scripts) are self-hosted on our EU infrastructure.
7 Data Retention
- Server logs: Retained for 90 days, then automatically deleted or anonymized.
- Session data: Automatically cleared when the session expires (browser close or idle timeout). No persistent user profiles are created for anonymous visitors.
- Analytics data: Where you consent to analytics, aggregate data is retained by Google according to our GA4 configuration (up to 14 months) and processed only in aggregate, non-identifiable form.
- Curator applications & accounts: Data submitted by curator applicants (name, email, professional background, motivation) is retained while the application is under review and, if approved, for the duration of the collaboration. Rejected or withdrawn applications are deleted within 12 months.
- Newsletter emails (future): Retained for the duration of your subscription. Upon unsubscription, your email will be permanently deleted within 30 days. Aggregate statistics (number of subscribers per axis, send dates) may be retained in anonymized form.
- Curator & admin accounts: Credentials are retained for as long as the account is active. Inactive accounts are reviewed and removed annually.
When retention periods expire, data is securely deleted using methods appropriate to the storage medium. We do not retain personal data beyond what is necessary for the stated purpose.
8 Data Security
We implement technical and organizational measures proportionate to the risk level associated with the data we process:
- HTTPS/TLS encryption for all data in transit, with HSTS enforced (Let's Encrypt certificates)
- Hosting within the European Union (Germany) on ISO 27001-certified data-center infrastructure
- Database isolated on a private network, reachable only by authenticated application services — never exposed to the public internet
- Salted cryptographic password hashing for all credentials; plaintext passwords are never stored
- Two-factor authentication (TOTP) and automatic account lockout after repeated failed logins on privileged accounts
- Strict Content-Security-Policy, rate limiting and reverse-proxy hardening against common web attacks
- Session tokens managed server-side with cryptographic signing; secure, HttpOnly cookies
- Regular dependency updates, security monitoring and routine backups
- Minimal data collection principle — we do not store what we do not need
No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals where required (GDPR Art. 34 / LGPD Art. 48).
9 International Transfers & Service Providers
DFFCO is hosted in the European Union. Primary infrastructure is operated by Hetzner Online GmbH in data centers located in Germany. For users in the EU/EEA, hosting therefore involves no international transfer of personal data.
We rely on a small number of carefully selected service providers (sub-processors) that may process limited data on our behalf. Where a provider processes data outside the EU/EEA, transfers are governed by an EU adequacy decision or Standard Contractual Clauses (SCCs) under GDPR Chapter V, and by LGPD Chapter IX for Brazilian users.
Sub-processors
- Hetzner Online GmbH (Germany, EU) — website hosting, database and server logs. Data remains within the EU.
- Cloudflare, Inc. (EU / USA) — DNS and Turnstile anti-bot protection on public forms; processes IP address and basic browser signals to block automated abuse. Governed by SCCs.
- Google LLC (USA) — Google Analytics 4 / Tag Manager (only after your consent) and Google Fonts delivery. Governed by SCCs and the EU–U.S. Data Privacy Framework. See Google Privacy Policy.
- Resend, Inc. (USA) — transactional and newsletter email delivery, used only when you provide an email address. Governed by SCCs.
Server-side calls to public scientific databases (PubMed / NCBI E-utilities) are performed by our servers only and transmit no personal user data.
10 Children's Privacy
DFFCO is a scientific evidence platform intended for adults, including healthcare professionals, researchers and patients. It is not directed at children under 13 years of age (or under 16 where required by local law, such as GDPR Article 8).
We do not knowingly collect personal data from children. If you believe a child has submitted data to this platform, please contact us immediately at contact@dffcoevidence.com and we will delete such data promptly.
11 Policy Updates
This Privacy Policy may be updated to reflect changes in our practices, legal requirements or platform features. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice on the platform homepage for at least 30 days after significant changes
- Notify newsletter subscribers by email for changes that affect how their data is used
Continued use of the platform after the effective date of any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.
Previous versions of this policy are available upon request at contact@dffcoevidence.com.
12 Contact Us
For privacy-related inquiries, requests to exercise your rights, data breach reports or questions about this policy, please contact:
DFFCO — Dehydration, Fibromyalgia and Cognitive Function
Privacy inquiries: contact@dffcoevidence.com
Response time: within 30 days · Available in EN / PT
Supervisory Authorities
EU residents may lodge a complaint with their national data protection authority (e.g., CNIL — France, Garante — Italy, BfDI — Germany). Brazilian residents may contact the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd. California residents may contact the CPPA (California Privacy Protection Agency).