Privacy Policy

Effective: 2026-04-29 · Document version v7.0-2026-04

Pre-launch notice. CureQuest is operated by an independent developer prior to public launch. This document describes our actual data handling as of 2026-04-29; we recommend reading it in full before creating an account. If you spot anything inaccurate or have a privacy question, email privacy@curequest.io.

1. Who is the controller

CureQuest (the “Service”) is operated by the individual developer behind github.com/KoreanSage, reachable at privacy@curequest.io. This document covers data collected via curequest.io and any subdomain we operate.

CureQuest acts as the data controller for your account information and content. For users in the EU/UK, “controller” has its GDPR / UK GDPR Art.4 meaning.

2. What we collect, why, and for how long

We collect only what the Service needs to function. The short version:

  • Account info (email, password hash, nickname) — for sign-in and to attribute the things you post. Removed when you delete your account.
  • Stuff you create (prompts, AI results, forum posts, comments, bookmarks, Lab templates and drafts) — kept while the item exists, then a 30-day soft delete before permanent removal.
  • Lab Notebook logos uploaded on the Lab Branding settings page — removed when you clear the branding or delete your account.
  • Your consent record — kept 5 years after account deletion in case of a consent-related claim (the GDPR Art.7 record-keeping standard); it gives us an audit trail of which version of the consent text you agreed to.
  • IP address + User-Agent — used only for rate-limit counters; expires on each window boundary. Server access logs live 7 days on Vercel.
  • Safety logs — every AI call records the prompt, which safety guards fired, and the consent version you agreed to. Kept 2 years to defend against safety claims, then purged. You can email privacy@curequest.io to purge your own rows earlier (we'll honor it within 30 days unless an open dispute blocks it).

3. What we do NOT collect

  • No third-party analytics or advertising trackers (no Google Analytics, no Facebook pixel, no Hotjar).
  • No precise location, no biometric data, no information from your device beyond standard HTTP headers.
  • No personal medical data beyond what you explicitly type. Layer 1 of the input guard actively detects and refuses personal medical questions and emergency symptoms.
  • No content of pages you visit or buttons you click — except optionally via Sentry session replay, which is off by default and only enabled if you ticked the optional consent box at signup or in Profile → Settings.

4. Who sees your experiments

Every experiment is private by default. You can flip it to “public” — that posts to the Explore feed and generates a shareable /s/[shareId] URL. Private experiments are only visible to you and to reviewers you explicitly invite (Lab Mode reviewer invites). Enforcement is at the database level via Postgres Row-Level Security policies.

Lab teams: members of a team can view team-scoped templates and drafts. Removing a member or deleting the team revokes access at the next request.

5. Third-party processors

We use the following sub-processors. Each item lists what they see, where the data is processed, and the legal basis for the transfer.

Processor | Purpose | Region
Supabase | Auth + primary database (your account, experiments, all Lab data) | Seoul, KR
Upstash Redis | Rate-limit counters + short-lived caches (no persistent user content) | Tokyo, JP
Google Gemini | AI generation. Receives your prompt + a system instruction; no account identifiers are sent. | US / EU (Google-determined)
PubMed / ClinicalTrials.gov | Public research lookups. Keywords only — never your prompt verbatim, never user identifiers. | US (NIH)
Cloudflare R2 | OG share-card images, Lab Notebook branding logos, archival blobs | Global (Cloudflare network)
Stripe | Payment processing for Premium / Expert subscriptions. We store only your customer ID + plan tier; card data lives with Stripe (PCI-DSS Level 1). | US / global
Sentry | Server + client error tracking. We run a custom scrubber that strips API keys, JWTs, Bearer tokens, and known prompt fields from every event before it ships. Session replay is OFF by default. | US (sentry.io)
Vercel | Hosting + edge delivery | Global edge network
Resend (planned) | Transactional email (sign-in confirmations, security alerts). Currently inactive. | US

Adding or replacing a processor is announced 30 days in advance on the changelog and by in-app notification to registered users.

6. International data flows

Your data is processed across multiple regions by the sub-processors in Section 5 — Supabase in Seoul, Upstash Redis in Tokyo, Google Gemini in US/EU, Sentry in the US, and Vercel + Cloudflare R2 on global edge networks. By creating an account you accept that operating the Service requires this geographic distribution; if you object, don't create an account.

  • Recipients: see Section 5 table.
  • Purpose: operating the Service — auth, rate limiting, AI generation, error monitoring, hosting.
  • Categories: account data, prompts, AI outputs, IP/UA for rate limiting.
  • Period: as long as you have an account, plus the retention windows in Section 2.
  • Safeguards: TLS 1.2+ in transit; each processor's contractual data-processing terms (DPAs); EU/UK users transferred under the EU Standard Contractual Clauses where applicable.

7. Cookies and similar technologies

By default we set only strictly-necessary cookies:

  • Supabase auth session cookies — required for sign-in. Set HttpOnly, Secure, SameSite=Lax.
  • Theme preference (light/dark) — a single first-party cookie/localStorage entry.
  • Cookie consent record — stores your choice on the consent banner so we don't re-prompt every visit.

Optional Sentry session replay is loaded only if you opt in (signup or Profile → Settings). It records page interactions with text masked + media blocked; you can revoke in one click.

We do not use any analytics or advertising cookies.

8. Your rights

We honor the standard data-subject rights that apply under US state privacy laws (CCPA / CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA), GDPR Art.12–22, and UK GDPR, without requiring you to identify which one applies:

  • Access / portability — email privacy@curequest.io and we'll send a JSON archive of every row we hold about you within 30 days (GDPR Art.15 / CCPA §1798.110).
  • Rectification — change your nickname, theme, and other profile fields directly in Profile → Settings; corrections to other records via privacy@curequest.io.
  • Deletion (right to be forgotten) — delete individual experiments (soft-delete + 30-day permanent purge) or your entire account (cascades to all UGC + lab data). Audit logs follow the Section 2 retention policy unless you specifically request earlier purge.
  • Withdrawal of consent — flip optional consents off in Profile → Settings; required consents can only be withdrawn by deleting the account.
  • Object / restrict processing — email privacy@curequest.io. We respond within 30 days (GDPR Art.12(3)).
  • Opt out of “sale” or “sharing” — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Lodge a complaint — US users: your state attorney general or the FTC. EU/UK users: your local data protection authority.

9. Security

Data in transit: TLS 1.2+. Passwords: bcrypt-hashed by Supabase. Row-Level Security policies enforce that users can only read their own private data; team-scoped reads use security-definer helper functions to avoid policy recursion. The service-role key, which bypasses RLS, is used only in: (a) the sign-up trigger that creates the public user row, (b) the cron job that snapshots Gemini cost into gemini_costs, (c) audit-log inserts.
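As an added illustration of the pattern described above (not CureQuest's own schema or policies), the following Supabase Postgres snippet shows a security-definer membership helper so that a policy on the team-membership table does not query that same table under its own RLS and recurse. Table and column names are assumed; auth.uid() is Supabase's built-in helper for the calling user.

```sql
-- Assumed schema (illustration only, not CureQuest's real tables).
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);
create table lab_templates (
  id       uuid primary key default gen_random_uuid(),
  team_id  uuid,                 -- null = private, owner-only template
  owner_id uuid not null,
  body     text
);

-- Runs with the function owner's privileges, so the lookup on team_members
-- is not re-evaluated under team_members' own RLS policy. A plain
-- (security invoker) function used inside that policy would recurse.
create or replace function is_team_member(p_team uuid)
returns boolean
language sql
stable
security definer
set search_path = public            -- pin the path: security-definer hardening
as $$
  select exists (
    select 1 from team_members
    where team_id = p_team and user_id = auth.uid()
  );
$$;
revoke execute on function is_team_member(uuid) from public;
grant  execute on function is_team_member(uuid) to authenticated;

alter table team_members  enable row level security;
alter table lab_templates enable row level security;

-- Members may list the roster of teams they belong to. Without the
-- security-definer helper this policy would query team_members from
-- within team_members' policy and Postgres would raise an infinite-recursion error.
create policy "members_select_own_teams" on team_members
  for select to authenticated
  using (is_team_member(team_id));

-- Owners read their own rows; team-scoped rows are readable by current members.
-- Evaluated per query, so removing a member revokes access on the next request.
create policy "templates_select" on lab_templates
  for select to authenticated
  using (owner_id = auth.uid()
         or (team_id is not null and is_team_member(team_id)));
```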

We run Sentry with a custom scrubber that redacts API keys, JWTs, Bearer tokens, Stripe keys, Google API keys, and known prompt-bearing field names from every event before it leaves the server.

Breach notification: we will notify affected users by email without unreasonable delay — and within 72 hours where feasible — of becoming aware of a personal-data breach (GDPR Art.34 / US state breach-notification statutes such as Cal. Civ. Code §1798.82).

10. Children's privacy

We require a 14+ age confirmation at sign-up — above COPPA's 13-year US floor, so no parental-consent flow is required. If we learn an account belongs to someone under 14 we will delete it and any associated data. To report such an account, email privacy@curequest.io.

11. Changes

We bump the document version (today: v7.0-2026-04) on every meaningful change. The full diff lives at /legal/changelog. Material changes (new processors, new categories of data, retention windows being lengthened) trigger an in-app notification + email to registered users at least 14 days before they take effect; continued use after the effective date constitutes acceptance.

12. Contact + complaints

Privacy questions, access / deletion / correction requests: privacy@curequest.io

Security vulnerability reports: security@curequest.io (also see /.well-known/security.txt).

DMCA / copyright takedown: see Terms §10 and email dmca@curequest.io.
