Privacy Policy
Last updated: June 2026
1. Data Controller
The data controller responsible for your personal data is:
- Eleanor Watson, EthicsNet Ltd (Company number 11412076)
- 11 Kingfisher Business Park, Arthur Street, Lakeside, Redditch, United Kingdom, B98 8LG
For data protection queries, please contact us.
2. What Data We Collect
When you contact us through our website form, we collect:
- Your name
- Your email address
- The content of your message
- Timestamp of submission
3. How We Use Your Data
We process your personal data for the following purposes:
- Responding to inquiries: We use your contact information to respond to your questions or feedback about our research.
- Research collaboration: If relevant, we may contact you about research opportunities or collaborations.
4. Legal Basis for Processing
We rely on a single legal basis for each purpose described in section 3:
- Consent (Article 6(1)(a) GDPR): We process the name, email address, and message you submit through the contact form, in order to respond to your inquiry, on the basis of the consent you give when you tick the consent box and submit the form. You may withdraw this consent at any time (see section 7).
- Legitimate interests (Article 6(1)(f) GDPR): Where relevant, we may later contact you about research opportunities or collaborations. We rely on our legitimate interest in pursuing and managing research collaboration for this follow-up; you may object to it at any time (see section 7).
5. Data Sharing
Your data may be shared with:
- Formspree: Our form processor (see their privacy policy)
- Research team members: Only as necessary to respond to your inquiry
- No marketing third parties: We never sell or share your data for marketing purposes.
Clinic and third-party services
Some features of this site contact third parties directly from your browser. These services receive data as described below, not through us:
- Anthropic, PBC (Clinic): If you use the Clinic with a cloud model, your chat messages and the Anthropic API key you supply are sent directly from your browser to Anthropic's API, which acts as a data processor. This data does not pass through our servers. See Anthropic's privacy policy and usage policies.
- Content delivery networks (Book and Clinic): Two areas of this site load files from third-party content delivery networks directly to your browser; to deliver those files, the CDN receives your IP address (but none of your conversation or form data). The Book reading view (/book/) loads the MathJax maths-rendering library from jsDelivr when the page opens. In the Clinic, the semantic-search encoder used for differential diagnosis loads the transformers.js runtime from jsDelivr and the encoder model from Hugging Face whenever you run a differential diagnosis (including when you use a cloud model); if you additionally choose an in-browser (local) model, its model files are also downloaded from these CDNs. All other site assets, including fonts, are self-hosted, so browsing the rest of the site (for example the home page, framework, and Wizard) contacts no third-party CDN.
International transfers
Some of the third-party services above are based in the United States. As a result, your personal data (for example, the content of a contact form submission, or Clinic chat messages and your IP address) may be transferred to and processed outside the United Kingdom and European Economic Area. These recipients include Formspree (contact form) and, for the Clinic, Anthropic, PBC, together with the client-side content delivery networks that serve library and model files (jsDelivr, for the Book and the Clinic, and Hugging Face, for the Clinic). Where data is transferred outside the UK/EEA, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy regulations where applicable, in accordance with each provider's terms.
6. Data Retention
We retain your contact information and messages for as long as necessary to:
- Complete our correspondence with you
- Comply with legal obligations
- Fulfill your request, should you ask for deletion
7. Your Rights
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Object: Object to certain types of processing
- Withdraw consent: Withdraw consent at any time
8. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS encryption for data in transit
- Secure form processing through Formspree
- Limited access to personal data
9. Cookies and Browser Storage
This website does not set any cookies. We do not use analytics or marketing cookies. We do, however, use your browser's built-in Web Storage for functionality. Nothing stored in your browser is transmitted to us:
- Theme preference: Your dark-mode choice is saved under the pm-theme key in your browser's localStorage. It stays on your device and is never transmitted to us or any third party.
- Clinic conversation data: If you use the Clinic, your conversation transcript and message history, along with your model and other interface preferences, are stored in your browser's localStorage. This data persists on your device until you click "New Session" in the Clinic or clear your browser data; it is never transmitted to us.
- Clinic API key: If you supply your own Anthropic API key to use a cloud model in the Clinic, the key is held only in your browser's sessionStorage and is cleared automatically when you close the tab. It is never transmitted to us.
- Book reader preferences: The Book reading view saves your reading position, last-visit time, bookmarks, and display settings (font size, line and paragraph numbers, sidebar state) in your browser's localStorage so the Book can restore where you left off. This data stays on your device and is never transmitted to us.
10. Contact Us
For any privacy-related questions or to exercise your rights, please contact us, clearly stating your data protection request.
11. Complaints
If you're not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. As we are established in the United Kingdom, our lead supervisory authority is the Information Commissioner's Office (ICO), which you can contact at ico.org.uk. You may also lodge a complaint with the data protection authority in your own country of residence.