Privacy policy

Last updated: 2026-05-13

What this platform collects

When you create an account, we store the email address you sign up with, a hashed password (handled by Supabase Auth), and your date of birth (used only to confirm you are old enough to use the platform per applicable law). We never sell your contact information or share it with advertisers.

When you use the platform, we record the practice questions generated for you, your answers, the time you spent on each question, and the per-concept mastery posteriors derived from those answers. This is the data the adaptive engine needs to pick your next question — it is not visible to other users.

Encryption + access control

Every user-scoped table in our database has row-level security enabled and verified against an isolation matrix in our test suite. You cannot read or write another user’s rows, and authenticated access is gated by JWT — not by client-side checks.

If you bring your own API key (BYOK) for a model provider, that key is encrypted at rest using AES-256-GCM with a unique IV per encryption and is decrypted only on the server when we dispatch a request to the provider on your behalf. The plaintext key is never returned to the browser after creation; you can only see the last four characters.

Uploaded study materials

You may upload your own notes (PDF, DOCX, TXT, MD) to give the adaptive engine context about your topics of focus. Files are stored in a per-user folder; access is gated by the storage policy, and you can delete them at any time from Settings › Study materials.

We extract text, split it into chunks, optionally embed those chunks (only metadata — embedding vectors and a short text excerpt), and use them to inform question generation. We never quote your notes verbatim back to other users, and we treat any text inside your uploads as untrusted: it cannot change the platform’s behavior beyond "these are the topics that interest this user."

Training data

Your data is not used to train any model. We expose a future opt-in toggle in Settings, but the platform’s code currently defaults to "no training" for all users regardless of the toggle’s state. If we ever start honoring the opt-in, this policy will change first and you will see a dated notice.

Analytics + tracking

We do not run third-party analytics on authenticated pages. The only cookies we set are session, CSRF, and a consent acknowledgement that lets you dismiss the banner shown to new visitors. We do not embed Facebook Pixel, Google Analytics, Hotjar, or similar trackers on logged-in routes.

Deletion

You can permanently delete your account at any time from Settings › Account. Deletion cascades across every user-scoped table (responses, questions, sessions, mastery, uploads, encrypted API keys, spend caps, token usage) and removes the bytes of every file you uploaded. It is not reversible.

Contact

Questions about this policy: please open an issue at github.com/dburt25/mcat-ai/issues or email the address listed on the project README.