Specimen

Privacy Policy

Last updated: June 2026

Specimen is a free biology study tool with no advertising and no tracking. This policy explains plainly what data we collect, why, and what rights you have over it.

Who we are

Specimen (specimen.site) is an independent biology study platform. For privacy matters, contact us at colin@specimen.site.

What we collect and why

If you use Specimen without an account, nothing is stored on our servers. Saved cards are kept in your browser's local storage only and never leave your device.

If you create an account, we store the following:

  • Username and hashed password — to identify you and secure your account. Your password is never stored in plain text; it is hashed using PBKDF2 with 100,000 iterations.
  • First name — only if you choose to provide it in your profile. Entirely optional.
  • Saved cards — genes, cell structures, and viruses you save, so you can access them across devices.
  • XP and level — to track your progress through quizzes and study tools.
  • Search terms you have looked up — stored to prevent XP farming (earning XP by repeatedly searching the same term). Not used for any other purpose.
  • Session token — stored in a secure HttpOnly cookie to keep you signed in. Expires after 30 days.
  • Account creation timestamp — the date and time your account was created.

What we do not collect

  • Email address
  • Real name (only an optional first name if you provide it)
  • Location or IP address
  • Device or browser fingerprint
  • Payment information
  • Browsing history outside of Specimen

We do not use advertising cookies, tracking pixels, or third-party analytics. We do not sell, rent, or share your data with any third parties.

Third-party scientific databases

Specimen retrieves data from public scientific databases to power its search features. When you search for a gene, organelle, or virus, a request is sent to one or more of the following services:

These requests are proxied through Cloudflare and are not associated with your account or identity. They are the same requests any anonymous visitor would make.

Specimen is hosted on Cloudflare. Your data is stored on Cloudflare's infrastructure within their D1 database service.

Cookies

Specimen uses a single cookie: a secure, HttpOnly session cookie that keeps you signed in to your account. It contains only a random session token — no personal data — and expires after 30 days.

We do not use advertising cookies, analytics cookies, or any third-party cookies.

How long we keep your data

Your data is kept for as long as your account exists. You can request deletion of your account and all associated data at any time by emailing colin@specimen.site. We will process deletion requests within 30 days.

If you have not created an account, no server-side data exists to delete.

Your rights

Under GDPR (EU and UK users), you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (right to erasure)
  • Object to or restrict processing of your data
  • Data portability — receive your data in a machine-readable format
  • Lodge a complaint with your local data protection authority

Under CCPA (California users), you have the right to know what personal information we collect, request deletion, and opt out of sale (we do not sell data).

To exercise any of these rights, email colin@specimen.site. We will respond within 30 days.

Children

Specimen is intended for students and curious people of all ages. We do not knowingly collect personal information from children under 13 (or under 16 in the EU). If you are under 13, please do not create an account — you can use all of Specimen's core features without one.

If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will delete it promptly. Parents or guardians who believe their child has created an account should contact colin@specimen.site.

Data security

Passwords are hashed using PBKDF2 with SHA-256 and 100,000 iterations before storage. Session tokens are randomly generated and stored in HttpOnly, Secure cookies inaccessible to JavaScript. All data is transmitted over HTTPS.

While we take reasonable steps to protect your data, no system is completely secure. If you believe your account has been compromised, contact us immediately at colin@specimen.site.

Changes to this policy

If we make significant changes to this policy, we will update the date at the top of this page. Continued use of Specimen after changes are posted constitutes acceptance of the updated policy.

Contact

For any privacy-related questions, requests, or concerns:
colin@specimen.site