bhpreece 9 days ago

Thank you everybody for your comments.

Comments on legal issues: I absolutely agree and 100% plan to get legal advice. In the meantime, if you have personal experience, I would love to learn from you.

Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family.

Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?

Comments on terms of use, etc: Yes, this needs to be done, but I figured the terms of use are of no use until there's something to use.

Comments on "novice" and "learning projects": Yes this was absolutely built with love and grand intentions, and no, I'm not a novice. I wrote this because my adult daughter died of cancer recently, and we really could have used this. If I can help others deal with the pain of diseases like this, then I'm going to try. I'll work through the problems as they come up.

Aside from the security audit, I'm also looking for someone who'll do a much more professional design and L&F for the site.

Another issue I can really use advice on is how to show this to the people who need it. People who aren't dealing with the problem right now, aren't interested. How do I reach the maybe 5% to 10% of people who have the need right now?

ygjb 9 days ago | parent | next [-]

> Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?

The best first step is to conduct a review yourself; you may want to hire or recruit a volunteer to do a security review, but you can kick it off yourself by using free, open source tools to scan your application, your code, and your environment.

Your first stop should be https://developer.mozilla.org/en-US/observatory because there are some simple, prescriptive improvements you can make.

Your second stop should be using a container or cloud security scanning tool to check for vulnerable configurations and packages. There are a myriad of tools available, like Trivy for container scanning, Prowler https://github.com/prowler-cloud/prowler or ScoutSuite https://github.com/nccgroup/ScoutSuite for scanning your cloud environments, etc.

Your third stop should be https://www.zaproxy.org/, which is a free download you can use, and https://www.zaproxy.org/getting-started/ is a great way to get started. This will help you quickly identify low hanging fruit that can be found through automated scanning.

Your fourth stop should be running language appropriate static analysis tools against your application. There are too many to mention, but here is a good starting list: https://owasp.org/www-community/Source_Code_Analysis_Tools

All of these will give you quick, tactical things you can address. Once you get through any critical findings (which frequently, but not always means they are directly exploitable without additional effort) you should threat model your application, and build a plan for security - https://owasp.org/www-community/Threat_Modeling
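
The first stop above (Observatory) grades a fixed set of response headers, and the same checks can be run offline against whatever a server is about to send. The script below is an added example, not code from the parent comment or from Observatory itself; its rule set and the six-month HSTS threshold are an approximation of Observatory's grading, and the two header sets it audits are constructed samples of a site before and after hardening, not captured from any real deployment.

```python
"""Offline audit of the response headers Mozilla Observatory grades.

Added example. The check list and thresholds approximate Observatory's
rules (assumption); they are not copied from it.
"""
import re

# Constructed sample responses (not captured from any real site): header pairs
# as a server would send them, before and after hardening.
BEFORE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("X-Powered-By", "Express"),
]

AFTER = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

HSTS_MIN_MAX_AGE = 15552000  # 180 days in seconds (assumed passing bar)


def _group(headers):
    """Fold header names to lower case, keeping repeats (Set-Cookie may recur)."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.lower(), []).append(value)
    return grouped


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) response header pairs."""
    h = _group(headers)
    findings = []

    # Content-Security-Policy: must exist, set a default-src fallback, and avoid
    # the two source keywords that defeat most of its XSS protection.
    csp = h.get("content-security-policy", [""])[0]
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    names = {d.split()[0] for d in directives}
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in names:
            findings.append("CSP has no default-src fallback")
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in csp:
                findings.append(f"CSP allows {keyword}")

    # HSTS: present, with a max-age of at least HSTS_MIN_MAX_AGE.
    hsts = h.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("Strict-Transport-Security missing")
    elif int(match.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age shorter than six months")

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Clickjacking: either the legacy header or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in names:
        findings.append("no X-Frame-Options and no CSP frame-ancestors")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    # Cookies: every Set-Cookie should carry Secure, HttpOnly and SameSite.
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        name = cookie.split("=")[0]
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")

    # Framework fingerprinting header; harmless to remove.
    if "x-powered-by" in h:
        findings.append("X-Powered-By reveals the framework")

    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        result = audit_headers(sample)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feeding it the header list from a real response (for example the `headers.items()` of a `requests` or `urllib` response) turns it into a pre-deploy gate; the `BEFORE` set produces nine findings and the hardened `AFTER` set none.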

bhpreece 8 days ago | parent [-]

Thank you for these recommendations. I'll check out all of them.

sotomski 8 days ago | parent | prev | next [-]

Hey mate, it just so happens that I’m working on a very similar thing. Maybe I could help you out regarding security and local-first stuff? Drop me an email if you’re interested. Cheers.

EDIT: In any case, you could take a look at https://github.com/YousefED/Matrix-CRDT. Matrix takes care of e2ee. CRDTs give you local-first super powers.

jeroenhd 8 days ago | parent | next [-]

Using Matrix+CRDTs for this is a pretty cool idea! It'd take a rewrite of this app, but you could let arbitrary Matrix chat server host the entire data store, getting rid of a lot of the data security risks (as long as you make sure your e2ee approach isn't too eager to share keys).

Then again, doing things this way might make data deletion and other privacy related issues quite difficult to achieve, especially if said Matrix servers are federated.

bhpreece 8 days ago | parent | prev [-]

I am interested in local-first and security. I'll get in touch.

Tarrosion 9 days ago | parent | prev | next [-]

I'm sorry for your loss, and I hope that helping others through this project helps you find some solace. IMHO, it's a mark of character that your response to having a problem is "I want to help other people so they suffer this problem less than I did."

jimt1234 9 days ago | parent | prev | next [-]

I'm sorry about your daughter. ... I, too, recently lost a close relative to cancer, and yes, understanding and knowing how to navigate everything involved would've helped greatly.

WA 8 days ago | parent | prev | next [-]

Since we're talking about regulation here: Your site is accessible from the EU. You do not have a GDPR compliant privacy policy (or one at all). The GDPR does apply to you, if you allow Europeans to sign up.

The primary goal of your site is to store medical data. For this, you'd need a dedicated data protection officer (DPO). Article 37 1c applies to your case: https://gdpr.eu/article-37-designation-of-the-data-protectio...

netdevphoenix 8 days ago | parent | prev [-]

1. you build an app for people to add critical and highly personal information there, yet you haven't even provided your name, company or even a single policy that might make its users trust you, why are you hiding your identity? It looks shady due to that. I understand it is a beta, but I think you should have it as it affects how people perceive your app

2. what happens if I at some point give access to this app to my care assistant who works for the state health department or a health company? Surely, those people are covered entities, and you would be then under HIPAA laws. There is nothing you can do to stop that and if your app becomes popular enough, given enough time it will happen

3. For countries in the EU, you are subject to the GDPR legislation. Who is the data processor, data protection officer and the supervising authority for the data handled by the app?