
Privacy Policy


CodeTheCure

Version 2.1. Last updated April 5, 2026.


PRIVACY POLICY

1. Overview

CodeTheCure ("we," "us," or "our") is a free cancer education site run from the United States. People use it from many countries. This policy explains what we collect, what we do with it, what choices you have, and how we try to keep it safe.

We are not a clinic or hospital. We are not a HIPAA covered entity. We do not give medical advice, diagnoses, or treatment instructions through this policy or the product.

2. Information We Collect

We ask for what we need to run the service. When you sign up with email and password we store your email, the name you pick for your account, and a hashed password. We cannot read your password in plain text. If you sign in with Google, we receive your email and name from Google and may store a profile image URL; you may not have a password on file. We also store when the account was created.

Journey focus (browser). You can pick a focus such as newly diagnosed, in treatment, survivor, caregiver, or general awareness. For the main app experience we store that label in your browser (local storage on your device) so we can personalize what you see in that browser. It is not sent to our servers as a separate account field. Clearing site data or using another device may reset it.

Optional health profile (servers). If you use features that ask for health or care details (for example cancer type or treatment phase in a saved profile), we store what you save with your account so those features work. In the EU and UK that can count as health-related or special category data. Where the law requires it, we rely on explicit consent when you submit or save that information in the product.

We store preferences you choose in the app (for example chat topic focus, notification toggles, and similar settings), mainly in your browser and, for some fields, in your account on our servers. We also collect basic session or usage metadata we need to keep the site running (for example which product areas you use at a high level). We do not maintain a separate page-by-page browsing log of every screen you opened unless we add that and describe it here.

Chat. We handle the text you send and the replies you get. Your messages are sent to our education AI backends and to model providers (for example OpenAI) so we can generate answers. We do not run a separate automated PII redaction layer (such as Microsoft Presidio) on every chat message in our current production stack. Treat chat like a general web service: avoid pasting unnecessary names, phone numbers, medical record numbers, or other identifiers when you can describe your question in general terms instead. We store conversation text on our systems so you can see history and so we can run, secure, and improve the service. Section 3 goes into more detail.

We also get ordinary technical data: which parts of the site you used, device and browser type, and sometimes country or region from network data.

We do not sell your data to brokers. We do not use it for cross-context behavioral advertising as those terms are used in certain U.S. state laws, for the ways we actually process data today.

3. How We Process Your Messages

Our education AI runs on our own services and on external model APIs. The main chat flow sends your message and conversation context to our CodeTheCure AI backend and to providers such as OpenAI (and subprocessors listed in their documentation). Other features may call OpenAI or similar APIs directly from our servers (for example generating a short conversation title, analyzing symptoms, transcribing voice, or text-to-speech). Community moderation, where we use it, may send text to OpenAI's moderation endpoint.

When we use commercial APIs, we rely on the vendor's standard API terms and data processing terms. Where a vendor offers GDPR-style data processing terms or Standard Contractual Clauses for international transfers, we use those mechanisms when they apply to our relationship and the product configuration.

We store messages and model outputs on our systems so features that depend on history work, and so we can protect the service, fix problems, and make improvements, within this policy.

4. Lawful Bases for Processing (GDPR and similar)

For people in the EU or UK, we only process personal data when a lawful basis applies. Summary:

  • Contract (Article 6(1)(b)). Running your account, signing you in, giving you the features you asked for, and keeping the core product working.
  • Legitimate interests (Article 6(1)(f)). Security work, fraud and abuse prevention, aggregate product analytics (including first-party analytics described in Section 19), and limited operational metrics. We balance our interests against your rights. You can object in the ways described in the rights sections.
  • Consent (Article 6(1)(a)). Where we ask for consent (for example some emails or optional features), you can withdraw it. That does not undo processing that was lawful before you withdrew.
  • Legal obligation (Article 6(1)(c)). When the law requires us to keep or hand over certain records, or when we must respond to a valid legal request.

5. Special Category Data (Health-Related Choices): GDPR Article 9

Labels like newly diagnosed, in treatment, or survivor can reveal something about your health. Under EU and UK law, cancer type, treatment phase, or similar fields you save in onboarding or a health profile on our systems are often special category data under Article 9. We process them when you clearly choose to submit or save that information in the product (for example completing onboarding or profile flows, including acknowledging our Terms and Privacy Policy where that step is shown). Journey focus kept only in your browser is processed on your device; if local law treats that as special category data, we rely on your clear choice in settings together with this notice. You can withdraw by changing or removing profile data, clearing browser storage, deleting your account, or writing to us. If you withdraw, some personalization may stop working.

6. Third-Party AI Providers and Sub-Processors

OpenAI and similar providers receive the text needed for each request (for example chat messages, title generation, voice transcription, text-to-speech, image generation, or moderation), subject to the limits of each feature. Our primary education backend may call more than one model or provider depending on deployment. Sub-processors beyond model APIs include our hosting and database vendors. We may change vendors over time. If the law requires notice for material changes, we will give it, including to registered users when that applies. Email codethecure@gmail.com for a current summary of sub-processors we use.

7. How We Use Your Information

We use what we collect to open and maintain your account, personalize the experience using browser-stored choices and any profile data you have saved where you have agreed, run and secure the site, send service-related messages, and meet legal duties. You can opt out of emails that are not required for the service through settings or by contacting us where that applies.

We do not sell your personal information. We do not use it for the kind of sale or sharing for cross-context behavioral advertising that California law describes, as further explained in Section 13.

8. International Data Transfers

We operate mainly in the United States. If you visit from the EU, EEA, UK, or elsewhere, data may be sent to the U.S. and processed there.

For transfers from the EU or EEA to the United States and other countries, we use appropriate safeguards as required by applicable law. That often includes the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 when we use vendors that offer them, together with supplementary measures or transfer assessments where required.

For transfers from the UK we use the UK International Data Transfer Addendum or another UK-approved tool when we use vendors that offer them, together with the SCCs or another allowed mechanism. For Australia, see Section 12.

9. European Union and European Economic Area (GDPR)

If you live in the EU or EEA, the GDPR applies. You may have the right to access, correct, delete, restrict processing, receive a copy of your data, object (including to some legitimate-interest processing), and not be subject to solely automated decisions with legal or similarly significant effects under Article 22 when that rule applies. If you think we are breaking the law, you may complain to a supervisory authority where you live.

EU Representative (contact): codethecure@gmail.com. CodeTheCure is operated from the United States. Use this address for EU/EEA privacy requests and representative inquiries.

Data Protection Officer: No DPO is designated. The nature and scale of processing do not require a DPO under applicable law. For privacy questions, contact codethecure@gmail.com.

Breaches. If a breach is likely to harm your rights and freedoms, we will notify the lead supervisory authority without undue delay and, where feasible, within 72 hours of learning of the breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to create a high risk for you, we will also notify affected users without undue delay when Article 34 requires it.

Deletion requests. If you ask us to erase data, we will act without undue delay and, in any case, within 30 days of a request we can verify, unless the law allows or requires a longer window.

10. United Kingdom (UK GDPR and Data Protection Act 2018)

If you live in the UK, we treat your data under the UK GDPR and the Data Protection Act 2018. You have rights that line up with the EU list in Section 9, including access, correction, erasure, restriction, portability, objection, and rules on automated decisions, when UK law applies.

UK Representative (contact): codethecure@gmail.com. CodeTheCure is operated from the United States. Use this address for UK privacy requests and representative inquiries.

You can complain to the Information Commissioner's Office: ico.org.uk.

11. Canada (PIPEDA and Quebec Law 25)

If you live in Canada, we handle your personal information under PIPEDA where it applies, and under provincial laws when those apply instead or as well.

Quebec. If you live in Quebec, Law 25 may give you extra rights under the private-sector privacy act, including data portability in some cases, erasure or de-indexing in some cases, and information about any decision about you that is based solely on automated processing, where that applies.

For Canada-related privacy questions: codethecure@gmail.com, or Section 21.

12. Australia (Privacy Act 1988 and APPs)

If you live in Australia, we follow the Privacy Act 1988 and the Australian Privacy Principles. When we send personal information to the U.S. or other countries, we take reasonable steps under APP 8 so that recipients meet the APPs or something close, including through contracts.

You may complain to the Office of the Australian Information Commissioner: oaic.gov.au.

13. California (CCPA and CPRA)

California residents have rights under the CCPA as changed by the CPRA. We do not sell personal information and we do not share it for cross-context behavioral advertising, each phrase used the way those laws define them.

Sensitive personal information. Information you save in a profile (for example treatment phase) may count as sensitive under CPRA in some cases. We only use sensitive personal information in ways that are reasonably needed to deliver the service you asked for and that the law allows. You may have the right to limit some uses; use the contact below.

Do not sell or share. We do not sell or share personal information for those purposes, so you do not need to take a separate opt-out step for sale or sharing on that basis.

For requests to know, delete, or correct: codethecure@gmail.com. We will verify and answer as California law requires.

14. Future Monetization

The service is free today. If we add paid plans later, we will update this policy and tell registered users ahead of time when the law says we must. We will not fund the product by selling personal information.

15. Data Retention

We keep account data while your account stays open. When you delete your account, we delete your user record and related data stored on our systems, including conversations, shared links, patient profile and related health fields you saved, reminders, symptom entries, PDFs and sources tied to your account, push subscriptions, and similar records, subject to what the law makes us keep. Labels stored only in your browser (such as journey focus) remain on your device until you clear site data for our site.

We keep security and performance logs for a limited time, then delete or aggregate them.

16. Your Rights (General)

Where you live, you may have rights to see, fix, delete, or export your data, or to object to or limit some processing. Email codethecure@gmail.com. Region-specific rights appear in Sections 9 through 13 and in Section 24.

17. Children's Privacy

This site is not meant for children under 13. We do not knowingly collect personal information from children under 13. If we learn an account belongs to someone under 13, we will close it and delete personal information tied to it, except the small amount we may be legally required to keep.

United States. You must be at least 13. Between 13 and 17 you need a parent or guardian to agree where the law requires that.

European Union. The age at which you can consent on your own to online services varies by country (often 13 to 16). If you are below that age in your country, you need verifiable parental consent before you open an account. At sign-up we ask you to confirm that you meet the age rules that apply to you; we do not separately verify a parent's identity online today. If we add a dedicated parental verification flow later, we will describe it here.

18. Security

We use reasonable technical and organizational measures, including TLS for data in transit and protections for stored data. Only people and vendors who need access get it. No system is perfectly secure.

19. Cookies and Similar Technologies

We set strictly necessary cookies so you can stay signed in and so sessions stay secure. Those cookies fall under the "essential" exception in EU and UK ePrivacy guidance and do not need a marketing-style consent banner by themselves.

We use Vercel Web Analytics on the public site. It is a first-party analytics script from our hosting provider. It helps us see aggregate traffic and performance (for example page views and core web vitals). It is not used to sell your data or to run cross-site advertising. It is not the same thing as installing third-party ad pixels.

We do not use third-party advertising or behavioral tracking cookies for ad targeting. If you are in the EU or UK, we still do not show a cookie banner solely for optional analytics cookies because we do not use optional non-essential marketing cookies on that basis. You can disable cookies in your browser; the site may not work fully if you do. The cookies we set are:

  • accessToken (httpOnly): carries your signed-in session. Typically up to seven days, or about fifteen minutes when a password change is required.
  • refreshToken (httpOnly): used to obtain a new access token without logging in again. Up to seven days when issued.

20. Changes to This Policy

We may update this policy. For big changes we will email registered users at least 30 days ahead when the law requires that. Continued use after the new date may mean you accept the update where the law allows that.

21. Contact Us

General and legal: codethecure@gmail.com
Privacy and data requests: codethecure@gmail.com
Mail: CodeTheCure is operated from the United States. We do not publish a street address on this page; email codethecure@gmail.com for postal correspondence or a mailing address if required.

Website: codethecure.app

22. Other U.S. State Privacy Laws

Other states may give you extra rights. You can reach us at codethecure@gmail.com for requests. We will respond under the law that applies to you once we know where you live and what you are asking for.

23. HIPAA

For typical consumer use of the public site, we are not acting as a HIPAA covered entity or business associate. Do not use this service to send protected health information when you need a HIPAA channel.

24. Jurisdiction-Specific Addenda (Quick Reference)

Main regional sections:

  • EU or EEA: Section 9
  • United Kingdom: Section 10
  • Canada, including Quebec: Section 11
  • Australia: Section 12
  • California: Section 13

See also our Terms of Service. Version 2.1, last updated April 5, 2026.