CodeTheCure - Legal Documents
Privacy Policy & Terms of Service
Version 2.1. Last updated April 5, 2026.
PRIVACY POLICY
1. Overview
CodeTheCure ("we," "us," or "our") is a free cancer education site run from the United States. People use it from many countries. This policy explains what we collect, what we do with it, what choices you have, and how we try to keep it safe.
We are not a clinic or hospital. We are not a HIPAA covered entity. We do not give medical advice, diagnoses, or treatment instructions through this policy or the product.
2. Information We Collect
We ask for what we need to run the service. When you sign up with email and password we store your email, the name you pick for your account, and a hashed password. We cannot read your password in plain text. If you sign in with Google, we receive your email and name from Google and may store a profile image URL; you may not have a password on file. We also store when the account was created.
Journey focus (browser). You can pick a focus such as newly diagnosed, in treatment, survivor, caregiver, or general awareness. For the main app experience we store that label in your browser (local storage on your device) so we can personalize what you see in that browser. It is not sent to our servers as a separate account field. Clearing site data or using another device may reset it.
Optional health profile (servers). If you use features that ask for health or care details (for example cancer type or treatment phase in a saved profile), we store what you save with your account so those features work. In the EU and UK that can count as health-related or special category data. Where the law requires it, we rely on explicit consent when you submit or save that information in the product.
We store preferences you choose in the app (for example chat topic focus, notification toggles, and similar settings), mainly in your browser and, for some fields, in your account on our servers. We also collect basic session or usage metadata we need to keep the site running (for example which product areas you use at a high level). We do not maintain a separate page-by-page browsing log of every screen you opened unless we add that and describe it here.
Chat. We handle the text you send and the replies you get. Your messages are sent to our education AI backends and to model providers (for example OpenAI) so we can generate answers. We do not run a separate automated PII redaction layer (such as Microsoft Presidio) on every chat message in our current production stack. Treat chat like a general web service: avoid pasting unnecessary names, phone numbers, medical record numbers, or other identifiers when you can describe your question in general terms instead. We store conversation text on our systems so you can see history and so we can run, secure, and improve the service. Section 3 goes into more detail.
We also get ordinary technical data: which parts of the site you used, device and browser type, and sometimes country or region from network data.
We do not sell your data to brokers. Given how we actually process data today, we do not use it for "cross-context behavioral advertising" as that term is used in certain U.S. state laws.
3. How We Process Your Messages
Our education AI runs on our own services and on external model APIs. The main chat flow sends your message and conversation context to our CodeTheCure AI backend and to providers such as OpenAI (and subprocessors listed in their documentation). Other features may call OpenAI or similar APIs directly from our servers (for example generating a short conversation title, analyzing symptoms, transcribing voice, or text-to-speech). Community moderation, where we use it, may send text to OpenAI's moderation endpoint.
When we use commercial APIs, we rely on the vendor's standard API terms and data processing terms. Where a vendor offers GDPR-style data processing terms or Standard Contractual Clauses for international transfers, we use those mechanisms when they apply to our relationship and the product configuration.
We store messages and model outputs on our systems so features that depend on history work, and so we can protect the service, fix problems, and make improvements, within this policy.
4. Lawful Bases for Processing (GDPR and similar)
For people in the EU or UK, we only process personal data when a lawful basis applies. Summary:
- Contract (Article 6(1)(b)). Running your account, signing you in, giving you the features you asked for, and keeping the core product working.
- Legitimate interests (Article 6(1)(f)). Security work, fraud and abuse prevention, aggregate product analytics (including first-party analytics described in Section 19), and limited operational metrics. We balance our interests against your rights. You can object in the ways described in the rights sections.
- Consent (Article 6(1)(a)). Where we ask for consent (for example some emails or optional features), you can withdraw it. That does not undo processing that was lawful before you withdrew.
- Legal obligation (Article 6(1)(c)). When the law requires us to keep or hand over certain records, or when we must respond to a valid legal request.
5. Special Category Data (Health-Related Choices): GDPR Article 9
Labels like newly diagnosed, in treatment, or survivor can reveal something about your health. Under EU and UK law, cancer type, treatment phase, or similar fields you save in onboarding or a health profile on our systems are often special category data under Article 9. We process them when you clearly choose to submit or save that information in the product (for example completing onboarding or profile flows, including acknowledging our Terms and Privacy Policy where that step is shown). Journey focus kept only in your browser is processed on your device; if local law treats that as special category data, we rely on your clear choice in settings together with this notice. You can withdraw by changing or removing profile data, clearing browser storage, deleting your account, or writing to us. If you withdraw, some personalization may stop working.
6. Third-Party AI Providers and Sub-Processors
OpenAI and similar providers receive the text needed for each request (for example chat messages, title generation, voice transcription, text-to-speech, image generation, or moderation), subject to the limits of each feature. Our primary education backend may call more than one model or provider depending on deployment. Sub-processors beyond model APIs include our hosting and database vendors. We may change vendors over time. If the law requires notice for material changes, we will give it, including to registered users when that applies. Email codethecure@gmail.com for a current summary of sub-processors we use.
7. How We Use Your Information
We use what we collect to open and maintain your account, personalize the experience using browser-stored choices and any profile data you have saved where you have agreed, run and secure the site, send service-related messages, and meet legal duties. You can opt out of emails that are not required for the service through settings or by contacting us where that applies.
We do not sell your personal information. We do not use it for the kind of sale or sharing for cross-context behavioral advertising that California law describes, as further explained in Section 13.
8. International Data Transfers
We operate mainly in the United States. If you visit from the EU, EEA, UK, or elsewhere, data may be sent to the U.S. and processed there.
For transfers from the EU or EEA to the United States and other countries, we use appropriate safeguards as required by applicable law. That often includes the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 when we use vendors that offer them, together with supplementary measures or transfer assessments where required.
For transfers from the UK we use the UK International Data Transfer Addendum or another UK-approved tool when we use vendors that offer them, together with the SCCs or another allowed mechanism. For Australia, see Section 12.
9. European Union and European Economic Area (GDPR)
If you live in the EU or EEA, the GDPR applies. You may have the right to access, correct, delete, restrict processing, receive a copy of your data, object (including to some legitimate-interest processing), and, where Article 22 applies, not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you think we are breaking the law, you may complain to a supervisory authority where you live.
EU Representative (contact): codethecure@gmail.com. CodeTheCure is operated from the United States. Use this address for EU/EEA privacy requests and representative inquiries.
Data Protection Officer: No DPO is designated. The nature and scale of processing do not require a DPO under applicable law. For privacy questions, contact codethecure@gmail.com.
Breaches. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the lead supervisory authority without undue delay and, where feasible, within 72 hours of learning of the breach; notification is not required where the breach is unlikely to result in a risk to individuals. If the breach is likely to create a high risk for you, we will also notify affected users without undue delay when Article 34 requires it.
Deletion requests. If you ask us to erase data, we will act without undue delay and, in any case, within 30 days of a request we can verify, unless the law allows or requires a longer window.
10. United Kingdom (UK GDPR and Data Protection Act 2018)
If you live in the UK, we treat your data under the UK GDPR and the Data Protection Act 2018. You have rights that line up with the EU list in Section 9, including access, correction, erasure, restriction, portability, objection, and rules on automated decisions, when UK law applies.
UK Representative (contact): codethecure@gmail.com. CodeTheCure is operated from the United States. Use this address for UK privacy requests and representative inquiries.
You can complain to the Information Commissioner's Office: ico.org.uk.
11. Canada (PIPEDA and Quebec Law 25)
If you live in Canada, we handle your personal information under PIPEDA where it applies, and under provincial laws when those apply instead or as well.
Quebec. If you live in Quebec, Law 25 may give you extra rights under the private-sector privacy act, including data portability in some cases, erasure or de-indexing in some cases, and, where it applies, information when a decision about you is based only on automated processing.
For Canada-related privacy questions: codethecure@gmail.com, or see Section 21.
12. Australia (Privacy Act 1988 and APPs)
If you live in Australia, we follow the Privacy Act 1988 and the Australian Privacy Principles. When we send personal information to the U.S. or other countries, we take reasonable steps under APP 8 so that recipients meet the APPs or something close, including through contracts.
You may complain to the Office of the Australian Information Commissioner: oaic.gov.au.
13. California (CCPA and CPRA)
California residents have rights under the CCPA as changed by the CPRA. We do not sell personal information and we do not share it for cross-context behavioral advertising, each phrase used the way those laws define them.
Sensitive personal information. Information you save in a profile (for example treatment phase) may count as sensitive under CPRA in some cases. We only use sensitive personal information in ways that are reasonably needed to deliver the service you asked for and that the law allows. You may have the right to limit some uses; use the contact below.
Do not sell or share. We do not sell or share personal information for those purposes, so you do not need to take a separate opt-out step for sale or sharing on that basis.
For requests to know, delete, or correct: codethecure@gmail.com. We will verify and answer as California law requires.
14. Future Monetization
The service is free today. If we add paid plans later, we will update this policy and tell registered users ahead of time when the law says we must. We will not fund the product by selling personal information.
15. Data Retention
We keep account data while your account stays open. When you delete your account, we delete your user record and related data stored on our systems, including conversations, shared links, patient profile and related health fields you saved, reminders, symptom entries, PDFs and sources tied to your account, push subscriptions, and similar records, subject to what the law makes us keep. Labels stored only in your browser (such as journey focus) remain on your device until you clear site data for our site.
We keep security and performance logs for a limited time, then delete or aggregate them.
16. Your Rights (General)
Where you live, you may have rights to see, fix, delete, or export your data, or to object to or limit some processing. Email codethecure@gmail.com. Region-specific rights appear in Sections 9 through 13 and in Section 24.
17. Children's Privacy
This site is not meant for children under 13. We do not knowingly collect personal information from children under 13. If we learn an account belongs to someone under 13, we will close it and delete personal information tied to it, except the small amount we may be legally required to keep.
United States. You must be at least 13. Between 13 and 17 you need a parent or guardian to agree where the law requires that.
European Union. The age at which you can consent on your own to online services varies by country (often 13 to 16). If you are below that age in your country, you need verifiable parental consent before you open an account. At sign-up we ask you to confirm that you meet the age rules that apply to you; we do not separately verify a parent's identity online today. If we add a dedicated parental verification flow later, we will describe it here.
18. Security
We use reasonable technical and organizational measures, including TLS for data in transit and protections for stored data. Only people and vendors who need access get it. No system is perfectly secure.
19. Cookies and Similar Technologies
We set strictly necessary cookies so you can stay signed in and so sessions stay secure. Those cookies fall under the "essential" exception in EU and UK ePrivacy guidance and do not need a marketing-style consent banner by themselves.
We use Vercel Web Analytics on the public site. It is a first-party analytics script from our hosting provider. It helps us see aggregate traffic and performance (for example page views and core web vitals). It is not used to sell your data or to run cross-site advertising. It is not the same thing as installing third-party ad pixels.
We do not use third-party advertising or behavioral tracking cookies for ad targeting. If you are in the EU or UK, we still do not show a cookie banner solely for optional analytics cookies because we do not use optional non-essential marketing cookies on that basis. You can disable cookies in your browser; the site may not work fully if you do. The cookies we set are:
- accessToken (httpOnly): carries your signed-in session. Typically up to seven days, or about fifteen minutes when a password change is required.
- refreshToken (httpOnly): used to obtain a new access token without logging in again. Up to seven days when issued.
20. Changes to This Policy
We may update this policy. For big changes we will email registered users at least 30 days ahead when the law requires that. Continued use after the new date may mean you accept the update where the law allows that.
21. Contact Us
General and legal: codethecure@gmail.com
Privacy and data requests: codethecure@gmail.com
Mail: CodeTheCure is operated from the United States. We do not publish a street address on this page; email codethecure@gmail.com for postal correspondence or a mailing address if required.
Website: codethecure.app
22. Other U.S. State Privacy Laws
Other states may give you extra rights. You can reach us at codethecure@gmail.com for requests. We will respond under the law that applies to you once we know where you live and what you are asking for.
23. HIPAA
For typical consumer use of the public site, we are not acting as a HIPAA covered entity or business associate. Do not use this service to send protected health information when you need a HIPAA channel.
24. Jurisdiction-Specific Addenda (Quick Reference)
Main regional sections:
- EU or EEA: Section 9
- United Kingdom: Section 10
- Canada, including Quebec: Section 11
- Australia: Section 12
- California: Section 13
TERMS OF SERVICE
1. Acceptance of Terms
If you create an account or use CodeTheCure in any way, you agree to these Terms and to our Privacy Policy. If you do not agree, stop using the site. These Terms are a binding contract between you and CodeTheCure.
2. What CodeTheCure Is
CodeTheCure is a cancer education platform. It pulls from published medical literature and from trusted groups such as the National Cancer Institute, American Cancer Society, CDC, and WHO. It explains symptoms, risk factors, and warning signs in plain language. It can point you to money help, support groups, trials, and general mental health resources. It is meant to help you get ready for real conversations with your care team, not to replace those conversations.
3. What CodeTheCure Is Not
Read this section carefully. It matters more than any other part of these Terms.
We are not a medical service. We are not your doctor. We do not give medical advice, diagnoses, or treatment plans. We are not a substitute for in-person care.
Nothing on the site is a diagnosis or an order to start, stop, or change treatment. The AI answers summarize general information from the literature. They are not tailored medical advice about your body. Symptom text reflects broad patterns from published sources, not an exam of you.
For any decision about care, talk to a licensed professional who knows you. In an emergency call your local emergency number (in the U.S., 911). Do not wait on CodeTheCure.
The service is not HIPAA compliant for storing or sharing clinical records. Use your clinic's secure portal for that kind of information.
4. Eligibility
United States. You must be at least 13. From 13 through 17 you need a parent or guardian to agree where the law says so.
European Union. The age when you can consent on your own varies by country and can be as high as 16. If you are under that age where you live, you need verifiable parental consent before you sign up. At sign-up we ask you to confirm that you meet the age rules that apply to you; we do not separately verify a parent's identity online today.
Tell the truth when you register. One person, one account, unless we tell you otherwise in writing.
5. Account Responsibilities
You keep your login private. You are responsible for what happens under your account until you tell us it was stolen and we can lock it down. Keep your email and other details current.
6. Acceptable Use
Use the site only in ways that follow these Terms and the law. Do not use it for your own business or resale without our written OK. Do not scrape, reverse engineer, or try to copy how our systems or models work. Do not send fake, dangerous, or harassing content. Do not break or bypass security. Do not mess with another user's account. Do not run bots or scripts that abuse our servers. If you are not sure whether something is allowed, ask us before you do it.
7. Health Information Disclaimer
We pull information from respected public sources and journals. Medicine changes fast. What you read here may be out of date tomorrow. Your situation is unique. The AI can still be wrong or incomplete even when we try hard to prevent that. Check anything important with a clinician before you act.
By using the education features, you agree you understand this is general information, not personal medical advice.
8. Mental Health and Crisis Support
We may link to crisis lines such as 988 in the U.S. or similar services elsewhere. Those links are for information. We are not your therapist and we do not provide treatment.
If you might hurt yourself or someone else, call your local emergency or crisis number now. In the U.S., 988 and 911 are examples. Do not rely on this website as your only support in a crisis.
9. Intellectual Property
Our branding, layout, code we own, and original text we write belong to CodeTheCure or our licensors and are protected by copyright and other laws. Facts and excerpts from NCI, ACS, WHO, and similar sources still belong to those organizations. Do not copy our original material without written permission.
10. Limitation of Liability
TO THE FULLEST EXTENT THE LAW ALLOWS, CODETHECURE AND OUR TEAM ARE NOT LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES THAT COME FROM USING OR NOT BEING ABLE TO USE THE SERVICE, EVEN IF WE KNEW DAMAGE WAS POSSIBLE.
OUR TOTAL LIABILITY FOR ALL CLAIMS TIED TO THE SERVICE IS CAPPED AT THE GREATER OF WHAT YOU PAID US IN THE TWELVE MONTHS BEFORE THE CLAIM OR ONE HUNDRED U.S. DOLLARS ($100), FOR USERS TO WHOM THAT CAP APPLIES UNDER THESE TERMS. THAT CAP APPLIES NO MATTER WHAT LEGAL THEORY YOU USE.
Nothing above limits liability where the law forbids that limit: for death or personal injury caused by our negligence, for fraud, or for anything else you cannot waive under the law where you live, including mandatory consumer laws. If you live in the EU or UK, those caps only apply where local law allows them.
Nothing in this section takes away rights you always keep under the consumer protection laws of your country when those laws cannot be contracted away.
11. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." WE DISCLAIM ALL IMPLIED WARRANTIES THAT THE LAW LETS US DISCLAIM, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WE DO NOT PROMISE THE SITE WILL ALWAYS RUN, STAY SECURE, OR BE ERROR-FREE. WE DO NOT PROMISE ANY CONTENT IS COMPLETE, CURRENT, OR RIGHT FOR YOUR CASE.
12. Indemnification
You agree to cover CodeTheCure and our team for claims, losses, and fees (including reasonable lawyers' fees) that come from your use of the site, your breach of these Terms, your violation of someone else's rights, or content you submit.
13. Future Paid Features
Today the service is free. If we charge later, we will show prices before we bill, get your clear agreement, and post refund rules at purchase. We will update these Terms with payment terms before we turn on paid features.
14. Termination
We may suspend or close your account if we need to, including for breaking these Terms, when the law allows. You may delete your account in settings. When access ends, we handle data as the Privacy Policy says.
15. Governing Law and Dispute Resolution
These Terms follow the laws of the State of [STATE, for example Delaware or California], USA, without sending you to another state's rules just because they conflict.
Unless the law where you live forbids it, you agree that courts in [CITY, STATE] have exclusive authority over disputes about these Terms or the site, and you consent to personal jurisdiction there.
That choice of court does not strip away rights you always have under mandatory consumer laws where you live.
16. Changes to These Terms
We may change these Terms. We will email registered users about material changes at least 30 days ahead when required. If you keep using the site after the new Terms take effect, that may mean you accept them where the law allows. If you disagree, stop using the site before the start date.
17. Severability
If one part of these Terms is invalid, the rest stays in force. Courts may narrow an invalid part instead of throwing out the whole agreement.
18. Entire Agreement
These Terms and the Privacy Policy are the full deal between you and CodeTheCure about use of the platform. They replace earlier informal understandings on the same topic.
19. Contact Us
Questions about these Terms: codethecure@gmail.com
Website: codethecure.app
Mail: CodeTheCure is operated from the United States. We do not publish a street address on this page; email codethecure@gmail.com for postal correspondence or a mailing address if required.
Our Privacy Policy is published separately. Version 2.1, last updated April 5, 2026.