Privacy Policy

Last Updated: December 2025

CRITICAL NOTICE: DO NOT enter any Protected Health Information (PHI) or personally identifiable patient data. This is an educational tool only. We collect minimal technical data, use temporary session storage, and NEVER sell your information.

Welcome to gasconsult.ai ("we," "our," "us," or "the Service"). This Privacy Policy describes our practices regarding the collection, use, disclosure, and protection of information when you use our anesthesiology consultation platform.

BY USING THIS SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY. If you do not agree with these terms, you must immediately discontinue use of the Service.

1. Information We Collect

We practice data minimization and collect only information necessary to operate the Service. We DO NOT require user accounts or registration. We DO NOT store long-term personal health information.

1.1 Information You Voluntarily Provide

  • Medical Queries: Clinical questions you submit about anesthesiology topics (stored temporarily during your session only)
  • Form Inputs: Data entered into pre-operative assessment tools, clinical calculators, or hypotension predictors (processed in real-time, not permanently stored)
  • Session Conversation History: Your chat interactions during an active browser session (automatically cleared when you close the browser or click "Clear Session")

1.2 Automatically Collected Technical Information

We automatically collect limited technical data for operational purposes:

  • Usage Analytics: Pages visited, features accessed, button clicks, time spent on pages (anonymized and aggregated)
  • Technical Logs: IP address (for rate limiting and abuse prevention), browser type and version, device type, operating system, referring URLs
  • Performance Data: Page load times, error messages, API response times (used solely for debugging and service optimization)
  • Session Cookies: Temporary session identifiers stored in your browser (required for chat functionality, automatically deleted on session end)

1.3 Information We DO NOT Collect

  • User accounts, passwords, or login credentials (we do not have user registration)
  • Payment information (the Service is free)
  • Long-term storage of medical queries or conversation history
  • Biometric data, precise geolocation, or device fingerprinting beyond standard web analytics
  • Social media profiles or third-party account linkages

2. How We Use Your Information

We use collected information exclusively for the following legitimate purposes:

  • Service Delivery: To process your queries, search PubMed medical literature, generate AI-assisted responses via OpenAI GPT-4o, and display clinical calculator results
  • Session Management: To maintain conversation continuity during your active browser session
  • Performance Improvement: To analyze anonymized usage patterns, identify bugs, optimize response times, and enhance user experience
  • Security & Abuse Prevention: To detect malicious activity, prevent spam, enforce rate limits (60 requests/minute per IP), and protect against unauthorized access
  • Legal Compliance: To comply with applicable laws, respond to lawful government requests, enforce our Terms of Service, and protect our legal rights

WE DO NOT: Sell your data to third parties, use your queries for targeted advertising, share identifiable information with data brokers, or use your medical questions to train AI models (OpenAI's enterprise API does not train on customer data per their data processing agreement).

3. CRITICAL WARNING: Do Not Enter Protected Health Information (PHI)

⚠️ MANDATORY NOTICE: This Service is designed for educational and informational purposes ONLY. You MUST NOT enter any Protected Health Information (PHI) or personally identifiable patient data.

Prohibited information includes, but is not limited to:

  • Patient names, initials, medical record numbers (MRNs), account numbers, or any identifiers
  • Dates of birth, admission dates, discharge dates, dates of death, or ages over 89
  • Specific geographic locations smaller than a state (addresses, ZIP codes, GPS coordinates)
  • Telephone numbers, fax numbers, email addresses, Social Security numbers, insurance ID numbers
  • Photographs, videos, biometric identifiers (fingerprints, voice recordings, facial images)
  • Device identifiers (IP addresses in medical contexts), medical device serial numbers, URLs containing PHI
  • Any case-specific details that could reasonably identify an individual patient or provider

You assume all risk and liability for any PHI you choose to enter. Use only hypothetical scenarios, de-identified case presentations, or generalized clinical questions. If you accidentally enter PHI, immediately clear your session.

4. Third-Party Services and Data Sharing

We utilize the following third-party services to operate the platform. Your data may be transmitted to these providers:

4.1 OpenAI (GPT-4o AI Model)

  • Purpose: To generate evidence-based clinical responses using AI synthesis
  • Data Shared: Your medical queries, conversation context, and PubMed search results
  • Privacy Policy: https://openai.com/privacy
  • Data Training: Per OpenAI's Enterprise API terms, your queries are NOT used to train their AI models
  • Location: OpenAI is a U.S.-based company with servers in the United States

4.2 NCBI PubMed / Entrez API

  • Purpose: To search medical literature databases for high-quality evidence (systematic reviews, meta-analyses, clinical trials)
  • Data Shared: Your search queries (medical terms extracted from your questions)
  • Privacy Policy: https://www.nlm.nih.gov/web_policies.html
  • Operator: U.S. National Library of Medicine (government agency)

4.3 No Other Third-Party Sharing

We DO NOT sell, rent, lease, or trade your information to third parties for marketing purposes. We DO NOT share data with advertisers, data brokers, or analytics companies beyond basic anonymized usage statistics. We may disclose information only if:

  • Legal Obligation: Required by law, court order, subpoena, or government request
  • Safety & Fraud Prevention: Necessary to prevent harm, investigate abuse, or protect legal rights
  • Business Transfer: In the event of a merger, acquisition, or sale of assets (you will be notified)

5. Data Security and Limitations of Liability

5.1 Security Measures We Implement

We employ industry-standard security practices to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.2+ protocols
  • Server-Side Sessions: Conversation history is stored server-side (not in cookies), reducing client-side exposure
  • Input Sanitization: All user inputs are sanitized using the Bleach library to prevent Cross-Site Scripting (XSS) attacks
  • CSRF Protection: Flask-WTF token validation prevents Cross-Site Request Forgery attacks
  • Rate Limiting: Flask-Limiter restricts requests to 60 per minute per IP address to prevent abuse and DDoS attacks
  • Access Controls: Server infrastructure uses firewalls, SSH key authentication, and principle of least privilege
  • Regular Updates: Dependencies and server software are regularly patched for security vulnerabilities

5.2 Limitations and Disclaimers

NO GUARANTEE OF ABSOLUTE SECURITY: While we implement reasonable security measures, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee that unauthorized third parties will never defeat our security measures or misuse your information.

DISCLAIMER OF LIABILITY FOR DATA BREACHES: TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL LIABILITY FOR ANY UNAUTHORIZED ACCESS, USE, DISCLOSURE, OR MODIFICATION OF YOUR DATA. BY USING THIS SERVICE, YOU ACKNOWLEDGE AND ACCEPT THE INHERENT SECURITY RISKS OF INTERNET-BASED PLATFORMS.

USER RESPONSIBILITY: You are solely responsible for: (1) ensuring you do not enter PHI or sensitive personal information, (2) using strong passwords if accessing the Service from shared devices, (3) logging out or clearing sessions after use on public computers, and (4) maintaining the confidentiality of any information you choose to enter.

6. Data Retention and Deletion

  • Session Data (Chat History): Stored temporarily in server-side sessions during your active browser session. Automatically deleted when you close your browser, click "Clear Session," or after 24 hours of inactivity.
  • System Logs: Technical logs (IP addresses, timestamps, error messages) are retained for 90 days for debugging, security monitoring, and abuse prevention, then permanently deleted.
  • Analytics Data: Anonymized and aggregated usage statistics (page views, feature usage) are retained indefinitely for service improvement but cannot be traced back to individual users.
  • No Long-Term Storage: We do NOT maintain databases of your medical queries, conversation transcripts, or form inputs beyond the temporary session duration.
  • Manual Deletion: You can clear your session data at any time by clicking the "Clear Session" button in the chat interface or by closing your browser.

7. Your Privacy Rights (GDPR, CCPA, and Other Laws)

Depending on your location, you may have specific privacy rights under laws such as the European Union's General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and similar state/international laws.

7.1 Rights for EU/EEA Users (GDPR)

If you are located in the European Union or European Economic Area, you have the following rights:

  • Right of Access (Art. 15): Request confirmation of whether we process your data and obtain a copy
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limitation of processing under certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time (does not affect prior processing)
  • Right to Lodge a Complaint: File a complaint with your national data protection authority

7.2 Rights for California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (Note: We do NOT sell or share your data)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Non-Discrimination: Exercise privacy rights without receiving discriminatory treatment

7.3 How to Exercise Your Rights

To submit a privacy rights request, email us at privacy@gasconsult.ai with the subject line "Privacy Rights Request." Please include: (1) your name and contact information, (2) description of your request, (3) approximate dates of service usage (if known).

Important Limitation: Due to our minimal data collection practices (no user accounts, temporary session storage only), we may have limited ability to identify or retrieve historical data associated with your use of the Service. In most cases, simply clearing your browser session will delete all temporary data.

We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA). We reserve the right to request additional information to verify your identity before processing requests.

8. HIPAA Compliance and Limitations

WE ARE NOT A HIPAA-COVERED ENTITY: gasconsult.ai is NOT a healthcare provider, health plan, or healthcare clearinghouse as defined under the Health Insurance Portability and Accountability Act (HIPAA). We are NOT a "Business Associate" of any covered entity.

NO HIPAA PROTECTIONS APPLY: This Service does NOT provide HIPAA-compliant safeguards for Protected Health Information (PHI). We do NOT sign Business Associate Agreements (BAAs). You MUST NOT use this Service to store, transmit, or process PHI.

HEALTHCARE PROFESSIONALS: If you are a healthcare provider, you are solely responsible for ensuring your use of this Service complies with HIPAA and other applicable healthcare privacy laws. We recommend using only de-identified, hypothetical clinical scenarios that cannot be traced to real patients.

9. Children's Privacy

This Service is intended for use by healthcare professionals and adults seeking educational medical information. We do NOT knowingly collect personal information from individuals under 18 years of age.

If we become aware that we have inadvertently collected information from a child under 18, we will take immediate steps to delete such information from our systems. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@gasconsult.ai.

10. International Data Transfers

This Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States where our servers and third-party service providers (OpenAI, hosting infrastructure) are located.

Data Protection Differences: The United States may not provide the same level of data protection as your home country, particularly for users in the European Union. The U.S. is not subject to GDPR adequacy decisions for all data transfers.

Legal Basis for Transfers: By using this Service from outside the U.S., you explicitly consent to the transfer of your information to the United States. We rely on standard contractual clauses with third-party providers where applicable.

11. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time, at our sole discretion, without prior notice. When we make changes, we will update the "Last Updated" date at the top of this page.

Material Changes: For significant changes that materially affect your privacy rights, we will provide prominent notice on the homepage or via other reasonable means. However, we are NOT obligated to provide individual notice.

Deemed Acceptance: Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy. If you do not agree to the updated terms, you must immediately discontinue use.

Responsibility to Review: You are responsible for periodically reviewing this Privacy Policy to stay informed of updates.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: privacy@gasconsult.ai
  • Website: https://gasconsult.ai
  • Response Time: We aim to respond to inquiries within 5-7 business days

For privacy rights requests (GDPR, CCPA), please use the subject line "Privacy Rights Request" and include the specific right you wish to exercise.

13. Severability and Governing Law

If any provision of this Privacy Policy is found to be unlawful, void, or unenforceable, that provision shall be deemed severable and shall not affect the validity and enforceability of the remaining provisions.

This Privacy Policy shall be governed by and construed in accordance with the laws of the United States and the State of [Your State], without regard to conflict of law principles. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in [Your State].

14. Acknowledgment and Consent

BY CLICKING "I ACCEPT," CONTINUING TO USE THE SERVICE, OR SUBMITTING ANY QUERIES, YOU ACKNOWLEDGE THAT:

  • You have read and understood this Privacy Policy in its entirety
  • You consent to the collection, use, and disclosure of your information as described herein
  • You understand that we are not a HIPAA-covered entity and do NOT provide HIPAA protections
  • You agree NOT to enter any Protected Health Information (PHI) or personally identifiable patient data
  • You accept the inherent security risks of internet-based services and our limitations of liability
  • You acknowledge that this is an educational tool only and NOT a substitute for professional medical advice

Final Reminder: This Service provides educational information only and is NOT medical advice. Always consult qualified healthcare professionals for clinical decision-making. NEVER enter PHI or patient-identifying information. We prioritize your privacy, collect minimal data, and never sell your information.