Privacy Policy
App Name: Jane’s Medical Journal
Introduction
This Privacy Policy is the fundamental transparency mechanism describing how the account management gateway collects, processes, transmits, and ultimately destroys user data. By clarifying these processes, we ensure compliance with global regulatory frameworks.
Data Collection and Authentication Specifics
This policy explicitly details the data points collected strictly at the account management tier. Authentication systems operate by collecting specific telemetry necessary for identity verification, session state validation, and security logging. The documentation of these categories satisfies the transparency requirements of global privacy laws, including the CCPA’s “Notice at Collection” and the GDPR’s Article 13 mandates.
We collect identity credentials, encompassing user-provided names, email addresses, and encrypted password hashes. We also collect authentication artifacts, which include secure authorization tokens and stateful session identifiers required to maintain access across the platform. Furthermore, we transparently collect security telemetry. This includes IP addresses, browser user-agent strings, timestamped login attempts, and geolocation data inferred from network routing, all of which are strictly utilized to detect anomalous login behaviors, brute-force attacks, and unauthorized account access.
Third-Party Sharing and Sub-processor Disclosures
Authentication portals inherently rely on external services to facilitate essential account management functions. We utilize third-party entities strictly as service providers or data processors, rather than third parties acquiring data for their own independent commercial use.
We utilize third-party email service providers specifically for transmitting password reset links, account verification codes, and critical security alerts. If the portal supports Multi-Factor Authentication (MFA), we may use SMS gateways to transmit one-time passcodes. The data shared with these entities is strictly limited to the absolute minimum necessary, and these entities are contractually prohibited from retaining, using, or selling this data for marketing or behavioral profiling. No data collected at the authentication tier will ever be shared with, sold to, or monetized by third-party advertisers or data brokers.
Jurisdictional Nuances: CCPA/CPRA and GDPR Mandates
To accommodate a global user base, our practices address distinct regional rights:
California Residents (CCPA/CPRA): We furnish a specific “Notice at Collection” prior to or at the point of data acquisition, informing residents of the categories of personal information collected, the business purposes for its use, and specific retention periods. Consumers have the Right to Know, Right to Correct inaccurate data, Right to Delete, and Right to Opt-Out of the sale or sharing of their data. We explicitly declare that we do not “sell” personal information for monetary or other valuable consideration.
European Union Residents (GDPR): We establish a strict lawful basis for processing under Article 6—such as the performance of a contract for basic account provisioning. Inactive accounts will be permanently purged after a defined temporal limit, and we provide a direct protocol for EU users to initiate a Data Subject Access Request (DSAR) or exercise their Right to Data Portability.