Privacy Policy
Privacy Policy — meetcorda.com
Effective date: May 25, 2026
Last updated: June 2, 2026
Corda helps families hold the small, important details of caregiving — appointments, medications, providers, the things you remember at 2 a.m. This policy explains what we collect when you visit meetcorda.com (our marketing site, blog, quiz, and waitlist), how we use it, and the choices you have.
If you use the Corda mobile app, a separate, more detailed in-app Mobile Privacy Policy (open the Corda app → Settings → Privacy & data → Legal) applies to information you put into the app.
Who we are: Corda is operated by [Corda Health, Inc.] (the "Company," "we," "us"). Questions or requests: legal@meetcorda.com.
1. Notice at collection
At a glance, here's what we collect on the website and why. California residents — this section is your CCPA/CPRA Notice at Collection.
| Category | What it is | Why we collect it | Retention |
|---|---|---|---|
| Identifiers | Email address, name (if you provide it), waitlist signup metadata | Send waitlist updates, beta invites, transactional email | Until you unsubscribe or delete; then up to 30 days in backups |
| Quiz responses | Answers you give in the caregiving readiness quiz | Generate your personal result, improve the product | Up to 24 months tied to your email; aggregated indefinitely |
| Internet / device activity | IP address, browser type, pages viewed, referrer, basic event analytics | Operate the site, security, measure marketing | 12 months (PostHog), then aggregated |
| Inferences | Stage of caregiving, content interests | Personalize emails and content recommendations | Until you delete or unsubscribe |
We do not collect biometric data, precise geolocation, government ID numbers, financial account numbers, or children's data on the website.
2. Categories of personal information we collect
Using the CCPA's standard categories, on the website we collect:
- Identifiers — name, email, IP address.
- Customer records — waitlist entries, support correspondence.
- Commercial information — none currently (the website does not sell anything).
- Internet or other electronic network activity — pages visited, clicks, referrer, device/browser info, anonymized event analytics.
- Geolocation data — only coarse (country/region) inferred from IP. We do not collect precise location.
- Audio, electronic, or visual information — none on the website. (Audio/visual data is handled by the mobile app and governed by the in-app Mobile Privacy Policy: open the Corda app → Settings → Privacy & data → Legal.)
- Professional or employment information — none.
- Education information — none.
- Inferences — caregiver stage, interests, derived from quiz answers and content engagement.
- Sensitive personal information — we treat caregiving context (e.g., the role you play caring for someone) as a sensitive inference. We do not collect government IDs, financial accounts, precise location, race, religion, union membership, genetic data, sexual orientation, or health diagnoses through the website.
3. How we use information
We use information you give us to:
- Operate and improve the website, blog, and quiz.
- Send you the emails you signed up for (waitlist updates, beta invites, occasional product news).
- Respond to support and inquiries.
- Measure which content and pages are useful, in aggregate.
- Detect, prevent, and investigate fraud, abuse, or security incidents.
- Comply with legal obligations.
We do not use your information for cross-context behavioral advertising, and we do not allow third parties to do so through our site.
4. How we share information
We share personal information only with service providers ("sub-processors") that help us operate Corda, under contracts that limit their use to providing services to us:
| Sub-processor | What they do | Where data is processed |
|---|---|---|
| Vercel | Website hosting, edge functions, OG image rendering | United States |
| Supabase | Database, authentication, file storage | United States |
| PostHog | Product and marketing analytics | United States (PostHog Cloud US) |
| Resend | Transactional and waitlist email | United States |
A current list of sub-processors will be maintained at [meetcorda.com/legal/subprocessors]. We will notify users in-app or by email of material changes before new sub-processors begin processing personal information.
We may also disclose information when required by law, to protect our rights or the safety of users, or in connection with a merger, acquisition, or sale of assets (with notice to you).
5. Sale and sharing of personal information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not use third-party advertising cookies on meetcorda.com. There is therefore no "Do Not Sell or Share My Personal Information" link to provide — but if our practices ever change, we will post the required link and update this policy with at least 30 days' notice.
6. Sensitive personal information (CPRA)
Corda may collect information that California law classifies as sensitive personal information, such as caregiver role or health-related inferences derived from quiz answers. We use sensitive personal information only for the purposes permitted under California Civil Code §1798.121 — to perform the services you asked for, to ensure security and integrity, and to operate the business. We do not use sensitive personal information to infer characteristics about you for marketing or advertising purposes.
You have the right to limit our use of sensitive personal information. See Section 8 for how.
7. Your privacy rights
Depending on where you live, you have some or all of these rights under U.S. state privacy laws (CCPA/CPRA in California; VCDPA in Virginia; CPA in Colorado; CTDPA in Connecticut; UCPA in Utah; TDPSA in Texas; DPDPA in Delaware; OCPA in Oregon; MTCDPA in Montana; IPDPA in Indiana; NHDPA in New Hampshire; NJDPA in New Jersey; TIPA in Tennessee; and similar laws as they take effect):
- Right to know / access — what personal information we have about you.
- Right to delete — your information, subject to legal exceptions.
- Right to correct — inaccurate information.
- Right to portability — receive a copy of your information in a portable format.
- Right to opt out of sale or sharing for cross-context behavioral advertising (we do not engage in either).
- Right to opt out of targeted advertising (we do not engage in targeted advertising).
- Right to opt out of profiling that produces legal or similarly significant effects (we do not perform such profiling).
- Right to limit the use of sensitive personal information to permitted purposes.
- Right to non-discrimination — we will not deny you service, charge you a different price, or provide a different quality of service because you exercised a right.
- Right to appeal — if we deny a request, you may appeal by replying to our decision email.
Authorized agents may submit requests on your behalf with written permission and verifiable proof of identity.
8. How to exercise your rights
Email legal@meetcorda.com with the request and the email address associated with your account. We will:
- Acknowledge your request within 10 business days.
- Verify your identity — usually by confirming control of the email address on file. For sensitive requests (deletion, full export) we may ask for additional verification proportionate to the sensitivity of the data.
- Respond within 45 days. If we need more time, we will tell you why and may extend by up to 45 additional days (90 days total).
You can also unsubscribe from any marketing email using the link in the email itself.
9. Children's privacy
Corda is built for adult caregivers. The website is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email legal@meetcorda.com and we will delete it promptly in line with COPPA §312.5.
10. How we protect your information
Corda's security program is being built to align with the SOC 2 Type II Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. We have not yet completed a SOC 2 Type II audit; the controls listed below describe our current practices, not a certification.
- Encryption in transit: TLS 1.2 or higher for all connections to Corda services.
- Encryption at rest: AES-256 for databases and object storage at our infrastructure providers (Supabase, Vercel).
- Access controls: Role-based access for our team; database row-level security; least-privilege defaults; multi-factor authentication for production systems.
- Sub-processor diligence: We select providers who maintain SOC 2 or equivalent attestations and who contractually commit to security and confidentiality.
- Monitoring and logging: Production access and changes are logged.
- Incident response: We have an internal process to investigate, contain, and notify users of incidents that affect their personal information, consistent with applicable law.
No system is perfectly secure. If you suspect a vulnerability, email legal@meetcorda.com.
11. Data retention
We keep personal information only as long as necessary for the purposes described in this policy:
- Waitlist signups: until you unsubscribe or request deletion; backups purge within 30 days.
- Quiz responses: 24 months tied to your email; aggregated, de-identified data may be kept indefinitely.
- Website analytics (PostHog): 12 months at the event level, then aggregated.
- Support correspondence: up to 24 months after resolution.
- Legal/audit records: as required by applicable law.
12. International data transfers
Corda is operated from the United States, and our service providers process data in the United States. If you access Corda from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data protection laws than your country.
13. Google user data and Calendar access
When you choose to sign in with Google or connect your Google Calendar, Corda requests the following Google OAuth scopes:
- openid, email, profile — to identify you and create or sign you into your Corda account.
- calendar.readonly and calendar.events.readonly — read-only access used solely to display your existing calendar events and appointments inside Corda. We never create, edit, or delete events in your Google Calendar.
Corda's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide the calendar features you request.
- We do not sell Google user data, and we do not use it for advertising.
- We do not transfer Google user data to others except as necessary to provide the feature, comply with applicable law, or in connection with a merger or acquisition with notice to you.
- We do not allow humans to read your Google data unless you give explicit consent, it is necessary for security or to comply with law, or the data has been aggregated and anonymized.
Google access and refresh tokens are stored encrypted and used only to fetch your calendar on your behalf. You can revoke Corda's access at any time in your Google Account permissions or by disconnecting the calendar in Corda's settings.
14. Changes to this policy
We may update this policy as Corda and the law evolve. For material changes, we will give you at least 30 days' notice by email and by posting a banner on the site. Non-material changes will be reflected by updating the "Last updated" date above.
15. Contact
Email: legal@meetcorda.com
Mail: [Corda Health, Inc.], [Street Address], [Wilmington, DE 19801]