Skip to main content
LiverWatch

Privacy Policy

Last updated: 1 June 2026

LiverWatch is a free, invitation-based service that scans PubMed daily and emails you a concise digest of new hepatology articles, filtered by the topics you choose and by journal quality. This policy explains what personal data we process, why, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Data controller

The controller responsible for your personal data is [À COMPLÉTER — identité du responsable de traitement, via LIVERWATCH_PRIVACY_CONTROLLER], an individual based in France. To exercise your rights or for any privacy question, contact us at [email protected]. The lead supervisory authority is the CNIL (France).

2. What data we process

  • Account: your email address, and your password stored only as a one-way bcrypt hash (we do not store or have access to your password in plain text).
  • Preferences: the categories you subscribe to, your digest time, time zone, frequency, and your "empty digest" choice.
  • Access requests: if you request access from the landing page, your email and, optionally, a short motivation and your name, institution and country.
  • Technical data: your IP address is processed transiently (held in memory, not stored long-term) to rate-limit requests and protect the service against abuse, plus a single session cookie to keep you signed in. This cookie is strictly necessary to provide the service you requested and therefore does not require your consent (Art. 82 of the French Loi Informatique et Libertés).

Providing your email address is required to use LiverWatch — without it we cannot create an account or send you digests. The optional fields in the access-request form (motivation, name, institution, country) are not required; omitting them has no effect on whether your request is considered.

We do not use analytics, advertising, tracking cookies, or profiling; we do not sell or rent your data; and we do not carry out automated decision-making within the meaning of Art. 22 GDPR.

3. Why we process it, and our legal basis

  • Account & digest delivery (email, preferences, session cookie) — necessary for the performance of the service you requested (GDPR Art. 6(1)(b)).
  • Security & abuse prevention (transient IP processing, rate-limiting, short-term technical logs) — our legitimate interest in protecting the service and its users from abuse, fraud and denial-of-service (GDPR Art. 6(1)(f)).
  • Optional access-request fields (motivation, name, institution, country) — your consent (GDPR Art. 6(1)(a)). You may omit these fields, and you can withdraw this consent at any time by emailing [email protected]; withdrawal does not affect the lawfulness of processing carried out beforehand.

4. Who can access your data (processors)

We rely on a small number of service providers acting on our behalf under a data processing agreement:

  • Hetzner Online GmbH — server hosting, in Germany (EU).
  • Mailgun (Sinch) — email delivery, EU region.
  • Cloudflare, Inc. — DNS, CDN and security/edge protection; it processes connection data (including IP addresses) to route and protect traffic.

We query PubMed (US National Library of Medicine) to retrieve articles; no personal data about you is sent to PubMed.

5. International transfers

Your account data is hosted in the EU (Germany) and email is sent via an EU region. Cloudflare, Inc. (United States) processes connection data (including IP addresses) at the network edge; this transfer is covered by a signed Data Processing Addendum incorporating the EU Standard Contractual Clauses (controller-to-processor, Module 2).

6. How long we keep it

  • Account and preferences: for as long as your account is active; deleted when you close your account or ask us to erase it.
  • Access requests: deleted a short time after a decision (approximately 90 days for handled requests).
  • Technical and security logs: retained for up to 30 days, then deleted.

7. Your rights

Under the GDPR you can ask to:

  • access your data and receive a copy, and — where applicable — receive it in a portable format (Art. 20);
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict certain processing;
  • withdraw your consent at any time (for the optional fields above).

Where we process your data on the basis of our legitimate interest (Art. 6(1)(f) — security and abuse prevention), you also have the right to object at any time, on grounds relating to your particular situation.

To exercise any of these, email [email protected]. You also have the right to lodge a complaint with your data protection authority — in France, the CNIL.

8. Security

We protect your data with HTTPS/TLS in transit, password hashing (bcrypt), access controls, EU hosting, and periodic encrypted backups.

9. Changes to this policy

We may update this policy; the "last updated" date above reflects the latest version. Material changes will be notified to active subscribers by email before they take effect.