Privacy Policy

1. Introduction

Welcome to MortiScope. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our web application.

MortiScope is an academic thesis project developed by undergraduate students for the purpose of assisting forensic analysis of Chrysomya megacephala images for Post-Mortem Interval (PMI) estimation (the estimated time that has passed since death).

We adhere to the principles of transparency, legitimate purpose, and proportionality as mandated by Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA) of the Philippines. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, you can refrain from accessing the application.

2. Definition of Terms

To ensure clarity, the following terms are defined as follows:

  • Personal Information: Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information. This includes common identifiers like your name, email address, and professional affiliation.
  • Sensitive Personal Information: Refers to personal information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health, education, genetic or sexual life; and crimes or alleged crimes.
  • Data Subject: Refers to an individual whose personal information is processed. In the context of this application, this refers to you, the user.
  • Forensic Data: Refers to the specific scientific data you upload, including high-resolution images of insect specimens, case notes describing the environment, and technical metadata. We understand this may include sensitive or privileged case information.

3. Information We Collect

We collect information to provide, improve, and secure our service. The types of data we collect include:

A. Personal Information You Provide

When you register for an account or use our features, you voluntarily provide:

  • Identity Data: We collect your full name, email address, and professional title/affiliation to verify your identity as a researcher or student and to manage your account access.
  • Authentication Data: If you choose to sign in using a third-party provider (such as Google, LinkedIn, Microsoft, or ORCID), we receive a unique "provider ID" (a secure code that identifies you without revealing your password) and confirmation that your email is verified.
  • Case Data: This encompasses all the details you enter about a specific forensic case, including case names, notes, and temperature readings, which are critical for accurate PMI estimation.

B. Forensic Data

The core function of MortiScope involves the processing of images you upload:

  • Images: We process the photographs of Chrysomya megacephala (blow flies) and related evidence that you upload. These images are analyzed by our AI to determine the species and development stage.
  • Metadata: We extract technical details hidden inside your image files (EXIF data), such as the date and time the photo was taken and GPS coordinates. We also store the location details you manually enter (Region, Province, City, Barangay).

C. Automatically Collected Technical Data

When you access the Service, our servers automatically record information to ensure security and functionality. This information is stored in our database to manage your active sessions and security history:

  • Device Information: We store a hashed version of your IP address. Hashing is a security process that turns actual data into a seemingly random string of characters (using SHA-256), allowing us to recognize your device for security without storing your actual data or identity. We also record your web browser type and operating system.
  • Location Data: We use your IP address to look up your approximate general location using a database called geoip-lite. This helps us understand where our users are coming from without tracking your precise movements. We do not store your raw IP address.
  • Session Logs: We record login timestamps, session duration, and actions taken within the app to detect unauthorized access and ensure the system is working correctly.

4. How We Use Your Information

We use the collected data for specific, limited purposes:

  1. To Provide the Service:
    • To authenticate your identity and manage your account, ensuring only you can access your data.
    • To process uploaded images using our deep learning model, which analyzes visual patterns to identify species and estimate PMI.
    • To securely store and organize your case history so you can retrieve your past analyses at any time.
  2. For Security and Safety:
    • To monitor for suspicious activity, such as repeated failed login attempts or access from unusual locations.
    • To prevent the upload of prohibited content such as malware and illegal imagery.
  3. For Academic Research:
    • To validate the accuracy of our AI models by comparing the AI's predictions against expert verification.
    • To aggregate anonymized statistics for our thesis report. We will never publish your specific case data, images, or any details that could compromise ongoing investigations or reveal the identity of victims/suspects without your explicit written consent.

5. Disclosure of Your Information

We do not sell, trade, or rent your personal identification information to others. We do not share your data with advertisers or commercial business partners.

We may share generic anonymized and aggregated demographic information (not linked to any personal identification information) solely for academic and research purposes such as thesis defense presentations or academic publications.

We may share your information with third-party service providers who perform services for us or on our behalf and require access to such information to do that work. These third parties are:

  • Amazon Web Services (AWS): We use AWS S3 to securely store your uploaded forensic images. AWS is a global leader in cloud security and ensures your data is protected from physical loss.
  • Inngest: We use Inngest to manage background processing jobs. This ensures that your image analysis requests are queued and processed reliably, even during high traffic.
  • Neon: We use Neon (PostgreSQL) to host our database containing user accounts and case metadata. It provides enterprise-grade security and encryption at rest.
  • Render: We use Render to host our Python/FastAPI backend services. Your images are temporarily processed by these servers to generate analysis results.
  • Vercel: We use Vercel to host and deploy the web application, ensuring secure access from anywhere.
  • Resend: We use Resend to deliver important system emails to you, such as account verification codes and password reset links.

These third parties are prohibited from using your personal information for any purpose other than to provide this assistance and are contractually obligated to protect your data.

What happens if a third-party provider is compromised?

We carefully select reputable service providers (like AWS and Neon) that adhere to high security standards. However, no system is immune to risks. If one of our third-party providers suffers a data breach that affects your information, we will:

  1. Notify you immediately upon receiving confirmation from the provider.
  2. Work with the provider to mitigate the impact.
  3. Inform the National Privacy Commission (NPC) if required by law.

6. Data Retention

We will retain your Personal Information and Forensic Data only for as long as is necessary for the purposes set out in this Privacy Policy.

  • Account Data: Retained until you delete your account.
  • Forensic Images: Retained for the duration of the thesis project with the expected completion date of January 2026 or until you manually delete the case/image.
  • Session Logs: Retained for 30 days for security auditing, then automatically deleted.

What happens if I delete my account?

If you choose to delete your account via the settings page, your request enters a 30-day grace period. During this time, your account is deactivated but your data is retained in case you change your mind. You can restore your account by logging in within this period.

After the 30-day grace period expires, your personal profile, authentication data, and all associated case data are permanently removed from our database. This process is irreversible. We may retain anonymized system logs for a brief period as required for security auditing.

Upon the conclusion of the thesis project, all data may be securely archived or permanently deleted in accordance with university research data management policies.

7. Data Security

We use administrative, technical, and physical security measures to help protect your personal information.

  • Encryption: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS/SSL). This acts like a secure tunnel, making your data unreadable to anyone who might try to intercept it.
  • Access Control: Access to the database and storage buckets is restricted to the core development team.
  • Authentication: We use industry-standard OAuth (a secure way to log in using your existing accounts like Google without sharing your password) and session management to prevent unauthorized account access.

What happens if there is a data breach?

In the unlikely event of a data breach that compromises your personal information, we are committed to notifying you via email within 72 hours of confirming the incident, as required by the Data Privacy Act. We will explain what data was affected and what steps we are taking to secure your account.

While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse.

8. Your Rights Under RA 10173

As a Data Subject under the Data Privacy Act of 2012, you are entitled to the following rights:

  1. Right to be Informed: You have the right to know whether your personal data shall be, are being, or have been processed. This privacy policy fulfills this right by explaining what data we collect, how we use it, and who we share it with. You may also contact us at any time to ask specific questions about how your data is being processed, such as which AI models have analyzed your images or which team members have accessed your case files.
  2. Right to Access: You have the right to reasonable access to your personal data. You can view your account information (name, email, affiliation) in your profile settings at any time. If you want more detailed information about the data we store, such as session logs, hashed IP addresses, or the full history of your uploaded images, you can request a comprehensive data report by contacting us.
  3. Right to Rectification: You have the right to dispute the inaccuracy or error in your personal data and have the service correct it immediately. You can update your profile information (name, email, affiliation) directly in your account settings. If you notice errors in your case data such as incorrect temperature readings or location details, you can edit the case information at any time. If you believe there is an error in our system that you cannot fix yourself, please contact us and we will correct it promptly.
  4. Right to Erasure or Blocking: You have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data from our filing system. You can delete individual cases and images at any time through the application interface. To delete your entire account and all associated data, you can use the account deletion feature in your settings, which initiates a 30-day grace period before permanent deletion. If you want your data blocked (made inaccessible but not deleted) for a specific reason, please contact us to discuss your requirements.
  5. Right to Damages: You have the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. If you believe you have suffered harm from our mishandling of your personal data, such as unauthorized disclosure of your case information or failure to correct inaccurate data, you may file a complaint with the National Privacy Commission (NPC) and seek legal remedies under Philippine law, including compensation for damages.
  6. Right to Data Portability: You have the right to obtain a copy of your data in an electronic or structured format that you can use with other services. This includes your account information, all case data, uploaded images, and analysis results. We will provide this data in a machine-readable format (such as JSON for text data and original file formats for images) so you can easily transfer it to another system or keep it for your own records.

To exercise any of these rights, please contact us using the information below.

Can I download my data?

Yes. You have the right to request a copy of your personal data and the forensic data you have uploaded. To do this, please contact us at mortiscope@gmail.com. We will provide your data in a structured, commonly used digital format (such as JSON) within a reasonable timeframe.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our service and hold certain information.

  • Session Cookies: We use session cookies (specifically JSON Web Tokens) to keep you logged in. These are small digital keys stored on your device that prove you are who you say you are as you move from page to page. If you are inactive for 30 days, these cookies will expire, and you will be automatically logged out for your security.
  • Security Cookies: We use security cookies to detect and prevent security risks, such as someone trying to guess your password or hijack your session. These cookies help us identify and block suspicious activity.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our service.

10. Contact Us

If you have questions or comments about this privacy policy, or if you wish to exercise your rights as a data subject, please contact the developers at:

MortiScope Developers

Email: mortiscope@gmail.com

Subject Line: Please use Legal Inquiry or Privacy Policy Question in your subject line to ensure a timely response.