Privacy policy
High‑level overview of how personal data may be processed when you use CUIZ (informational summary, not a full legal notice).
CUIZ is designed with data minimisation in mind. Under normal operation, we do not expect you to enter identifiable patient data into the system. In particular, you should avoid names, national identifiers, insurance numbers or any other information that could directly identify an individual. If you are unsure whether a specific piece of information counts as personal or sensitive data, the safest option is not to submit it to CUIZ at all.
When you use CUIZ, we process a limited set of information that is necessary to provide the service – mainly technical logs (IP address, browser type, device information), basic account details (name, email address, and where relevant your professional role) and a small amount of usage information (such as login timestamps, which sections of the interface you open, and high‑level, aggregated statistics about queries).
We use this information to keep access to the system secure, to detect misuse, to improve the service over time and – where appropriate – to provide reporting to collaborating institutions. We consistently follow the principle of data minimisation: we do not collect more information than we need, and we delete or anonymise data once it is no longer required for the purposes described.
The main legal bases for processing are performance of a contract (providing the service you signed up for), CUIZ’s legitimate interests (for example security, troubleshooting and abuse prevention) and, in some cases, your consent – for instance if you opt in to receive updates or invitations to pilot projects, or allow the use of optional analytics tools that are not essential for the core service.
We may share personal data with a small number of trusted processors such as cloud infrastructure providers, email delivery tools or payment processors. We require appropriate contractual safeguards to ensure that these providers process data in line with applicable data protection law and only for the specified purposes. We do not sell your personal data and we do not share it with third parties for their independent marketing purposes.
Where necessary, data may be transferred outside the European Economic Area. In such cases we rely on recognised legal mechanisms – for example Standard Contractual Clauses approved by the European Commission – to ensure a level of protection essentially equivalent to that in the EU. We can provide more detailed information about individual providers on request.
We retain personal data only for as long as it is needed for the purposes outlined above or as required by law (for example accounting and tax rules). Account data is typically kept for as long as your account remains active; technical logs are retained for a limited period that is sufficient to secure the system and investigate incidents.
Depending on your jurisdiction, you may have rights of access, rectification, erasure, restriction of processing, objection to certain types of processing and data portability. You may also have the right to lodge a complaint with your local data protection authority if you are concerned about how we handle your personal data.
If you have questions about privacy or data protection in connection with CUIZ, you can contact us using the details published on the main CUIZ website. Where you use CUIZ under an institutional agreement, the exact conditions of data processing may be further specified in the contract between your organisation and CUIZ.