Information we collect

We collect the information you provide when subscribing or signing in, typically your email address and, when provided, your name. We may also collect subscription consent, member status, email confirmation status, delivery events, unsubscribe requests, consent version, consent timestamp, email engagement metadata, and subscription source.

How we use subscriber data

We use subscriber data to deliver the newsletter, manage member access, send account links, document consent, prevent abuse, measure aggregate email performance, improve the service, and respond to support or privacy requests.

PHI, ePHI, credentials, and incident data

Do not submit PHI/ePHI, credentials, logs, incident details, sensitive operational data, or confidential third-party information through subscription forms, replies, or support requests. Clinical Cyber Dispatch is an informational publication and does not require PHI or ePHI to provide the service.

Third-party processors

Clinical Cyber Dispatch is operated on Ghost and may use Ghost membership services, email-delivery providers, analytics, payment processors, hosting providers, and security/logging services to operate the publication, deliver email, authenticate members, process payments where applicable, secure the service, and maintain audit records.

Processor and subprocessor categories include: (1) hosting/infrastructure providers, (2) membership/authentication providers, (3) email-delivery providers, (4) analytics/measurement providers, (5) payment processors (before paid launch), (6) fraud/abuse prevention providers, (7) backup/storage providers, and (8) security/logging providers. Payment processor name, support contact, and terms links will be published before any paid checkout is enabled.

HIPAA position and breach notification

We do not intend to create, receive, maintain, or transmit PHI on behalf of covered entities or business associates through the subscriber workflow. No HIPAA business associate relationship is created absent a separate written agreement. If PHI is inadvertently submitted or if a security event appears to involve subscriber data, we will investigate, limit access, preserve relevant evidence, and delete improperly submitted PHI where feasible. HIPAA breach notification obligations, if any, depend on the facts, the role of the parties, and applicable agreements.

GDPR and CCPA rights

Depending on your location, you may request access, correction, deletion, portability, restriction, or objection to processing of your personal information. California residents may request disclosure or deletion of covered personal information and may opt out of sale or sharing where applicable. We do not sell subscriber lists.

Protection, retention, and deletion

Subscriber information is stored in Ghost and related operational systems with access limited to publication operations. We use administrative access controls, provider-supported transport encryption, and reasonable operational safeguards. Retention targets: active subscriber profile data while account is active; unsubscribe/suppression records up to 36 months; consent and audit records up to 36 months; billing records per processor/tax requirements (typically 7 years); security logs typically 30-180 days unless needed for an active investigation.

Deletion requests are handled by email to ceo.clinicalcyber@proton.me. We verify requestor control of the account email before deletion. Some records may be retained when required for legal, security, anti-fraud, or accounting obligations.

Payments, cancellation, and refunds

If paid subscriptions are offered, payment information is processed by the payment processor and not stored directly by Clinical Cyber Dispatch except for payment status, plan, billing identifiers, and related records needed for subscription administration. Paid checkout will remain disabled until payment processor details, cancellation flow, renewal terms, and refund policy are published in checkout and account management.

Security and vulnerability reporting

For security concerns, vulnerability reports, account deletion, or data deletion requests, contact ceo.clinicalcyber@proton.me. Include only non-sensitive summary information in the first message.

Contact

For privacy, retention, or deletion requests, contact ceo.clinicalcyber@proton.me.