Privacy Policy

We collect the following types of information:

• Account information: Email address, display name, and password when you create an account. If you sign in with Google, we receive your email address and name from Google.
• Usage data: Practice session history, question responses, flagged questions, and search queries used with the AI-powered search feature
• Curriculum data: When you upload a syllabus document, we collect the file name, file size, and a cryptographic hash of the file content. We extract learning objectives from the document and store those objectives along with the resulting study plan. We do not store the uploaded file itself.
• Analytics data: Page views, navigation events, and sign-in/sign-up events
• Technical data: Browser type, device information, error reports, and performance metrics

We use collected information to:

• Provide and maintain the Service
• Track your learning progress across sessions
• Power AI-assisted search to help you find relevant practice questions
• Generate personalized study plans from uploaded curriculum documents by matching extracted learning objectives against our question bank
• Identify gaps in our question bank and improve content coverage
• Improve the quality and reliability of the platform
• Monitor and resolve errors and performance issues
• Understand how the Service is used so we can improve it

User authentication is handled by Supabase, which stores your email address, display name, and hashed password. Authentication sessions are managed via secure, HTTP-only cookies.

You may also sign in using Google OAuth 2.0. When you sign in with Google, Supabase receives your email address and name from Google. We do not receive or store your Google password.

We do not store passwords in plain text. Supabase handles authentication security including password hashing, rate limiting on login attempts, and session management.

Guest users (those who have not created an account) can use the Service without providing any personal information. Guest session data — including practice history and flagged questions — is stored exclusively in your browser's sessionStorage.

This data is not transmitted to our servers, is not accessible to us, and is automatically cleared when you close your browser tab.

The Service includes an AI-powered search feature that helps you find relevant practice questions by topic. When you use this feature:

• Your search query is sent to an external AI service for processing
• Your query, the AI response, and metadata about the results (such as match quality and coverage gaps) are stored on our servers
• We use stored queries to identify gaps in our question bank and improve the platform

Search queries are associated with your user account if you are signed in. This data is deleted when you delete your account.

The Service allows you to upload a syllabus or curriculum document (PDF or Word) to generate a personalized study plan. When you upload a document:

• Your document is read into memory and processed immediately. It is never written to disk or stored on our servers.
• A cryptographic hash (SHA-256) of the file is computed to detect duplicate uploads and avoid reprocessing.
• The document content is sent to Anthropic's Claude API for extraction of learning objectives.
• After processing, the raw file content is discarded. Only the following are retained: file name, file size, file hash, extracted learning objectives, and the generated study plan.

Curriculum data is associated with your user account and protected by row-level security. It is deleted when you delete your account. We do not share your curriculum content with educational institutions, other users, or any third parties beyond the processing described above.

We use PostHog for product analytics. PostHog collects:

• Page views and navigation events
• Sign-in and sign-up events (including authentication method)

For authenticated users, PostHog receives your email address and display name for user identification. Guest users are not personally identified in analytics.

Analytics data is used to understand how the Service is used and to improve it. We do not use analytics for advertising or behavioral targeting.

We use Sentry for error monitoring, performance tracking, and session replay. Sentry may collect:

• Error stack traces and diagnostic information
• Browser and device metadata
• Page URLs where errors occurred
• Performance metrics (page load times, API response times)
• Network request logs

Sentry's session replay feature records a sample of user sessions to help us diagnose issues. Replays capture page interactions, DOM changes, and network activity. A small percentage of sessions are recorded at random; sessions where errors occur are always recorded.

Sentry data is used solely for diagnosing and fixing issues. It is only collected in production and is not used for advertising or user profiling.

We share data only with the service providers necessary to operate the platform:

• Supabase: Database hosting and authentication
• Anthropic: AI processing for search queries and curriculum document analysis
• PostHog: Product analytics
• Sentry: Error monitoring, performance tracking, and session replay
• Vercel: Application hosting and edge delivery
• Upstash: Rate limiting infrastructure

When you use AI-powered features such as search or curriculum upload, your data is processed by Anthropic's Claude API.

We do not sell, rent, or trade your personal information. We do not share data with advertisers or data brokers.

We implement appropriate security measures to protect your data:

• All data transmitted over HTTPS (TLS encryption in transit)
• Row-Level Security (RLS) policies ensuring users can only access their own data
• Rate limiting on API endpoints and authentication flows
• Secure, HTTP-only cookie-based session management
• Input validation and sanitization across all endpoints

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

We retain your account data, practice history, search queries, study plans, and extracted learning objectives for as long as your account is active. If you delete your account, your personal data is removed from our systems. Uploaded curriculum files are never stored and cannot be retrieved after processing.

Anonymized, aggregated data (such as overall question difficulty metrics) may be retained indefinitely to improve the Service.

You have the right to:

• Access: View all personal data associated with your account
• Export: Download your practice history and account data
• Delete: Permanently remove your account and all associated data via the Settings page
• Correct: Update your account information at any time

To exercise these rights, visit your Settings page or contact us through GitHub.

The Service is intended for medical students and professionals. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to remove that information.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

Continued use of the Service after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy or your data, please open an issue on our GitHub repository.