Privacy Policy
1. The short version
Caduceus is built with privacy as the default. We do not track you, show ads, sell data, or run analytics. Most of your learning data lives only on your own device. The only personal data we store on a server is what you voluntarily provide when you create an account (email, name, school, optional profile photo).
2. What Caduceus is
Caduceus ("we", "our", "the app") is a free educational application for medical students, residents, and healthcare trainees. It is published by an individual developer and is not affiliated with any medical institution, government body, or commercial medical content provider.
Caduceus provides reference material, clinical simulations, flashcards, and quizzes. It is not a clinical decision-support tool and must not be used for patient care.
3. What data we collect
Data stored only on your device (never sent anywhere)
- Your study progress, streaks, and solved case counts
- Your bookmarks and custom flashcard decks
- Your app preferences (dark mode, notifications, sound settings)
- Which cases and drugs you've viewed
This information is kept in your phone's local storage. It is never transmitted.
Data stored on our authentication server (Supabase)
If you create an account, we store only what is strictly necessary to let you sign back in across devices:
- Your email address (used as your login)
- A hashed, salted password (we never see or store your plain-text password)
- Your chosen display name and full name (optional)
- Your school and year of study (optional — you type this yourself)
- Your profile photo, if you choose to upload one (optional)
- The date your account was created and last updated
If you sign in as a guest, none of this is collected. Guest mode works entirely offline.
Data we do NOT collect
- ❌ Analytics or usage tracking
- ❌ Location data
- ❌ Device identifiers, advertising IDs, or fingerprinting
- ❌ Contact lists, calendars, or any other personal files
- ❌ Payment information (Caduceus is free)
- ❌ Any data for advertising purposes
4. Third-party data sources (read-only)
Caduceus fetches medical reference content from these public APIs. These requests are read-only and contain no identifying information about you — only the name of the drug or disease you are researching:
- openFDA (U.S. Food and Drug Administration) — drug labels. Privacy policy
- NIH PubMed (U.S. National Library of Medicine) — peer-reviewed literature. Privacy policy
- ClinicalTrials.gov (NIH) — active clinical trials. Terms
5. Authentication and storage provider
Account data is stored on Supabase, an open-source backend platform. Supabase stores the data in a PostgreSQL database hosted in Frankfurt, Germany (European Union). Supabase acts as our data processor. Supabase privacy policy.
The Caduceus database has Row Level Security enabled, which means the database restricts access to each row by policy, so each user's data is isolated: no user can read or modify another user's profile.
6. Your rights
You have the right to:
- Access your data — it is all visible in the Edit Profile screen
- Edit your data at any time from Edit Profile
- Delete your data — use Settings → Reset App to erase all local data, and contact us to delete your server account
- Export your data — contact us and we will provide a copy
- Withdraw consent at any time by deleting your account
These rights are guaranteed under the EU General Data Protection Regulation (GDPR) and similar laws in your jurisdiction.
7. Children
Caduceus is intended for medical students, residents, and healthcare trainees — typically aged 18 and above. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it.
8. Data retention
Account data is retained as long as you have an active Caduceus account. If you delete your account, your data is permanently removed from our database within 30 days.
9. Security
All traffic between the app and our servers is encrypted with TLS 1.2 or higher. Passwords are hashed using industry-standard bcrypt. We use Row Level Security policies to ensure one user cannot access another user's data. However, no system is perfectly secure — if you believe your account has been compromised, contact us immediately.
10. Changes to this policy
If this policy changes materially, we will update the "last updated" date above and, if you have an account, notify you in-app. Continued use of Caduceus after a policy update constitutes acceptance of the new policy.
11. Contact
For privacy questions, data access requests, or account deletion, email us at:
support@caduceus.app