Privacy Policy

Effective: May 2, 2026·Last updated: May 13, 2026·Version v1.3

Information, not medical advice. MedSideInfo aggregates publicly-available reference information for reference only; it is not medical advice, a diagnosis, or a substitute for consulting a qualified healthcare provider. See our Terms of Service for full disclosure.

MedSideInfo helps you compare medicine side effects across common medical reference sources. This page explains what we collect, why we collect it, who we share it with, and the rights you have over your information.

Two commitments up front: we never sell data that identifies you — and we don’t show ads today. The detail below explains what each means and where we’ve preserved flexibility.

On selling data: we never sell personally identifying data — data that names you, identifies your account, or could reasonably be linked back to you. This commitment binds MedSideInfo and any successor entity. If material business changes ever required revisiting it, we would publish notice on this page and offer affected users a chance to delete their data before any change took effect.

On advertising: we do not show ads on MedSideInfo today, and we have no plans to in the near term. We’re not making a forever commitment, because we may eventually offer a paid ad-free tier alongside an ad-supported free tier — a common pattern for sustainable independent services. If we ever introduce ads, we would (1) notify users before any change takes effect via the version bump and last-updated date on this page, (2) never use third-party advertising cookies that follow you off-site, and (3) never base ad targeting on your medicine cabinet or health searches.

What we collect

From everyone (anonymous)

  • Search queries and pages you visit on the site.
  • Browser type, operating system, screen size.
  • Your IP address, truncated to its network prefix (we discard the last octet so it cannot identify your specific connection).

From signed-in users (with your account)

  • Email address (required for account recovery).
  • OAuth tokens from Google, when you sign in with Google. We never see your Google password.
  • The medicines you save to your cabinet.
  • Scans of prescription documents, leaflets, or pill bottles — only if you explicitly upload them and only for the extraction the upload triggers. Stored in private Vercel Blob and deleted on a rolling schedule (default: 30 days, sooner on request).

What we do NOT collect

  • Social Security numbers or government IDs.
  • Financial data, credit card numbers, or payment details.
  • Your full home address.
  • Your full health record. We never connect to EHR systems.

How we use what we collect

  • To run the search service: take your medicine name, look it up across sources, return results.
  • To personalize your cabinet (the saved medicines list) so it persists across devices.
  • To improve our source coverage and the accuracy of our medicine-name resolver — using aggregated, de-identified query patterns only.
  • To send transactional emails (account verification, password resets, sign-in alerts).
  • To respond to questions you send us via the feedback form.

We do not use your data to train external AI models. We do not sell, rent, or trade identifying data about you. We do not show ads today. See the top of this page for the precise scope of those commitments and what optionality we’ve preserved.

Third-party processors

We use the following vendors to operate the service. Each has access only to the data needed for its specific role.

  • Vercel — hosts the site and serves the API. Also stores private blobs (e.g. uploaded scan documents).
  • InsForge — runs our database and authentication.
  • Fireworks AI — performs the LLM inference that normalizes side-effect text. Inputs are the source text and the medicine name; we do not retain results outside our cache. Fireworks does not retain inputs beyond the inference window.
  • TinyFish — fetches public medical reference pages on our behalf. TinyFish only accesses publicly-published source pages; we do not pass user data to it.
  • Mixedbread — embeddings for the medicine-name resolver. We send only the medicine string the user typed.
  • PostHog — product analytics (page views, feature usage). You can opt out — see "Cookie policy" below.
  • ElevenLabs — text-to-speech for the side-effect playback feature. The text we send is the side-effect description; ElevenLabs does not retain it.
  • Resend — transactional email delivery (verification, password reset, alerts).
  • Sentry — error tracking. Stack traces only; we do not send page content.
  • Axiom — application logs.

We may add or remove processors over time. Material changes will be reflected in this page and the version number bumped.

Your rights

Whether you live in California (CCPA/CPRA), the EU/UK (GDPR), or elsewhere, you have these rights:

  • Access: request a copy of the data we hold about you.
  • Export: request your data in a portable format.
  • Correction: ask us to fix data that's wrong.
  • Deletion: ask us to delete your account and associated data.
  • Opt-out: for analytics tracking, see "Cookie policy" below.

To exercise any of these, submit a privacy/data request through the button below.

Submitting through this form posts your request to our admin queue and emails our privacy team at privacy@medsideinfo.com in the same action — a single channel with two paths, so we don’t miss it. Our service-level commitment: we acknowledge requests within 5 business days, and complete access, export, correction, and deletion requests within 30 calendar days (target: 7). For export, we deliver a structured download (JSON or CSV) by email. For deletion, we remove your data from our database AND from the third-party processors that hold it on our behalf within the same window.

If you’ve never signed in: the only personal data we hold for you is the truncated IP-address prefix (we discard the last octet) and any analytics events tied to your browser. To remove the analytics events, opt out of PostHog tracking (set Do Not Track in your browser, or send us a request) and clear cookies for medsideinfo.com. We have no account-level data to delete because no account exists.

Lawful bases for EU/UK users (GDPR)

If you are in the EU, the UK, or another jurisdiction with GDPR-style rules, these are the lawful bases on which we process your personal information:

  • Contract (Art. 6(1)(b)): for the data we need to run the service for you — account creation, authentication, serving search results, persisting your cabinet, processing the scans you upload.
  • Consent (Art. 6(1)(a) + Art. 9(2)(a)): for health-related data — medicines you save, scans you upload, symptom-check inputs. Health data is “special category” under Art. 9 and we rely on your explicit consent, given when you take each action. You can withdraw consent at any time, with no impact on processing already done.
  • Legitimate interest (Art. 6(1)(f)): for security, fraud prevention, and improving the service using aggregated, de-identified usage patterns — balanced against your interests, with the de-identification step as the primary safeguard.
  • Legal obligation (Art. 6(1)(c)): when we must retain or disclose data to comply with applicable law (a court order, regulatory request, or similar).

Your GDPR rights (access, rectification, erasure, restriction, portability, objection, automated-decision protections, complaint to a supervisory authority) are honored under the same SLA above.

Cookie policy

We use the smallest set of cookies that lets the service work:

  • Strictly necessary — keeps you signed in. We can't turn this off without breaking authentication.
  • Analytics — PostHog uses a single first-party cookie to deduplicate your sessions for product-usage stats. You can opt out by visiting our feedback page and telling us, or by sending Do Not Track from your browser.

We do not use third-party advertising cookies today, and we will not introduce cross-site tracking cookies even if we ever add an ad-supported tier — that’s a permanent commitment regardless of how the ad question evolves.

Children's privacy

MedSideInfo is intended for users 13 and older. We do not knowingly collect data from children under 13 (COPPA). If you believe a child under 13 has provided us with personal information, please submit a request below and we will delete it.

International transfers

Our infrastructure runs primarily in the United States. If you access the service from outside the US, your data is transferred to and processed in the US. By using MedSideInfo you consent to this transfer.

Data retention

  • Account data (email, cabinet) — kept as long as your account is active. Deleted on request or 90 days after account deletion.
  • Search history — anonymized after 90 days.
  • Scan-document uploads — deleted after 30 days by default; sooner on request.
  • Analytics events — retained for 12 months in aggregate form.

How we'll notify you of changes

If we make material changes to this policy, we will (1) update the “Last updated” date at the top of this page and (2) bump the version number. Continued use of the service after a change constitutes acceptance of the new policy. We do not currently push individual notifications about policy changes; please check this page periodically.

Contact

Questions or concerns about this policy? Submit a privacy request and we’ll respond.