Privacy Policy
Overview
This Privacy Policy explains what data we collect when you visit Symptomatik.com (“Symptomatik,” “the Service”), why we collect it, how long we keep it, and the rights you have over it. Symptomatik is a pre-launch multilingual health information website. Today the site is read-only: there are no user accounts, no passwords, no payment forms, no comment sections, and nothing you can submit. The only personal data we process is a small amount of analytics information about your visit.
Symptomatik is operated by Digital Savages LLC, a Texas limited liability company with its registered address at 701 Tillery Street, 2840, Unit 12, Austin, TX 78702, United States. For the purposes of the EU and UK General Data Protection Regulation (GDPR/UK GDPR), Digital Savages LLC is the data controller.
If you have questions about this policy or want to exercise any of the rights described below, write to us at privacy@symptomatik.com.
Because Digital Savages LLC is a Texas-incorporated entity, the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, also applies where relevant; Texas residents may exercise the rights listed in the US section below.
The English version of this policy is the authoritative text. Polish and Spanish translations are provided for convenience.
Scope
This policy applies to symptomatik.com and its language variants (including /pl/ and /es/ paths). It does not cover third-party websites we link to; those sites have their own privacy policies. It also does not cover our planned future services (for example user accounts, Premium subscriptions, or AI-powered features), which will be introduced with updates to this policy before launch.
Definitions (short)
- Personal data / personal information: any information relating to an identified or identifiable individual.
- Processing: any operation performed on personal data, including collection, storage, use, and deletion.
- Controller: the entity that decides why and how personal data is processed (that’s us).
- Processor: a third party that processes personal data on our behalf under contract.
What data we collect
Because the site has no accounts, forms, or other submission mechanisms, we do not collect names, email addresses, phone numbers, health information, payment details, or any content you create. We do not operate a newsletter and we do not ask you to “sign up.”
The data we do collect falls into three narrow buckets:
1. Cloudflare Web Analytics (cookieless, aggregated)
Every visit to Symptomatik loads a small first-party analytics beacon from Cloudflare (beacon.min.js). This beacon is cookieless: it does not set any cookies, it does not write to localStorage, it does not fingerprint your device, and it does not assign you an individual identifier. It reports aggregated, anonymized data such as page URL, referrer, approximate country, browser family, and basic performance timings. Cloudflare does not use this data to build a profile of you.
2. Google Analytics 4 — only if you accept optional cookies
If, and only if, you click Accept on our cookie banner, we load Google Analytics 4 (GA4). GA4 sets two first-party cookies — _ga and _ga_<container-id> — which are used to distinguish unique visitors and persist session state. We have configured GA4 data retention to 14 months, we rely on GA4’s built-in behavior of not logging or storing full IP addresses, and we have disabled Google Signals and cross-device advertising features. If you decline the banner or ignore it, no GA4 cookies are loaded.
A summary of every cookie and similar technology used on Symptomatik is available in our Cookie Policy.
3. Server and security logs
Cloudflare acts as our CDN and web application firewall. As part of routing your request, Cloudflare temporarily processes your IP address, request URL, timestamp, HTTP status, user agent, and related security telemetry. These logs exist to keep the site online and to block abuse (denial-of-service attacks, credential stuffing, vulnerability probing). They are held for roughly 30 days and are not used to profile you.
How we collect it
- Automatically, when your browser loads a page (Cloudflare Analytics beacon and server logs).
- Automatically, only after you click Accept (GA4 cookies).
- Via your browser’s localStorage, where we store your cookie-banner decision as a single key named symptomatik_cookie_consent with a value of accepted or rejected. This is used to avoid re-showing the banner on every page.
We do not use pixels from advertising networks, session-replay tools, heat-map tools, or fingerprinting libraries.
Purposes of processing
We process the data described above to:
- Operate and maintain the site and keep it reasonably secure.
- Understand aggregate traffic patterns (which pages are read, which languages are used) so we can prioritize what to build next.
- Comply with our legal obligations, including responding to data-subject rights requests.
We do not process your data for advertising, profiling, credit decisions, or any other automated decision-making. See “No automated decision-making” below.
Legal bases for processing (GDPR / UK GDPR)
| Processing activity | Legal basis (GDPR Art. 6) | Why |
|---|---|---|
| Cloudflare Web Analytics (cookieless, aggregate) | Art. 6(1)(f) Legitimate interests | ePrivacy Art. 5(3) is not triggered because no information is stored on or read from your device; GDPR Art. 6(1)(f) applies to the minimal processing of HTTP request metadata. No cookies, no identifiers, no individual profiling — the balancing test favors this limited processing. |
| Cloudflare security / WAF / server logs | Art. 6(1)(f) Legitimate interests | Network and information security (see GDPR Recital 49). |
| Google Analytics 4 (after banner click) | Art. 6(1)(a) Consent | Non-essential cookies require prior informed consent under ePrivacy Directive / PECR. You can withdraw consent at any time. |
| Responding to data-subject rights requests | Art. 6(1)(c) Legal obligation | Required by GDPR and US state privacy laws. |
We do not rely on “performance of a contract,” “vital interests,” or “public interest” as legal bases for any of the processing above.
Cookies and similar technologies
A detailed inventory — with cookie names, purposes, providers, durations, and categories — lives in our dedicated Cookie Policy. In short: one first-party storage item is strictly necessary (your consent choice), Cloudflare’s analytics beacon sets no cookies, and the two GA4 cookies load only if you accept.
Recipients and third-party processors
We share data only with the service providers we need to run the site. We do not sell personal information and we do not share it for cross-context behavioral advertising.
- Cloudflare, Inc. (San Francisco, CA, USA) — CDN, DDoS protection, WAF, and Cloudflare Web Analytics. Cloudflare, Inc. self-certifies under the EU-US Data Privacy Framework.
- Google LLC (Mountain View, CA, USA) — Google Analytics 4, only if you consent via the banner. Google LLC self-certifies under the EU-US Data Privacy Framework.
If we add new processors in the future (for example hosting, email delivery, authentication, payments, or AI inference providers) we will update this section before they go live.
International data transfers
Digital Savages LLC is established in the United States, and our processors above are also US-based. If you access Symptomatik from the EU, UK, Switzerland, or another jurisdiction outside the US, your data will be transferred to and processed in the United States.
For such transfers we rely on:
- The EU-US Data Privacy Framework (and its UK and Swiss extensions) where the receiving organization is certified. Cloudflare and Google are certified under the DPF as of the Effective date of this policy; if certification lapses, we will update the transfer mechanism accordingly.
- The European Commission’s Standard Contractual Clauses (SCCs) as a fallback contractual safeguard.
You can request a copy of the safeguards in force by writing to privacy@symptomatik.com.
Retention
We keep data only as long as we need it:
- Cloudflare Web Analytics: up to 6 months, per Cloudflare’s configuration.
- Cloudflare server / security logs: 30 days.
- Google Analytics 4: 14 months (explicitly configured).
- Cookie-consent record (symptomatik_cookie_consent in your browser): persists until you clear site data; we re-prompt at most every 12 months.
- Records of data-subject rights requests and our responses: 3 years after the request is closed, to document compliance.
When a retention period expires, data is deleted or anonymized.
Your rights
If you are in the EU, UK, EEA, or Switzerland (GDPR / UK GDPR)
You have the right to:
- Access — ask whether we process data about you, and obtain a copy (Art. 15).
- Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
- Erasure — ask us to delete data we hold about you (Art. 17).
- Restriction — ask us to limit processing in defined circumstances (Art. 18).
- Data portability — receive data you provided in a machine-readable format (Art. 20).
- Object — object to processing based on legitimate interests, on grounds relating to your situation (Art. 21).
- Not be subject to automated decision-making that produces legal or similarly significant effects (Art. 22). We do not carry out any such decision-making — see below.
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Lodge a complaint with a supervisory authority (Art. 77).
If you are in the United States
Depending on your state of residence, you may have the following rights under laws including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA):
- Right to know what personal information we collect and how we use it.
- Right to delete personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information — we do not sell or share, but you can still exercise the right.
- Right to opt out of targeted advertising — we do not engage in it, but you can still exercise the right.
- Right to limit use of sensitive personal information (CPRA).
- Right to non-discrimination for exercising any right above.
- Right to appeal a denial of a rights request.
How to exercise your rights
Email privacy@symptomatik.com with a short description of your request and the jurisdiction you’re writing from. Because we do not operate accounts, we will usually only need the email address you’re writing from to correlate the request; if we need more to verify your identity we will ask for the minimum necessary.
- We acknowledge receipt within 10 business days (matching the CCPA requirement).
- We substantively respond within the statutory timelines: one month under GDPR (extendable by up to two further months where the request is complex or numerous — we will tell you if we extend), and 45 days under CCPA (extendable once for another 45 days where permitted).
- We honor Global Privacy Control (GPC) signals as a valid opt-out signal for US state-law rights.
- There is no charge for reasonable requests.
Right to complain to a supervisory authority
If you believe we have mishandled your data, we’d prefer you contact us first — but you always have the right to complain to your local data-protection authority, including:
- UODO (Urząd Ochrony Danych Osobowych) — Poland — https://uodo.gov.pl
- CNIL — France — https://www.cnil.fr
- ICO (Information Commissioner’s Office) — United Kingdom — https://ico.org.uk
- AEPD (Agencia Española de Protección de Datos) — Spain — https://www.aepd.es
- California Privacy Protection Agency (CPPA) and the California Attorney General — California, USA — https://cppa.ca.gov
Residents of other EU member states may lodge a complaint with their own national DPA.
Children’s privacy
Symptomatik is not directed at children. You must be at least 13 years old (US) or 16 years old (EU/UK/EEA) to use the site. We do not knowingly collect personal data from children below these ages. If you believe a child has provided personal data to us, contact privacy@symptomatik.com and we will delete it.
No “sale” or “sharing” of personal information
We do not sell personal information for money or other valuable consideration, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and analogous state laws. Because of that, we do not display a “Do Not Sell or Share My Personal Information” link — but you remain free to exercise your statutory rights by emailing privacy@symptomatik.com.
No automated decision-making
We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. We do not score, rank, or categorize individuals.
We are planning AI-powered features (for example lab-result explanations and a symptom checker) for later releases of Symptomatik. When those launch, we will update this policy, clearly describe what the AI does, and provide the information required by GDPR Art. 22 and analogous US rules. Those features will be informational only and will not replace a qualified healthcare professional — see our Medical Disclaimer.
Security
We rely on industry-standard technical and organizational safeguards, including TLS encryption in transit (HTTPS), Cloudflare’s network and WAF protections, limited administrative access, and the principle of least privilege. No online service can guarantee absolute security, and we don’t claim to — we claim a reasonable, proportionate posture for a site of this scope.
We are designed to comply with applicable data-protection laws. We do not claim HIPAA coverage: Symptomatik provides general health information, we are not a “covered entity” or “business associate,” and nothing on this site should be treated as a protected health record. Please also read our Medical Disclaimer before relying on any information on the site.
Changes to this policy
We may update this policy from time to time. The Effective date and Last updated values at the top reflect the current version. For material changes we will display a banner on the site for at least 30 days in advance. Because we do not hold email addresses, we cannot notify users individually.
Contact
- Privacy matters: privacy@symptomatik.com
- Legal notices: legal@symptomatik.com
- General: hello@symptomatik.com
- Postal: Digital Savages LLC, 701 Tillery Street, 2840, Unit 12, Austin, TX 78702, United States