Privacy Policy

Last updated: 26 May 2026

1. Data Controller

FractaLPK is operated by Carlos A. Pérez Aparicio (Cartagena, Spain). Contact: cperapa@fractalpk.es.

2. Data We Collect

• Contact information submitted through the contact form or email (name, email, organisation, message).
• Datasets uploaded by clients for the sole purpose of generating their fractional PK analysis report. These are processed transiently and never retained (see §5).

  Clients warrant that uploaded datasets contain only anonymised or pseudonymised data with no direct identifiers (name, full date of birth, contact details, or any other field permitting re-identification of an individual subject). FractaLPK is designed for pre-screening of pharmacokinetic models and does not process special categories of personal data under GDPR Article 9. Clients remain solely responsible for ensuring the lawful basis under which their source data was originally collected.

• Technical server logs (IP address, timestamp, requested URL, user agent) for security and diagnostics.

3. Legal Basis

Processing is based on GDPR Article 6(1):

• (a) Consent — when you contact us voluntarily.
• (b) Performance of a contract — when you commission an analysis.
• (f) Legitimate interest — for security logs and fraud prevention.

4. Server Location & International Transfers

The service runs on managed cloud infrastructure hosted in the European Union (Frankfurt, Germany region), with a managed in-memory store used only for transient job state. No client dataset is transferred or stored outside the European Economic Area (EEA).

5. Retention — Ephemeral Processing

FractaLPK operates on an ephemeral-pure basis. Your uploaded dataset is processed in memory to compute the report; it is never written to long-term storage and is never used for training or shared with any third party.

• Uploaded CSV (raw): never written to disk. Held in memory only for the duration of the fit, then discarded.
• Job state and generated PDF: held in the managed in-memory store with a 1-hour technical TTL, automatically purged thereafter. The report is delivered through a single-use link; downloading the report triggers immediate deletion of both the PDF and the associated metadata. If you lose the link, the analysis must be re-run.
• Contact correspondence and access-form captures (name, email, organisation, use case): retained for up to 12 months to operate the service and respond to you, then auto-purged by our daily retention sweep. Deletable on request at any time.
• Audit log (structured records of job state changes, downloads served, deletions, and other privacy-relevant events — never the dataset content): retained for up to 12 months as evidence of correct processing and to satisfy GDPR accountability obligations under Article 5(2).
• Technical server logs (IP, timestamp, URL — never dataset content): retained for up to 30 days by our hosting provider for security and diagnostic purposes.

In exceptional cases (e.g. a customer who failed to download the report through their single-use link within the 1-hour window), an explicit, time-bounded retention extension may be granted on request. Such extensions are logged in the audit trail.

6. Your Rights

Under GDPR Articles 15–22 you have the right to:

• Access (Art. 15), rectify (Art. 16), erase (Art. 17) your personal data.
• Restrict processing (Art. 18), object to processing (Art. 21).
• Data portability (Art. 20).

To exercise these rights, email cperapa@fractalpk.es. You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es).

7. Cookies & Tracking

This website does not use tracking cookies or third-party analytics services that profile individual users.

8. Security Measures

TLS 1.2+ for all data in transit, encryption at rest, access restricted to the operator, and secure deletion protocols.

9. Processors and Sub-processors

To deliver the service, FractaLPK relies on the data processors listed in our Data Processing Agreement (DPA). These include Render Inc. (hosting), Upstash (queue), Resend (email), IONOS SE (DNS), and Stripe Payments Europe Ltd. (payment processing, when enabled). All sub-processors are located within the European Union except as noted in the DPA for incidental payment-related transfers under standard contractual clauses.

Each processor receives only the minimum data required for its function. See /dpa for the full sub-processor list and contractual obligations under GDPR Article 28.