Privacy
What we keep, and what we don't
Last updated 2026-07-15.
CardioAT is built to hold as little about you as possible. Most of the site — the tools, calculators, guidelines and calendar — collects nothing at all. Data only comes in where you choose to enter it: the Research Hub and the contact form. In plain terms:
What we collect
- What you type into a Research Hub listing or a form. When you post a project or list yourself, we store what you enter so the Hub can work. Email addresses you give for matching are stored but never published on the site. We delete the email addresses when a listing is taken down, or 30 days after it expires.
- Messages you send us. If you use the contact form, we receive your message and your email so we can reply.
- Network and bot protection. We don't keep our own access logs. Our CDN and bot-protection provider, Cloudflare, processes your IP address and browser type transiently to deliver and protect the site; we don't store them ourselves.
- Aggregate Research Hub statistics. We count how many times each listing is shown and responded to — one number per listing per day. Nothing about who viewed is recorded: no IP address, browser details, account or email is ever stored with these counts. They power the public Insights page.
How long we keep things, and why
We hold personal data only as long as it has a job to do, then it is removed automatically.
- Your listing's contact email. Kept while the listing is live (up to 60 days, renewable). Deleted as soon as the listing is taken down, or 30 days after it expires. So people can reach you while you're looking — and not after.
- A response to a listing. The responder's email and message are used to make the introduction, then kept only until the listing they answered reaches the end of its life, and removed with it. Responses left unconfirmed are dropped within 48 hours. To complete the introduction, and to keep a short record in case unwanted contact ever needs to be reported.
- Hospital membership (verified members). Your name and email are kept for up to 24 months, renewable in the final three, so we can confirm you belong to your hospital. Sign-in links last 15 minutes and work once; a signed-in session lasts up to 90 days of use and ends when you log out. We only ever store a scrambled version of these sign-in tokens, never the original. To keep hospital-only listings restricted to real members, without passwords.
- Feedback and contact messages. Not stored on the site — they are emailed straight to us and live only in our inbox.
- Technical and network data (IP address, browser). Not stored by us at all; handled transiently by Cloudflare to deliver and protect the site.
- Backups. We keep short-term backups of the Research Hub so it can be restored after a failure. Anything you delete is purged from those backups within 7 days.
- Aggregate Research Hub counts. The per-listing view and response tallies are kept indefinitely — they contain no personal data, and they are what the Insights page is drawn from — including after a listing ends. Nothing about who viewed is in them, so there is nothing that needs to expire.
What we don't do
- We don't sell or rent your information to anyone.
- We don't run advertising or third-party tracking for advertising.
- We don't publish your email address.
Who processes the data
CardioAT runs on infrastructure operated by Cloudflare (content delivery and security) and uses Resend to send email. These providers process data only to deliver the service. Nothing is shared beyond what's needed to run the site.
Asking for deletion
You can ask us to remove your listing or the details you've submitted at any time. Contact us and we'll take it down.
Changes
If this page changes, the date above updates. Questions are welcome via the contact link.
© 2026 Christian Abhayaratna · CardioAT