Sugi Atlas

Atlas / Privacy

Privacy

This notice applies to all services hosted on sugi.bio, including:

  • the main site at sugi.bio
  • Sugi Atlas — the biomedical reference pages at sugi.bio/atlas/
  • the BioBTree REST API at sugi.bio/biobtree/api
  • the BioBTree MCP server at sugi.bio/biobtree/mcp

All of these share the same data posture: no personal data is collected beyond what is technically necessary to serve the response. No third-party analytics, no advertising, no tracking pixels, no cross-site profiling. We deliberately ship none of it.

In one sentence

No Google Analytics. No Plausible, no Meta Pixel, no LinkedIn tag, no Hotjar. No tracking cookies. Where the site uses your browser’s localStorage (Sugi Atlas only), it stores nothing more than UI preferences such as your theme choice and whether the on-page navigation panel is collapsed — that data never leaves your device. Server access logs (IP, browser/client, timestamp, URL) are retained for 30 days for security and operations, then deleted. The same applies to API and MCP request logs.

What technically happens when you make a request

When you request any sugi.bio URL — a page, an API endpoint, or an MCP call — three things happen:

1. Your client → a CDN edge. A CDN provider serves cached responses from the edge to deliver responses quickly. The provider processes your IP, client user-agent, and request path to handle the response. The provider is US-headquartered; transfers are covered by the EU-US Data Privacy Framework (adequacy decision, July 2023).

2. CDN → origin server (EU, Germany). For un-cached or dynamic requests (every API and MCP call, and any page not held in cache), the CDN forwards to a dedicated server hosted in Germany. The origin’s nginx access log records the request (IP, user-agent, timestamp, URL, status, and — for API/MCP — request paths and query parameters as part of the URL). Logs rotate and are deleted after 30 days.

3. For Sugi Atlas pages only — your browser itself. A small amount of UI state (theme dark/light, whether the floating table of contents is collapsed, and similar layout preferences) is stored in localStorage. No identifiers, no behavior tracking, no analytics. Clearing your browser data wipes it. Static API and MCP endpoints do not set anything client-side.

That is the entire data flow. There is no other data path.

Note on API and MCP request contents

The BioBTree API and MCP server accept scientific queries — gene symbols, drug names, disease identifiers, ontology IDs, and similar. These query strings appear in URLs and request bodies and are logged as part of the standard request line. They are scientific identifiers, not personal data. We do not profile, segment, or analyse requester behaviour; the underlying access logs are deleted after 30 days as described above.

Lawful basis under GDPR

  • Server / API / MCP logs: Article 6(1)(f) — legitimate interest in operating and securing the service.
  • localStorage UI state (Sugi Atlas pages): strictly necessary to remember the requested visual setting; ePrivacy / PECR “strictly necessary” exemption applies — no consent needed.

Atlas pages link to many primary biomedical databases — UniProt, Ensembl, ChEMBL, ClinVar, ClinicalTrials.gov, and others — and to source papers. Once you click an outbound link you are on those sites; their own privacy policies apply.

Your rights under GDPR

Under Articles 15–22 you have the right to access, rectify, erase, restrict, or object to processing of any personal data we hold about you. In practice this is limited to the 30-day window of access logs. To exercise a right, or to ask anything else, write to the contact below. You also have the right to lodge a complaint with your local data protection supervisory authority.

Data controller

Tamer Gür
[email protected]

Changes to this policy

This page is versioned alongside the site’s source code. Material changes will be noted here with a new “last updated” date.

Last updated: 2026-06-04