Privacy Policy
Last updated: April 2026
Our Commitment
ElfSurgery is built with privacy as a core principle. We understand that researching gender-affirming surgery is sensitive, and we take your privacy seriously.
Data We Collect
We collect only the minimum data necessary to operate the service:
- Reviews: Content you submit, optional email for notifications
- Verification documents: Temporarily stored, deleted after verification
- Basic analytics: Page views (aggregated, no user tracking)
- IP address hash: A one-way hash of your IP for rate limiting and fraud prevention (cannot be reversed to identify you)
Data We Don't Collect
- Real names (unless you choose to share)
- Raw IP addresses (only stored as irreversible hashes)
- Browsing history across sites
- Third-party tracking cookies
Cookies
We don't use tracking or advertising cookies. Google reCAPTCHA, which we use to prevent spam, may set cookies and collect usage data subject to Google's Privacy Policy.
Review Processing
All submissions pass through automated filtering before synthesis and moderation:
- PII Removal: Names, emails, phone numbers, specific dates, and other identifying details are stripped before any human sees them
- Content Moderation: Reviews are checked for spam, harassment, and policy violations
- Human Oversight: Flagged reviews are manually reviewed before any action is taken
Only the censored version of your review is ever displayed publicly. Originals are encrypted and stored solely for legal compliance; they are never accessed unless required by law, and all access attempts are logged.
Verification Documents
If you upload a document to verify your review, it is encrypted during transit and storage, and permanently deleted within 48 hours of verification regardless of outcome.
Encryption & Security
- In Transit: All data encrypted via TLS (HTTPS)
- At Rest: Original review submissions encrypted using AES-256-GCM
- Access Logging: All decryption attempts logged for audit
- Minimal Access: Moderators only see censored versions
Data Retention
- Approved reviews: Retained indefinitely as part of the directory
- Rejected/pending reviews: 90 days for audit, then deleted
- Verification documents: Deleted within 48 hours
- IP hashes: Retained with their associated reviews
- Email addresses: Deleted on request
Service Providers
We use these providers to operate ElfSurgery. They process data on our behalf:
- Vercel — hosting
- Supabase — database
- Resend — email
- Google reCAPTCHA — spam prevention
- Anthropic — AI moderation and review synthesis
We do not sell, rent, or share personal data with third parties for marketing. We do not share reviewer information with surgeons or clinics.
Your Rights
You can:
- Delete your reviews at any time
- Request a copy of your data
- Request deletion of all your data
- Opt out of any communications
If you are in the EEA, UK, or Switzerland, you can additionally: restrict processing, object to processing based on legitimate interests, request data portability, and lodge a complaint with your local data protection authority.
Lawful Basis (GDPR)
For users in the EEA, UK, or Switzerland: we process data on the basis of legitimate interests (operating a healthcare directory in the public interest), consent (where you voluntarily submit content), and legal obligation (where we must retain records).
Healthcare Provider Data
We list publicly available professional information about healthcare providers. Providers may request correction of inaccurate information at hello@elfsurgery.com.
