T TNBC Atlas

Privacy policy

Short version: we collect as little about you as we can while still running the site. No accounts, no advertising, no third-party trackers, no behavioral profiling, no data sold or shared. The one thing you can opt into is our email newsletter, which you can leave at any time. The longer version is below.

What we collect

Only what is strictly needed to operate the site:

What we don’t collect

Cookies

The site uses cookies only for essential functions (for example, remembering that you closed a notice). No analytics, advertising, or tracking cookies are set. Because we use no non-essential cookies, no cookie-consent banner is required and none is shown.

The bibliography library and search

The evidence library runs entirely in your browser. The 14,000+ bibliography records are downloaded as a single static file when you load the page; everything else — search, filtering, sorting, pagination — happens locally on your device. We do not log your search terms or your filter choices.

Clicking a DOI, PMID, or open-access link in the library opens the publisher’s page in a new tab. Once you click out, the destination site’s privacy policy applies, not ours.

Third-party links

We link out to PubMed, doi.org, ClinicalTrials.gov, publisher journal pages, and patient-advocacy organizations. Those destinations have their own privacy policies; we do not control or monitor what they collect.

Hosting and where data lives

The static site is hosted on Cloudflare’s global content network. The bibliography database (when later moved off the pilot environment) will be hosted on a managed European provider (Hetzner Cloud, Germany). Aggregate analytics, when enabled, will be self-hosted in the same European environment. We avoid sending data outside the EU/EEA unless there is a documented and necessary reason.

Your rights

Because we collect so little, most data-protection requests have a simple answer: there is nothing about you to access, correct, or delete beyond what is described above. If you have submitted a contact-form message and want it deleted before the 90-day automatic deletion, write to us at the address below and we will delete it on receipt.

Under GDPR (EU/EEA), UK GDPR, and similar regimes (California CCPA/CPRA, etc.), you have rights of access, correction, deletion, restriction, portability, and objection. To exercise any of these, contact us at the address below.

Children

The site is not directed at children under 13 and we do not knowingly collect information from them. The content is written for adult patients, family members, clinicians, and researchers.

Security

The site uses HTTPS exclusively (HSTS preload), enforces a strict Content Security Policy, and is monitored for vulnerabilities through routine dependency updates. We do not retain payment information (we do not process payments). Security reports may be sent to the contact address below; we acknowledge security reports within 24 hours.

Changes to this policy

If we change this policy in a way that affects how we handle data, we will note the change in the errata and changelog page and update the last-reviewed date below. Older versions of the policy remain accessible by request.

How to contact us

Privacy questions, deletion requests, and security reports can be sent to privacy@tnbc.info.

Last reviewed: 2026-07-10. This policy reflects our current data practices; if we change how we handle data, we will note it in the errata and changelog and update this date.