1. What is a cookie?
A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit a website. It is read on subsequent visits by the server that issued it. Cookies allow information to be retained between HTTP requests, which are stateless by nature.
CRS Report is a medical web application intended for healthcare professionals. It is not hosted on a Health Data Hosting (HDS) infrastructure. Accordingly, no nominative patient data is retained beyond the practitioner's working session; data is automatically deleted after 20 minutes of inactivity. The cookies placed by CRS Report contain no medical data and no information allowing the direct identification of a patient.
2. Cookies placed by CRS Report
2.1 Strictly necessary cookies — no consent required
These cookies are essential to the delivery of the service. Disabling them would make the application unusable. They do not require your consent under Article 82 of the French Data Protection Act (loi Informatique et Libertés) and the CNIL guidelines of 17 September 2020.
NamePurposePublisherLifetime
| PHPSESSID | PHP session cookie managed by the Symfony server. Keeps authenticated admin users connected. Contains no nominative data. | crs-report.com | Session (deleted on browser close)
| evaluation_session | Contains a random encrypted identifier (SHA-256 hash) linking your browser to your current evaluation, with no patient identifier. Allows navigation between form steps without a user account. Renewed on each interaction. | crs-report.com | 20 minutes (sliding)
| cookie_consent | Records that you have been informed of this policy and have made a choice (accept or refuse analytics cookies). Prevents the banner from being shown repeatedly. | crs-report.com | 12 months
| cookie_consent_analytics | Stores your analytics cookie preference (1 = accepted, 0 = refused). | crs-report.com | 12 monthsLegal basis: Legitimate interest (Article 6.1.f GDPR) — technical operation of the service.
| PHPSESSID | PHP session cookie managed by the Symfony server. Keeps authenticated admin users connected. Contains no nominative data. | crs-report.com | Session (deleted on browser close)
| evaluation_session | Contains a random encrypted identifier (SHA-256 hash) linking your browser to your current evaluation, with no patient identifier. Allows navigation between form steps without a user account. Renewed on each interaction. | crs-report.com | 20 minutes (sliding)
| cookie_consent | Records that you have been informed of this policy and have made a choice (accept or refuse analytics cookies). Prevents the banner from being shown repeatedly. | crs-report.com | 12 months
| cookie_consent_analytics | Stores your analytics cookie preference (1 = accepted, 0 = refused). | crs-report.com | 12 monthsLegal basis: Legitimate interest (Article 6.1.f GDPR) — technical operation of the service.
2.2 Analytics cookies — subject to consent
These cookies allow us to measure application usage and improve its content. They are placed only if you have given your consent via the banner. They may be refused without affecting application functionality.
NamePurposePublisherLifetime
| _ga | Unique identifier used to distinguish visitors. Calculates session counts, pages visited and visit duration for aggregate statistical purposes. | Google LLC (Google Analytics 4 — ID: G-B4JMHGS31R) | 13 months
| _ga_B4JMHGS31R | Maintains Google Analytics 4 session state. Used to measure page transitions within a single visit. | Google LLC | 13 monthsLegal basis: Consent of the data subject (Article 6.1.a GDPR and Article 82 of the French Data Protection Act).
| _ga | Unique identifier used to distinguish visitors. Calculates session counts, pages visited and visit duration for aggregate statistical purposes. | Google LLC (Google Analytics 4 — ID: G-B4JMHGS31R) | 13 months
| _ga_B4JMHGS31R | Maintains Google Analytics 4 session state. Used to measure page transitions within a single visit. | Google LLC | 13 monthsLegal basis: Consent of the data subject (Article 6.1.a GDPR and Article 82 of the French Data Protection Act).
Data transfer outside the EU: Google Analytics 4 is published by Google LLC, headquartered in the United States. Google has activated its EU Data Boundary programme since March 2024, enabling European users' data to be processed and stored within the European Union. Appropriate contractual safeguards (European Commission standard contractual clauses) govern this processing. For more information, see Google's privacy policy and the EU Data Boundary documentation.
Configuration: send_default_pii: false — no directly identifying data (full IP address, user identifier, e-mail) is transmitted to Google Analytics.
3. Third-party resources that do not place cookies
CRS Report does not use any social networks, sharing buttons, advertising networks or profiling cookies. The following external resources are loaded but do not place persistent cookies on your device:
ResourcePurposeData transmitted
| Google Fonts (fonts.googleapis.com) | Loading the Poppins typeface | IP address, user-agent, page URL
| Sentry (ingest.de.sentry.io) | Technical error monitoring — EU servers only | Error trace, URL, user-agent. No medical or patient data.
| Google Fonts (fonts.googleapis.com) | Loading the Poppins typeface | IP address, user-agent, page URL
| Sentry (ingest.de.sentry.io) | Technical error monitoring — EU servers only | Error trace, URL, user-agent. No medical or patient data.
4. Managing your preferences
4.1 Via the consent banner
A banner is displayed on your first visit. You may:
- Accept all: authorise analytics cookies in addition to necessary cookies.
- Refuse all: authorise only strictly necessary cookies.
- Customise: enable or disable each category individually.
4.2 Modifying your choice later
You may update your preferences at any time by clicking the "Manage cookies" link at the bottom of every page of the application.
4.3 Via your browser settings
You may also configure your browser to refuse all cookies or to be alerted before they are placed:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy
- Edge: Settings → Cookies and site permissions
Disabling strictly necessary cookies via your browser will make the CRS Report application unusable.
5. Your rights under the GDPR
In accordance with the General Data Protection Regulation (GDPR — EU 2016/679) and the amended French Data Protection Act, you have the following rights regarding data collected via cookies:
- Right of access: obtain confirmation that data concerning you is being processed and receive a copy.
- Right of rectification: have inaccurate data corrected.
- Right to erasure: request the deletion of your data.
- Right to object: object to the processing of your data for analytics purposes.
- Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on prior consent.
- Right to lodge a complaint with the CNIL (www.cnil.fr).
To exercise these rights, contact the Data Protection Officer of the Hospices Civils de Lyon:
📧 dpo@chu-lyon.fr
📬 HCL — DPO, 3 quai des Célestins, 69002 Lyon, France
📧 dpo@chu-lyon.fr
📬 HCL — DPO, 3 quai des Célestins, 69002 Lyon, France
6. Data retention
Data collected via analytics cookies (Google Analytics) is retained for 13 months by Google, in line with CNIL recommendations.
Evaluation session data (evaluation_session) is automatically deleted server-side after 20 minutes of inactivity, and the corresponding cookie is removed at the end of or upon restart of the evaluation.
7. Changes to this policy
CRS Report reserves the right to modify this policy at any time to reflect legal, regulatory or technical developments. The update date at the top of the page is systematically refreshed. In the event of a material change affecting your rights, a notice will be displayed on your next login.
Document prepared for CRS Report — Standardised operative report web application for cytoreductive peritoneal surgery. Developed by UInnov for CICLY (HCL, Lyon Sud).
