Privacy Policy

Effective date: 3 July 2026 - Version 4.0

1. Who we are

LOSPOR is an independent tool operated by Kaloyan Dzhunov (contact: kaloyandjunow@gmail.com).

Each user is the sole data controller for the clinical records they enter. Kaloyan Dzhunov operates the infrastructure that stores that data. By using LOSPOR, you acknowledge that you are responsible for ensuring your use complies with applicable data protection law.

2. What we process

  • Account data: name, email address, title, institution, registration date, last login time, role, and terms acceptance records.
  • Case data: structured perioperative fields, normalized research rows, append-only intraoperative events, timestamps, institution linkage, and audit metadata. No patient names, national ID numbers, dates of birth, or hospital record numbers are intended to be stored.
  • Audit log: records of case creation, update, deletion, AI use, export, and account events.
  • Session tokens: short-lived web session cookies and mobile bearer tokens. Bearer tokens are revoked on logout.
  • PWA local data: browser localStorage may hold the bearer token, offline drafts, queued saves, and queued intraoperative events until logout or successful sync.
  • Account emails: your email address is used to send email verification links (valid 24 hours) and password reset links (valid 1 hour). Tokens are stored hashed and are single-use.

3. Legal basis

  • Account data: legitimate interest in providing the service; explicit consent recorded at registration.
  • Case data: legitimate interest for personal learning log, audit, and pseudonymised research datasets; you remain responsible for the records you enter.

4. Sub-processors

  • Supabase: PostgreSQL database hosting.
  • Vercel: application hosting and serverless functions.
  • Mistral AI: opt-in AI inference for lab report images, monitor images, and structured clinical advisor requests. Uploaded images are processed for extraction and should be cropped to remove identifiers before upload.
  • Brevo: transactional email delivery (account verification and password reset emails). Only your email address and name are shared for the purpose of sending these emails.

5. Data retention

  • Case data is retained while your account is active and processed according to the applicable institutional or research retention policy after account deactivation.
  • Audit logs are retained for security, integrity, and medico-legal traceability according to the retention policy.
  • Deleted accounts are disabled immediately, the presented mobile token is revoked, and the account is marked as deleted. Further deletion or anonymisation is processed according to the retention policy.

6. Your rights

  • Access: download a JSON export of your account and cases from Settings - Privacy & Data.
  • Deletion: delete your account from Settings - Privacy & Data. Account access is disabled immediately. Further deletion or anonymisation requests can be sent to the contact address below.
  • For other requests, contact kaloyandjunow@gmail.com.

7. Security

Passwords are hashed with bcrypt. Sessions use short-lived tokens with a revocation mechanism. All traffic is encrypted over HTTPS. Free-text fields submitted via the API are checked server-side for common identifying patterns. Controlled clinical vocabulary labels are allowlisted so valid clinical terms are not blocked. This detection is best-effort and does not guarantee that all personal identifiers are caught.

Terms of Service - Back to login