1. Introduction
MedPrep ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
MedPrep is the data controller responsible for your personal data. For data protection queries, contact us at: medprep.contact@proton.me
3. Information We Collect
3.1 Personal Information
- Name and email address (provided during registration)
- Account credentials (encrypted passwords)
- Profile information (optional)
3.2 Usage Data
- Questions attempted and answers selected
- Study progress and performance metrics
- Login times and session duration
- Device information (browser type, IP address, operating system)
3.3 Cookies and Tracking
- Essential cookies for authentication and security
- Functional cookies for user preferences (dark mode, etc.)
- Analytics cookies to improve our service
4. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To provide access to the Platform and its features
- Account Management: To create and manage your account
- Progress Tracking: To save your study progress and performance
- Service Improvement: To analyze usage patterns and improve content
- Communication: To send service updates and educational content (with your consent)
- Security: To protect against fraud and unauthorized access
- Legal Compliance: To comply with legal obligations
5. Legal Basis for Processing
We process your personal data based on:
- Contract: To fulfill our contract with you (providing the service)
- Legitimate Interests: To improve our service and prevent fraud
- Consent: For marketing communications (you can withdraw anytime)
- Legal Obligation: To comply with applicable laws
6. Data Sharing and Third Parties
We do not sell your personal data. We may share data with:
- Service Providers: Hosting, email services, analytics (under strict contracts)
- Legal Requirements: When required by law or to protect rights
- Business Transfers: In case of merger or acquisition (you will be notified)
We ensure all third parties comply with UK GDPR and provide adequate data protection.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (SSL/TLS)
- Encrypted password storage
- Regular security audits and updates
- Access controls and authentication
- Secure hosting infrastructure
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. If you close your account, we will delete or anonymize your data within 30 days, except where we must retain data for legal or regulatory purposes.
9. Your Rights Under UK GDPR
You have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for marketing communications
To exercise these rights, contact us at: medprep.contact@proton.me
10. Cookies
We use cookies to enhance your experience. Before placing non-essential cookies, we will ask for your consent via our cookie banner. You can change your preferences at any time through the cookie settings banner.
Cookie categories:
- Essential: Required for authentication and security (no consent needed as they are necessary for the Platform to function)
- Functional: Remember your preferences (dark mode, etc.) - requires consent
- Analytics: Help us understand usage patterns - requires consent
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Platform functionality.
11. International Data Transfers
Your data may be transferred to and processed outside the UK/EEA by our service providers:
- Hosting: Vercel Inc. (United States) - our platform hosting provider
- Authentication: Services may involve data processing in various jurisdictions
These transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK Government under UK GDPR Article 46. We only transfer data to countries or organizations that provide adequate protection as required by UK GDPR.
12. Children's Privacy
The Platform is intended for medical professionals and students aged 18 and over. We do not knowingly collect data from individuals under 18.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or Platform notification. Continued use after changes constitutes acceptance.
14. Complaints
If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk