1 Data Controller
The data controller responsible for personal data processed through this platform is:
- Organization: DFFCO — Dehydration, Fibromyalgia and Cognitive Function
- Nature: Independent scientific evidence repository — educational and research purposes
- Contact: contact@dffcoevidence.com
- Website: dffcoevidence.com
DFFCO is not a healthcare provider, medical institution, clinical research organization or regulated health entity. It is an open-access repository of peer-reviewed scientific evidence summaries for educational purposes.
2 Information We Collect
2.1 — Automatically collected (current)
- Server logs: IP address, browser type, operating system, pages visited, timestamp and HTTP status codes — retained for up to 90 days for security and diagnostic purposes only.
- Session data: A temporary, server-side session stores only your language preference (
lang). No persistent tracking cookies are set.
2.2 — Voluntarily provided (future — newsletter)
When newsletter functionality is implemented, users who explicitly opt in will provide:
- Email address — required for delivery
- First name — optional, for personalized salutation
- Thematic interest (Dehydration / Fibromyalgia / Hydration & Pain) — optional
- Subscription timestamp and confirmation record
2.3 — What we do NOT collect
- Health, medical or clinical records of any kind
- Government-issued identifiers (CPF, SSN, passport numbers)
- Financial data (no payments or purchases on this platform)
- Biometric or genetic data
- Behavioral tracking, cross-site profiling or advertising data
- Sensitive personal data as defined by GDPR Article 9 or LGPD Article 11
3 How We Use Information
Data collected is used exclusively for:
- Operating and maintaining the platform (server logs for security and diagnostics)
- Remembering your language preference within your current session
- Sending newsletter updates about new indexed articles and methodological developments (newsletter subscribers only — when implemented)
- Detecting and preventing unauthorized access or abuse
- Improving platform usability through aggregate, non-identifiable usage patterns
We do not use your data for advertising, profiling, automated decision-making, or any commercial purpose. We do not sell, rent, license or share personal data with third parties, except as required by law or described in Section 9 (International Transfers).
4 Legal Basis for Processing
We rely on the following legal bases under GDPR (Article 6) and LGPD (Article 7):
- Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)): Server logs and session data processed to ensure platform security, stability and abuse prevention — balanced against minimal privacy impact given the anonymous nature of the data.
- Consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)): Newsletter subscription processed on the basis of freely given, specific and informed consent via double opt-in. You may withdraw consent at any time.
- Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7(II)): Data may be processed if required by applicable law, court order or regulatory authority.
For California residents: our processing activities do not constitute a "sale" or "sharing" of personal information as defined by CCPA/CPRA. We do not use data for cross-context behavioral advertising.
5 Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
Under GDPR (EU / EEA residents)
- Right of access — request a copy of personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
- Right to lodge a complaint — with your national supervisory authority (e.g., CNIL in France, ICO in the UK, AEPD in Spain)
Under LGPD (Brazilian residents)
- Confirmation of processing existence and access to your data
- Correction of incomplete, inaccurate or outdated data
- Anonymization, blocking or deletion of unnecessary or excessive data
- Data portability to another service provider
- Deletion of data processed with your consent
- Information about third parties with whom data is shared
- Revocation of consent at any time
- Opposition to processing that violates LGPD provisions
Under CCPA/CPRA (California residents)
- Right to know what personal information is collected and how it is used
- Right to delete personal information (with certain exceptions)
- Right to opt out of the sale or sharing of personal information (we do not sell data)
- Right to non-discrimination for exercising CCPA rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (we do not process sensitive PI)
To exercise any of these rights, contact us at contact@dffcoevidence.com. We will respond within 30 days (GDPR/LGPD) or 45 days (CCPA). Identity verification may be required before fulfilling requests.
6 Cookies & Tracking Technologies
DFFCO uses a minimal cookie approach:
-
Session cookie (
session): A single server-side session cookie stores your language preference and, if logged in as an admin, your authentication state. This cookie expires when you close your browser or after a defined idle period. It contains no personal identifiers or tracking data.
We do not use: Google Analytics, Meta Pixel, advertising trackers, cross-site cookies, fingerprinting techniques, or any third-party analytics scripts. No tracking SDK is loaded on any public page.
Google Fonts and Tailwind CSS CDN are loaded from external servers; these providers may log IP addresses per their own privacy policies. We are evaluating self-hosting these assets to eliminate this exposure.
Because we use only strictly necessary session cookies, we are not legally required to present a cookie consent banner under current interpretations of GDPR Recital 30 and ePrivacy Directive guidance. If tracking cookies are introduced in the future, a consent mechanism will be implemented before deployment.
7 Data Retention
- Server logs: Retained for 90 days, then automatically deleted or anonymized.
- Session data: Automatically cleared when the session expires (browser close or idle timeout). No persistent user profiles are created for anonymous visitors.
- Newsletter emails (future): Retained for the duration of your subscription. Upon unsubscription, your email will be permanently deleted within 30 days. Aggregate statistics (number of subscribers per axis, send dates) may be retained in anonymized form.
- Admin accounts: Admin credentials are retained for as long as the account is active. Inactive accounts are reviewed and removed annually.
When retention periods expire, data is securely deleted using methods appropriate to the storage medium. We do not retain personal data beyond what is necessary for the stated purpose.
8 Data Security
We implement technical and organizational measures proportionate to the risk level associated with the data we process:
- HTTPS/TLS encryption for all data in transit (when deployed to production)
- Database access restricted to authenticated application services only
- Bcrypt password hashing for all administrative credentials
- Session tokens managed server-side with cryptographic signing
- Regular dependency updates and security monitoring
- Minimal data collection principle — we do not store what we do not need
No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals where required (GDPR Art. 34 / LGPD Art. 48).
9 International Data Transfers
DFFCO is currently operated locally (development phase). When deployed to production cloud infrastructure, data may be processed on servers located outside your country of residence.
- We will use only cloud providers that offer appropriate data processing agreements (DPAs) and standard contractual clauses (SCCs) compliant with GDPR Chapter V.
- Transfers to countries without an EU adequacy decision will be governed by EU SCCs or other approved transfer mechanisms.
- For Brazilian users, transfers will comply with LGPD Chapter IX requirements.
Third-party services currently used that may process data from your request:
- Google Fonts CDN: Fonts loaded from Google servers. Google LLC, based in the USA. See Google Privacy Policy.
- jsDelivr / Tailwind CDN: JavaScript loaded from CDN. Processing limited to the static asset request.
- PubMed / NCBI E-utilities: Article search API calls are server-side only; no user data is transmitted to NCBI.
10 Children's Privacy
DFFCO is a scientific evidence platform intended for adults, including healthcare professionals, researchers and patients. It is not directed at children under 13 years of age (or under 16 where required by local law, such as GDPR Article 8).
We do not knowingly collect personal data from children. If you believe a child has submitted data to this platform, please contact us immediately at contact@dffcoevidence.com and we will delete such data promptly.
11 Policy Updates
This Privacy Policy may be updated to reflect changes in our practices, legal requirements or platform features. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice on the platform homepage for at least 30 days after significant changes
- Notify newsletter subscribers by email for changes that affect how their data is used
Continued use of the platform after the effective date of any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.
Previous versions of this policy are available upon request at contact@dffcoevidence.com.
12 Contact Us
For privacy-related inquiries, requests to exercise your rights, data breach reports or questions about this policy, please contact:
DFFCO — Dehydration, Fibromyalgia and Cognitive Function
Privacy inquiries: contact@dffcoevidence.com
Response time: within 30 days · Available in EN / PT
Supervisory Authorities
EU residents may lodge a complaint with their national data protection authority (e.g., CNIL — France, Garante — Italy, BfDI — Germany). Brazilian residents may contact the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd. California residents may contact the CPPA (California Privacy Protection Agency).