Privacy Policy
Last updated: March 2025
This site is operated by Evidence-Based Health (evidencebasedhealth.me). We take your privacy seriously. This policy explains what data we collect, why, and how you can control it.
1. What we collect
When you subscribe or visit the site, we may collect:
- Email address — required to send you the newsletter
- Phone number — only if you opt in to SMS updates
- IP address — captured at subscription time for spam prevention and compliance records
- User agent / browser info — captured at subscription time
- Page you subscribed from — for internal analytics
- Cookie identifiers — if you consent to analytics or marketing cookies (see Section 6)
2. Why we collect it and legal basis
- Email newsletter — to send the weekly educational brief you signed up for. Legal basis: consent (you explicitly subscribed).
- SMS messages — only if you checked the SMS consent box at sign-up. Legal basis: consent.
- Fraud and spam prevention — IP and user agent are stored to detect abuse. Legal basis: legitimate interest.
- Remarketing audiences — if you consented, your hashed email may be used to create custom or lookalike audiences on Google and Meta. Legal basis: consent.
- Site analytics — understanding aggregate traffic patterns to improve content. Legal basis: consent (via cookie banner).
3. Third parties we share data with
We use the following services to operate this site:
- Amazon Web Services (AWS) — our hosting (Amplify), email sending (SES), SMS (SNS), and database (DynamoDB) provider. Data is stored in AWS data centers.
- Meta (Facebook) — if you accept marketing cookies, the Meta Pixel fires on page views and on subscription. We may also upload hashed email lists to create custom audiences. Meta Privacy Policy
- Google — if you accept marketing cookies, Google Ads tags fire to measure conversions and build remarketing audiences. Google Privacy Policy
- Buffer — used to schedule social media content. No subscriber data is shared with Buffer.
- Make (Integromat) — used for content automation. No subscriber PII is passed through Make.
We do not sell your personal information to third parties.
4. Prevention Profiles
If you use the Prevention Roadmap tool and choose to save your profile, we collect the following additional information:
- Year of birth — used to calculate approximate age for guideline-based suggestions. We do not collect your full date of birth.
- Sex assigned at birth — used only to apply the correct screening guidelines where they differ by reproductive biology.
- Organ / anatomy selections — checkboxes you select (e.g., “I have a colon”). Used to surface relevant screening topics.
- Optional risk flags — e.g., family history of colorectal cancer. Used only to adjust the age threshold in guideline-based suggestions.
- Email and optional phone number — used to send age-appropriate prevention reminders.
- IP address and device information — collected for abuse prevention and logging.
What we do not collect for this feature: your name, full date of birth, address, insurance information, or any clinical records. Prevention Roadmap data is never used for diagnosis, treatment decisions, employment, or insurance purposes. It is used solely to send educational, age-appropriate screening reminders.
Reminders are sent no more than once per year per screening topic. To stop reminder emails, use the unsubscribe link in any reminder email or reply STOP to any SMS. To request deletion of your prevention profile, email hello@evidencebasedhealth.me.
If you consented to remarketing, your email (hashed/encrypted before transmission) may be used to create custom audiences on Google Ads and Meta Ads for the purpose of showing you relevant educational content. You can withdraw this consent at any time by contacting us.
5. Your rights
Depending on your location, you may have the right to:
- Access — request a copy of the data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — ask us to delete your data (“right to be forgotten”)
- Unsubscribe from email — use the unsubscribe link in any email, or email us directly
- Opt out of SMS — reply STOP to any SMS we send
- Opt out of remarketing — contact us and we will remove your email from any audience lists
- California / CPRA — California residents have additional rights including the right to know, delete, and opt out of the sale or sharing of personal information. We do not sell personal information. To exercise your rights, contact us at the address below.
To exercise any of these rights, email hello@evidencebasedhealth.me. We will respond within 30 days.
6. Cookies
We use three categories of cookies:
- Essential cookies — required for the site to function. No consent needed.
- Analytics cookies — help us understand traffic patterns in aggregate. Used only with your consent.
- Marketing cookies — Meta Pixel and Google Ads tags that enable remarketing and conversion measurement. Used only with your consent.
You can change your cookie preference at any time by clearing your browser’s localStorage and reloading the page, or by contacting us.
7. Data retention
We retain subscriber records for as long as you are subscribed to our communications plus a reasonable additional period for compliance purposes (typically 2 years). If you request deletion, we will remove your data within 30 days.
8. Security
Subscriber data is stored in AWS DynamoDB with encryption at rest and in transit. Access is restricted to authorized personnel only via IAM roles with least-privilege permissions.
9. Children
This site is not directed at children under 13. We do not knowingly collect data from anyone under 13 years of age.
10. Changes to this policy
We may update this policy from time to time. Material changes will be noted by updating the “Last updated” date above. Continued use of the site or newsletter after changes constitutes acceptance.
11. Contact
Questions? Email us at hello@evidencebasedhealth.me.