Privacy Policy | StackMed

1) Who we are

StackMed is an online medical education platform (the "Service").

Controller:

Cerna Learn Ltd ("StackMed", "we", "us", "our")
Registered address: ADDITIVE-X, College Business Park, Kearsley Road, Ripon, North Yorkshire, HG4 2RN, United Kingdom
Company number: 16938528

Contact:

Email: [email protected]

If you are in the UK, the supervisory authority is the Information Commissioner's Office (ICO). If you are in the EEA, you can also contact your local data protection authority.

2) What this policy covers

This policy explains how we collect, use, share, and protect personal data when you:

create or use a StackMed account;
use our learning features (question bank, notes, progress tracking);
purchase a subscription; or
contact support.

We aim to comply with the UK GDPR and Data Protection Act 2018. Where EU/EEA users access the Service, EU GDPR may also apply.

3) Personal data we collect

We collect the following categories of personal data:

A. Account and profile data

email address
display name (optional)
password (stored in hashed form by our authentication provider)
account settings and preferences

B. Study and usage data

answers you submit, test/quiz history, performance stats
progress indicators (e.g., completion, streaks, saved items)
feature usage and in-app interactions necessary to operate the Service

C. User content

notes, comments, and other text you choose to create in the Service

Important: Please do not include patient identifiable data or other sensitive third-party information in your notes or comments. If you choose to store special-category data in your own notes (e.g., health information), you do so at your discretion and should avoid including information about other people.

D. Payment and subscription data

Payments are processed by Stripe. We do not store full card numbers.

We may receive and store limited billing/subscription information such as:

billing country/postcode (if provided)
payment status, subscription tier, renewal/expiry dates
Stripe customer/subscription identifiers

E. Technical and security data

IP address (often transient; may be stored in security logs)
device/browser information (e.g., user agent)
timestamps, basic event logs needed to detect abuse, maintain security, and troubleshoot

4) Where we get personal data from

Directly from you (account creation, study actions, support requests)
Automatically from your device/browser when you use the Service (technical/security data)
From payment processors (Stripe) for subscription status and billing administration
From service providers that help us run the Service (e.g., hosting/logging providers)

5) How we use your personal data (purposes and lawful bases)

We only use personal data where we have a lawful basis.

A. To provide the Service (Contract)

create and manage your account
deliver question bank features, saving progress and results
provide customer support and operational communications (e.g., important service notices)

Lawful basis: performance of a contract (providing the Service you request).

B. To run and secure the Service (Legitimate interests)

prevent fraud, abuse, and unauthorised access
monitor reliability, debug issues, and maintain performance
enforce our Terms and protect our users and the Service

Lawful basis: legitimate interests (running a secure, reliable education platform). You may object to processing based on legitimate interests (see Section 10).

C. To process subscriptions and manage billing (Contract / Legal obligation)

manage subscriptions (activation, renewal, cancellation)
maintain records required for tax/accounting and fraud prevention

Lawful basis: contract and/or legal obligation.

D. Analytics (Consent, where applicable)

If enabled, we may use privacy-focused analytics to understand aggregate usage and improve the Service.

Lawful basis: consent (where required). You can withdraw consent at any time via cookie/settings controls.

E. Marketing communications (Consent)

If you opt in, we may send emails about product updates, offers, or newsletters.

Lawful basis: consent. You can unsubscribe at any time via the link in any marketing email.

6) Automated decision-making

We do not use solely automated decision-making (including profiling) that produces legal or similarly significant effects on you.

7) Who we share personal data with

We share personal data only with:

Service providers (processors) that help us operate the Service, such as:
- Supabase (database hosting and authentication)
- Vercel (hosting, performance infrastructure, and bot protection)
Payment provider:
- Stripe (payment processing). Stripe may act as a processor and/or independent controller for certain fraud prevention, security, and compliance purposes under its own documentation.

We may also disclose information:

if required by law, court order, or lawful request; or
to protect our rights, users, and the Service (e.g., investigating abuse).

8) International data transfers

Our providers may process personal data outside the UK and/or EEA (for example, where infrastructure or support operations are located globally).

Where we make "restricted transfers", we use appropriate safeguards such as:

the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs (as applicable); and/or
adequacy regulations where available,

and we take additional measures where required.

9) Data retention

We keep personal data only as long as needed for the purposes described above.

Typical retention periods:

Account data: kept while your account is active. If you delete your account, we will delete or anonymise personal data within a reasonable period, subject to the exceptions below.
Study data and user content: kept while your account is active and deleted or anonymised following account deletion, subject to technical and legal constraints.
Billing/subscription records: kept for at least 6 years (or longer if required) for tax/accounting and compliance.
Security logs: kept only for as long as reasonably necessary to investigate security incidents, prevent abuse, and maintain the Service.
Backups: residual copies may remain in backups for a limited period before they are overwritten in the ordinary course.

10) Your rights

Depending on your location and applicable law (UK/EU GDPR), you may have the right to:

Access: request a copy of your personal data
Rectification: correct inaccurate or incomplete data
Erasure: request deletion of personal data (and/or delete your account)
Restriction: ask us to limit processing in certain cases
Portability: receive certain data in a machine-readable format
Objection: object to processing based on legitimate interests
Withdraw consent: where we rely on consent (e.g., marketing/analytics), you can withdraw it at any time

How to exercise your rights:

Use Account Settings (where available), or
Email [email protected] from your account email address.

We may need to verify your identity before fulfilling a request. We aim to respond within one month (and will tell you if we need more time).

11) Cookies and similar technologies

We use cookies and similar technologies (including local storage) for:

A. Strictly necessary purposes

authentication and session management
security features and bot protection

These are required for the Service to function.

B. Optional analytics (if enabled)

We only enable optional analytics where you have provided consent (where required). You can change your choice at any time via our cookie banner/settings.

Note: Clearing cookies and/or local storage via your browser will reset some preferences.

12) Security

We use reasonable technical and organisational measures designed to protect personal data, including access controls, encryption in transit (HTTPS), and least-privilege access for operational systems. No method of transmission or storage is 100% secure, but we work to protect your information.

13) Children

StackMed is intended for medical students and adult learners. It is not directed at children.

If you are under 13 (UK) you must not use the Service. If you believe a child has provided personal data, contact us at [email protected].

14) Changes to this policy

We may update this policy from time to time. If changes are significant, we will provide notice via the Service and/or by email. The "Last updated" date shows when this policy was last revised.

15) Contact and complaints

Privacy enquiries: [email protected]

If you are unhappy with how we handle your personal data, you can complain to the ICO (UK) and/or your local EEA data protection authority.

1) Who we are

StackMed is an online medical education platform (the "Service").

Controller:

Cerna Learn Ltd ("StackMed", "we", "us", "our")
Registered address: ADDITIVE-X, College Business Park, Kearsley Road, Ripon, North Yorkshire, HG4 2RN, United Kingdom
Company number: 16938528

Contact:

Email: [email protected]

If you are in the UK, the supervisory authority is the Information Commissioner's Office (ICO). If you are in the EEA, you can also contact your local data protection authority.

2) What this policy covers

This policy explains how we collect, use, share, and protect personal data when you:

create or use a StackMed account;
use our learning features (question bank, notes, progress tracking);
purchase a subscription; or
contact support.

We aim to comply with the UK GDPR and Data Protection Act 2018. Where EU/EEA users access the Service, EU GDPR may also apply.

3) Personal data we collect

We collect the following categories of personal data:

A. Account and profile data

email address
display name (optional)
password (stored in hashed form by our authentication provider)
account settings and preferences

B. Study and usage data

answers you submit, test/quiz history, performance stats
progress indicators (e.g., completion, streaks, saved items)
feature usage and in-app interactions necessary to operate the Service

C. User content

notes, comments, and other text you choose to create in the Service

D. Payment and subscription data

Payments are processed by Stripe. We do not store full card numbers.

We may receive and store limited billing/subscription information such as:

billing country/postcode (if provided)
payment status, subscription tier, renewal/expiry dates
Stripe customer/subscription identifiers

E. Technical and security data

IP address (often transient; may be stored in security logs)
device/browser information (e.g., user agent)
timestamps, basic event logs needed to detect abuse, maintain security, and troubleshoot

4) Where we get personal data from

Directly from you (account creation, study actions, support requests)
Automatically from your device/browser when you use the Service (technical/security data)
From payment processors (Stripe) for subscription status and billing administration
From service providers that help us run the Service (e.g., hosting/logging providers)

5) How we use your personal data (purposes and lawful bases)

We only use personal data where we have a lawful basis.

A. To provide the Service (Contract)

create and manage your account
deliver question bank features, saving progress and results
provide customer support and operational communications (e.g., important service notices)

Lawful basis: performance of a contract (providing the Service you request).

B. To run and secure the Service (Legitimate interests)

prevent fraud, abuse, and unauthorised access
monitor reliability, debug issues, and maintain performance
enforce our Terms and protect our users and the Service

Lawful basis: legitimate interests (running a secure, reliable education platform). You may object to processing based on legitimate interests (see Section 10).

C. To process subscriptions and manage billing (Contract / Legal obligation)

manage subscriptions (activation, renewal, cancellation)
maintain records required for tax/accounting and fraud prevention

Lawful basis: contract and/or legal obligation.

D. Analytics (Consent, where applicable)

If enabled, we may use privacy-focused analytics to understand aggregate usage and improve the Service.

Lawful basis: consent (where required). You can withdraw consent at any time via cookie/settings controls.

E. Marketing communications (Consent)

If you opt in, we may send emails about product updates, offers, or newsletters.

Lawful basis: consent. You can unsubscribe at any time via the link in any marketing email.

6) Automated decision-making

We do not use solely automated decision-making (including profiling) that produces legal or similarly significant effects on you.

7) Who we share personal data with

We share personal data only with:

Service providers (processors) that help us operate the Service, such as:
- Supabase (database hosting and authentication)
- Vercel (hosting, performance infrastructure, and bot protection)
Payment provider:
- Stripe (payment processing). Stripe may act as a processor and/or independent controller for certain fraud prevention, security, and compliance purposes under its own documentation.

We may also disclose information:

if required by law, court order, or lawful request; or
to protect our rights, users, and the Service (e.g., investigating abuse).

8) International data transfers

Our providers may process personal data outside the UK and/or EEA (for example, where infrastructure or support operations are located globally).

Where we make "restricted transfers", we use appropriate safeguards such as:

the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs (as applicable); and/or
adequacy regulations where available,

and we take additional measures where required.

9) Data retention

We keep personal data only as long as needed for the purposes described above.

Typical retention periods:

Account data: kept while your account is active. If you delete your account, we will delete or anonymise personal data within a reasonable period, subject to the exceptions below.
Study data and user content: kept while your account is active and deleted or anonymised following account deletion, subject to technical and legal constraints.
Billing/subscription records: kept for at least 6 years (or longer if required) for tax/accounting and compliance.
Security logs: kept only for as long as reasonably necessary to investigate security incidents, prevent abuse, and maintain the Service.
Backups: residual copies may remain in backups for a limited period before they are overwritten in the ordinary course.

10) Your rights

Depending on your location and applicable law (UK/EU GDPR), you may have the right to:

Access: request a copy of your personal data
Rectification: correct inaccurate or incomplete data
Erasure: request deletion of personal data (and/or delete your account)
Restriction: ask us to limit processing in certain cases
Portability: receive certain data in a machine-readable format
Objection: object to processing based on legitimate interests
Withdraw consent: where we rely on consent (e.g., marketing/analytics), you can withdraw it at any time

How to exercise your rights:

Use Account Settings (where available), or
Email [email protected] from your account email address.

We may need to verify your identity before fulfilling a request. We aim to respond within one month (and will tell you if we need more time).

11) Cookies and similar technologies

We use cookies and similar technologies (including local storage) for:

A. Strictly necessary purposes

authentication and session management
security features and bot protection

These are required for the Service to function.

B. Optional analytics (if enabled)

We only enable optional analytics where you have provided consent (where required). You can change your choice at any time via our cookie banner/settings.

Note: Clearing cookies and/or local storage via your browser will reset some preferences.

12) Security

13) Children

StackMed is intended for medical students and adult learners. It is not directed at children.

If you are under 13 (UK) you must not use the Service. If you believe a child has provided personal data, contact us at [email protected].

14) Changes to this policy

We may update this policy from time to time. If changes are significant, we will provide notice via the Service and/or by email. The "Last updated" date shows when this policy was last revised.

15) Contact and complaints

Privacy enquiries: [email protected]

If you are unhappy with how we handle your personal data, you can complain to the ICO (UK) and/or your local EEA data protection authority.