Last updated: 2026-05-23
Overview
This section summarizes what personal data we process and how we protect it across tools, onboarding, and paid plans.
1. Information we collect
We collect the following categories of information:
- Account information. Email address, display name, and any optional profile fields you choose to fill in (university, degree, class year, bio).
- Study activity. Quiz attempts, section progress, flashcard reviews, exam scores, streaks, and AI tutor messages. Used to personalize your learning path and to power the analytics page you see.
- Subscription and billing data. Plan, trial status, and payment history are managed by Stripe; we store only the subscription identifier and your tier.
- Technical data. IP address, browser type, device, and event logs from the app surface itself (page views, button clicks). Used for security, debugging, and product analytics.
2. Lawful basis for processing (GDPR Article 6)
For users in the EEA, UK, and Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)). Account creation, study activity, AI tutor responses, subscription billing, and transactional email tied to your account.
- Legitimate interests (Art. 6(1)(f)). Abuse prevention, rate limiting, security logging, error monitoring, and aggregated product analytics performed under pseudonymous identifiers. We balance these interests against yours; you can object at any time using the contact below.
- Consent (Art. 6(1)(a)). Non-essential cookies (PostHog analytics), marketing email, and any future advertising integrations. Consent is recorded via the cookie banner and can be withdrawn at any time from the cookie controls on this page.
- Legal obligation (Art. 6(1)(c)). Retention of invoice records and tax-relevant data as required by applicable financial law.
3. How we use it
- Operate the service (deliver the curriculum, run the AI tutor, process payments).
- Personalize your study plan and surface relevant content.
- Send transactional email (account confirmation, password reset, payment receipts) and, where you have opted in or the message is otherwise permitted, study reminders, weekly progress digests, or promotional updates. Every non-transactional email includes a one-click unsubscribe link.
- Detect and prevent abuse.
- Improve the product (aggregated analytics; never sold).
4. Retention
We keep your data only as long as needed for the purpose it was collected:
- Account data. Retained while your account exists. On deletion, your account enters a 30-day grace period and is then permanently purged by our nightly account-purge job. Soft-deleted flashcards follow the same 30-day TTL.
- Study activity logs. Behavioral events surface in the export endpoint for the past 90 days; aggregated metrics may be retained longer for product analytics under pseudonymous IDs.
- Billing records. Stripe retains invoice and payment records for a minimum of 7 years to satisfy tax law (US IRS / EU VAT). We mirror the subscription identifier and tier; the full invoice history lives with Stripe.
- Error / security logs. Sentry traces and access logs are retained for 90 days, then automatically expired.
- Analytics events. PostHog events are retained for 12 months. On account deletion we issue a PostHog person-delete so your events are scrubbed alongside the database record.
5. Sharing and service providers
We use only a limited set of providers to operate the platform: Supabase (authentication and database hosting); Vercel (hosting, CDN, edge runtime, and deployment logs); Stripe (payments, subscriptions, tax, invoices, and customer portal); Resend (transactional and permitted lifecycle email); PostHog (consent-gated product analytics); Sentry (error monitoring and performance diagnostics); OpenRouter, Anthropic, and OpenAI (AI tutor and generated study assistance); Cloudflare Turnstile (bot mitigation); Have I Been Pwned Passwords (compromised-password screening); Upstash (Redis cache and rate limiting). Each receives only the minimum data needed, and we do not sell or share your data for advertising. Disclosures are limited to legal requirements, safety needs, and service operations.
| Provider | Data involved | Purpose | Transfer posture |
|---|---|---|---|
| Supabase | Account identifiers, authentication records, profile fields, study progress, quiz/exam activity, deletion/export records, and operational audit records. | Create accounts, maintain sessions, store product data, enforce access controls, and process privacy-rights workflows. | Primary database region is hosted in the United States; access is limited to application and admin workflows. |
| Vercel | Request metadata such as IP address, user agent, route, timestamp, headers needed for security, and limited application logs. | Serve the web application, route traffic, apply security headers, run serverless functions, and diagnose uptime issues. | Traffic may be processed through Vercel's global edge network; serverless functions are configured for US East where applicable. |
| Stripe | Billing contact details, plan, subscription status, payment metadata, invoice records, tax details, and refund records. Card data is handled by Stripe, not stored by us. | Process subscriptions, renewals, cancellations, refunds, invoices, taxes, and payment disputes. | Stripe may process data in the United States and other regions under its payment-processing and data-transfer terms. |
| Resend | Email address, message metadata, delivery events, unsubscribe tokens, suppression status, and template identifiers. | Send account, billing, study-reminder, digest, invite, and permitted marketing messages with unsubscribe handling. | Email delivery infrastructure may process message metadata in the United States and other delivery regions. |
| PostHog | Pseudonymous distinct IDs, cookie-consent state, page views, feature events, tier/plan labels, UTM attribution, and device/browser metadata. We do not intentionally send names or email addresses. | Measure feature usage, conversion funnels, retention, and product quality after analytics consent is granted. | Analytics is governed by your cookie choice and Global Privacy Control signal; account deletion triggers person deletion where available. |
| Sentry | Error traces, route names, release identifiers, browser/device metadata, and scrubbed diagnostic context. We configure PII scrubbing and keep session replay disabled unless separately reviewed. | Detect crashes, diagnose regressions, and protect application reliability and security. | Diagnostic events may be processed by Sentry infrastructure in the United States or other configured regions under Sentry's data-processing terms. |
| OpenRouter, Anthropic, and OpenAI | AI tutor prompts, generated-answer context, conversation metadata, and the minimum account/study context needed to answer. Users should not paste sensitive records or third-party copyrighted prep materials into prompts. | Generate tutor responses, explanations, summaries, and study help requested by the user. | AI requests may be processed by model providers or routing infrastructure outside your region under their provider terms. |
| Cloudflare Turnstile | Challenge token, IP address, browser/device signals, and security metadata needed to verify that signup traffic is not automated abuse. | Protect signup and account creation from bots, credential-stuffing, and abuse. | Challenge verification may use Cloudflare's global network and security-processing infrastructure. |
| Have I Been Pwned Passwords | The first five characters of a SHA-1 password hash and request metadata needed to check whether a signup password appears in known breach corpuses. We do not send the password, full hash, email address, or account identifiers. | Reject known-compromised signup passwords and reduce credential-stuffing risk. | The partial-hash range check is performed by the security service's public k-anonymity API. |
| Upstash | Identifier-only rate-limit keys, counters, TTLs, and ephemeral cache records. We do not intentionally store plain email addresses or message content in rate-limit keys. | Throttle abuse, enforce fair usage, reduce duplicate requests, and support operational reliability. | Cache data is ephemeral and scoped to reliability/security workflows. |
We review providers before adding them. If a vendor materially changes what data is processed or why, we update this policy and, where required, ask for fresh consent.
6. Your rights (GDPR Articles 15–22, CCPA § 1798.100–.130)
You can, at any time, exercise the following rights. We respond to verified requests within 30 days (GDPR) / 45 days (CCPA).
- Right of access (Art. 15) & portability (Art. 20). From your account settings, download a structured JSON archive of your study history, subscription, and adaptive learning data.
- Right to erasure / “right to be forgotten” (Art. 17). Submit a deletion request from settings. Your account enters a 30-day grace period (so you can recover an accidental delete), then is permanently purged by the nightly account-purge job — including a PostHog person-delete so your analytics profile is scrubbed too. Trashed flashcards follow the same 30-day TTL.
- Right to rectification (Art. 16). Edit profile fields from your account page; for fields you can’t edit yourself, email the contact below.
- Right to restrict / object (Arts. 18, 21). You can object to analytics processing by declining non-essential cookies in the consent banner, and to marketing email via the unsubscribe link in any non-transactional message.
- Right to withdraw consent (Art. 7). Reopen the consent banner from the cookie controls on this page at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Do Not Sell or Share. We do not sell personal information or share it for cross-context behavioral advertising. We treat Global Privacy Control signals as an opt-out from any future sale/share processing.
- Right to lodge a complaint (Art. 77). EEA users may complain to their national supervisory authority; UK users to the ICO; California users to the California Privacy Protection Agency.
7. Children
The service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18, and do not sell or share the personal information of users under 18 for cross-context behavioral advertising under any circumstance. If you believe a minor used the Service, contact us so we can delete the account.
8. Security
Data in transit is encrypted with TLS. Data at rest is encrypted by Supabase. We rotate secrets, restrict admin access to least privilege, gate destructive actions behind rate limits and typed confirmation, and log security-sensitive events with PII scrubbed. We do not write user passwords, API keys, JWTs, or authorization headers to logs or error traces. No system is perfectly secure, and you use the service at your own risk.
9. International transfers
Your account data, study activity, and authentication records are stored in the United States via Supabase (Postgres, primary region us-east-1 / AWS Northern Virginia). Application traffic is served from Vercel’s global edge network; serverless functions run primarily in iad1 (US East). Payments are processed by Stripe (United States); transactional email by Resend (United States); product analytics by PostHog and error monitoring by Sentry. Where required, we rely on appropriate transfer safeguards such as Data Processing Agreements, standard contractual clauses, or equivalent contractual protections with our subprocessors.
10. Cookies and similar technologies
We use a small number of cookies and local-storage entries:
- Strictly necessary (always on). Authentication session cookies (Supabase), CSRF tokens, and your consent preference itself. Without these, login and payments cannot function. You cannot opt out of these.
- Analytics (consent required). PostHog page-view and event cookies, used to understand which features get used. You can decline these from the cookie banner; declining stops new events from being recorded.
- Marketing (consent required). Currently we do not set marketing cookies. If we add them, your existing consent choice will apply and you can revisit it from this page.
You can withdraw analytics consent at any time from the control below. Strictly necessary cookies remain because the service cannot operate without them.
11. AI and study content
AI tutor messages, generated flashcards, study notes, and free-text answers may contain personal information you choose to provide. Submitted files are not accepted in the launch build. Do not paste copyrighted commercial prep materials or sensitive medical, financial, or admissions records into free-text fields. AI messages are processed for your account features and are not used to train public models by MCAT Prep Academy. Copyright and IP complaints about user-submitted or generated study material should use the DMCA and copyright policy.
12. Changes
We will email you about material changes to this policy before they take effect, and will note the “Last updated” date at the top.
13. Contact — Privacy Requests
For privacy questions and to exercise any of the GDPR / CCPA rights listed above, contact us:
- Email: vatsinllc@gmail.com
- Postal: 1111 Board Street, Davidson, NC 28036
We aim to respond to verified requests within 30 days (GDPR) / 45 days (CCPA). Verification may require you to sign the request from the email address associated with your account.