Privacy Policy

Last updated: 2026-04-21

Introduction

weMS is a private social community for people living with Multiple Sclerosis. This Privacy Policy explains what personal data we collect, why, how we use it, and the rights you have over that data under the EU General Data Protection Regulation (GDPR) and equivalent laws.

Who is the data controller

The data controller is the weMS team. For any privacy question or to exercise your rights, please contact privacy@wems.example.com.

Data we collect

Account: email, display name, password hash, optional avatar and bio, chosen language.
MS health profile: MS type, year of diagnosis, current treatments, reported symptoms, mobility level and your visibility preferences for each of these fields.
Content you create: posts, resource links, comments, likes, saves, reposts, reports.
Technical: minimal session cookies; with your consent, Google Analytics 4 cookies (_ga, _ga_*) for aggregate traffic measurement. No advertising cookies.

Lawful basis for processing

Account data is processed on the basis of the contract you enter into when you register (Art. 6(1)(b) GDPR). Your MS health profile is classified as special-category data (Art. 9 GDPR) and is only processed with your explicit consent, which you give by choosing to fill in those fields and by adjusting the visibility settings. You may withdraw consent at any time.

Sensitive health data

Health-related data is only visible to other users to the extent you set in your visibility controls. We never sell or share this data with advertisers. You can export, edit or delete this data at any time from Settings.

Cookies

We set strictly-necessary cookies — a session cookie issued by NextAuth to keep you signed in, and a language preference cookie — without asking. With your consent, we also load Google Analytics 4, which sets two cookies on your browser: _ga (identifies your browser for aggregate stats, expires after 2 years) and _ga_<container-id> (used to maintain session state, expires after 2 years). The data controller for these analytics cookies is Google Ireland Limited; we use them only to measure aggregate site traffic and have no contract for advertising. The legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw consent at any time via the "Cookie preferences" link in the footer; we do not set any advertising cookies.

Sub-processors

We rely on the following processors to operate the service: Cloudinary (image hosting), your chosen OAuth provider (Google, Facebook or X) if you sign in with one, and our infrastructure provider for database and hosting. Each has its own privacy terms and Data Processing Agreement.

Data retention

We retain your account data for as long as your account exists. When you delete your account, your personal data and MS profile are removed, and related content is deleted or anonymised. Backups are rotated within 30 days.

Your rights

Under GDPR you have the right to access, rectify, export, restrict, object to, and erase your personal data, plus the right to lodge a complaint with your local supervisory authority. From Settings you can at any time: (1) download a JSON export of your data, (2) edit or delete any field, (3) delete your entire account.

Contact

For any question about this policy or to exercise your rights, email privacy@wems.example.com.