Privacy Policy
Last updated: March 28, 2026
1. Introduction
addon.life (“addon,” “we,” “our,” or “us”) operates addon.life and related services. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform, and describes your rights under applicable privacy law, including the EU General Data Protection Regulation (GDPR).
By using addon, you agree to the practices described in this policy. If you do not agree, please discontinue use of the service.
2. Data We Collect
Account data. Your email address, collected when you create an account or sign up for early access. Stored encrypted at rest (AES-256-GCM).
Health data. Cancer type and subtype, drug regimen, genetic mutations, and food allergies that you enter to generate your personalized report. Stored encrypted at rest.
Genomic data. Genomic report PDFs you optionally upload. These are processed to extract mutation data and are stored encrypted. Genomic data is treated with the highest level of sensitivity — we do not sell, license, or share it with any third party, and we do not use it for research without your explicit, separate consent.
Usage data. Foods and supplements you check, regimen lists you build, and basic session information (browser type, device type, referring URL). Used to improve the service and maintain your session.
Payment data. Payments are processed by Stripe. We do not store your card number, CVV, or full payment details — only a Stripe customer ID and transaction status.
3. How We Use Your Data
We use your data for the following purposes:
- To generate personalized precision nutrition recommendations based on your cancer profile.
- To maintain your account and provide continued access to your reports.
- To process payments and fulfill subscriptions via Stripe.
- To communicate with you about your account, reports, and service updates.
- To improve the accuracy and quality of the underlying knowledge graph and scoring engine.
We do NOT sell your data. We do not share your personal or health data with advertisers, data brokers, or any third parties for commercial purposes.
We share data only with: Stripe (payment processing) and Reducto (PDF parsing — genomic upload data passed anonymized, without name or email). No other third-party data sharing occurs.
4. Data Storage & Security
Encryption at rest. PII (email address) and all health data — including your full report, patient inputs, and genomic mutations — are encrypted at rest using AES-256-GCM.
Encryption in transit. All data transmitted between your browser and our servers is encrypted via TLS 1.2+.
Database. Hosted on Neon (PostgreSQL) with TLS enforced at the connection level and private networking where available.
Authentication. Sessions are managed via HMAC-signed cookies (session_token). Cookies are HttpOnly, Secure, and SameSite=Strict.
While no system is perfectly secure, we take reasonable and industry-standard precautions to protect your information and review our security practices regularly.
5. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable privacy law, you have the following rights regarding your personal data:
- Right of access. Request a copy of the personal data we hold about you.
- Right to rectification. Request correction of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”). Request permanent deletion of your personal data from our systems.
- Right to data portability. Request your data in a structured, machine-readable format.
- Right to restrict processing. Request that we limit how we use your data in certain circumstances.
- Right to object. Object to processing based on legitimate interests.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@addon.life. We will respond within 30 days.
6. Cookies
Essential cookies. We use one essential cookie: session_token, which authenticates your session and expires after 30 days. This cookie is required for the service to function and cannot be disabled.
No analytics or advertising cookies. We do not use third-party analytics cookies (Google Analytics, Mixpanel, etc.) or advertising/tracking cookies. We do not share cookie data with advertisers.
You can manage your cookie preferences via our cookie banner, which appears on your first visit. Rejecting non-essential cookies has no effect on service functionality, as we do not use non-essential cookies.
7. Data Retention
Account and report data are retained for as long as your account is active or as needed to provide continued access to your reports.
Genomic uploads are retained only for the duration needed to extract mutation data. Once extraction is complete, raw PDF files are eligible for deletion. You may request immediate deletion of your genomic data at any time.
If you request account deletion, we will remove your personal data within 30 days, except where retention is required by applicable law (e.g. financial records for tax purposes, which may be retained for up to 7 years).
8. International Data Transfers
addon is operated from the United States. Your data may be processed in the US by our infrastructure providers (Neon for database hosting, Fireworks AI for LLM inference). If you are located in the EEA or UK, this constitutes a transfer of personal data to a third country.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for EU-to-US data transfers, where applicable. By using addon, you consent to these transfers subject to the protections described in this policy.
9. Children's Privacy
addon is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from someone under 18, we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the service. If we make material changes, we will notify you by updating the date at the top of this page and, where appropriate, through the email associated with your account.
Continued use of addon after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.
11. Contact & Privacy Requests
For privacy-related questions, data access requests, deletion requests, or any GDPR inquiries, contact our privacy team at:
addon.life
We aim to respond to all privacy requests within 30 days.