Privacy Policy

1. Information We Collect

Information You Provide

• Account information (name, email, profile details)
• Researcher credentials and verification documents
• Project proposals and research descriptions
• Payment information (processed securely by Stripe)
• Communications with other users or our support team

Health-Related Information

Some information shared on the platform may relate to health conditions or medical research (for example, information a contributor chooses to provide about why they are funding a particular project, or information a researcher includes in their project description). Health-related information is protected by the security controls described in Section 5, and is treated as "sensitive personal information" under applicable U.S. state privacy laws and as a "special category" of personal data under GDPR Article 9 (see Section 6).

Automatically Collected Information

• Device information and browser type
• IP address and approximate location
• Usage patterns and page views
• Referral sources

2. How We Use Your Information

• Operating and improving the platform
• Processing contributions and payments
• Verifying researcher credentials
• Sending transactional emails and notifications
• Preventing fraud and ensuring platform security
• Complying with legal obligations
• Analytics and platform improvement (with consent)

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases as defined by GDPR Article 6:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide our services — account creation, payment processing, project management, and communications related to your use of the Platform.
• Consent (Art. 6(1)(a)): Analytics cookies, marketing communications, and processing of health-related information. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
• Legitimate interests (Art. 6(1)(f)): Fraud prevention, platform security, service improvement, and enforcement of our Terms of Service. We balance our interests against your rights and do not use this basis where your interests override ours.
• Legal obligation (Art. 6(1)(c)): Tax reporting, financial record-keeping, responding to lawful requests from public authorities, and retaining audit logs.

4. Information Sharing

We do not sell your personal information. We share information only with:

• Payment processors (Stripe) for transaction processing
• Email service providers (SendGrid) for communications
• Hosting providers (Vercel, Firebase/Google Cloud) for platform operation
• Law enforcement when legally required

All third-party service providers are contractually obligated to protect your data and may only use it for the specific purposes for which we share it.

5. Security Controls

Remedy Fund is not a HIPAA-covered entity and does not represent that its controls satisfy HIPAA requirements. We apply industry-standard security controls to protect personal information, including:

• Technical controls: Encryption at rest and in transit, secure authentication, access logging
• Administrative controls: Role-based access, employee training, incident-response procedures
• Infrastructure controls: Cloud hosting on providers with SOC 2 compliance (Google Cloud / Firebase, Vercel)
• Audit logging: Privileged administrative actions and security events are logged, with targeted 6-year retention for audit records relating to health-related information

6. Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate personal data
• Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
• Restriction (Art. 18): Limit processing of your personal data
• Objection (Art. 21): Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@remedy.fund or submit a request in your account settings. We will respond within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Sensitive Personal Information

Under CPRA, certain categories of personal information are treated as "sensitive personal information" (SPI). We may collect the following SPI categories:

• Account credentials (such as login passwords)
• Health-related information voluntarily provided by users

We use SPI solely for the purposes for which it was collected — to operate the platform, process contributions, communicate with users, comply with legal obligations, and prevent fraud or security incidents. We do not use SPI to infer characteristics about you, and we do not disclose SPI for cross-context behavioral advertising. Because our use of SPI is limited to these purposes, we do not currently offer a separate "Limit the Use of My Sensitive Personal Information" mechanism. If our use changes, we will update this Policy and provide the appropriate limit-use option.

To exercise these rights, contact us at privacy@remedy.fund or submit a request in your account settings. We will verify your identity before processing your request.

7a. Washington Consumer Health Data (MHMDA)

The following section applies to Washington State residents under Washington’s My Health My Data Act (MHMDA). This is a starter notice; if you are a Washington resident, please review it carefully and contact us with any questions.

Consumer Health Data We Collect

We may collect "consumer health data" as defined by MHMDA only to the extent you voluntarily provide it — for example, information about a medical condition that motivates your contribution to a particular research project, or information a researcher includes in their published project description. We do not infer health data from your activity on the platform. We do not collect biometric or genetic data.

Sources, Purposes, and Sharing

• Sources: Information you provide directly through the platform.
• Purposes: Operating the platform, processing your contribution, publishing researcher-authored project content, and fulfilling our legal obligations.
• Sharing: We share consumer health data only with service providers acting on our behalf under contract (payment processor, email delivery, hosting). We do not sell consumer health data. We do not share consumer health data with third parties for marketing or advertising.

Your Rights Under MHMDA

• Right to access your consumer health data
• Right to deletion of your consumer health data
• Right to withdraw consent to our collection and processing of your consumer health data
• Right to appeal a denial of any of the above rights

We do not sell consumer health data and will not do so without first obtaining your separate, valid authorization as required by MHMDA. To exercise any MHMDA right or appeal a denial, contact us at privacy@remedy.fund.

7b. Other U.S. State Privacy Rights

If you reside in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, or another U.S. state with a comprehensive consumer privacy law, you may have the following rights, subject to the specific terms of your state’s law:

• Right to access the personal data we hold about you
• Right to correct inaccurate personal data
• Right to delete your personal data
• Right to portability — receive your data in a portable format
• Right to opt out of targeted advertising, sale of personal data, or profiling with significant effects
• Right to appeal a denial of any of the above rights

We do not engage in targeted advertising or sale of personal data. We do not use profiling that produces legal or similarly significant effects. Health-related information is treated as sensitive data and is processed only with your consent.

Colorado residents: we recognize browser-based universal opt-out signals (Global Privacy Control) where applicable.

To exercise these rights or appeal a denial, contact us at privacy@remedy.fund. We will verify your identity and respond within the time period required by your state’s law (generally 45 days, extendable).

8. Cookies and Tracking

We use cookies in the following categories:

• Essential cookies: Required for login, security, and basic functionality (no consent required)
• Analytics cookies: Help us understand usage patterns (requires consent)
• Preference cookies: Remember your settings and preferences (requires consent)

We do not use marketing or advertising cookies. You can manage your cookie preferences at any time through account settings (if signed in) or your browser settings.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods by data category:

• Account data: Retained while your account is active. Deleted within 30 days of account closure, subject to legal retention requirements.
• Financial/transaction records: Retained for 7 years as required by tax and financial regulations.
• Audit logs relating to health-related information: Retained for 6 years as a targeted security and compliance measure.
• Analytics data: Aggregated and anonymized after 26 months.
• Communications/support data: Retained for 3 years after last interaction.

You may request deletion of your account and personal data at any time, subject to the retention periods above and applicable legal requirements.

10. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery (in compliance with GDPR requirements). Notification will include the nature of the breach, data affected, and steps being taken to address it.

11. International Data Transfers

If you access the Platform from outside the United States, your data may be transferred to and processed in the United States where our servers and service providers are located. For users in the EEA, UK, and Switzerland, we ensure appropriate safeguards for international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• Reliance on service providers who maintain EU-U.S. Data Privacy Framework certification where applicable

You may request a copy of the applicable transfer safeguards by contacting us at privacy@remedy.fund.

12. Children's Privacy

Remedy Fund is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@remedy.fund.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@remedy.fund.