Privacy Policy

1. About Our Product — No Real Patient Data

Before discussing visitor privacy, one important clarification: PatientDatasets.com sells 100% synthetic patient records. These records are AI-generated and do not contain or derive from any real patient information. HIPAA does not apply to our products. There is no real Protected Health Information (PHI) in our datasets.

This Privacy Policy governs the personal information of our website visitors and customers — not the synthetic patient data we sell.

2. Information We Collect

2.1 Information You Provide

• Email address — when you sign up for a free sample, complete a purchase, or subscribe to updates
• Payment information — processed securely by Stripe. We never store credit card numbers.
• Name and institution — when purchasing instructor resources (for license verification)
• Support inquiries — emails sent to our support address

2.2 Automatically Collected Information

• Usage data — pages visited, time on site, referring URLs (via standard web analytics)
• Device and browser information — browser type, operating system, screen resolution
• IP address — used for analytics and fraud prevention; not linked to individual identities
• Cookies and similar technologies — session management and basic analytics (see Section 11)

3. Legal Basis for Processing (GDPR)

For visitors in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases:

• Contractual necessity — to fulfill your purchase, deliver downloads, and send order confirmations
• Legitimate interests — analytics, fraud prevention, watermark monitoring, and site security, where these interests are not overridden by your rights
• Consent — for optional marketing emails; you may withdraw consent at any time
• Legal obligation — for record retention required by applicable law (e.g., tax and accounting records)

4. How We Use Your Information

• Order fulfillment — to deliver your dataset download link and send order confirmations
• Email updates — if you opt in, to notify you of new datasets, workbooks, and annual updates
• Customer support — to respond to questions and resolve technical issues
• License management — to verify instructor credentials and manage academic licenses
• IP protection — email addresses are linked to watermarked dataset batches for piracy monitoring
• Site improvement — to understand which pages are most useful and improve the experience
• Legal compliance — to meet applicable tax, accounting, and regulatory obligations

5. Email Communications

When you provide your email address, you may receive:

• Your free sample download link (transactional — not subject to opt-out)
• Order confirmations and receipts (transactional — not subject to opt-out)
• Occasional product update notifications (marketing — requires opt-in)

You can unsubscribe from marketing emails at any time using the unsubscribe link in any email, or by contacting us at support@patientdatasets.com. We will process your request within 10 business days.

6. Data Sharing & Third Parties

We do not sell your personal information. We share it only with the following service providers:

• Stripe — payment processing. Your payment data is governed by Stripe's Privacy Policy.
• Google — email capture via Google Sheets/Forms (where applicable). Governed by Google's Privacy Policy.
• Netlify — website hosting and CDN. Processes server logs and basic analytics.
• Law enforcement or regulators — if required by applicable law, valid legal process, or court order

We require all third-party service providers to maintain appropriate security measures and to use your data only as instructed by us.

7. Dataset Watermarking & License Monitoring

Purchased datasets contain invisible watermarks tied to the purchaser's order record. We actively monitor public file-sharing platforms — including GitHub, Kaggle, Reddit, and Hugging Face — for unauthorized redistribution of licensed datasets.

If an unauthorized copy is identified, we will use the purchaser's contact information on record to initiate our enforcement process as described in our Terms of Service.

This monitoring practice is a disclosed condition of purchase. By purchasing, you acknowledge that datasets are watermarked and linked to your order.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. Specific retention periods:

• Purchase records and invoices — 7 years (required for tax and accounting compliance)
• Email addresses (marketing list) — until you unsubscribe or request deletion
• Email addresses (transactional / order records) — 7 years, linked to purchase records
• License records (instructor / academic) — duration of the license plus 2 years
• Watermark registry — indefinitely, for IP protection and enforcement purposes
• Support correspondence — 3 years from last contact
• Analytics data — 26 months in aggregate form; individual-level data deleted after 14 months

After the applicable retention period, data is securely deleted or anonymized.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to access — request a copy of the personal data we hold about you
• Right to correction — request correction of inaccurate or incomplete data
• Right to deletion — request deletion of your data, subject to our legal retention obligations
• Right to restrict processing — ask us to pause processing of your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests, including direct marketing
• Right to withdraw consent — withdraw consent for marketing emails at any time without affecting prior lawful processing
• Right to lodge a complaint — file a complaint with your national data protection authority (EEA/UK residents)

To exercise any of these rights, contact us using either method in Section 15. We will respond within 30 days (or within the timeframe required by applicable law).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know — the categories and specific pieces of personal information collected about you, and how it is used and shared
• Right to delete — request deletion of personal information we have collected, subject to exceptions
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising
• Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA
• Right to non-discrimination — we will not discriminate against you for exercising your rights

Categories of personal information collected: Identifiers (name, email, IP address); commercial information (purchase history); internet activity (browsing behavior on our site); inferences drawn from this information (product preferences).

To submit a California privacy request, contact us using either method in Section 15. We will respond within 45 days and maintain records of requests for 24 months as required by CPRA.

11. Cookies & Tracking

This website uses a minimal set of cookies:

• Strictly necessary cookies — session management and security. Cannot be disabled without breaking site functionality.
• Analytics cookies — aggregate usage data (pages visited, session duration). No cross-site tracking. No advertising networks.

We do not use third-party advertising cookies, behavioral tracking pixels, or retargeting networks. You can disable cookies in your browser settings; this may affect certain site functions such as cart management.

12. Data Security

We implement industry-standard technical and organizational security measures, including:

• HTTPS encryption for all data in transit
• Payment processing handled entirely by Stripe — card data never touches our servers
• Access controls limiting who can view customer data
• Regular review of security practices and third-party service providers

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and applicable regulators within the timeframes required by law.

13. International Data Transfers

PatientDatasets.com is operated from the United States. If you access our services from the EEA, UK, or other regions with data protection laws, your personal data may be transferred to and processed in the United States.

For transfers from the EEA or UK, we rely on applicable transfer mechanisms including Standard Contractual Clauses (SCCs) where required by GDPR. Our third-party processors (Stripe, Google, Netlify) maintain their own transfer mechanisms and adequacy certifications.

14. Children's Privacy

Our services are intended for healthcare students and professionals aged 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal information, contact us at support@patientdatasets.com and we will promptly delete it.

15. Changes to This Policy

We may update this Privacy Policy periodically. The "Last updated" date at the top reflects the most recent revision. For material changes, we will provide prominent notice on this page and notify active customers by email at least 30 days before the change takes effect.

Continued use of our services after the effective date of a revised policy constitutes acceptance of the changes.

16. How to Contact Us

For privacy-related questions, requests, or complaints, you may reach us by either of the following methods:

• Email: support@patientdatasets.com
• General support: support@patientdatasets.com

We will acknowledge your request within 5 business days and provide a substantive response within 30 days (45 days for California residents).

EEA and UK residents who are not satisfied with our response may lodge a complaint with their national data protection authority — for example, the ICO (UK), the CNIL (France), or the relevant supervisory authority in their EU member state.