People Affected by Cancer
People Affected by Cancer
Discover trusted local help in minutes.
- Find nearby support groups, services, and transportation
- Save what matters so it’s easier to revisit
- Get a clearer starting point for next steps
Presents the CanBe App
Privacy-first cancer support
Find the support you need, when you need it
Practical cancer support, easier to discover.
CanBe connects people to local services and community organizations — and is designed to support partner-funded access with aggregate insights only
(never individual-level data).
Built with privacy-by-design principles: we aim to minimize data collection and keep partner insights aggregated (never individual-level).
Who are you?
Pick the path that matches your role and we will tailor the experience instantly.
Charities & Nonprofits
Charities & Nonprofits
Grow reach without adding staff.
- Get discovered from your public listings and events
- Reduce manual data entry and admin burden
- Understand demand with privacy-safe, aggregate signals
Researchers & Pharmaceutical Partners
Researchers & Pharmaceutical Partners
Ethical, aggregate-only insights.
- Understand access gaps and support patterns
- Designed to be aggregate-only, not individual-level
- Fund access and programs without monetizing individuals
Investors
Investors
Mission-driven growth with durable demand.
- Infrastructure play for fragmented cancer services
- Clear monetization via insights + premium workflows
- Transparent impact reporting and compliance guardrails
Week of February 9, 2026
Weekly update: auth hardening + ingestion guardrails
Last week we tightened authentication safety (recent step-up enforcement for sensitive actions, passkeys gated behind step-up, and explicit permission gating for API token issuance/revocation). We also published ingestion operator specs that make high-impact actions more consistent and auditable (screen map, list UX spec, permissions matrix, publish dashboard spec, and audit/evidence expectations). This week we will keep the `/api/v1` mobile auth surface moving toward merge-ready, link these ingestion guardrails into upcoming implementation work, and keep weekly updates refreshed on the UTC Monday cadence.
Affected
Safer sign-in and token hygiene
We tightened sensitive-action security with recent step-up checks and kept passkeys behind step-up during rollout. Token issuance/revocation is now protected by an explicit permission gate.
- Keep sign-in responses consistent and non-enumerating across web and mobile clients.
- Continue passkeys rollout behind feature flags and step-up requirements (fail-closed by default).
- Keep token rotation and revocation flows predictable so people can recover access safely.
Charities
Clearer operator actions and audit trails
We documented the ingestion UI screen map, list behavior, and a complete permissions matrix so publish/suppress actions are consistent, permission-gated, and easier to audit.
- Use the audit/evidence expectations spec to guide upcoming publish dashboard implementation.
- Keep publish/suppress actions rationale-driven with request correlation, without collecting unnecessary sensitive data.
- Align any ingestion UI changes with the list UX spec to reduce operator mistakes.
Pharma
Privacy-first verification governance
We defined audit and evidence expectations for transitions and publish runs, including explicit redaction and never-log guardrails for sensitive fields.
- Keep provenance and audit data minimal and privacy-safe (no sensitive payload logging).
- Keep WebAuthn/passkeys ceremony code easy to review without changing behavior.
- Treat feature flags as fail-closed during rollout to avoid accidental exposure.
Investors
Governed rollout and reliability
We delivered permission-gated token management and step-up enforcement, and published the ingestion guardrail specs needed for auditable publishing.
- Keep the `/api/v1` mobile auth surface stable and test-covered as it approaches merge.
- Ship ingestion publish dashboard implementation only after guardrail specs are linked and understood.
- Keep weekly updates and freshness checks in sync to avoid preventable deploy failures.
General
What changed (and what’s next)
Last week focused on authentication safety and clearer ingestion governance. This week focuses on finishing the mobile auth v1 surface and turning ingestion specs into implementation work.
- Publish progress in plain language without implying medical advice or guaranteed outcomes.
- Prefer small, reviewable changes with tests for auth- and publish-adjacent work.
- Refresh weekly updates each UTC Monday and keep config + JSON aligned.