ICD Diagnostica – Cookie Policy
This Cookie Policy explains how ICD Diagnostica ("we", "us", "our") uses cookies and similar technologies on the website https://icd-diagnostica.com and the related web application (the "Service"). It tells you what these technologies are, why we use them, what categories of cookies we set, and how you can control them.
1. What are cookies?
Cookies are small text files placed on your computer or mobile device when you visit a website. They are widely used to make websites work, work more efficiently, or provide information to the site owner.
First-party cookies are set by the website owner (in this case, ICD Diagnostica). Third-party cookies are set by a domain other than the one you are visiting – typically by service providers we rely on for authentication, security, and payment.
Throughout this policy, we use the term "cookies" loosely to also cover similar technologies – including HTML localStorage, sessionStorage, IndexedDB, web beacons, and pixel tags – which are technically not cookies but serve comparable purposes (storing data on, or reading data from, your device).
2. Why we use cookies
We use cookies and similar technologies for the following purposes:
- To keep you signed in after authentication so you do not have to re-enter credentials on every page.
- To secure the Service – including bot protection (reCAPTCHA Enterprise), App Check token validation, CSRF protection, and abuse-rate limiting.
- To process payments via our payment processor Stripe.
- To remember your preferences – language (PL/EN), timezone, dark mode, ICD-11 filter set, and similar settings.
- To restore your in-session work – symptoms selected, current case, duration/episode filters – for up to one (1) hour, so a page refresh or accidental tab close does not lose your work.
- To deliver content efficiently via our content-delivery network (Cloudflare).
We do not use cookies to: track you across other websites; build advertising profiles; serve personalized advertising; sell or share data with advertising networks; carry out cross-site behavioral analytics.
3. Categories & legal basis
Under Article 5(3) of the ePrivacy Directive 2002/58/EC (as transposed into Polish law) and the GDPR (Reg. (EU) 2016/679), we classify our cookies and similar storage technologies as follows:
| Category | Legal basis | Consent required? |
|---|---|---|
| Strictly necessary | Article 5(3) ePrivacy exemption; Article 6(1)(b) GDPR (contract performance); Article 6(1)(f) GDPR (service security) | No (exempt) |
| Functional / preferences | Article 5(3) ePrivacy – "strictly necessary for an information-society service explicitly requested by the user"; Article 6(1)(b) or 6(1)(f) GDPR as applicable | No. No cookie is set on the basis of implicit consent through continued browsing. |
| Analytics | N/A – not in use | N/A |
| Marketing / advertising | N/A – not in use | N/A |
4. Strictly necessary cookies and storage
Required for the Service to function (sign-in, transactions, anti-abuse). Exempt from the consent requirement under Article 5(3) ePrivacy Directive.
| Provider | Purpose | Type | Duration |
|---|---|---|---|
| Firebase Authentication (Google) | Authenticated session, identity tokens, sign-in persistence | HTTP cookie + localStorage / IndexedDB (1st-party + 3rd-party) | Session – until sign-out |
| Firebase App Check (Google) | Per-request anti-abuse token; ensures requests originate from a legitimate browser session | IndexedDB (3rd-party) | Up to 1 hour |
| Google reCAPTCHA Enterprise | Bot detection on sign-in, registration, password-reset, and payment actions only (score-only mode; loaded only at security-event boundaries) | HTTP cookie (3rd-party) | Up to 6 months |
| Cloudflare | Bot management, DDoS protection, CDN routing | HTTP cookie (3rd-party) | 30 minutes – 1 year |
| Stripe (only on payment pages) | Payment fraud detection & transaction integrity | HTTP cookie (3rd-party) | Session – 1 year |
| ICD Diagnostica (first-party) | Authenticated user profile cache, session continuity, locale schema version | localStorage / sessionStorage | Until sign-out / account deletion |
5. Functional / preference items
These items remember the choices you make and improve your experience. They are not strictly required, but disabling them will degrade the Service.
| Name / Key | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| Interface preferences | ICD Diagnostica (1st-party) | Language, timezone, theme (light / dark), cached translation strings | localStorage | Persistent until cleared |
| In-progress session | ICD Diagnostica (1st-party) | Selected symptoms and current disorder for an in-progress diagnostic session, restored on page reload | localStorage | Up to 1 hour from last interaction |
| Plan-quota counters | ICD Diagnostica (1st-party) | Free-plan rate-limit counters and deduplication for daily diagnostic-session quota | localStorage / sessionStorage | Up to 24 hours |
| User filter preferences | ICD Diagnostica (1st-party) | ICD-11 chapter exclusions chosen by the user; synchronized to the user account when signed in | localStorage | Persistent |
| Local search history | ICD Diagnostica (1st-party) | Last symptom search queries for client-side autocomplete. Stored on-device only; never transmitted to the server; never associated with any patient identifier. Cleared by the user via Account → Privacy → Clear search history or by clearing browser site data. | localStorage | Until manually cleared |
6. Analytics & performance cookies
If we add an analytics provider in the future, this Cookie Policy will be updated and (where required) we will obtain prior, informed consent through a cookie banner before any analytics cookie is placed on your device.
7. Marketing & advertising cookies
If we add advertising or remarketing in the future, this Cookie Policy will be updated and we will obtain prior, informed consent.
8. Third-party cookies
Some functions of the Service rely on third-party providers. These providers may set their own cookies on your device when you interact with their parts of the Service. Each provider is bound by its own privacy policy and (where applicable) a Data Processing Agreement with us. The list below is reproduced for cookie-context disclosure; the definitive sub-processor list with locations and transfer safeguards is at Annex A of the Data Processing Agreement:
| Provider | Purpose | Privacy policy |
|---|---|---|
| Google LLC / Google Ireland Ltd. | Firebase Authentication, Firestore, App Check, reCAPTCHA Enterprise, Cloud Functions, Cloud Storage | policies.google.com/privacy |
| Stripe Payments Europe Ltd. | Payment processing, fraud detection, Customer Portal redirect | stripe.com/privacy |
| Cloudflare, Inc. | Content delivery, DDoS protection, bot management | cloudflare.com/privacypolicy |
| Hostinger International Ltd. | Transactional e-mail delivery (SMTP) – emails do not contain tracking pixels or web beacons | hostinger.com/privacy-policy |
9. Local storage & session storage
Most of the items above are stored in the browser's localStorage or sessionStorage rather than as classic HTTP cookies. Although these technologies are not strictly "cookies", they fall within the scope of Article 5(3) ePrivacy Directive and are treated by us with the same legal-basis analysis as cookies.
You can inspect, modify, or delete localStorage/sessionStorage entries directly using your browser's developer tools (typically: F12 → Application / Storage tab). Deleting these entries will sign you out, reset preferences, and abandon any in-progress diagnostic session.
10. How to control cookies
You have several options to control cookies and similar technologies set by ICD Diagnostica:
- Account-level settings. Once signed in, you can adjust language and timezone preferences in Account → Profile → Additional information.
- Sign out. Signing out clears authentication tokens and most session-related items immediately. The remaining functional items (language, timezone) persist so that the next sign-in is still localised.
- Delete account. A full account deletion (Account → Security → Delete account) wipes server-side data within 30 days and effectively neutralises all server-linked cookies.
- Browser controls. See Section 11 below.
- Manual clear. Use F12 → Application / Storage → Clear site data to remove all cookies, localStorage, sessionStorage, and IndexedDB for icd-diagnostica.com in one click.
Please note that strictly necessary cookies cannot be rejected without rendering the Service unusable (you would not be able to sign in or process payments). Functional items can be cleared but the Service experience will be degraded (you will lose preferences, your in-progress diagnostic session, and your filter set).
11. Browser controls
All major browsers allow you to view, manage, or block cookies through their settings. The following links open the relevant help pages:
Mobile users can adjust cookie behavior in the privacy settings of their mobile browser application (Safari iOS, Chrome Android, Samsung Internet, etc.).
12. Other tracking technologies
Web beacons / pixels
We do not embed web beacons or tracking pixels in any web page or transactional e-mail. Verification, password-reset, and 2FA e-mails are plain HTML messages without tracking imagery.
Browser fingerprinting
We do not use canvas fingerprinting, font fingerprinting, audio-context fingerprinting, or any similar device-fingerprinting technique for tracking purposes. The only fingerprinting-adjacent signal in the Service is performed by Google reCAPTCHA Enterprise in score-only mode for bot detection (loaded only on sign-in / register / password-reset / payment pages – see Section 4). Google's behavioral signals are processed solely to compute the bot-risk score and are not reused by Google for advertising profiling or cross-Google-service personalization under our reCAPTCHA Enterprise terms. The Operator monitors evolving regulator guidance on reCAPTCHA (notably CNIL deliberations 2023-2025) and will reclassify or replace reCAPTCHA if its categorisation as "strictly necessary" ceases to be defensible.
Flash cookies / Local Shared Objects
The Service does not use Adobe Flash; consequently, no Flash cookies (Local Shared Objects) are set.
Service Workers
The Service may register a service worker for offline-resilience and PWA-style caching. Service workers do not store personal data and only cache static assets (HTML, CSS, JS, images) for performance. You can clear them through your browser's storage controls.
13. Do Not Track / Global Privacy Control
We honor the Global Privacy Control (GPC) signal as a valid opt-out of any sale or sharing of personal information for cross-context behavioral advertising, in line with California CCPA/CPRA § 1798.135(b)(1) and Cal. Code Regs. § 7025(c). The Service does not sell or share personal information for cross-context behavioral advertising, and it does not deploy advertising, marketing, cross-site tracking, or third-party analytics cookies. The GPC signal is therefore acknowledged as effective by configuration, and no responsive action is required at the level of the Service. The same applies to the older Do-Not-Track (DNT) header: we acknowledge it, but because we do not deploy the technologies DNT was designed to suppress, no behavior changes. Strictly necessary cookies (Section 4) remain in operation regardless because they are required for the Service to function.
14. International transfers
Some of our cookie/storage providers (Google, Stripe, Cloudflare) may process data outside the European Economic Area. Where this occurs, transfers are governed by:
- EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795 of 10 July 2023, upheld by EU General Court 3 Sept 2025) – Google LLC, Stripe Inc., and Cloudflare Inc. are DPF-certified;
- Standard Contractual Clauses (Decision (EU) 2021/914) – relied upon as belt-and-braces alongside DPF certification;
- Supplementary measures following the Schrems II ruling (Case C-311/18) and EDPB Recommendations 01/2020: encryption-in-transit (TLS 1.3), encryption-at-rest, IAM access restrictions, edge-only TLS termination at Cloudflare with no application-layer payload inspection, contractual restrictions on US-government access requests, and contractual transparency-report commitments.
Hostinger International Ltd. (transactional e-mail) is established in the European Union (Lithuania) – no third-country transfer mechanism is required under Article 44 GDPR. The WHO ICD-11 API (Geneva, Switzerland) is not a sub-processor of personal data – only ICD-11 codes are queried – and Switzerland in any event benefits from a European Commission adequacy decision (Decision 2000/518/EC).
Where you contact our data-protection address, we will, on request, provide further details about the safeguards in place for any specific provider, including a copy of the relevant Standard Contractual Clauses.
15. Updates to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in the cookies we use, our service providers, regulatory developments, or industry best practice. Material changes (e.g., introduction of analytics, advertising, or new categories of cookies, or any change that requires a new consent banner) will be notified at least thirty (30) days in advance by in-app banner and/or e-mail. Non-material updates (clarifications, corrections, sub-processor list updates, formatting) take effect immediately upon publication, with the "Last updated" date at the top of this document refreshed accordingly. Please revisit this page periodically to stay informed.
16. Contact
Correspondence
- General contact: [email protected]
- Data-protection / cookies / consent queries: [email protected]
- Data Protection Officer (Inspektor Ochrony Danych): [email protected]
- Website: https://icd-diagnostica.com
Supervisory authorities
You have the right to lodge a complaint with the competent data-protection supervisory authority (Article 77 GDPR), as well as statutory rights under the Polish Electronic Communications Law of 12 July 2024.
Withdraw consent at any time. Where any cookie or storage technology is set on the basis of your consent, you may withdraw that consent at any time via the in-app cookie settings (when displayed), by clearing browser site data, or by writing to [email protected]. Withdrawal will not affect the lawfulness of processing prior to withdrawal (Article 7(3) GDPR).