Privacy Policy
Last updated: 5/18/2026
What we collect
- Account: email address for magic-link sign-in.
- Questionnaire: the answers you provide so we can build your routine.
- Payments: Stripe processes your card; we store the Stripe session ID and amount only.
- Operational: IP addresses are one-way hashed and used only for rate-limiting and abuse prevention.
How we use it
We use your inputs to generate and store your routine, and to improve the service in aggregate. We do not sell personal information.
Who we share it with
- Supabase (database, auth)
- Stripe (payment processing)
- Anthropic (recommendation narratives) — we do not send identifying information
- Upstash (rate-limiting)
Cookies & tracking
We use strictly necessary cookies for session/auth handling and rate-limiting. We use Vercel Analytics for aggregate, privacy-respecting page-load measurement (no cross-site tracking, no advertising identifiers). We do not deploy advertising cookies, cross-site trackers, or analytics that fingerprint individual users. Third-party services we rely on (Stripe, Supabase) may set their own session cookies scoped to their domains; see their privacy policies for detail. You can clear cookies at any time from your browser settings — doing so may sign you out.
Your rights (California — CCPA/CPRA)
California residents can request access, correction, or deletion of their data via account settings or by emailing privacy@coredose.app. We honor verified deletion requests within 30 days. We do not sell or share personal information for cross-context behavioral advertising, so opt-out rights under CPRA do not apply.
Your rights (EU/UK — GDPR & UK GDPR)
If you are in the EU, UK, or Switzerland, you have additional rights under the GDPR and UK GDPR:
- Lawful basis: we process your data under (a) consent when you complete the questionnaire and submit it, (b) contract performance for paid recommendations, and (c) legitimate interest for hashed-IP rate limiting and fraud prevention.
- Retention: account and questionnaire data are retained while your account is active and for up to 24 months after the last paid recommendation, after which they are deleted or anonymized. Stripe transaction records are retained for the legal accounting period (typically 7 years).
- Your rights: access, rectification, erasure ("right to be forgotten"), portability, restriction, objection, and the right to lodge a complaint with your supervisory authority.
- Automated decision-making: recommendation outputs are deterministic and reviewable; you can request human review of any recommendation at privacy@coredose.app.
- International transfers: some sub-processors (Supabase, Stripe, Anthropic, Vercel) are based in the US and operate under Standard Contractual Clauses or equivalent transfer mechanisms.
Exercise any of these rights by emailing privacy@coredose.app. We respond within 30 days.
Security
We encrypt data in transit and at rest, restrict service-role access to server code, and enforce row-level security on all user tables.
Contact
privacy@coredose.app