Privacy Policy

Last updated: March 2026

Who we are

MedLit AI Digest (medlit.io) is a professional medical literature monitoring service for NHS clinicians, consultants, surgeons, and healthcare researchers. The service is operated by its founder, a Consultant Transplant Surgeon based in the United Kingdom.

Contact: [email protected]

What data we collect

We collect only what is necessary to provide the service:

  • Email address — used for account authentication and to deliver your weekly digest.
  • Display name and specialty — provided during onboarding, used to personalise your digest.
  • Research interests — the plain-English description you provide, used to build your monitoring profile.
  • Generated newsletters — stored so you can view past digests in your dashboard.
  • Click patterns — which papers you open (collected but not yet active; reserved for future profile refinement).

We do not collect payment information (no payments are taken during the free beta). We do not collect IP addresses, device fingerprints, or browsing history beyond standard server logs.

How we use your data

Your data is used only to:

  • Authenticate your account and maintain your session.
  • Build your personalised research profile and generate your weekly digest.
  • Store your past newsletters so you can access them in your dashboard.
  • Contact you about service updates relevant to your account (no marketing without consent).

Where your data is stored

All user data is stored in Supabase (a PostgreSQL database hosted in eu-west-2, London, UK). Your data does not leave the United Kingdom. The backend pipeline runs on Railway (EU region). The frontend is hosted on Vercel (EU edge).

We use Supabase Row Level Security (RLS) to ensure each user can only access their own data. The service role key (used by the pipeline to write newsletter results) is never exposed to the browser.

Third parties

We do not sell, rent, or share your personal data with third parties for marketing or any other purpose. The following third-party services are used to operate the service:

  • Supabase — database and authentication (London, UK)
  • Anthropic — AI model API used to parse interests and generate paper summaries. Your research interests and anonymised paper abstracts are sent to Anthropic's API; no personal identifiers are included in these requests.
  • NCBI/PubMed — National Library of Medicine's public API. Paper searches are performed using your research profile; no personal data is sent.
  • Vercel — frontend hosting
  • Railway — backend pipeline hosting (EU region)

Your rights (UK GDPR)

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data (you can update your interests and profile from your dashboard).
  • Erasure — request deletion of your account and all associated data.
  • Portability — request your data in a portable format.
  • Restriction — ask us to stop processing your data while a dispute is resolved.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Data retention

We retain your data for as long as your account is active. If you request account deletion, all personal data (email, name, interests, newsletters) will be permanently deleted within 30 days. Anonymised aggregate statistics (e.g. total number of users) may be retained indefinitely.

Cookies

We use a single session cookie set by Supabase Auth to maintain your login state. No tracking cookies, advertising cookies, or analytics cookies are set. No third-party cookies are used.

Changes to this policy

If we make material changes to this policy, we will notify registered users by email before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.