Privacy Policy
Version 1.2 · Effective 2026-04-19
1. Data controller
The controller of personal data processed in connection with the use of the Cancer3.AI website (the “Service”) is Cancer3.AI. Contact on personal-data matters: admin@cancer3.ai.
Processing is carried out under Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and the Polish Personal Data Protection Act.
Nature of the Service. The Service is a scientific, research, educational and science-popularisation project, maintained as a hobby, non-commercial, non-profit effort. The Service is intended for researchers, scientists, students and professionals with a scientific interest in oncology; the Discussion Groups are a space for the exchange of knowledge in general terms (scientific publications, clinical guidelines, epidemiology, research methodology) — they are not a space for discussing the health of specific individuals nor for patient support (see Terms, § 1 and § 5a). The Operator carries out no economic activity through the Service, charges no fees to Users, displays no advertising, does no marketing profiling, and neither sells nor rents data to third parties. The scope and depth of security measures deployed by the Service are proportionate to its non-commercial nature, limited processing scale, and minimal data set (Art. 32(1) GDPR — “taking into account the nature, scope, context and purposes of processing”).
2. Philosophy: data minimisation
The Service is designed around the principle of data minimisation (Art. 5(1)(c) GDPR). We deliberately do not require and do not ask for personal data. Creating an Account only requires a nickname and a password — we do not ask for an email, first name, surname, phone number, or any other identifying information.
We ask Users not to use personal data as their nickname (see section 6 of the Terms).
3. What data we collect
3.1. From non-logged-in visitors
- IP address — logged by the server in truncated form only: IPv4 to a /24 block, IPv6 to a /48 block. The full address is used once to derive the approximate country (below) and is not stored in the database in full form.
- User-Agent — browser/operating-system string.
- Referrer — the URL the User was redirected from (if the browser sends it).
- Path and time of visits — which Service URL was visited and when, stored in the `page_visits` table.
- Approximate country — derived from the IP via ip-api.com. Used only for aggregate statistics.
- Language preference — PL/EN choice stored in the session cookie (and, once non-essential cookies have been accepted, in the `locale` cookie; see section 5.1).
- Cookie decision — acceptance or refusal of non-essential cookies, stored in the `cookie_consent` cookie.
3.2. From registered Users
- Nickname — chosen by the User.
- Password hash — the password is stored only as a one-way hash (algorithm: werkzeug/scrypt). The Operator does NOT know Users’ passwords.
- Registration date and date of last acceptance of the Terms / Privacy Policy, along with the version numbers (proof of consent under Art. 7 GDPR).
- Preferred interface language (PL/EN).
- Discussion-group messages along with their AI translations.
- Private messages between Users, along with AI translations.
- Message reactions (e.g. “Support”, “You’re not alone”, “Thank you”).
- Account linkage of visits — the logged-in User’s ID is stored alongside the `page_visits` entry for statistics.
3.3. What we do not collect
We do not require and do not ask for: email address, first name, surname, phone number, home address, national ID, medical data (history, diagnoses, test results), payment data (the Service is free). We do not use profiling tools, behavioural advertising, or Google Analytics.
3.4. Special-category data — what we do NOT process (Art. 9 GDPR)
In line with the principle of data minimisation and to avoid triggering Article 9 GDPR, the Operator does not collect, require, invite or process any data revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade-union membership,
- genetic or biometric data used to uniquely identify a natural person,
- health data (diagnoses, test results, medical history, course of treatment, medications),
- data concerning sex life or sexual orientation.
The Service is not a medical tool, does not constitute medical records, and does not replace medical advice. The Terms (§ 5a) expressly forbid Users from voluntarily posting detailed medical data (nickname or name + diagnosis + facility), require that Users speak only in general, anonymised terms, and introduce a notice-and-takedown moderation model. A voluntary disclosure of such data by a User is a breach of the Terms and results in removal of the Content.
Under this architecture, the Service does not process special-category data within the meaning of Art. 9(1) GDPR. The Operator performs no statistical analysis, profiling, or linking of Content to health data. If a User publishes special-category data despite the prohibition, the Operator will remove it without undue delay upon notice or own detection.
4. Legal bases for processing (Art. 6 GDPR)
- Consent (Art. 6(1)(a)) — Account creation, posting Content, sending private messages, accepting non-essential cookies.
- Performance of a contract (Art. 6(1)(b)) — delivery of Service features after login.
- Legitimate interest (Art. 6(1)(f)) — security, abuse prevention, bot detection, aggregate visit statistics.
- Legal obligation (Art. 6(1)(c)) — fulfilling obligations under applicable law (e.g. responding to Users’ requests, handling abuse reports).
5. Cookies used by the Service
The Service uses cookies minimally. We do not use marketing, tracking or third-party advertising cookies.
5.1. Essential cookies (no consent required)
| Name | Purpose | Lifetime |
|---|---|---|
| `session` | Flask session (login state, CSRF) | Browser session |
| `remember_token` | “Remember me” at login | 30 days |
| `locale` | Store selected language (PL/EN) | Session / 365 days after consent |
| `cookie_consent` | Remember decision on non-essential cookies | 365 days |
5.2. Non-essential cookies
The Service currently does not use any non-essential cookies. If that changes (e.g. external analytics), the consent banner will clearly disclose them and the cookies will not fire without the User’s active consent.
6. Processors and sub-processors
The Operator entrusts processing of certain data to the following parties:
- Render Inc. (USA) — hosting of the application and database. Transfers to the USA rely on the EU Standard Contractual Clauses (SCCs). More: render.com/privacy.
- Anthropic PBC (USA) — provider of the Claude model used for automatic translation of Content in discussion groups and private messages. Details of this processing are set out in § 6a below. Key guarantees under the Anthropic API commercial terms:
  - Anthropic processes only the message text sent to the API, at the moment the call is made.
  - Data sent through the API is not used to train or fine-tune Anthropic models (Anthropic Commercial Terms of Service).
  - Anthropic applies a zero-retention policy for commercial API customers — request and response are not retained beyond the technical window required to serve the call.
  - The transfer to the USA relies on EU Standard Contractual Clauses approved by the European Commission (Decision 2021/914), which Anthropic incorporates into its Data Processing Addendum (DPA).
- Google LLC (USA) — Google Fonts (Inter font) via CDN. Google may receive visitors’ IP addresses to deliver the font. More: policies.google.com/privacy.
- ip-api.com — approximate country from IP for statistics. Requests contain only the visitor’s IP address.
6a. AI translation and Messages — processing details
6a.1. Automatic translation of Content (Anthropic)
The Service is bilingual (PL/EN). So that a User writing in Polish can be read by a User in English (and vice versa), Content (discussion-group posts and private messages) is automatically translated using Anthropic PBC’s Claude model.
Processing details:
- When: translation is triggered automatically at the moment the author publishes Content (post / message). The original text is sent to the Anthropic API and the Service stores the result alongside the original.
- What is sent: only the Content text and the minimum context the model needs (language direction). The Service does not send Anthropic the author’s nickname, IP address, Account linkage, message ID, or any other User metadata.
- Legal basis: performance of a contract for electronic services (Art. 6(1)(b) GDPR — translation is an integral function of the bilingual Service) and User consent given by accepting this Privacy Policy at registration (Art. 6(1)(a) GDPR).
- Role of Anthropic: processor within the meaning of Art. 28 GDPR. Anthropic processes the text solely to return the translation.
- No training use: under the Anthropic API commercial terms, data sent through the API is not used to train or fine-tune Anthropic models.
- No long-term retention: Anthropic applies a zero-retention policy for commercial API customers — request and response are not retained beyond the technical window required to serve the call.
- Transfer outside the EEA: Anthropic processes data on US infrastructure. The transfer relies on EU Standard Contractual Clauses (European Commission Decision 2021/914), incorporated into the Anthropic Data Processing Addendum (DPA).
- Scope of Content subject to translation: posts and replies in discussion groups (visible to other Users) and private messages (visible only to the other side of the conversation). The mechanism is identical in both cases — text passes through the Anthropic API.
- Practical consequence for Users: before sending any message or post, assume the text will be transmitted to Anthropic PBC in the US at that moment. The Terms (§ 5a) prohibit posting special-category data (including health data) in Content, and one of the reasons for that prohibition is precisely that Content leaves the EEA during translation.
6a.2. Private messages — additional notes
Private messages (PMs) exchanged between Users are stored in the Service database in plain text (not end-to-end encrypted at the application layer). Because the moderation function (§ 5a of the Terms — removal of Content upon notice) and the AI-translation function in § 6a.1 both require server-side access to message bodies, end-to-end encryption is not deployed. The Operator transparently discloses:
- Storage: Render (USA) PostgreSQL database with infrastructure-level at-rest encryption.
- Transport: HTTPS/TLS 1.2+ only.
- Operator technical access: possible but limited to (a) notice-and-takedown moderation, (b) diagnosis of technical errors, (c) responses to documented law-enforcement requests. The Operator does not routinely read private messages and does not use them for analytics, model training, or profiling.
- Retention: up to 24 months from the date of sending, unless the User deletes the message earlier or the sender’s or recipient’s Account is deleted.
- Advisory: Private messages are not a cryptographically end-to-end-secure channel — Users should treat them like email rather than an encrypted messenger. Do not send medical data, identity documents, passwords, or payment data over PMs.
7. Data retention
- User Account — until the Account is deleted at the User’s request or by the Operator (see section 17 of the Terms).
- Discussion-group Content — until deleted by the author or until Account deletion; after Account deletion may remain in anonymised form.
- Private messages — up to 24 months from the date of sending, or until the sender’s or recipient’s Account is deleted (whichever comes first).
- Visit logs (`page_visits`) — kept for up to 24 months for statistics and security, then deleted or aggregated.
- Consent records (acceptance timestamps for Terms and Policy) — kept up to 3 years after Account deletion, for audit.
- Backups — rotation up to 30 days.
8. Your rights (Arts. 15–22 GDPR)
Every User has the following rights:
- Right of access (Art. 15) — obtain a copy of data processed about you.
- Right to rectification (Art. 16) — correct inaccurate or complete incomplete data.
- Right to erasure (“right to be forgotten”, Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, commonly used format (e.g. JSON).
- Right to object (Art. 21).
- Right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
- Right not to be subject to automated individual decision-making (Art. 22) — the Service does not use such decision-making with legal effects.
9. How to exercise your rights
Most rights can be exercised directly after login, on the Account settings page:
- Art. 15 + Art. 20 GDPR — access and portability: the “Download JSON” button generates and downloads a JSON file with all data processed in connection with the Account (profile, discussion posts, reactions, private messages).
- Art. 17 GDPR — right to erasure: the “Delete Account” button leads to a confirmation form (nickname and password required). On confirmation, the Account and its personal data are deleted; retention periods are set out in § 7 above and the deletion mechanics (including anonymisation of posts that have replies) in § 12.7 below.
- Other rights (rectification, restriction, objection, withdrawal of consent) — please email.
For requests that cannot be performed in the interface (e.g. access to an Account after password loss, rectification after Account deletion, complaints about how a request was handled), please email: admin@cancer3.ai. In the message, please state the Account nickname and the kind of request. The Operator will respond without undue delay, at latest within 1 month of receiving the request (Art. 12(3) GDPR).
10. Complaint to a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority:
President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
www.uodo.gov.pl
11. Age of Users
The Service is intended for persons 16 years of age or older (Art. 8 GDPR). The Operator does not knowingly process data of persons under 16 without a legal guardian’s consent. Any such Account will be deleted upon detection.
12. Technical and organisational measures (Art. 32 GDPR)
The Operator has implemented technical and organisational measures proportionate to the nature, scope, context and purposes of processing, and to the risk to the rights and freedoms of natural persons. The Service is a hobby, non-commercial project, and the dataset has been minimised to a nickname and a password hash — which in itself constitutes a pseudonymisation safeguard (Recital 26 GDPR).
12.1. Confidentiality
- User passwords stored only as one-way hashes (werkzeug/scrypt). The Operator never knows plaintext passwords.
- All traffic encrypted with TLS 1.2+ (HTTPS) — automatic redirect from HTTP at the application layer, plus HSTS (`Strict-Transport-Security: max-age=31536000; includeSubDomains`) in the production environment.
- PostgreSQL database with at-rest encryption provided by the hosting operator (Render).
- Session cookies with `HttpOnly`, `Secure` and `SameSite=Lax` flags — inaccessible to JavaScript, sent over HTTPS only.
- The Flask session-signing key (`SECRET_KEY`) is required from an external environment variable in production — its absence halts application startup (safeguard against the default value).
- API credentials (Claude, ip-api) stored outside the source code, in platform environment variables.
- Restricted production console access — Operator only, authenticated through the hosting provider (Render), plus an additional second factor (TOTP) when logging into the Service’s administrative Account.
- IP addresses in visit logs are truncated to a /24 block (IPv4) or /48 block (IPv6) — the full IP address is never persisted in the database.
12.2. Integrity
- CSRF protection (Flask-WTF, `CSRFProtect`) on every state-changing form and on `fetch()` POST/PUT/PATCH/DELETE calls. Tokens valid for 1 hour.
- SQL-injection protection via the SQLAlchemy ORM with parameterised queries.
- XSS protection: Jinja2 default template escaping; `|safe` used only for sanitised Content.
- HTTP security headers: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`, `Content-Security-Policy` (default source `'self'` plus an explicit allow-list for external font/CDN providers), `Permissions-Policy` disabling camera, microphone, and geolocation access.
- Input length and format validation (min/max lengths, nickname patterns, rejection of nicknames that look like emails or phone numbers).
- Rate limits (flask-limiter) on authentication and Content-publishing endpoints — `/login` 10/min, `/register` 5/min, post publication 20/h, private messages 30/h, Account-deletion confirmation 10/h.
12.3. Availability and resilience
- Hosted on Render infrastructure with automatic process restart on failure.
- Database backups performed by the provider (rotation up to 30 days).
- Uptime monitoring.
- Regular library updates in response to published CVEs.
12.4. Pseudonymisation and minimisation
- User Accounts are created using only a nickname and a password — no identifying data about the natural person.
- Visit logs (`page_visits`) store the IP address only in truncated form: /24 for IPv4, /48 for IPv6. A /24 block still covers up to 256 hosts and a /48 a whole site allocation, so truncation reduces, rather than eliminates, the identifiability of an individual device. The session identifier (`visitor_hash`) is computed from the already-truncated address, so the full address never enters the hash.
- Visit logs are deleted after at most 24 months by the administrative command `flask purge-old-data` (Art. 5(1)(e) GDPR — storage-limitation principle).
- The Service enforces a minimal-identity principle — Content is published under the User’s nickname.
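The following is an added illustration of the truncation and hashing described in section 3.1 and in this section; it is not the Service’s own code. It assumes the truncation happens in application code before the row is written, uses only the Python standard library, and adds one design choice the Policy does not state: the `visitor_hash` is keyed with a server-side secret (hypothetical `VISITOR_HASH_KEY`), because an unkeyed hash of a /24 block can be reversed by hashing all 2^24 candidates.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical server-side secret, assumed to live in an environment variable in
# production (like SECRET_KEY on this page). Keying the hash is an assumption of
# this example; the Policy only says the hash is derived from the truncated address.
VISITOR_HASH_KEY = b"rotate-me-and-keep-out-of-source-control"


def truncate_ip(ip_text: str) -> str:
    """Return the network address of the /24 (IPv4) or /48 (IPv6) block containing ip_text.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which some proxies and dual-stack
    listeners hand over, are unwrapped first so they are truncated as IPv4 rather than
    as a /48 of ::ffff:0:0/96 (which would leave the whole IPv4 address intact).
    Raises ValueError for anything that is not an IP address.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 24 if ip.version == 4 else 48
    block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(block.network_address)


def visitor_hash(ip_text: str) -> str:
    """Pseudonymous visitor identifier computed from the truncated address only.

    Two addresses in the same /24 or /48 yield the same hash, so the identifier cannot
    single out a host inside a block; the keyed HMAC stops offline reversal of the hash
    back to the block.
    """
    material = truncate_ip(ip_text).encode()
    return hmac.new(VISITOR_HASH_KEY, material, hashlib.sha256).hexdigest()


def log_visit(raw_ip: str, user_agent: str, path: str) -> dict:
    """Build the page_visits row: the full address is consumed here and never stored."""
    return {
        "ip_block": truncate_ip(raw_ip),
        "visitor_hash": visitor_hash(raw_ip),
        "user_agent": user_agent,
        "path": path,
    }


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges, not real visitor data.
    for addr in ("203.0.113.77", "::ffff:203.0.113.77", "2001:db8:abcd:1234::5678"):
        print(f"{addr:30} -> {truncate_ip(addr)}")
    print(log_visit("203.0.113.77", "Mozilla/5.0 (constructed)", "/privacy"))
```

A practical check when auditing such a log pipeline: grep the stored rows for the full address of a known test visit; if it appears anywhere (including inside a User-Agent or referrer string), truncation is happening after persistence, not before.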
12.5. Two-factor authentication (MFA) on the administrative Account
- The Service’s administrator Account is protected by a second factor in the form of a TOTP code (RFC 6238) generated by an authenticator application (e.g. Google Authenticator, 1Password, Yubico Authenticator, Authy).
- After a successful password check, the Operator is redirected to a 6-digit-code entry screen; the half-logged-in session expires after 5 minutes.
- The code-verification endpoint is additionally rate-limited (10 attempts / min, 20 / h). Together with the 5-minute expiry of the half-logged-in session, this caps an attacker who already holds the password at roughly 20 guesses per login attempt against a six-digit code space, which makes brute-force guessing impractical.
12.6. Testing, review and improvement
- Regular review of the measures in place in response to feature changes.
- Monitoring of server logs for unusual activity.
- Bot and automation detection (`is_bot` flag on visit log rows).
- The Operator documents the deployed measures in the internal “Technical and Organisational Measures (Art. 32 GDPR)” document.
12.7. Self-service exercise of User rights
- Download a copy of the data (Art. 15 + Art. 20 GDPR) — the `/account/export` endpoint returns a JSON file containing all Account data.
- Deletion of the Account and personal data (Art. 17 GDPR) — the `/account/delete` endpoint requires nickname and password confirmation. Posts that have replies from other Users are anonymised (author changed to `__deleted__`, content replaced with “[deleted]”); the remaining Account data is permanently deleted. Retention periods for the data concerned are set out in § 7 above.
12.8. Limitations (full transparency)
In line with the transparency principle, the Operator openly lists the architectural limitations of the Service:
- Private messages and group posts are not end-to-end encrypted — content is accessible at the database layer to the Operator and the hosting provider (Render). It also passes through Anthropic PBC for translation (§ 6a.1).
- The Service has no third-party external security audit and no ISO 27001 certification — it is a hobby project maintained by a single administrator; the scope of safeguards reflects that scale.
- The Service does not deploy a dedicated WAF (Web Application Firewall); it relies on protections built into the Render platform.
- Users should not submit information to the Service that would require a higher security tier (medical, financial, identity data — see § 5a of the Terms).
13. Data-security incidents
In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Operator will notify the President of UODO without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to those rights and freedoms, the Operator will also inform the affected individuals (Art. 34 GDPR).
14. Transfers outside the European Economic Area (EEA)
Because of the locations of infrastructure providers (Render, Anthropic, Google), data may be processed in the United States. Transfers rely on the EU Standard Contractual Clauses approved by the European Commission (Decision 2021/914), providing an appropriate level of protection.
15. Changes to the Privacy Policy
The Policy may change due to new Service features, changes in third-party services, or changes in the law. Material changes will be announced through the Service. The current version is always available at: https://cancer3.ai/privacy.
16. Final provisions
The Polish version of the Policy is the binding version. The English version is provided for convenience.
17. Contact
For any personal-data matters, please contact:
admin@cancer3.ai