NOT MEDICAL ADVICE.  For information only. In an emergency, call your local emergency number immediately.

Privacy Policy

Last updated: May 28, 2025

Overview

VirusWatch ("we", "our", "us") operates the website at viruswatch.health (the "Site"). This Privacy Policy explains what information we collect, how we use it, and your rights with respect to your data. We are committed to protecting your privacy and processing your data in accordance with applicable data protection laws including the EU General Data Protection Regulation (GDPR).

VirusWatch is a public health education resource. We do not require account registration. Our data practices are minimal and focused on improving the educational experience. If you use the AI assistant, your question — which may contain health-related information — is sent to third-party AI providers to generate a response. See the AI Assistant section below for details.

Information We Collect

1. Analytics Data (Google Analytics)

We use Google Analytics 4 (GA4) to understand how visitors use our Site. Google Analytics collects anonymised data including: pages visited, time on page, approximate geographic region (country/city level), device type and browser, referral source (how you found us). This data is processed by Google LLC under their Privacy Policy. We do not use Google Analytics for advertising or remarketing. Your IP address is anonymised before transmission.

2. Local Storage (Browser Cache)

To improve performance, VirusWatch stores certain data in your browser's localStorage — not on our servers. This includes: disease data cache (to reduce API calls), news article cache (1-hour cache), AI assistant response cache (24-hour cache), user interface preferences (language, display settings). This data never leaves your device and can be cleared at any time by clearing your browser's site data.

3. Newsletter Subscriptions (Formspree)

When you submit an email address through our newsletter or contact forms, that data is processed by Formspree Inc. (USA). Formspree stores your email to enable form submission and may process it according to their privacy policy at formspree.io/legal.

  • What we collect: email address only.
  • Why: to send outbreak information newsletters.
  • Retention: until you unsubscribe.
  • Deletion: email [email protected] to request deletion of your data.
  • Formspree privacy policy: formspree.io/legal

We use this email only for sending health alert newsletters. You may request to unsubscribe or delete your email by contacting [email protected].

4. AI Assistant Queries

AI questions are transmitted to the VirusWatch API and may be processed by Groq or OpenAI to generate a response. Provider processing and retention depend on their current policies and the account configuration. Do not include your name, date of birth, address, medical-record number, health-card number, or other identifying information in your question.

What our Worker does (audited from deployed source code at worker.js):

  • Questions are not stored by us. Your question is passed directly from our Cloudflare Worker to Groq or OpenAI to generate a response. We do not write it to a database or log file.
  • IP addresses. Your IP is used only for rate limiting (100 requests per 60-second window). It is stored in Cloudflare KV as a counter key with a 60-second TTL and is then automatically deleted. It is not linked to your question or retained beyond 60 seconds for this purpose.
  • Cloudflare infrastructure logging. Cloudflare Workers may retain access logs (URL, IP, timestamp, HTTP status) at the infrastructure level according to Cloudflare's Privacy Policy. We do not enable Workers Logs or any feature that captures request/response bodies.
  • Browser cache. A normalised version of your question and the AI response is cached in your browser's localStorage for 24 hours to avoid repeat API calls. This data stays on your device and is never sent to our servers.
  • Groq Inc. receives your question to generate a response. Groq's published API terms state that customer API data is not used to train models, but actual data retention depends on account configuration — including whether Zero Data Retention (ZDR) is enabled on the API account. See the Groq Privacy Policy for current terms.
  • OpenAI Inc. is used as a fallback if Groq is unavailable. OpenAI's published API data usage policy states that API inputs are not used to train models by default, but retention periods and processing may vary by account type and settings. See the OpenAI Privacy Policy for current terms.
  • Coordinates. If you use the nearby care finder, your coordinates are normally transmitted through the VirusWatch API (api.viruswatch.health) to request nearby OpenStreetMap results. If that service is unavailable, the browser may contact OpenStreetMap services directly. We do not intentionally store coordinates, but technical infrastructure providers may process request metadata according to their own policies.
  • Safety system prompt. Every request is processed by our safety prompt that instructs the AI not to diagnose conditions, prescribe medicines, or reveal personal information. This prompt is enforced server-side.

We do not sell or share queries with third parties for advertising.

5. Device Location (Nearby Care Finder)

The VirusWatch chat assistant can help you find nearby pharmacies, clinics, urgent care centres, and hospitals. This uses either a location you type manually (city, postal code, neighbourhood) or, optionally, your device's GPS location.

  • Permission required — never automatic: We do not request your device location on page load or automatically at any time. Location access is only requested if you explicitly ask for nearby care in the chat and then confirm you allow it.
  • Purpose disclosed before access: Before requesting your location, the assistant displays: "Precise GPS coordinates are not stored. A city or postal code you enter may be saved locally in your browser so it can be reused."
  • GPS coordinates: If you grant GPS access, your precise coordinates are used only for the immediate nearby-care search query. Coordinates are transmitted through our API and not intentionally stored by us. They are not saved to localStorage or analytics systems. Cloudflare and OpenStreetMap infrastructure may retain request metadata per their own policies.
  • Typed location may be saved locally: A city or postal code you enter manually may be saved in your browser's localStorage only so you can reuse it in a later session. This data never leaves your device.
  • Not sent to analytics: Your location is not transmitted to Google Analytics or advertising networks. It is transmitted to our API (api.viruswatch.health) and then to OpenStreetMap Overpass API endpoints to retrieve nearby facility data.
  • OpenStreetMap Overpass API: Your coordinates or typed location are proxied through the VirusWatch API to public Overpass API servers operated by the OpenStreetMap community. If the VirusWatch API is unavailable, the browser may contact Overpass servers directly. See the OpenStreetMap Privacy Policy.
  • Manual alternative always available: You can always type a city, postal code, or neighbourhood instead of granting device location access. GPS is optional.
  • No geolocation tracking: We do not build location profiles, track your movement, or retain any location history.

How We Use Your Data

  • To analyse site usage and improve content quality (Google Analytics)
  • To provide fast, cached responses for returning visitors (localStorage)
  • To send outbreak alert newsletters to subscribers (Formspree)
  • To generate AI health education responses (Groq/OpenAI via our API proxy)
  • To search for nearby health facilities when explicitly requested, using a location you type or device GPS you permit (coordinates not intentionally stored by us)
  • To detect and prevent abuse of our API endpoints (Cloudflare)

We do not sell your data. We do not use your data for advertising, profiling, or any commercial purpose beyond operating this educational website.

Cookies

VirusWatch uses the following cookies:

  • Google Analytics cookies (_ga, _ga_*, _gid): Set by Google Analytics for session tracking and analytics. These are third-party cookies. You can opt out via Google Analytics Opt-out Browser Add-on.
  • Google Translate cookies: If you use the Google Translate widget to translate the site, Google sets cookies to remember your language preference. These are governed by Google's Privacy Policy.
  • localStorage (not cookies): We use localStorage rather than cookies for our own data caching. localStorage data is not transmitted to servers and is not shared with third parties.

We do not use advertising cookies, tracking pixels, or social media tracking cookies of our own.

Third-Party Services

  • Google Analytics (Google LLC): Website analytics. Google Privacy Policy
  • Google Fonts (Google LLC): Typography. Fonts are loaded from Google servers. Google Fonts Privacy
  • Google Translate (Google LLC): Optional page translation widget. Google Privacy Policy
  • Cloudflare Inc.: CDN, DDoS protection, and our Worker API. Cloudflare Privacy Policy
  • Groq Inc.: AI language model API (for AI assistant queries, server-side). Groq Privacy Policy
  • OpenAI (OpenAI Inc.): Fallback AI model (server-side only). OpenAI Privacy Policy
  • Formspree Inc.: Newsletter form submissions. Formspree Privacy Policy
  • disease.sh / Johns Hopkins: COVID-19 data API. Accessed server-side, no personal data transmitted.
  • WHO GHO API: Disease statistics. Accessed server-side, no personal data transmitted.
  • OpenStreetMap / Overpass API (OpenStreetMap Foundation): Nearby facility data for the care finder. Your coordinates or typed location are normally proxied through the VirusWatch API before reaching Overpass endpoints; direct browser-to-Overpass contact may occur if the API is unavailable. OpenStreetMap Privacy Policy
  • Nominatim (OpenStreetMap Foundation): Geocoding service that converts typed city/postal code queries to coordinates for the care finder. Geocoding requests may be proxied through the VirusWatch API or sent directly to nominatim.openstreetmap.org. OpenStreetMap Privacy Policy

Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights under GDPR:

  • Right of access: You may request a copy of any personal data we hold about you.
  • Right to erasure: You may request deletion of your personal data. For newsletter subscribers: email [email protected] or [email protected] to request unsubscription or data deletion.
  • Right to object: You may object to processing based on legitimate interests. To opt out of Google Analytics, use the Google Analytics opt-out add-on.
  • Right to data portability: You may request your data in a portable format.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.

To exercise any of these rights, email: [email protected]. We will respond within 30 days.

Children's Privacy

VirusWatch is designed for general public health education and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted personal information to us, please contact [email protected] and we will delete it promptly.

Data Security

We take reasonable technical measures to protect the Site and our API against unauthorised access, including Cloudflare DDoS protection, HTTPS encryption for all connections, and server-side storage of API keys (never exposed in client-side code). However, no internet transmission is 100% secure and we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "last modified" date. For significant changes, we will make a reasonable effort to notify users via the website.

Contact

For privacy-related enquiries, data subject requests, or to report concerns: [email protected]

VirusWatch is operated as an independent public health education platform.