About:Privacy: Difference between revisions
Edit summary by MDElliottMD: About:Privacy parity additions: 'What Pharmacopedia does not do' commitments block, CCPA/CPRA + GDPR sub-sections, Children section tightened to COPPA-aware language. Mirrors Oyami PRIVACY.md v0.2 structure (interface-claude diff review).
(4 intermediate revisions by the same user not shown)
Latest revision as of 20:19, 25 May 2026
Pharmacopedia is a medicine-reference wiki. It is operated as a small project, not a company. This page describes what Pharmacopedia collects from you, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.
Who runs Pharmacopedia
Pharmacopedia (PCP) is operated by Mark Elliott, MD, who is the data controller for everything you do on the wiki: your account, your edits, your profile, your assessments, your observations, and any other content you store against your account. There is no company or entity behind the site; Mark is responsible for it personally.
PCP.wiki also acts as an identity provider: other apps or sites can let you sign in using your PCP account through OAuth (the same pattern as "Sign in with Google"). When you authorize one of those consumer apps, it can read the parts of your PCP data that you grant it. Each consumer app is an independent data controller for its own platform data and for what it does with the PCP data it pulls. The currently public consumer is PCPapp, the official Pharmacopedia mobile app. You can review and revoke consumer authorizations at Special:OAuthManageMyGrants.
For PCP-side access, correction, or deletion requests, contact the address at the bottom of this page.
What Pharmacopedia does not do
These are commitments, not aspirations:
- No analytics SDK, advertising tracker, or third-party telemetry runs on Pharmacopedia.
- Your data is not sold.
- No ads are shown. There are no advertisers.
- No AI participant reads your edits, your profile, your assessments, or your observations to feed any external model. The site has no LLM-in-the-loop on your account.
- No public rating, no leaderboard, no reputation signal is exposed about you to other users. Your edit history is public the way every wiki's edit history is public; nothing about your assessments or your private content is.
What an account collects
Creating an account stores your username and password, plus an email address if you choose to add one. An email address is optional, but without one you cannot reset a forgotten password. You can also turn on two-factor authentication, which stores a per-account secret.
If you edit pages, those edits are attached to your account by username. This is how the wiki works.
If you fill in the profile, life-story, assessments, observations, medicines, diagnoses, formal-test, vote, or report sections, the answers you give are stored against your account. Each section lets you choose who sees it (private, alias, real username). The default is private. You can change the visibility at any time, or clear the section by emptying its fields.
If you take an assessment that has been administered to you by someone else through the Administer panel, your answers are stored in an encrypted form that only you can read; the person who administered it sees only the score, never the individual responses.
If you use the iOS app, your favourite pages, recently-viewed pages, page annotations, and widget responses sync between your devices and the server.
What anonymous browsing collects
If you read without an account, the web server records your IP address and user-agent string in its access log, the same way every web server does. Sysops can see the IP of edits made without an account.
Third parties
A few outside services are involved in running the site:
- Cloudflare Turnstile is used for the account-creation and failed-login challenges. It receives the challenge interaction. It is not used for tracking or analytics elsewhere on the site.
- Gmail SMTP (Google) sends transactional email: password resets, email confirmations, watchlist notifications, and cross-user notifications. Your email address goes to Google for the purpose of delivering the message.
- Hosting is on a single virtual machine; nothing is fronted by a content-delivery network.
- Backups of the database (which includes user content) are encrypted on the host with a strong symmetric key before being copied off-site. The off-site holder cannot read the contents.
- The iOS app is the only first-party software outside the website; it authenticates against your wiki account and syncs only the data named above.
The site does not run any analytics service, advertising SDK, or third-party tracking. There is no payments integration.
Cookies
Login uses session cookies and a long-lived login token if you tick "remember me". A small number of preference cookies remember your theme and similar settings between visits. No tracking cookies, no third-party cookies.
Encryption
- In transit: every connection to the website and the API is HTTPS. The certificate is issued by Let's Encrypt and renewed automatically.
- Passwords: stored as PBKDF2-SHA512 hashes, never as plain text. We cannot recover a forgotten password; reset is the only path.
- Two-factor: if you enable it, the per-account secret is stored separately from your password and is required, with your password, to sign in.
- Assessments administered to you by someone else (the Administer feature) are end-to-end encrypted to the recipient using a libsodium X25519 sealed box; the response is wrapped at rest with AES-256-GCM. Recipients hold their own keypair: in passphrase mode, the private key is unwrapped from an Argon2id-derived key that lives only in the recipient's head, and the server itself cannot decrypt the responses without that passphrase. In managed mode, the wrap key is held server-side in a file outside the database, for clinicians who prefer that custody model. The mode is the recipient's choice.
- iOS app: OAuth 2.0 with PKCE; access and refresh tokens are kept in the iOS Keychain on your device. The app never holds your wiki password.
- Backups: database and content are encrypted with GPG AES-256 on the host before any copy leaves the host. The off-site holder cannot read them.
How long things are kept
- Server access logs and error logs: rotated daily, kept for 14 days, then deleted.
- Database backups: kept up to 7 days on the host, then up to 14 days in active off-site storage. The off-site provider retains deleted copies in a recovery layer for up to 180 additional days before permanent deletion; all copies are GPG-AES256 encrypted and the provider cannot read them.
- Account data and the content you have stored against your account: kept until you ask us to delete it (see below).
- Page revision history is permanent, the same as every wiki; this is how attribution works.
Your data, what you can do with it
- See it. Your account page (Special:MyProfile and similar) shows what you have stored. Special:Contributions lists your edits.
- Change it. Every field you have filled in can be edited or emptied through the page where you entered it.
- Export it. Email us and we will return your account data in a machine-readable form.
- Delete it. Email us and we will delete the data you have stored against your account: profile, life story, assessments, observations, medicines, diagnoses, app-sync rows, comments, feature-request entries, and similar. Your edits to wiki pages remain, with your username on them, unless you ask for a username rename as well; this is how page-revision attribution works. Encrypted off-site backups are removed from active storage after 14 days. The off-site provider keeps deleted files in a recovery layer for up to 180 additional days, during which the encrypted bundle may remain recoverable by the account operator; after that window the bundle is permanently deleted. The backup is GPG-AES256 encrypted at all times; the off-site provider cannot read it.
For any of the above, email info@pharmacopedia.wiki.
If you are in California (CCPA / CPRA)
You additionally have the right to know the categories of personal information collected, the right to opt out of sale or sharing (Pharmacopedia does not sell or share personal information for cross-context behavioral advertising; there is no sale to opt out of), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. Assessment data, particularly clinical-scope assessments, is sensitive personal information under CPRA. The categories collected are listed in "What an account collects"; retention periods are in "How long things are kept."
If you are in the EU, UK, or another GDPR-aligned jurisdiction
The same baseline rights apply, framed as your GDPR rights of access, rectification, erasure, restriction, portability, and objection. The legal basis for processing is your consent (for the account itself and for any assessment storage) and Pharmacopedia's legitimate interest in running the medicine-reference wiki you signed up for. There is no automated decision-making with legal effects. International data transfers from the EU/UK to the United States, where Pharmacopedia's servers live, are made under appropriate safeguards (standard contractual clauses or successor mechanisms).
Children
Pharmacopedia is for mature audiences and limited to adults (18+) in this version. Personal information is not knowingly collected from anyone under 13. A separate posture for users between 13 and 17 is being developed; until that is published, no one under 18 should use Pharmacopedia. If a child under 13 has provided personal information, contact info@pharmacopedia.wiki and it will be deleted.
Details
If you'd like the actual details of our (world-class) security policies, they are nicely laid out here.
Changes to this policy
If we change this policy in a way that affects what we collect or how we use it, the change is announced on the Main Page and the prior version stays in the page history.
Contact
Privacy questions or requests: info@pharmacopedia.wiki.