This Privacy Policy explains what personal data MedSchoolSOS collects, why, how it is protected, and the rights you have over it. We've written it to be honest and specific to how the service actually works — not a generic template.
Who is responsible for your data
MedSchoolSOS is operated by Mohamed Shembesh and Mahmoud Abdelaal, two individuals operating jointly, based in Hungary. For data-protection purposes we are the data controller.
For any privacy question, or to exercise your rights, contact us at privacy@medschoolsos.com.
What we collect, why, and our legal basis
We only collect what the service needs to work. Under the EU General Data Protection Regulation (GDPR), every use of your data needs a lawful basis. Here is ours, in plain terms:
| Data | Why we have it | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address | To create and secure your account, sign you in, and send essential service emails (confirmation, password reset) | Performance of our contract with you — Art. 6(1)(b) |
| Name (optional) | To personalise your account, if you choose to give it | Performance of contract — Art. 6(1)(b) |
| Password | To protect your account. It is hashed by our authentication provider; we never see or store it in readable form | Performance of contract — Art. 6(1)(b) |
| Billing data (Stripe customer & subscription IDs, status, renewal date, billing country) | To take payment, run your subscription, and keep the accounting records the law requires | Contract — Art. 6(1)(b); and legal obligation — Art. 6(1)(c) |
| Learning data (topic progress, quiz attempts, your private notes and sketches) | To run the study features and show you your own progress | Performance of contract — Art. 6(1)(b) |
| Technical data (IP address, request and error logs) | To keep the service available, prevent abuse (rate limiting), and fix faults | Our legitimate interests in a secure, working service — Art. 6(1)(f) |
An email address and a password are required to create an account — without them we can't provide the service. Your name is optional. Where we rely on our legitimate interests, you can object to that processing (see "Your rights").
Card details never reach our servers. Payment is handled entirely by Stripe, our payment processor. We receive only a customer reference, the subscription status, and your billing country.
What we do NOT do
- We do not sell, rent, or trade your personal data.
- We do not use it for advertising, and we run no third-party advertising or analytics trackers.
- We do not profile you or make automated decisions that have legal or similarly significant effects on you.
- We do not use your data to train any AI model, and the product contains no AI features that process your data.
A note on "health" data
MedSchoolSOS is a study tool. The medical material in it is educational content, not information about your health. We do not ask you for, and do not knowingly process, special-category health data about you. Your notes are private to your account and are not read by us in the ordinary course of running the service.
Who else processes your data (subprocessors)
To run the service we rely on a small number of trusted providers. They process data only on our instructions. You can see the full, current list at https://medschoolsos.com/subprocessors.
| Provider | What they do for us | Data involved | Location | Privacy policy |
|---|---|---|---|---|
| Supabase, Inc. | User accounts, authentication, and database hosting | Email, optional name, hashed password, Stripe customer & subscription IDs, learning progress, quiz attempts, and notes | European Union (Ireland) | Policy |
| Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) | Payment processing and subscription billing | Name, email, billing country, and card details (handled by Stripe — never stored by us) | Ireland and United States | Policy |
| Vercel Inc. | Application hosting and content delivery | IP address, request metadata, and server logs | United States | Policy |
| Cloudflare, Inc. (R2) | File storage and delivery of downloadable Anki decks | Download request metadata (including IP address) | United States / global edge network | Policy |
| Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | Technical error and request metadata (personal data scrubbed before sending) | United States | Policy |
| Upstash, Inc. | Rate limiting (abuse protection) | Short-lived request counters keyed on IP address | United States / global | Policy |
Our web fonts are self-hosted (downloaded at build time and served from our own domain), so loading a page does not send your data to a font provider.
International data transfers
Some of the providers above are based in, or process data in, the United States. Where your personal data is transferred outside the European Economic Area, that transfer is covered by appropriate safeguards — typically the European Commission's Standard Contractual Clauses and the provider's own data-processing agreement. You can ask us for more detail at privacy@medschoolsos.com.
How long we keep it
- Account and learning data — for as long as you have an account. When you delete your account, this data is deleted (see "Your rights" below).
- Billing and accounting records — kept for 8 years, as required by the Hungarian Accounting Act (Act C of 2000), even after you close your account.
- Backups and technical logs — kept only for a short period (generally up to 90 days) and then deleted.
Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify data that is wrong or incomplete;
- erase your data ("right to be forgotten");
- restrict or object to certain processing;
- port your data — receive it in a portable, machine-readable format;
- withdraw consent at any time, where we rely on consent.
Two of these are built into the product: from your Account page you can export your data (a downloadable copy) and permanently delete your account. For anything else, email privacy@medschoolsos.com and we will respond within one month.
If you believe we have mishandled your data, you can complain to the Hungarian supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Falk Miksa utca 9-11, 1055 Budapest, Hungary
Web: https://naih.hu · Email: ugyfelszolgalat@naih.hu · Phone: +36 (1) 391-1400
Children
The service is intended for adults (18+) in medical training. It is not directed at children, and we do not knowingly collect data from anyone under 18.
How we protect your data
We use row-level security so your data is only accessible to you, encryption in transit (HTTPS), hashed passwords, rate limiting against abuse, and error logs that are scrubbed of personal data before they leave our systems. No system is perfectly secure, but we take reasonable, layered measures.
Cookies
We use only essential cookies needed to keep you signed in. We do not use advertising or analytics cookies. See our Cookie Policy for detail.
Changes to this policy
If we make a material change, we will update the date below and, where appropriate, tell you. Continued use after a change means you accept the updated policy.
Contact
Privacy questions: privacy@medschoolsos.com
General support: support@medschoolsos.com
