Privacy, plainly
Caregivers read this page carefully — as you should. Here's the truth about what Curacy does with your data, in language a real person can verify.
The short version
- Audio recordings die within 60 seconds. We don't keep them. Ever.
- Transcripts never touch our disk. They're held in memory only as long as it takes to summarize, then dropped.
- Visit summaries and calendar events are stored in our database (Neon, US, encrypted at rest, TLS in transit) so they're available across your phone and laptop. You can export them as JSON from Account & data at any time, and re-import the file later.
- One-tap delete for all your data, also from Account & data. Account-level deletion routes through /contact so we can hear what wasn't working — processed within 48 hours regardless.
- We don't sell your data. No ad partners. The $10 you paid us is the entire business model.
- We're not a HIPAA-covered entity and we won't pretend otherwise. Treat Curacy as a notes app for caregivers, not a clinical record system.
What we collect
From you, directly
- Email address — for magic-link sign-in. No passwords stored anywhere.
- Audio you upload — sent to Groq for Whisper transcription, deleted from our temporary storage within 60 seconds. Groq's own retention is documented in their DPA.
- Transcript derived from the audio — held in memory only, sent to Anthropic for summarization, then dropped. Never written to our database, never logged.
- Visit summary JSON (the structured output) — saved to our database, tied to your user id.
- Calendar events — derived follow-ups, saved to our database for the subscribe-URL feature.
- Optional context — patient name, visit type, notes you type. Same handling as the summary.
Automatically
- Plausible analytics — cookie-less, IP-anonymized, page-level only. No event-level tracking of summary content.
- Server logs — request paths, status codes, timestamps. We do not log request bodies, transcript contents, or summary contents.
- Sentry error reports — stack traces only. Personal-data scrubbing is enabled at the SDK level.
Where it lives
We use these third parties (subprocessors) to run Curacy. Each has its own privacy policy you can review:
- Neon (Postgres, US, encrypted at rest, SOC 2 Type II) — your visits and calendar events.
- Vercel (US) — application hosting, edge cache.
- Groq — Whisper transcription. Audio is sent here, transcribed, returned. Their own retention policy (documented in their DPA) is the second-line check after our 60-second deletion.
- Anthropic — Claude summarization. Transcripts pass through their API; per their commercial terms, API content is not used for training.
- Lemon Squeezy (Merchant of Record) — handles your payment, VAT, and refunds. We never see your full card number; we get a transaction id and the email you paid with.
- Resend (US) — sends sign-in emails and receipts. Holds your email address and the contents of those messages.
- Plausible (EU-hosted) — cookie-less analytics; collects no personally-identifiable data.
- Sentry — error monitoring; PII-scrubbing enabled.
Your controls
- Export — full JSON dump of every visit and calendar event from /app/account. Park it in your iCloud / Drive / Dropbox; if Curacy disappears tomorrow you still have your medical year.
- Re-import — feed the same file back later (e.g. on a new account). Idempotent — duplicates are skipped.
- Delete a single visit — from history, expand the visit, click Delete this visit.
- Delete all my data — from /app/account. Wipes summaries and calendar events; account stays so you can keep using your remaining credits.
- Delete my account — /contact. Processed within 48 hours. We'd like to hear why first; even one sentence is enough.
- Refund — 30-day refund policy.
HIPAA, plainly
We are not a HIPAA-covered entity. We do not sign Business Associate Agreements. If you are a clinician, a clinical practice, or a regulated entity that needs HIPAA-compliant tooling, Curacy is not the right product for you — please use a vendor who can sign a BAA.
For caregivers using Curacy on behalf of a family member: we treat your data with care and apply industry-standard security controls (encryption at rest and in transit, scoped access, audit logs on admin actions), but the protections that apply to a doctor's office under HIPAA do not automatically apply to us.
Children
Curacy is for adults. We don't knowingly collect data from anyone under 13. If you believe we have, contact us via /contact and we'll delete the records within 48 hours.
Changes to this policy
If we change anything that affects what we collect or who we share it with, we'll post a clear notice on this page. Existing data is governed by the policy in force at the time it was collected.
Last updated: May 2026. Questions: /contact.