About:Privacy: Difference between revisions

From Pharmacopedia
A-text correction for Dropbox 180-day deletion-recovery layer; matches Oyami PRIVACY.md v0.1 (Mark A+B 2026-05-24, server-claude finding 00:39, trust-claude wording lock 00:51)
Add 'Who runs Pharmacopedia' section: name Mark Elliott, MD as data controller; frame PCP/Oyami/Trykl as separate controllers per boss-claude Q6 decision 2026-05-24
Line 1: Line 1:
Pharmacopedia is a medicine-reference wiki. It is operated as a small project, not a company. This page describes what Pharmacopedia collects from you, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.
Pharmacopedia is a medicine-reference wiki. It is operated as a small project, not a company. This page describes what Pharmacopedia collects from you, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.
== Who runs Pharmacopedia ==
Pharmacopedia (PCP) is operated by Mark Elliott, MD, who is the data controller for everything you do on the wiki: your account, your edits, your profile, your assessments, your observations, and any other content you store against your account. There is no company or entity behind the site; Mark is responsible for it personally.
PCP is one of three sides of the Pharmacopedia empire (alongside Oyami and Trykl), all operated by the same person. Each side is its own separate data controller for the personal data it collects and processes; there is no joint controller arrangement across the three. The pattern is the industry standard for OAuth federation (compare "Sign in with Google"). If you also use Oyami, its own privacy posture lives in its [https://oyami.org PRIVACY.md] and it handles its own access and deletion requests for Oyami-side data.
For PCP-side access, correction, or deletion requests, contact the address at the bottom of this page.


== What an account collects ==
== What an account collects ==
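Review bot: In the added "Who runs Pharmacopedia" section, the link "[https://oyami.org PRIVACY.md]" is labelled as a document but points at the site root; link to the PRIVACY.md file itself so a reader following it lands on the policy text. The same paragraph says each side is "its own separate data controller" while all three are "operated by the same person", so it should state what distinguishes the controllers (for example, which address handles requests for each side), as is already done for PCP in the closing sentence. "Pharmacopedia empire" is also out of register with the plain-language tone of the rest of the policy; "three sides of Pharmacopedia" would carry the same meaning.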

Revision as of 21:31, 24 May 2026

Pharmacopedia is a medicine-reference wiki. It is operated as a small project, not a company. This page describes what Pharmacopedia collects from you, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.

Who runs Pharmacopedia

Pharmacopedia (PCP) is operated by Mark Elliott, MD, who is the data controller for everything you do on the wiki: your account, your edits, your profile, your assessments, your observations, and any other content you store against your account. There is no company or entity behind the site; Mark is responsible for it personally.

PCP is one of three sides of the Pharmacopedia empire (alongside Oyami and Trykl), all operated by the same person. Each side is its own separate data controller for the personal data it collects and processes; there is no joint controller arrangement across the three. The pattern is the industry standard for OAuth federation (compare "Sign in with Google"). If you also use Oyami, its own privacy posture lives in its PRIVACY.md and it handles its own access and deletion requests for Oyami-side data.

For PCP-side access, correction, or deletion requests, contact the address at the bottom of this page.

What an account collects

Creating an account stores your username and password, plus an email address if you choose to add one. Email is optional but required for password reset. You can also turn on two-factor authentication, which stores a per-account secret.

If you edit pages, those edits are attached to your account by username. This is how the wiki works.

If you fill in the profile, life-story, assessments, observations, medicines, diagnoses, formal-test, vote, or report sections, the answers you give are stored against your account. Each section lets you choose who sees it (private, alias, real username). The default is private. You can change the visibility at any time, or clear the section by emptying its fields.

If you take an assessment that has been administered to you by someone else through the Administer panel, your answers are stored in an encrypted form that only you can read; the person who administered it sees only the score, never the individual responses.

If you use the iOS app, your favourite pages, recently-viewed pages, page annotations, and widget responses sync between your devices and the server.

What anonymous browsing collects

If you read without an account, the web server records your IP address and user-agent string in its access log, the same way every web server does. Sysops can see the IP of edits made without an account.

Third parties

A few outside services are involved in running the site:

  • Cloudflare Turnstile is used for the account-creation and failed-login challenges. It receives the challenge interaction. It is not used for tracking or analytics elsewhere on the site.
  • Gmail SMTP (Google) sends transactional email: password resets, email confirmations, watchlist notifications, and cross-user notifications. Your email address goes to Google for the purpose of delivering the message.
  • Hosting is on a single virtual machine; nothing is fronted by a content-delivery network.
  • Backups of the database (which includes user content) are encrypted on the host with a strong symmetric key before being copied off-site. The off-site holder cannot read the contents.
  • The iOS app is the only first-party software outside the website; it authenticates against your wiki account and syncs only the data named above.

The site does not run any analytics service, advertising SDK, or third-party tracking. There is no payments integration.

Cookies

Login uses session cookies and a long-lived login token if you tick "remember me". A small number of preference cookies remember your theme and similar settings between visits. No tracking cookies, no third-party cookies.

Encryption

  • In transit: every connection to the website and the API is HTTPS. The certificate is issued by Let's Encrypt and renewed automatically.
  • Passwords: stored as PBKDF2-SHA512 hashes, never as plain text. We cannot recover a forgotten password; reset is the only path.
  • Two-factor: if you enable it, the per-account secret is stored separately from your password and is required, with your password, to sign in.
  • Assessments administered to you by someone else (the Administer feature) are end-to-end encrypted to the recipient using a libsodium X25519 sealed box; the response is wrapped at rest with AES-256-GCM. Recipients hold their own keypair: in passphrase mode, the private key is unwrapped from an Argon2id-derived key that lives only in the recipient's head, and the server itself cannot decrypt the responses without that passphrase. In managed mode, the wrap key is held server-side in a file outside the database, for clinicians who prefer that custody model. The mode is the recipient's choice.
  • iOS app: OAuth 2.0 with PKCE; access and refresh tokens are kept in the iOS Keychain on your device. The app never holds your wiki password.
  • Backups: database and content are encrypted with GPG AES-256 on the host before any copy leaves the host. The off-site holder cannot read them.

How long things are kept

  • Server access logs and error logs: rotated daily, kept for 14 days, then deleted.
  • Database backups: kept up to 7 days on the host, then up to 14 days in active off-site storage. The off-site provider retains deleted copies in a recovery layer for up to 180 additional days before permanent deletion; all copies are GPG-AES256 encrypted and the provider cannot read them.
  • Account data and the content you have stored against your account: kept until you ask us to delete it (see below).
  • Page revision history is permanent, the same as every wiki; this is how attribution works.

Your data, what you can do with it

  • See it. Your account page (Special:MyProfile and similar) shows what you have stored. Special:Contributions lists your edits.
  • Change it. Every field you have filled in can be edited or emptied through the page where you entered it.
  • Export it. Email us and we will return your account data in a machine-readable form.
  • Delete it. Email us and we will delete the data you have stored against your account: profile, life story, assessments, observations, medicines, diagnoses, app-sync rows, comments, feature-request entries, and similar. Your edits to wiki pages remain, with your username on them, unless you ask for a username rename as well; this is how page-revision attribution works. Encrypted off-site backups are removed from active storage after 14 days. The off-site provider keeps deleted files in a recovery layer for up to 180 additional days, during which the encrypted bundle may remain recoverable by the account operator; after that window the bundle is permanently deleted. The backup is GPG-AES256 encrypted at all times; the off-site provider cannot read it.

For any of the above, email info@pharmacopedia.wiki.

Children

Children/minors are not allowed on Pharmacopedia. It is for mature audiences only.

Details

If you'd like the actual details of our (world-class) security policies, they are nicely laid out here.

Changes to this policy

If we change this policy in a way that affects what we collect or how we use it, the change is announced on the Main Page and the prior version stays in the page history.

Contact

Privacy questions or requests: info@pharmacopedia.wiki.