Privacy Policy
Last updated: February 21, 2026
Data Security Notice
While Remedy Fund is not a HIPAA-covered entity, we voluntarily adopt HIPAA-inspired security measures to protect any health-related information shared on our platform. We use industry-standard encryption, access controls, and security-event logging.
1. Information We Collect
Information You Provide
- Account information (name, email, profile details)
- Researcher credentials and verification documents
- Project proposals and research descriptions
- Payment information (processed securely by Stripe)
- Communications with other users or our support team
Health-Related Information
Some information shared on the platform may relate to health conditions or medical research. This information is treated with enhanced security measures aligned with HIPAA principles, including encryption, access controls, and audit logging.
Automatically Collected Information
- Device information and browser type
- IP address and approximate location
- Usage patterns and page views
- Referral sources
2. How We Use Your Information
- Operating and improving the platform
- Processing contributions and payments
- Verifying researcher credentials
- Sending transactional emails and notifications
- Preventing fraud and ensuring platform security
- Complying with legal obligations
- Analytics and platform improvement (with consent)
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases as defined by GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our services — account creation, payment processing, project management, and communications related to your use of the Platform.
- Consent (Art. 6(1)(a)): Analytics cookies, marketing communications, and processing of health-related information (which is special-category data under GDPR Article 9 and is processed only with your explicit consent, Art. 9(2)(a)). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, platform security, service improvement, and enforcement of our Terms of Service. We balance our interests against your rights and do not use this basis where your interests override ours.
- Legal obligation (Art. 6(1)(c)): Tax reporting, financial record-keeping, responding to lawful requests from public authorities, and retaining audit logs.
4. Information Sharing
We do not sell your personal information. We share information only with:
- Payment processors (Stripe) for transaction processing
- Email service providers (SendGrid) for communications
- Hosting providers (Vercel, Firebase/Google Cloud) for platform operation
- Law enforcement when legally required
All third-party service providers are contractually obligated to protect your data and may only use it for the specific purposes for which we share it.
5. HIPAA-Inspired Safeguards
Although not legally required, we implement safeguards aligned with HIPAA standards:
- Technical safeguards: Encryption at rest and in transit, secure authentication, access logging
- Administrative safeguards: Access controls, employee training, incident response procedures
- Physical safeguards: Cloud infrastructure with SOC 2 compliance (Google Cloud / Firebase)
- Audit logging: Privileged administrative actions and security events are logged; audit records relating to health-related information are retained for 6 years, matching the HIPAA documentation retention period
6. Your Rights (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Restriction (Art. 18): Limit processing of your personal data
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at privacy@remedy.fund or submit a request in your account settings. We will respond within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
- Right to Correct: You may request that we correct inaccurate personal information.
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise these rights, contact us at privacy@remedy.fund or submit a request in your account settings. We will verify your identity before processing your request.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specific retention periods by data category:
- Account data: Retained while your account is active. Deleted within 30 days of account closure, subject to legal retention requirements.
- Financial/transaction records: Retained for 7 years as required by tax and financial regulations.
- Health-related audit logs: Retained for 6 years in alignment with HIPAA-inspired standards.
- Analytics data: Aggregated and anonymized after 26 months.
- Communications/support data: Retained for 3 years after last interaction.
You may request deletion of your account and personal data at any time, subject to the retention periods above and applicable legal requirements.
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery. (Under GDPR, Article 33 requires notifying the competent supervisory authority within 72 hours of becoming aware of a breach, and Article 34 requires notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.) Notification will include the nature of the breach, the data affected, and the steps being taken to address it.
11. International Data Transfers
If you access the Platform from outside the United States, your data may be transferred to and processed in the United States where our servers and service providers are located. For users in the EEA, UK, and Switzerland, we ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Reliance on service providers who maintain EU-U.S. Data Privacy Framework certification where applicable
You may request a copy of the applicable transfer safeguards by contacting us at privacy@remedy.fund.
12. Children's Privacy
Remedy Fund is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@remedy.fund.
13. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@remedy.fund.