Privacy Notice
Last updated: 22 April 2026
1. Who we are
MedMaster is operated as a personal project. For questions about this notice, contact us at privacy@medmaster.app.
2. What data we collect
- Account data — email address and authentication tokens (via Supabase Auth).
- Study data — flashcard review ratings, quiz answers, SAQ/essay submissions, and FSRS scheduling state.
- Usage data — pages visited, features used, and session timestamps (server logs only; no third-party analytics).
We do not collect payment card details directly — payments are processed by Stripe, who have their own privacy policy.
3. How we use your data
- Provide and personalise the learning experience (FSRS scheduling, progress tracking).
- Grade SAQ and essay responses using the Gemini AI API (Google). Submissions are sent to Google's servers for processing and are not stored by Google beyond their standard API data-handling terms.
- Generate and store vector embeddings of lesson content via Jina AI for semantic search. User answers are not sent to Jina.
- Process subscription payments via Stripe.
4. Legal basis (GDPR)
Where GDPR applies, we process your data under the following bases:
- Contract — to provide the service you signed up for.
- Legitimate interests — to improve platform reliability and detect abuse.
- Consent — for any optional communications (e.g. product update emails).
5. Data retention
Account and study data is retained for as long as your account is active. When you delete your account, all personal data is permanently deleted within 30 days, including FSRS states, quiz attempts, and SAQ/essay submissions.
6. Third-party processors
| Processor | Purpose | Data sent |
|---|---|---|
| Supabase | Database & auth | All account & study data |
| Google (Gemini) | AI grading of SAQ/essays | Question text & student answer |
| Jina AI | Embedding lesson content | Lesson & flashcard text only |
| Stripe | Payment processing | Email, subscription tier |
| Vercel | Hosting & edge delivery | IP address, request logs |
7. Your rights
Under GDPR and UK GDPR you have the right to:
- Access a copy of your personal data.
- Rectify inaccurate data.
- Erasure ("right to be forgotten") — request account deletion at any time via your profile settings or by emailing us.
- Restrict or object to processing.
- Data portability (study data exported as JSON on request).
To exercise any right, email privacy@medmaster.app. We will respond within 30 days.
8. Cookies
MedMaster uses only essential cookies: a session cookie issued by Supabase Auth to keep you logged in. No advertising or tracking cookies are used.
9. AI grading consent
When you first submit an SAQ or essay, we ask for your consent to send your answer to Google Gemini for grading. You can withdraw that consent at any time below — you will be asked again on your next submission.
10. Changes to this notice
If we make material changes we will update the date at the top of this page and, where appropriate, notify you by email.