
About:Privacy: Difference between revisions

From Pharmacopedia
Pharmacopedia is being built in public. Pages may be incomplete.
Privacy: expand OAuth-consumer list (PCPapp + PubSci + Oyami); Trykl noted as future
Correct data controller model to layered (Q6); update backup retention; remove premature Oyami cross-link
Previous revision:

Pharmacopedia is a medicine-reference wiki. It is operated as a small project, not a company. This page describes what Pharmacopedia collects from you, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.

== Who runs Pharmacopedia ==

Pharmacopedia (PCP) is operated by Mark Elliott, MD, who is the data controller for everything you do on the wiki: your account, your edits, your profile, your assessments, your observations, and any other content you store against your account. There is no company or entity behind the site; Mark is responsible for it personally.

PCP.wiki also acts as an identity provider: other apps or sites can let you sign in using your PCP account through OAuth (the same pattern as "Sign in with Google"). When you authorize one of those consumer apps, it can read the parts of your PCP data that you grant it. Each consumer app is an independent data controller for its own platform data and for what it does with the PCP data it pulls. Current public consumers are PCPapp (the official Pharmacopedia mobile app), PubSci (an open peer-review wiki at pubsci.io), and Oyami (a periodic-conversation platform at oyami.org). Trykl will be added when it launches publicly. You can review and revoke consumer authorizations at [[Special:OAuthManageMyGrants]].

For PCP-side access, correction, or deletion requests, contact the address at the bottom of this page.

== What Pharmacopedia does not do ==

These are commitments, not aspirations:

* No analytics SDK, advertising tracker, or third-party telemetry runs on Pharmacopedia.
* Your data is not sold.
* No ads are shown. There are no advertisers.
* No AI participant reads your edits, your profile, your assessments, or your observations to feed any external model. The site has no LLM-in-the-loop on your account.
* No public rating, no leaderboard, no reputation signal is exposed about you to other users. Your edit history is public the way every wiki's edit history is public; nothing about your assessments or your private content is.

== What an account collects ==

Creating an account stores your username and password, plus an email address if you choose to add one. Email is optional but required for password reset. You can also turn on two-factor authentication, which stores a per-account secret.

If you edit pages, those edits are attached to your account by username. This is how the wiki works.

If you fill in the profile, life-story, assessments, observations, medicines, diagnoses, formal-test, vote, or report sections, the answers you give are stored against your account. Each section lets you choose who sees it (private, alias, real username). The default is private. You can change the visibility at any time, or clear the section by emptying its fields.

If you take an assessment that has been administered to you by someone else through the Administer panel, your answers are stored in an encrypted form that only you can read; the person who administered it sees only the score, never the individual responses.

If you use the iOS app, your favourite pages, recently-viewed pages, page annotations, and widget responses sync between your devices and the server.

== What anonymous browsing collects ==

If you read without an account, the web server records your IP address and user-agent string in its access log, the same way every web server does. Sysops can see the IP of edits made without an account.

== Third parties ==

A few outside services are involved in running the site:

* '''Cloudflare Turnstile''' is used for the account-creation and failed-login challenges. It receives the challenge interaction. It is not used for tracking or analytics elsewhere on the site.
* '''Gmail SMTP''' (Google) sends transactional email: password resets, email confirmations, watchlist notifications, and cross-user notifications. Your email address goes to Google for the purpose of delivering the message.
* '''Hosting''' is on a single virtual machine; nothing is fronted by a content-delivery network.
* '''Backups''' of the database (which includes user content) are encrypted on the host with a strong symmetric key before being copied off-site. The off-site holder cannot read the contents.
* '''The iOS app''' is the only first-party software outside the website; it authenticates against your wiki account and syncs only the data named above.

The site does not run any analytics service, advertising SDK, or third-party tracking. There is no payments integration.

== Cookies ==

Login uses session cookies and a long-lived login token if you tick "remember me". A small number of preference cookies remember your theme and similar settings between visits. No tracking cookies, no third-party cookies.

== Encryption ==

* '''In transit:''' every connection to the website and the API is HTTPS. The certificate is issued by Let's Encrypt and renewed automatically.
* '''Passwords:''' stored as PBKDF2-SHA512 hashes, never as plain text. We cannot recover a forgotten password; reset is the only path.
* '''Two-factor:''' if you enable it, the per-account secret is stored separately from your password and is required, with your password, to sign in.
* '''Assessments administered to you by someone else''' (the Administer feature) are end-to-end encrypted to the recipient using a libsodium X25519 sealed box; the response is wrapped at rest with AES-256-GCM. Recipients hold their own keypair: in '''passphrase mode''', the private key is unwrapped from an Argon2id-derived key that lives only in the recipient's head, and the server itself cannot decrypt the responses without that passphrase. In '''managed mode''', the wrap key is held server-side in a file outside the database, for clinicians who prefer that custody model. The mode is the recipient's choice.
* '''iOS app:''' OAuth 2.0 with PKCE; access and refresh tokens are kept in the iOS Keychain on your device. The app never holds your wiki password.
* '''Backups:''' database and content are encrypted with GPG AES-256 on the host before any copy leaves the host. The off-site holder cannot read them.

== How long things are kept ==

* Server access logs and error logs: rotated daily, kept for 14 days, then deleted.
* Database backups: kept up to 7 days on the host, then up to 14 days in active off-site storage. The off-site provider retains deleted copies in a recovery layer for up to 180 additional days before permanent deletion; all copies are GPG-AES256 encrypted and the provider cannot read them.
* Account data and the content you have stored against your account: kept until you ask us to delete it (see below).
* Page revision history is permanent, the same as every wiki; this is how attribution works.

== Your data, what you can do with it ==

* '''See it.''' Your account page (Special:MyProfile and similar) shows what you have stored. Special:Contributions lists your edits.
* '''Change it.''' Every field you have filled in can be edited or emptied through the page where you entered it.
* '''Export it.''' Email us and we will return your account data in a machine-readable form.
* '''Delete it.''' Email us and we will delete the data you have stored against your account: profile, life story, assessments, observations, medicines, diagnoses, app-sync rows, comments, feature-request entries, and similar. Your edits to wiki pages remain, with your username on them, unless you ask for a username rename as well; this is how page-revision attribution works. Encrypted off-site backups are removed from active storage after 14 days. The off-site provider keeps deleted files in a recovery layer for up to 180 additional days, during which the encrypted bundle may remain recoverable by the account operator; after that window the bundle is permanently deleted. The backup is GPG-AES256 encrypted at all times; the off-site provider cannot read it.

For any of the above, email '''info@pharmacopedia.wiki'''.

=== If you are in California (CCPA / CPRA) ===

You additionally have the right to know the categories of personal information collected, the right to opt out of sale or sharing (Pharmacopedia does not sell or share personal information for cross-context behavioral advertising; there is no sale to opt out of), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. Assessment data, particularly clinical-scope assessments, is sensitive personal information under CPRA. The categories collected are listed in "What an account collects"; retention periods are in "How long things are kept."

=== If you are in the EU, UK, or another GDPR-aligned jurisdiction ===

The same baseline rights apply, framed as your GDPR rights of access, rectification, erasure, restriction, portability, and objection. The legal basis for processing is your consent (for the account itself and for any assessment storage) and Pharmacopedia's legitimate interest in running the medicine-reference wiki you signed up for. There is no automated decision-making with legal effects. International data transfers from the EU/UK to the United States, where Pharmacopedia's servers live, are made under appropriate safeguards (standard contractual clauses or successor mechanisms).

== Children ==

Pharmacopedia is for mature audiences and limited to adults (18+) in this version. Personal information is not knowingly collected from anyone under 13. A separate posture for users between 13 and 17 is being developed; until that is published, no one under 18 should use Pharmacopedia. If a child under 13 has provided personal information, contact info@pharmacopedia.wiki and it will be deleted.

== Details ==

If you'd like the actual details of our (world-class) security policies, they are nicely laid out [[About:Pharmacopedia.ext|here]].

== Changes to this policy ==

If we change this policy in a way that affects what we collect or how we use it, the change is announced on the Main Page and the prior version stays in the page history.

== Contact ==

Privacy questions or requests: '''info@pharmacopedia.wiki'''.

Revision as of 17:08, 31 May 2026:

{{DISPLAYTITLE:About:Privacy}}
__NOTOC__

This page describes how Pharmacopedia.wiki handles your data: what we collect, how we store it, who controls it, and how long we keep it.

Pharmacopedia.wiki is operated by the Pharmacopedia Collective, a nonprofit. The named data controller is Mark Elliott, MD (mark@pharmacopedia.wiki).

== What Pharmacopedia.wiki stores ==

=== Account data ===

When you create an account on Pharmacopedia.wiki, we store:

* Username
* Email address (optional; used for password recovery and notifications if you choose)
* Hashed password (bcrypt; we never store your password in cleartext)
* Account creation date

=== Assessment data ===

If you complete assessments on Pharmacopedia.wiki, we store your responses and computed scores. Assessment data is linked to your account. You can view your assessment history at [[Special:MyProfile]].

Assessment data is used for:

* Showing you your own results and history
* Internal research and analysis (see "Research use" below)

Assessment data is never sold, licensed, or shared with commercial entities. See [[Pharmacopedia:Refusals]] for the full list of commitments on data use.

=== MyLifeStory data ===

If you use [[Special:MyLifeStory]], your timeline entries (events, episodes, observations, stories, relationships, and attributes) are stored with the visibility level you choose:

* '''Private''' (default): visible only to you.
* '''Public + attribution''': visible to others with your display name.
* '''Public + username''': visible to others with your username.
* '''Public, no byline''': visible to others with no identifying information.

Private entries are never shared, exported, or made available to any other service. Public entries are visible on Pharmacopedia.wiki according to the level you select. You can change an entry's visibility at any time.

=== Derived data ===

Some data is generated from your account activity:

* Derived timeline events (auto-generated from your medications, diagnoses, and experience reports, visible in MyLifeStory)
* Profile statistics (assessment completion counts, timeline entry counts)

=== Page edits and contributions ===

Edits to wiki pages are logged with your username, edit timestamp, and edit summary. This is standard MediaWiki behavior and the edit history is publicly visible. We do not offer anonymous editing; all edits are attributed to a logged-in account.

== Data controller model ==

Pharmacopedia.wiki is one part of the Pharmacopedia Collective, which also operates Oyami (oyami.org), Trykl (trykl.org), and PubSci (pubsci.io). Your Pharmacopedia.wiki account works across all four services.

The data controller model is layered:

* '''Pharmacopedia.wiki''' is the data controller of the shared layer: your account identity and your assessment data at rest.
* '''Each service''' (Oyami, Trykl, PubSci) is the data controller of its own service-specific data (for example, Oyami session records, Trykl transaction records, PubSci submissions and reviews).
* '''Each service''' is also an independent data controller of its own processing of data it accesses from the shared Pharmacopedia.wiki layer. When Oyami accesses your assessment data to power its matching features, Oyami is making its own processing decisions and is a controller for that activity.

The named data controller on all services is Mark Elliott, MD.

For rights related to your account or assessment data, contact mark@pharmacopedia.wiki or visit [[Special:MyProfile]]. For rights related to your activity on a specific service, that service's privacy page is the authority.

== How long we keep your data ==

=== Active data ===

Your account, assessments, and timeline entries persist for as long as your account is active. You can delete individual timeline entries or assessment records at any time.

=== Backups ===

Pharmacopedia.wiki maintains encrypted backups:

* Up to 7 days on the backend host
* Then up to 14 days in active off-site storage
* Then up to 180 additional days in the off-site provider's deletion-recovery layer

All backups are encrypted (GPG, AES-256). The off-site provider cannot read the backup contents. Total worst-case time before permanent deletion of a deleted record: approximately 201 days.

This is current operational reality. When we migrate to infrastructure with hard-delete capability, the retention window will shorten and this page will be updated.

=== Account deletion ===

If you delete your account, your account data and assessment data are removed from the active database. Backup copies persist for the retention window described above, then are permanently deleted.

Page edits you made to public wiki pages remain in the edit history (attributed to your username) and are not deleted when your account is deleted. This is standard MediaWiki behavior.

== Research use ==

Assessment data may be used for internal research and analysis by Mark Elliott, MD. This research is internal to the Pharmacopedia Collective; we do not pursue peer-reviewed publication and therefore do not require IRB review. The research dataset is for Mark's internal analysis only.

Assessment data used for research is de-identified. Research results are never presented at an individual level.

== Third-party services ==

Pharmacopedia.wiki does not use third-party JavaScript on user-facing pages. Your browser talks only to Pharmacopedia infrastructure. See [[Pharmacopedia:Refusals]] for the full commitment.

Pharmacopedia.wiki uses OAuth 2.0 (with PKCE) to authenticate your account on connected services (Oyami, Trykl, PubSci). When you authorize a service, you see the specific data grants on the consent screen. You can manage your active grants at [[Special:OAuthManageMyGrants]].

== Your rights ==

You may:

* View all data associated with your account at [[Special:MyProfile]] and [[Special:MyLifeStory]]
* Delete individual assessment records or timeline entries
* Change the visibility of any MyLifeStory entry
* Revoke OAuth grants to connected services at [[Special:OAuthManageMyGrants]]
* Delete your account entirely by contacting mark@pharmacopedia.wiki
* Request a copy of your data by contacting mark@pharmacopedia.wiki

== Contact ==

For questions about this privacy notice or your data, contact Mark Elliott, MD at mark@pharmacopedia.wiki.

== Revision history ==

* 2026-05-24: Initial version.
* 2026-05-31: Corrected data controller model from "separate controllers" to layered controller model (Q6 decision, 2026-05-24). Removed premature cross-link to Oyami privacy document. Updated backup retention to reflect current 7+14+180 operational reality.

== See also ==

* [[Pharmacopedia:Refusals|Refusals]]
* [[Pharmacopedia:Reciprocity|Reciprocity (AI training posture)]]
* [[Pharmacopedia:Sources|Sources and licensing]]

[[Category:Pharmacopedia policy]]