Legal/Medical Research Engine

Privacy Policy & GDPR Compliance

✅ Fully GDPR Compliant

This service is designed with privacy-by-design principles and is fully compliant with the General Data Protection Regulation (GDPR). We do not collect, store, or process any personal data.

Privacy Policy

Last Updated: December 26, 2025

Overview

The Legal/Medical Research Engine is designed with privacy-by-design principles and is fully GDPR compliant. This document outlines how we handle data and protect user privacy.

Data Collection

What We DON'T Collect

  • No Personal Data Collection: We do not intentionally collect, store, or process personal data beyond what is necessary for service operation
  • No Query Logging: User queries are processed in real-time and immediately discarded
  • No User Tracking: No cookies, tracking pixels, or user identification
  • No Session Data: No user sessions or authentication data
  • No Long-term IP Storage: IP addresses are not stored in our databases or logs beyond temporary rate limiting (see IP Address Handling below)

What We DO Process

  • Public Legal/Medical Documents: Only publicly available EU legal documents and medical texts
  • Real-time Query Processing: Queries are processed on-the-fly and not stored
  • Anonymous Statistics: Only aggregate, non-identifiable statistics (optional)

IP Address Handling (GDPR Compliance)

⚠️ Important: IP addresses are considered personal data under GDPR

This section explains how IP addresses are handled to ensure full transparency and GDPR compliance.

Our Application (Backend)

  • Rate Limiting: IP addresses are temporarily used in memory for rate limiting (preventing abuse). This data is stored in memory only and is automatically cleared when the server restarts (typically within 24 hours or upon server restart).
  • Request Logging: IP addresses may appear in server logs for security and debugging purposes. These logs are automatically rotated and deleted after a maximum retention period of 30 days. Logs older than 30 days are permanently deleted.
  • No Database Storage: IP addresses are NOT stored in any database or persistent storage.
  • No Cross-Request Tracking: IP addresses are not used to track users across requests or build user profiles.

Third-Party Infrastructure (Vercel & Railway)

Important: This service is hosted on third-party infrastructure providers who may log IP addresses as part of their standard operations:

  • Vercel (Frontend Hosting): Vercel may log IP addresses for security, analytics, and service operation. Please refer to Vercel's Privacy Policy for details on their IP address handling.
  • Railway (Backend Hosting): Railway may log IP addresses for security and service operation. Please refer to Railway's Privacy Policy for details on their IP address handling.
  • No Control: We do not control or have access to IP address logs maintained by these third-party providers.
  • Data Processing Agreement: These providers act as data processors under GDPR. Their logging practices are governed by their own privacy policies and GDPR compliance measures.

Your Rights Regarding IP Addresses

  • Right to Information: You have the right to know how your IP address is processed (this section provides that information).
  • Right to Object: If you have concerns about IP address processing, you can contact us (see Contact section).
  • Third-Party Rights: For IP addresses logged by Vercel or Railway, please contact those providers directly using their privacy policies.

Legal Basis for IP Address Processing

Under GDPR Article 6, IP addresses are processed based on:

  • Legitimate Interest: IP addresses are processed for security (preventing abuse, DDoS attacks) and service operation (rate limiting, debugging).
  • Necessity: IP address processing is necessary for the technical operation of the service and cannot be avoided when using standard web infrastructure.
  • Minimization: We minimize IP address processing to only what is necessary for service operation and security.

Data Processing

Location

  • All processing happens on our servers (hosted on Railway infrastructure)
  • No data is sent to external AI services or third-party APIs
  • Processing is done locally on our infrastructure
  • Note: Infrastructure providers (Vercel, Railway) may log IP addresses as part of their standard operations (see IP Address Handling above)

Data Flow

  1. User submits a query → Query is anonymized (PII removed)
  2. Query is processed → Documents are retrieved and analyzed
  3. Answer is generated → Response is sent to user
  4. Query is immediately discarded → No storage or logging
  5. IP address used only for rate limiting → Stored in memory temporarily, not persisted

GDPR Compliance

Article 5 - Principles of Processing

  • Lawfulness: Processing is necessary for providing the service
  • Purpose Limitation: Data is only used for document search
  • Data Minimization: Only minimal data needed for processing
  • Storage Limitation: No data storage = no retention issues
  • Integrity and Confidentiality: All processing is local and secure

Article 6 - Lawful Basis

  • Legitimate Interest: Providing public access to legal/medical information.
  • No Consent Required: No personal data processing.

User Rights (Articles 15-22)

Since we don't store personal data, GDPR user rights are not applicable:

  • Right to Access (Article 15): N/A - No personal data stored
  • Right to Rectification (Article 16): N/A - No personal data stored
  • Right to Erasure (Article 17): N/A - No personal data stored
  • Right to Restrict Processing (Article 18): N/A - No personal data stored
  • Right to Data Portability (Article 20): N/A - No personal data stored
  • Right to Object (Article 21): N/A - No personal data stored

Right to Lodge Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. For IP addresses processed by our infrastructure providers (Vercel, Railway), you may also contact their respective data protection authorities.

Note: Since we do not store personal data, complaints would primarily relate to IP address processing by infrastructure providers. Please refer to Vercel's and Railway's privacy policies for their respective complaint procedures.

Security Measures

  • No Data Storage: Queries are not stored
  • Local Processing: All processing happens on-premises
  • HTTPS: Encrypted communication (recommended for production)
  • Input Sanitization: All queries are sanitized and anonymized
  • No External APIs: No calls to external services that might log data

Third-Party Services & Infrastructure

Infrastructure Providers (Data Processors)

This service uses third-party infrastructure providers who act as data processors under GDPR:

Service | Purpose | Data Processed | Privacy Policy
Vercel | Frontend Hosting | IP addresses (for security & service operation) | Vercel Privacy Policy
Railway | Backend Hosting | IP addresses (for security & service operation) | Railway Privacy Policy

Note: These providers may log IP addresses as part of their standard infrastructure operations. We do not control or have access to these logs. Please refer to their privacy policies for details on IP address handling and your rights.

Data Transfers to Third Countries

⚠️ Important: International Data Transfers

Our infrastructure providers (Vercel and Railway) may transfer IP addresses to third countries, including the United States, as part of their standard service operations.

  • Legal Basis: Data transfers are necessary for the technical operation of the service and are based on legitimate interest (GDPR Article 6(1)(f)).
  • US-EU Data Privacy Framework: Vercel and Railway may rely on the EU-US Data Privacy Framework adequacy decision (where applicable) or Standard Contractual Clauses (SCCs) for data transfers to the United States.
  • Data Processing Agreements: We rely on our infrastructure providers' GDPR-compliant data processing agreements, which include appropriate safeguards for international data transfers.
  • Minimization: Only IP addresses (necessary for service operation) are subject to potential international transfers. No other personal data is transferred.
  • Your Rights: You have the right to object to data transfers. However, please note that international transfers may be necessary for the service to function. For details on your rights regarding transfers, please refer to Vercel's and Railway's privacy policies.

Note: As a portfolio/showcase project, we minimize data processing to the absolute minimum necessary for service operation. International data transfers are limited to what is technically necessary for hosting infrastructure.

No Additional Third-Party Services

Beyond infrastructure hosting, this service operates independently:

  • No analytics services (Google Analytics, etc.)
  • No external AI APIs (OpenAI, Anthropic, etc.)
  • No external data processors
  • No tracking or advertising services

Cookies

No cookies are used. The service is stateless and doesn't require cookies. The only data stored locally is your disclaimer acceptance preference (stored in browser localStorage), which is not transmitted to any server.

Portfolio Project Notice

This is a portfolio/showcase project created for educational and demonstration purposes. It is not intended for commercial use. The source code repository is private and not publicly available. While we maintain high privacy standards, this project is provided "as is" without warranty. No guarantee is provided regarding the accuracy or reliability of AI-generated results.

Contact & Questions

Data Protection Contact:

Md Shahabub Alam
Bundesratufer 13
10555 Berlin
Germany

For privacy concerns or questions about this privacy policy, please refer to the Impressum / Legal Notice for contact information.

Note: This is a portfolio/showcase project. The source code repository is private and not publicly available.