Privacy Policy

1. Who We Are

CareDeeper AI ("CareDeeper AI", "we", "our", or "us") operates the website caredeeperai.com and the CareDeeper AI mobile and web application (collectively, the "Service"). We are committed to protecting your personal information and your right to privacy.

If you have questions about this policy, contact us at privacy@caredeeperai.com.

2. Information We Collect

2.1 Information You Provide Directly

• Account credentials: Your email address and a password-derived encryption key. We store a cryptographic hash of your password (bcrypt) — never the password itself.
• Health data: Blood test results, biomarker values, and any health notes you enter. This data is encrypted on your device using a key derived from your password before it is transmitted to our servers. We cannot read it.
• Supplement and goal data: Any supplements, health goals, or notes you add within the app.
• Payment information: Billing details are processed directly by Stripe and are never stored on our servers. We receive only a subscription status token.

2.2 Information Collected Automatically

• Usage logs: Standard server logs including IP address, browser type, pages accessed, and timestamps. These are retained for up to 30 days for security and debugging purposes.
• Device information: Browser type, operating system, screen resolution, and general device category (mobile/desktop).
• Cookies and local storage: We use a session token cookie (JWT) to keep you logged in. We do not use advertising cookies or third-party tracking pixels.

2.3 Information We Do Not Collect

• We do not collect precise GPS location data.
• We do not access your contacts, camera, or microphone.
• We do not build advertising profiles or sell data to data brokers.

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account and authenticate you securely
• Generate AI-powered analysis of your blood test results using the Anthropic Claude API (your encrypted data is decrypted only on your device; only the relevant biomarker values needed for a specific query are sent to the AI model)
• Process subscription payments via Stripe and manage your plan
• Send transactional emails (account verification, password reset, subscription receipts)
• Detect and prevent fraud, abuse, and security incidents
• Comply with applicable legal obligations
• Improve the reliability and performance of the Service

We do not use your health data to train AI models, conduct research, or for any purpose beyond delivering the features you use.

4. AI Analysis and Third-Party Services

4.1 Anthropic Claude API

When you request an AI analysis, biomarker values relevant to your query are transmitted to Anthropic's API to generate a response. We use Anthropic's API under a data processing agreement. Anthropic does not use API data to train its models. See Anthropic's privacy policy for details.

4.2 Stripe

Subscription billing is handled entirely by Stripe, Inc. Your payment card details are entered directly into Stripe's secure interface and are never transmitted to or stored on our servers. See Stripe's privacy policy.

4.3 Email Delivery

Transactional emails (account verification, password reset) are delivered via our configured SMTP provider. We send only necessary system emails — no marketing without explicit opt-in.

4.4 Hosting

Our servers are hosted on Replit's cloud infrastructure. Your encrypted data is stored in a SQLite database on our server. The physical servers are located in the United States.

5. Data Security

We take security seriously:

• Encryption at rest: All health data is encrypted client-side before transmission. Our server stores an encrypted blob it cannot decrypt without your password.
• Encryption in transit: All data is transmitted over HTTPS/TLS.
• Password hashing: Passwords are hashed using bcrypt with a high work factor.
• Authentication: Sessions are managed via signed JWT tokens with expiry.
• Rate limiting: API endpoints are rate-limited to prevent brute-force attacks.

No method of electronic storage or transmission is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. In the event of a data breach, we will notify affected users as required by applicable law.

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, all personal data and encrypted health records are permanently deleted within 30 days. Server logs are retained for up to 30 days then automatically purged.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and all associated data ("right to be forgotten"). You can initiate this from within the app or by emailing us.
• Portability: Export your data in a machine-readable format via the app's export feature.
• Objection: Object to certain types of processing.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact privacy@caredeeperai.com. We will respond within 30 days.

8. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

9. International Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We implement appropriate safeguards for any such transfers in accordance with applicable law.

10. Cookies

We use the following cookies and similar technologies:

• auth_token (essential): A JWT authentication cookie that keeps you logged in. Expires after 30 days. Cannot be disabled without losing access to your account.
• Local storage: We use browser local storage to cache your encrypted health data on your device for offline access and performance.

We do not use analytics cookies, advertising cookies, or any third-party tracking technologies on the app. The marketing website (caredeeperai.com) does not use any tracking cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.