Anspar Foundation • Effective: November 27, 2025
This Concise General Privacy Policy contains the essential information from the Comprehensive Privacy Policy necessary to comply with GDPR. In the event of a discrepancy, the Comprehensive Privacy Policy shall apply.
Anspar Foundation, privacy@anspar.org, is the data controller (GDPR) and covered entity (HIPAA). DPO: dpo@anspar.org.
Account info (name, email, DOB), health data (epistaxis events, severity, duration), clinical trial data (assessments, e-signatures), device/usage data, audit logs. Sources: you, healthcare providers (with consent), automated collection.
Service delivery (contract), research (consent), clinical trials (consent + legal obligation), security (legitimate interest), legal compliance (legal obligation). Health data: explicit consent (GDPR Art 9(2)(a)) or research (Art 9(2)(j)).
We don't sell data. Partners (opt-in only): research organizations, clinical trial sponsors, your healthcare providers—only with your explicit consent for services you request. Service providers: cloud hosting, security (under contract). Legal: regulators, courts when required.
Data may be transferred to the U.S. using Standard Contractual Clauses or the EU-U.S. Data Privacy Framework.
Account: life + 3 years. Health data: 7 years. Clinical trial data: 25 years (EU Annex 11). Audit logs: match source data.
All users: access, correct, delete (subject to legal retention), portability, withdraw consent.
HIPAA: access, amend, accounting of disclosures, restrict, confidential communications.
GDPR: above + object, restrict processing.
California: know, delete, correct, opt-out of sale (we don't sell), limit sensitive data use, non-discrimination.
Contact privacy@anspar.org. Response: 30 days (HIPAA), 1 month (GDPR), 45 days (CCPA).
Encryption (TLS 1.2+, AES-256), access controls, audit trails, breach notification (HIPAA: 60 days, GDPR: 72 hours).
Trial participants: data integrity requirements apply—original entries cannot be deleted, corrections stored as annotations, e-signatures legally binding, 25-year retention. Withdrawal stops future collection; existing data is retained per regulations.
Under 13 (U.S.) / 16 (EU): parental consent required.
Contact us first: privacy@anspar.org. Or: HHS Office for Civil Rights (HIPAA), your EU supervisory authority (GDPR), California Privacy Protection Agency (CCPA). We won't retaliate.
Use of specific systems (opt-in) may be governed by Privacy Policy Amendments as documented in the applicable system.
Material changes posted here with updated date; email notice for significant changes.