Privacy Policy

Last updated: April 2026

Project Med School ("we", "us") is committed to protecting your personal data. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who we are

Project Med School is the data controller for personal data collected through projectmedschool.com. Contact us at hello@projectmedschool.com with any privacy questions.

2. What data we collect

Account data

When you register, we collect your email address and a hashed password. This is used to authenticate you and manage your account.

Usage data

We record your practice sessions — which questions you answered, whether you answered correctly, and time taken. This data powers your progress dashboard and allows us to improve the question bank.

Payment data

Payments are processed by Stripe. We do not store your card details. We receive confirmation of payment status and subscription period from Stripe.

Technical data

We collect standard server logs including IP addresses and browser information for security and debugging purposes. We use Vercel for hosting and Supabase for database storage.

3. How we use your data

• To provide the Service and maintain your account
• To show you your progress and analytics
• To process payments and manage subscriptions
• To send transactional emails (account verification, password reset)
• To improve the question bank and Service quality
• To comply with legal obligations

4. Legal basis for processing

We process your data on the following bases: Contract — to provide the Service you have signed up for. Legitimate interests — to improve the Service and prevent fraud. Legal obligation — where required by law.

5. Data sharing

We share your data only with the following third parties, all of whom are bound by appropriate data processing agreements:

• Supabase — database and authentication (EU servers)
• Vercel — hosting and content delivery
• Stripe — payment processing
• Zoho — transactional email delivery

We do not sell your data to third parties. We do not use your data for advertising.

6. Data retention

We retain your account data for as long as your account is active. Session and usage data is retained for up to 3 years to power your progress history. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law.

7. Your rights

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Restriction — limit how we process your data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at hello@projectmedschool.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use essential cookies only — specifically, a session token stored in your browser's localStorage to keep you signed in. We do not use advertising, tracking, or analytics cookies.

9. Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and row-level security on our database. No system is completely secure; if you become aware of any security issue, please contact us immediately.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email. Continued use of the Service after changes constitutes acceptance.

11. Contact

For any privacy-related questions or to exercise your rights, contact us at hello@projectmedschool.com.