Privacy Policy
Last updated: April 23, 2026
This Privacy Policy describes how SigMA ("the Service", "We", "Us", or "Our") handles information when You use Our web-based mutational signature analysis tool. SigMA is an academic research tool developed and maintained by the Park Lab and the Gülhan Lab at the Department of Biomedical Informatics, Harvard Medical School, and operated by the President and Fellows of Harvard College ("the University").
SigMA is provided as a free, publicly accessible resource for the scientific community. It is not a commercial product. Access to the Service does not require registration or the creation of a user account.
Definitions
- Personal Data (or "Personal Information") means any information that relates to an identified or identifiable natural person. We use the terms interchangeably unless a specific law requires otherwise.
- Usage Data means data collected automatically through the operation of the Service, such as IP addresses, browser type, pages visited, and visit timestamps.
- Cookies are small data files stored on Your device by a website.
- You means the individual accessing or using the Service.
- Service refers to the SigMA website.
Information We Collect
Usage Data (Automatically Collected)
When You visit SigMA, Our hosting and DNS/security providers (Vercel, Inc. and Cloudflare, Inc.) automatically collect standard server log and network information, including:
- Your device's Internet Protocol (IP) address
- Browser type and version
- Pages visited, time and date of visit, time spent on pages
- Referring URL
- Device type and operating system
- TLS/SSL connection metadata
This data is collected to ensure the reliable operation of the Service, monitor for abuse, and understand aggregate usage patterns. We do not operate any additional analytics service (such as Google Analytics) beyond what Vercel and Cloudflare collect as part of standard hosting and network infrastructure.
Personal Data
SigMA does not require You to create an account, provide an email address, or submit any personal information to use the Service. We do not collect names, email addresses, or other directly identifying information through normal use of the Service.
A limited, invitation-only access control mechanism exists solely to restrict visibility of certain features that are under active development. This mechanism uses a small number of pre-configured credentials and does not constitute a user registration system. Authentication is performed entirely within Your browser — credentials are checked against values bundled in the application code and are not transmitted to any server. When authenticated, a session token (described under "Cookies and Local Storage" below) is stored that contains a username, display name, role identifier, and expiration timestamp — no other personal information is collected or stored.
Genomic and Scientific Data
All data displayed in SigMA is pre-computed and derived from published datasets.
Certain features may allow You to load local files for analysis. These files are read and processed entirely within Your browser using the JavaScript File API. No user-submitted data — genomic or otherwise — is transmitted to, received by, or stored on Our servers at any point during this process.
Cookies and Local Storage
SigMA uses a minimal set of cookies and browser local storage items, all of which are strictly functional. We do not use advertising cookies, remarketing cookies, or third-party tracking cookies of Our own.
Session Token
Cookie (sigma_session) + localStorage · Administered by: Us
If You have been granted access to restricted features, a session token is stored as both an HTTP cookie and in Your browser's local storage. The cookie is read by the server to enforce route-level access control; the localStorage copy is read by the client to determine which interface elements are displayed. The token contains a username, display name, role identifier, and expiration timestamp. It expires after 7 days. You can clear it at any time through Your browser settings or by logging out.
Theme Preference
localStorage (theme) · Administered by: Us
Your light/dark mode preference is stored in Your browser's local storage. This value is not transmitted to Our servers.
Cloudflare Bot Management
Cookie (__cf_bm) · Administered by: Cloudflare, Inc.
Cloudflare may place a __cf_bm cookie on Your device as part of its Bot Fight Mode to distinguish legitimate visitors from automated traffic. This cookie expires after 30 minutes of inactivity, is encrypted, is generated independently per site, and does not correspond to any user ID in Our application. Cloudflare does not track users across sites using this cookie.
Cloudflare Challenge Clearance
Cookie (cf_clearance) · Administered by: Cloudflare, Inc.
If Cloudflare presents a security challenge (e.g., a CAPTCHA or JavaScript verification), a cf_clearance cookie is stored to record that the challenge was passed, preventing repeated challenges on subsequent requests.
All cookies listed above are strictly necessary for the functionality they support — session authentication, display preferences, and security/bot protection. None are used for analytics, advertising, or tracking. Because these items are essential to the operation of the Service, they do not require consent under the GDPR "cookie rules" (ePrivacy Directive, Article 5(3)) or equivalent legislation. No consent banner is therefore displayed.
How We Use Information
The limited information We collect is used exclusively to:
- Operate and maintain the Service
- Enforce access control for features under development
- Monitor server health, uptime, and performance
- Detect and prevent abuse or unauthorised access
- Protect against automated/bot traffic (via Cloudflare)
- Understand aggregate usage patterns to improve the Service
We do not use any collected information for advertising, marketing, profiling, automated decision-making, or any commercial purpose. We do not sell, rent, or trade Your information to any third party.
Client-Side Features
Certain features of SigMA operate entirely within Your browser and do not transmit data to Our servers:
- URL state: Certain view settings are encoded in URL search parameters and hash fragments. This allows browser navigation (back/forward) to work correctly and enables link sharing. These parameters contain only application state, not personal data.
Third-Party Services
Cloudflare (DNS, Security, and CDN)
Our domain is managed through Cloudflare, Inc., which provides DNS resolution, TLS/SSL termination, DDoS protection, and bot management. When You access SigMA, Your request is routed through Cloudflare's global network before reaching Our hosting provider. Cloudflare collects End User log data — including IP addresses, HTTP request headers, and traffic metadata — to operate and secure its network. Cloudflare processes this data as a data processor on Our behalf. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
Vercel (Hosting)
SigMA is hosted on Vercel, Inc. After passing through Cloudflare, requests are served by Vercel's infrastructure. Vercel collects standard server logs as described above. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.
External Links
The Service may contain links to external resources such as GitHub repositories, published research papers, and laboratory websites. We have no control over and assume no responsibility for the privacy practices of these external sites.
Data Retention
Server logs retained by Our hosting and DNS providers are subject to Vercel's and Cloudflare's respective data retention policies. We do not independently store, archive, or process server logs beyond what these providers retain in the ordinary course of providing their services.
The sigma_session cookie and localStorage token expire after 7 days. The __cf_bm cookie expires after 30 minutes of inactivity. The theme localStorage item persists until You clear Your browser data. None of these are stored on Our servers beyond the session cookie being read by middleware during authenticated requests.
International Data Transfers
SigMA is operated from the United States. If You access the Service from outside the United States, Your Usage Data may be processed by Cloudflare at edge locations worldwide and by Vercel in the United States, where data protection laws may differ from those of Your jurisdiction. Where required by applicable law (including the GDPR), We rely on Vercel's and Cloudflare's data processing agreements and standard contractual clauses to safeguard international transfers.
Security
All connections to SigMA are encrypted via HTTPS/TLS, terminated at Cloudflare's edge and re-encrypted to Vercel's origin servers. The session token is a base64-encoded payload containing non-sensitive role information; it does not contain passwords. We use commercially reasonable measures to protect the Service, but no method of electronic transmission or storage is completely secure, and We cannot guarantee absolute security.
Children's Privacy
SigMA is a scientific research tool and is not directed at children under 16 years of age. We do not knowingly collect Personal Data from children under 16. If You believe a child has provided Us with Personal Data, please contact Us so that We can take appropriate action.
Your Rights Under the General Data Protection Regulation (GDPR)
If You are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, You have rights under the GDPR and equivalent local legislation.
Legal Basis for Processing
To the extent We process any Personal Data (primarily IP addresses in server logs via Vercel and Cloudflare), Our legal basis is:
- Legitimate interests (Article 6(1)(f) GDPR): We process server log data for the legitimate purposes of operating, securing, and improving an academic research resource. This processing is minimal, does not involve profiling, and does not override Your fundamental rights and freedoms.
For cookies: all cookies used by SigMA and its infrastructure providers (Cloudflare) fall within the "strictly necessary" exemption under Article 5(3) of the ePrivacy Directive, as they are required for the Service to function (session authentication, bot protection). No consent is therefore required for their use.
Your GDPR Rights
You have the right to:
- Access any Personal Data We hold about You.
- Rectification of inaccurate data.
- Erasure of Your Personal Data, under certain conditions.
- Restrict processing of Your Personal Data, under certain conditions.
- Data portability — request transfer of Your data in a structured, machine-readable format.
- Object to processing of Your Personal Data based on legitimate interests.
- Not be subject to automated decision-making, including profiling, that produces legal effects. SigMA does not engage in automated decision-making or profiling of any kind.
To exercise any of these rights, contact Us at the address below. We will respond within one month, extendable by two further months for complex requests. If You believe Our processing of Your data violates the GDPR, You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of Your habitual residence, place of work, or place of the alleged infringement.
Your Rights Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
If You are a California resident, the CCPA (as amended by the CPRA) provides You with specific rights regarding Personal Information.
Categories of Personal Information Collected
In the preceding twelve (12) months, the only category of Personal Information We may have collected is:
- Internet or similar network activity: IP addresses, browser/device identifiers, and browsing activity on the Service, collected automatically through server logs by Vercel and Cloudflare.
We do not collect sensitive Personal Information as defined under the CPRA.
Sale and Sharing of Personal Information
We do not sell Your Personal Information. We do not "share" Your Personal Information for cross-context behavioural advertising as defined under the CPRA. We have not sold or shared Personal Information in the preceding twelve (12) months.
Your CCPA/CPRA Rights
- Right to know what Personal Information We collect, use, and disclose.
- Right to delete Personal Information We have collected from You, subject to certain exceptions.
- Right to correct inaccurate Personal Information.
- Right to opt-out of sale or sharing: We do not sell or share Personal Information; should this ever change, We will provide a "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination: We will not discriminate against You for exercising Your rights.
To exercise these rights, contact Us at the address below. We will verify Your identity and respond within 45 days, extendable by an additional 45 days where reasonably necessary.
California Online Privacy Protection Act (CalOPPA) Compliance
In compliance with CalOPPA:
- Users can visit SigMA anonymously. No registration is required to access the Service.
- This Privacy Policy is linked from Our website footer and navigation menu.
- You will be notified of Privacy Policy changes on this page via the "Last updated" date.
Do Not Track Signals
SigMA does not operate any analytics or tracking service and does not track users across third-party websites. We honour Do Not Track (DNT) browser signals in the sense that We have no tracking infrastructure to disable. Our infrastructure providers (Vercel, Cloudflare) may process standard server/network logs regardless of DNT settings as part of providing their services; consult their respective privacy policies for details.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage You to review this page periodically. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
Contact Us
If You have questions about this Privacy Policy or wish to exercise any of Your data protection rights, please contact:
Prof. Peter J. Park
Department of Biomedical Informatics
Harvard Medical School
10 Shattuck Street, Boston, MA 02115
Email: peter_park@hms.harvard.edu
© 2026 by the President and Fellows of Harvard College. All rights reserved.