Your Privacy

The majority of participation on this platform is straightforward. You read a question, you select an answer or type a response, and your answer is stored directly. The text you enter in any field goes to a structured database exactly as you wrote it. No AI reads it, processes it, or interprets it at the point of submission.

Where AI does appear in the questionnaire experience, it is on the output side: the contextual narration and feedback you receive as you complete a module. That narration is AI-generated. Your responses are not. What you contribute is yours, stored as you wrote it. What the platform returns to you as context or feedback is AI-assisted.

The platform includes an optional capability for contributing text records you already have: radiology reports from your MRI imaging, results from ancestry services, lab results from your care team or MyChart, Epstein-Barr serology results, blood panels, and similar records. You paste the text as it appears. The platform processes it.

Processing these records into structured, queryable data requires AI assistance. Every area of the platform that uses AI is clearly labeled. Record contribution is entirely optional, as is every other area of the platform.

When you paste a text record for processing, it is handled by an AI model operating under a HIPAA Business Associate Agreement. This agreement is a formal legal contract that prohibits the AI provider from storing, logging, or retaining any data submitted. Your text passes through the AI layer, is processed, and is immediately discarded. It is never retained, never used to train any model, and never accessible again outside your session.

This is a fundamentally different standard from using any consumer AI tool. Most AI interfaces people encounter day to day are governed by general terms of service. This platform's AI processing is governed by a HIPAA-compliant business associate agreement, the same standard applied to any covered entity handling protected health information. Your data is protected by contract, not just policy.

The AI layer is not the only component of this platform that operates under a formal HIPAA agreement. Every part of the technology stack that handles participant data is hosted on enterprise infrastructure operating under an executed Business Associate Agreement with WeCureUs. These agreements cover every service that touches participant data, from authentication to data storage to AI processing to email delivery.

No aspect of participant data handling takes place outside of a formal BAA framework. These agreements do not make the platform HIPAA compliant on their own. Correct configuration, access controls, encryption, and audit logging are equally required and equally in place. The BAAs establish the legal accountability. The architecture and configuration enforce it.

When you paste a text record, a structured extraction process classifies the document, extracts the meaningful fields, and matches the findings to a controlled vocabulary. Only the resulting structured data is stored. The text you paste is processed once and immediately discarded; it is never retained. Each stored record is version-tagged with the vocabulary version used, so researchers know exactly what process generated any record they are querying. A separate confidence-checking pass that runs after a record is stored is a planned future enhancement, not something in place today.

Your responses are never stored alongside your name, date of birth, or any direct identifier. All data is linked to a pseudonymous code. Your account contact information, including the email address and phone number associated with your account, is stored in a completely separate system that is never joined to the research dataset. The two are architecturally designed to remain permanently separate.

No query returns results for fewer than five participants. This k-anonymity threshold is enforced at the disclosure layer before any output reaches a researcher. Individual records are never exposed.

WeCureUs uses cookies only where they are necessary for the platform to work and to keep your account secure. When you sign in to the participant portal, a single session cookie named __session is placed in your browser. It is marked HttpOnly, so no script running on the page can read it. It is marked Secure, so it is only ever sent over an encrypted connection. It is marked SameSite=Lax, which limits it to requests that originate from WeCureUs rather than being carried along from other websites. Its only job is to confirm that you are signed in as you move between pages. It holds no advertising identifier and builds no profile of you. It expires after at most fourteen days, and that window resets each time you return, so an inactive session ends on its own.

Two parts of the platform use security services that guard against automated abuse: the contact form on the public site, and the phone verification step during enrollment. These services may set their own strictly necessary cookies for the single purpose of telling a real person apart from an automated bot. They are not used to advertise to you and do not track you across other websites.

WeCureUs sets no advertising cookies, no analytics cookies, and nothing that profiles you or follows you across the web. We do not sell your data. You stay in control of cookies at all times. Every major browser lets you view, block, or delete cookies through its settings, and you can clear the WeCureUs session cookie at any time by signing out or by clearing your browser data. Blocking the session cookie will keep you from staying signed in to the participant portal, but the rest of the public site remains fully readable.

You can review, edit, or delete any response you have submitted at any time. You can stop participating at any time. You can request deletion of your entire record. None of these actions require contacting anyone. They are available directly within your account.