Privacy Policy

1. Controller

Gefyra GmbH
Otto-Hahn-Str. 9
48161 Münster, Germany
Email: sh@gefyra.de

2. What data is processed?

Browser session data (local only)

The following data is stored exclusively in your browser and is never transmitted to our servers:

• sessionStorage: Active validation jobs for the current browser session (package name, canonical URL, result hash). This data is automatically deleted when the browser tab is closed.
• localStorage: An anonymous client ID (randomly generated UUID with no personal reference) and recently used FHIR package names for autocomplete suggestions.

No cookies are set.

Server-side: validation jobs and rate limiting

When you start a validation, the following data is processed server-side:

• Input data: Package name, canonical URL, and selected EU profiles are submitted to our Cloudflare Workers infrastructure and to GitHub Actions to perform the validation, and stored for up to 90 days.
• Validation result: Results (compliance reports) are stored under a deterministic hash of the input data — not linked to any personal identifier.
• Validation history: Results are associated with your anonymous client ID so you can access your own history view. The client ID contains no personal reference.
• Rate limiting: To limit the number of concurrent jobs, a cryptographic one-way hash of your IP address is stored temporarily for up to one hour. The IP address itself is not stored; the hash cannot be used to recover it.

Infrastructure providers

• Cloudflare, Inc. (hosting, edge computing, KV storage) — Cloudflare may process connection data (including IP addresses) in its own capacity as infrastructure operator. More information: cloudflare.com/privacypolicy
• GitHub, Inc. (FHIR validation via GitHub Actions) — Input data required for validation is transmitted to GitHub. More information: GitHub Privacy Statement

3. Legal basis

Processing is based on Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) for providing the service, and Art. 6(1)(f) GDPR (legitimate interest) for rate limiting to protect the infrastructure.

4. Retention periods

• Validation results and metadata: up to 90 days
• Rate-limiting hash: up to 1 hour
• Local browser data: until manually cleared (sessionStorage) or indefinitely (localStorage) — stored only in your own browser

5. Your rights

You have the right to access, rectify, erase, and restrict processing of your personal data, as well as the right to data portability. Because we do not directly link data to your identity, requests can only be processed on the basis of your client ID. Please contact us at: sh@gefyra.de

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Gefyra GmbH is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (ldi.nrw.de).