Privacy Policy

Last updated: June 13, 2025

The USMLE Drill ("we," "us," or "our") operates theusmledrill.com. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. By using our service, you agree to this policy.

1. Information we collect

Account information. When you sign up, we collect your name, email address, and a hashed password. We never store your password in plain text.

Payment information. We use Stripe to process payments. We do not store your credit card number, CVV, or full card details on our servers. Stripe handles all payment data under their own privacy policy and PCI-DSS compliance. We only store a Stripe customer ID and subscription ID.

Usage data. We track your study activity — questions answered, drill sessions, missed questions, streaks, and daily goal progress — to power your personal dashboard and analytics.

Communications. If you contact us by email or submit feedback through the app, we retain those messages to respond and improve the service.

2. How we use your information

  • To create and manage your account
  • To process your subscription and send billing-related notifications
  • To provide and personalize the study experience (progress tracking, streaks, recommendations)
  • To send transactional emails (welcome email, password reset, subscription updates)
  • To monitor and fix technical errors via error tracking (Sentry)
  • To prevent abuse, fraud, and unauthorized access

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Third-party services

We use the following third-party services that may process your data:

4. Cookies and local storage

We use a single authentication cookie (auth_token) to keep you logged in. This cookie is HTTP-only and expires after 30 days.

We also use browser local storage for your theme preference and onboarding state. No advertising or tracking cookies are used.

5. Data retention

We retain your account data for as long as your account is active. If you cancel your subscription, your account and study data remain accessible. If you request account deletion, we will permanently delete your data within 30 days. To request deletion, email us at contact@theusmledrill.com.

6. Data security

All data is transmitted over HTTPS. Passwords are hashed using bcrypt. Payment data is handled exclusively by Stripe. We implement reasonable technical and organizational measures to protect your data against unauthorized access, alteration, or disclosure.

7. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Receive your data in a machine-readable format (data portability)

To exercise any of these rights, contact us at contact@theusmledrill.com.

8. Children's privacy

Our service is intended for medical students and healthcare professionals. We do not knowingly collect personal information from anyone under the age of 18.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice in the app. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy, contact us at:
contact@theusmledrill.com