This site is built on the Privacy by Design principle (Art. 25 GDPR). All data (preferences, syndromic declarations, API cache) stays exclusively on your device. No account, no advertising cookies, no third-party trackers.
If you use the syndromic surveillance form (Expert mode), your declarations constitute health data. They are stored only on your device and require explicit dual consent. You can delete them at any time from the My Data section.
1 Data Controller
| Controller | Dr. Clément MÉDEAU |
| Capacity | Medical doctor — Individual publisher (LCEN Art. 6.II) |
| Location | La Rochelle (17000), France |
| General contact | contact@breathiq.fr |
| DPO / Data contact | privacy@breathiq.fr |
2 Data processed
2.1 Data stored locally on your device (localStorage)
These data are never sent to our servers and remain in your browser:
| localStorage key | Content | Legal basis | Deletable |
|---|---|---|---|
biq-theme | Light or dark theme | Art. 6(1)(a) | Yes — My Data |
biq-lang | Chosen interface language | Art. 6(1)(a) | Yes — My Data |
biq-mode | Patient or Expert mode | Art. 6(1)(a) | Yes — My Data |
biq-consent | Consent banner response | Art. 6(1)(a) | Yes — My Data |
biq-declarations | Anonymous syndromic declarations (max 500 entries) | Art. 9(2)(i) | Yes — My Data |
biq-live-* | API cache (air quality, epidemio) — 5 min to 6 h | Art. 6(1)(f) | Yes — My Data |
2.2 Health data — Art. 9 GDPR (Syndromic surveillance form)
The syndromic declaration form (Expert mode only) allows entry of:
- Clinical syndrome type (flu-like, respiratory, diarrhoeal, febrile, neurological, haemorrhagic, cutaneous)
- Age group (child, adult, senior)
- Severity level (mild, moderate, severe, hospitalisation)
- Number of cases (numeric)
- Week of symptom onset (date)
- Laboratory result (optional)
- Approximate geographic region (rounded to 0.5° = ±55 km, if geolocation granted)
These data constitute health data under Article 9 GDPR. Protections in place:
- Explicit dual consent: Art. 6(1)(a) general + Art. 9(2)(i) specific to health data
- Storage exclusively local on the user's device (never on our servers)
- Non-persistent random identifier (8 characters, not linked to a person)
- Geolocation rounded to 0.5° (no precise position stored)
- Complete deletion possible at any time from the My Data section
- JSON export possible before deletion
2.3 Geolocation
When you grant access to your geographic position (via the dedicated modal):
- The precise position is used in working memory only (never stored)
- Coordinates are sent directly from your browser to the WAQI and Open-Meteo APIs
- For syndromic declarations: coordinates are rounded to 0.5° before storage
- No position is recorded on BreathIQ servers
2.4 Server logs (Vercel host)
The site is hosted by Vercel Inc. (San Francisco, USA). Vercel automatically collects technical logs (IP address, user-agent, timestamp) as part of server operations. These data are processed by Vercel as a processor, under standard contractual clauses (SCC) ensuring adequate protection for transfers to the United States (Art. 46 GDPR). Vercel policy: vercel.com/legal/privacy-policy
3 Legal bases
| Processing | Legal basis | GDPR Article |
|---|---|---|
| Interface preference storage (theme, language, mode) | Consent | Art. 6(1)(a) |
| API cache (air quality, epidemiological data) | Legitimate interest (performance) | Art. 6(1)(f) |
| Geolocation (care search, local air quality) | Explicit consent (dedicated modal) | Art. 6(1)(a) |
| Syndromic declarations (health data) | Explicit consent + public interest (epidemiological surveillance) | Art. 9(2)(a) + (i) |
| Vercel server logs | Legitimate interest (security, abuse prevention) | Art. 6(1)(f) |
| Privacy-first analytics (Plausible) | Legitimate interest (anonymous aggregated statistics) | Art. 6(1)(f) |
4 International data transfers
BreathIQ queries several third-party APIs for real-time data. These requests are made directly from your browser (no BreathIQ proxy) and transmit your IP address to these third parties:
| API / Service | Publisher | Location | Data transmitted | Safeguards |
|---|---|---|---|---|
| WAQI / AQICN | World Air Quality Index | United States | IP, GPS coordinates (if geoloc granted) | AQICN policy · Art. 49(1)(b) |
| OpenAQ | OpenAQ Inc. | United States | IP, query parameters | OpenAQ policy · Art. 49(1)(b) |
| Open-Meteo Air Quality | Open-Meteo GmbH | Germany (EU) | IP, GPS coordinates (if geoloc granted) | GDPR directly applicable |
| SPF — data.santepubliquefrance.fr | Santé Publique France | France (EU) | IP only (public data) | GDPR directly applicable |
| CDC — data.cdc.gov | US Centers for Disease Control | United States | IP only (public data) | Public data · Art. 49(1)(b) |
| ECDC — opendata.ecdc.europa.eu | European Centre for Disease Prevention | EU | IP only (public data) | GDPR directly applicable |
| Nominatim / Overpass API (OSM) | OpenStreetMap Foundation | EU | IP, GPS coordinates (if geoloc granted) | GDPR directly applicable |
| Umami Analytics | Umami | EU (Estonia) | Anonymous aggregated statistics — no IP stored, no cookies | GDPR directly applicable · Plausible policy |
| Google Fonts | Google LLC | United States | IP, user-agent | Art. 49(1)(b) — technical necessity |
| Vercel (host) | Vercel Inc. | United States | IP, server logs | SCC (standard contractual clauses) · Art. 46 GDPR |
5 Retention periods
| Data | Duration | User control |
|---|---|---|
| Interface preferences (theme, language, mode) | Indefinite, until deletion | "My Data" section → Reset |
| Syndromic declarations | Indefinite, max 500 rolling entries | "My Data" → Delete my declarations |
| API cache — Air quality | 5 minutes | "My Data" → Clear cache |
| API cache — Flu data (SPF, CDC) | 1 hour | "My Data" → Clear cache |
| API cache — Epidemic foci (ECDC) | 6 hours | "My Data" → Clear cache |
| GDPR consent (biq-consent) | Indefinite, until withdrawal | "My Data" → Withdraw consent |
| Precise geolocation | Session only (working memory) | — (cleared when page closes) |
| Vercel server logs | 30 days (Vercel policy) | No — Vercel processor |
| Plausible analytics | Up to 2 years (aggregated, anonymous) | No individual data stored |
6 Your GDPR rights
View your data from the My Data section or export your declarations as JSON.
Delete your declarations, cache or entire profile from My Data.
Export your syndromic declarations as JSON (dedicated button in My Data).
Withdraw consent at any time from My Data. Immediate effect.
Use "Continue without accepting" in the consent banner to restrict non-essential processing.
Any questions: privacy@breathiq.fr — response within 30 days (Art. 12 GDPR).
8 Privacy-first analytics (Plausible)
BreathIQ uses Umami Analytics, an EU-based (Estonia) privacy-first analytics service, to understand how the site is used and improve it.
What Plausible does NOT collect:
- No personal identifiers (no name, email, IP address stored)
- No cookies or persistent identifiers of any kind
- No cross-site tracking
- No device fingerprinting
What Plausible collects (aggregated, anonymous):
- Page views and unique visitor counts (calculated without storing IPs)
- Traffic sources (referrer, campaign)
- Country-level location (derived from IP, which is never stored)
- Browser type and operating system (aggregated)
Processing is based on legitimate interest (Art. 6(1)(f) GDPR), as Plausible's data collection is anonymous by design and does not require consent under GDPR or ePrivacy Directive. Plausible is hosted in the EU and subject to GDPR. Politique de données Umami →
9 Technical security
- Mandatory HTTPS with HSTS (Strict-Transport-Security)
- Strict Content Security Policy (CSP) — configured in vercel.json
- X-Frame-Options DENY (clickjacking protection)
- X-Content-Type-Options nosniff
- Referrer-Policy strict-origin-when-cross-origin
- Restrictive Permissions-Policy (camera, microphone, geolocation disabled by default)
- SRI (Subresource Integrity) on external CDN resources (Leaflet)
- No GPS field or identifier in the syndromic form (client-side control + CSP)
10 Complaints — Supervisory Authority
Under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data infringes your rights.
CNIL (France) — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr ·
Tel: +33 1 53 73 22 22
You may also contact the supervisory authority in your country of residence within the EU/EEA. List of authorities: edpb.europa.eu
Data Protection Officer (DPO)
Dr. Clément MÉDEAU — BreathIQ
La Rochelle (17000), France
Maximum response time: 30 days (Art. 12 GDPR)
For complex requests, extendable by 2 months with prior notice.