Privacy Policy

Effective Date: June 12, 2026
Last Updated: June 12, 2026

1. Introduction & Scope

This Privacy Policy applies to the MedTrack iOS application and the medtrackapp.com website operated by MedTrack LLC ("MedTrack," "we," "our," or "us"). By using the MedTrack app or website, you consent to the data practices described in this policy.

2. What We Collect

a) Account Information

• Email address
• Display name (if you provide one)
• Profile photo URL (if you sign in with Google/Apple and they expose one)
• Authentication provider identifier (Google sub, Apple user identifier, or email)

b) MCAT Performance Data

• Practice block scores (date, section, # correct, # questions, raw percentage)
• MCAT exam scores you enter (overall + section subscores)
• Review queue items you flag
• Computed practice accuracy + projected MCAT range (derived, not user-entered)

c) AMCAS-Style Experience Data

• Clinical hours, volunteer hours, shadowing hours, research hours
• Per-experience descriptions, dates, supervisor info, location
• Self-reported data

d) School Targets

• List of target medical schools you add
• Tier classification (reach / target / safety) — computed by the app
• School-specific notes

e) AI Advisor Conversation History

• Full chat transcripts between you and the AI Advisor
• Stored to maintain context across sessions

f) Practice Interview History

• Interview transcripts (text)
• Voice recordings during live interviews — see Section 5 "AI Features & Voice Data" for full disclosure of audio handling
• Rubric grades + AI feedback
• Date, duration, completion status

g) Subscription & Billing Data

• Subscription state (free / trial / active / expired)
• Subscription tier (Premium)
• Practice Interview consumables owned + used this month
• Monthly reset dates
• We do NOT store credit card or full payment information — Apple handles all payment processing

h) Referral Data

• Referral code you generated for yourself
• Referral code you redeemed (if any)
• Pending referral state

i) Device & Usage Data

• iOS version, device model, app version, build number
• Crash reports + non-fatal error logs (via Firebase Crashlytics)
• IP address (transient, used for authentication only — not stored long-term in our database)
• Approximate region (derived from IP at sign-in)

j) Cookies & Web Tracking (medtrackapp.com only)

• Essential cookies for site functionality
• We do NOT use third-party advertising trackers, retargeting pixels, or analytics that build behavioral profiles

3. How We Use Your Information

• Operate the app's core features (track MCAT, log hours, manage school list)
• Authenticate users and prevent unauthorized account access
• Compute personalized projections (Projected MCAT range, practice accuracy, MedTrack Score)
• Generate AI-powered features (Advisor responses, Practice Interview grading, AI feedback)
• Provide customer support
• Detect, prevent, and respond to security incidents and abuse
• Comply with legal obligations
• Improve the app — aggregated, anonymized analytics only

4. Third-Party Services & Sub-Processors

MedTrack uses the following third-party services. Each processes specific data as part of our app functionality:

Service	Provider	What data is shared	Purpose
Firebase Authentication	Google LLC	Email, auth provider ID, IP (transient)	User sign-in
Cloud Firestore	Google LLC	All user-generated data (MCAT scores, hours, schools, chats, interview history)	App database
Cloud Functions	Google LLC	Auth tokens, function call payloads	Backend logic execution
Firebase Crashlytics	Google LLC	Crash reports, device info, app version, anonymized user ID	Crash reporting
Firebase Storage	Google LLC	User-uploaded media (if used)	Media storage
OpenAI Realtime API	OpenAI, Inc.	Voice audio streams + transcripts during Practice Interviews; AI Advisor chat messages	Voice interview AI, conversational AI advisor
OpenAI Chat Completions API	OpenAI, Inc.	AI Advisor message text + context	AI Advisor responses
RevenueCat	RevenueCat, Inc.	Anonymized user ID, subscription events, IAP receipts	Subscription state management
Apple App Store / IAP	Apple Inc.	Payment information, IAP receipts	Subscription billing

Privacy policies:

• Google/Firebase: https://policies.google.com/privacy
• OpenAI: https://openai.com/policies/privacy-policy
• RevenueCat: https://www.revenuecat.com/privacy
• Apple: https://www.apple.com/legal/privacy/

Sign-in providers (depending on which you use):

• Sign in with Apple: https://www.apple.com/legal/privacy/
• Sign in with Google: https://policies.google.com/privacy

These sub-processors may be located outside your home jurisdiction (most are US-based). Data transfers are subject to appropriate safeguards, including Standard Contractual Clauses for EU transfers.

5. AI Features & Voice Data [LEGAL REVIEW RECOMMENDED]

MedTrack uses OpenAI's Realtime API to provide live voice Practice Interview sessions. During a Practice Interview, audio is transmitted from your device directly to OpenAI's servers via an authenticated WebSocket connection. OpenAI processes the audio to generate AI interviewer responses in real time.

MedTrack does NOT directly store raw audio recordings of Practice Interviews on our servers. Transcripts of interviews are stored in your account so you can review your performance.

OpenAI's data handling for the Realtime API is governed by their privacy policy and API data usage terms. As of June 12, 2026, OpenAI's stated policy for API customers is that input/output is not used to train OpenAI models unless explicitly opted in. Refer to OpenAI's current policy at https://openai.com/policies/api-data-usage-policies for the latest terms.

AI Advisor: Your messages and the context window of your conversation are sent to OpenAI for processing. Responses are generated by GPT models. AI Advisor outputs are AI-generated content and may contain inaccuracies. AI Advisor is NOT a substitute for guidance from licensed admissions counselors, physicians, or medical educators.

All AI features rely on third-party AI providers. We may change AI providers in the future and will update this policy accordingly.

6. Data Sharing & Disclosure

We may share your data beyond the sub-processors listed above only in the following circumstances:

• With your consent
• To comply with legal process (subpoenas, court orders, lawful government requests)
• To enforce our Terms of Service or protect rights, property, or safety
• In connection with a corporate transaction (merger, acquisition, asset sale) — with notice to users
• In aggregated, de-identified form for research, statistics, or product improvement

7. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request (see Section 8).
• MCAT + experience + school + advisor + interview data: Retained while your account is active; deleted on account deletion.
• Subscription records: Retained for 7 years for tax/accounting compliance even after account deletion (only billing-relevant fields, not personal content).
• Crash logs: Retained 90 days then auto-purged by Firebase.
• Backup snapshots: Rotated and purged within 90 days of account deletion (Firebase backup retention).

8. Account Deletion

You can request account deletion through the app:

1. Open the MedTrack app → Settings → Account & data requests
2. Tap "Request deletion" to open a pre-filled email with your account identifier
3. Send the email; we will respond within 7 days confirming deletion

Upon processing:

• Account, MCAT data, experience hours, target schools, advisor history, practice interview history, and authentication credentials are permanently deleted from our systems within 7 days of the request
• Backup snapshots are purged within 90 days of the deletion
• Subscription records retained per Section 7 retention rules (billing-relevant fields only)

Direct path: Email medtrack.info@gmail.com directly from the address associated with your account if you cannot access the app.

Deletion is permanent and cannot be reversed.

9. Your Rights (US — including California Privacy Rights / CCPA / CPRA) [LEGAL REVIEW RECOMMENDED]

For California residents under CCPA/CPRA, you have the following rights:

• Right to know what categories of personal information are collected, sources, purposes, and categories of third parties with whom it's shared
• Right to access specific pieces of personal information collected in the prior 12 months
• Right to delete personal information (see Section 8)
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing — We do not sell or share personal information as defined under the CCPA.
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising any of these rights

How to exercise these rights: Email medtrack.info@gmail.com from your account email, with subject line "California Privacy Rights Request." We will respond within 45 days.

For non-California US users, we extend the same rights on a best-effort basis. Note that Virginia, Colorado, Connecticut, Utah, and other state privacy laws may apply.

10. Your Rights (EU / UK / EEA — GDPR) [LEGAL REVIEW RECOMMENDED]

If you are located in the European Union, United Kingdom, or European Economic Area, you have the following rights under GDPR:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / "right to be forgotten" (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated decision-making (Article 22) — the projected MCAT score and MedTrack Score are computed algorithmically; you have the right to understand how

Legal basis for processing (GDPR Article 6):

• Performance of a contract (operating the app you signed up for)
• Legitimate interest (security, fraud prevention, product improvement)
• Consent (for optional features you explicitly enable)

Data Protection Officer: medtrack.info@gmail.com

Supervisory authority: EU users have the right to lodge a complaint with their local Data Protection Authority.

11. Children's Privacy

MedTrack is intended for users 17 and older (matching the App Store age rating).

• The app is not directed to children under 13. We do not knowingly collect personal information from children under 13.
• If you believe a child under 13 has provided us with personal information, please contact medtrack.info@gmail.com and we will delete the information.
• Users between 13 and the age of majority in their jurisdiction should obtain parental or guardian consent before using the app.

12. Security

• Encryption in transit (TLS 1.2+) for all data between the app and our servers
• Encryption at rest in Firebase / Google Cloud (AES-256, managed by Google)
• Firebase Authentication for identity management
• Firestore Security Rules enforcing per-user data access (a user can only read/write their own data)
• Server-only fields for subscription state and quota (writable only by Cloud Functions with the Admin SDK, never directly by clients)
• Crashlytics for incident detection

No security system is impenetrable. We cannot guarantee absolute security of data transmitted via the internet.

13. International Data Transfers

MedTrack is operated from the United States. Data may be transferred, stored, and processed in the US and other countries where our sub-processors operate. For EU/UK users, transfers are subject to Standard Contractual Clauses or equivalent safeguards.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification or email. Continued use after changes constitutes acceptance.

15. Contact Us

For privacy questions, data requests, or to exercise any rights:

Email: medtrack.info@gmail.com
Mail: MedTrack LLC, [BUSINESS_ADDRESS]