PRIVACY POLICY

Last updated: 16 December 2025

1) Who we are

StackMed is an online medical education platform (the "Service").

Controller:

Cerna Learn Ltd ("StackMed", "we", "us", "our")
Registered address: [REGISTERED ADDRESS]
Company number: [COMPANY NUMBER] (if applicable)

Contact:

Email: privacy@stackmed.co.uk

If you are in the UK, the supervisory authority is the Information Commissioner's Office (ICO). If you are in the EEA, you can also contact your local data protection authority.

2) What this policy covers

This policy explains how we collect, use, share, and protect personal data when you:

  • create or use a StackMed account;
  • use our learning features (question bank, notes, progress tracking);
  • purchase a subscription; or
  • contact support.

We aim to comply with the UK GDPR and Data Protection Act 2018. Where EU/EEA users access the Service, EU GDPR may also apply.

3) Personal data we collect

We collect the following categories of personal data:

A. Account and profile data

  • email address
  • display name (optional)
  • password (stored in hashed form by our authentication provider)
  • account settings and preferences

B. Study and usage data

  • answers you submit, test/quiz history, performance stats
  • progress indicators (e.g., completion, streaks, saved items)
  • feature usage and in-app interactions necessary to operate the Service

C. User content

  • notes, comments, and other text you choose to create in the Service

Important: Please do not include patient identifiable data or other sensitive third-party information in your notes or comments. If you choose to store special-category data in your own notes (e.g., health information), you do so at your discretion and should avoid including information about other people.

D. Payment and subscription data

Payments are processed by Stripe. We do not store full card numbers.

We may receive and store limited billing/subscription information such as:

  • billing country/postcode (if provided)
  • payment status, subscription tier, renewal/expiry dates
  • Stripe customer/subscription identifiers

E. Technical and security data

  • IP address (often transient; may be stored in security logs)
  • device/browser information (e.g., user agent)
  • timestamps, basic event logs needed to detect abuse, maintain security, and troubleshoot

4) Where we get personal data from

  • Directly from you (account creation, study actions, support requests)
  • Automatically from your device/browser when you use the Service (technical/security data)
  • From payment processors (Stripe) for subscription status and billing administration
  • From service providers that help us run the Service (e.g., hosting/logging providers)

5) How we use your personal data (purposes and lawful bases)

We only use personal data where we have a lawful basis.

A. To provide the Service (Contract)

  • create and manage your account
  • deliver question bank features, saving progress and results
  • provide customer support and operational communications (e.g., important service notices)

Lawful basis: performance of a contract (providing the Service you request).

B. To run and secure the Service (Legitimate interests)

  • prevent fraud, abuse, and unauthorised access
  • monitor reliability, debug issues, and maintain performance
  • enforce our Terms and protect our users and the Service

Lawful basis: legitimate interests (running a secure, reliable education platform). You may object to processing based on legitimate interests (see Section 10).

C. To process subscriptions and manage billing (Contract / Legal obligation)

  • manage subscriptions (activation, renewal, cancellation)
  • maintain records required for tax/accounting and fraud prevention

Lawful basis: contract and/or legal obligation.

D. Analytics (Consent, where applicable)

If enabled, we may use privacy-focused analytics to understand aggregate usage and improve the Service.

Lawful basis: consent (where required). You can withdraw consent at any time via cookie/settings controls.

E. Marketing communications (Consent)

If you opt in, we may send emails about product updates, offers, or newsletters.

Lawful basis: consent. You can unsubscribe at any time via the link in any marketing email.

6) Automated decision-making

We do not use solely automated decision-making (including profiling) that produces legal or similarly significant effects on you.

7) Who we share personal data with

We share personal data only with:

  • Service providers (processors) that help us operate the Service, such as:
    • Supabase (database hosting and authentication)
    • Vercel (hosting, performance infrastructure, and bot protection)
    • Email service provider(s) used for transactional email (if applicable): [PROVIDER NAME]
  • Payment provider:
    • Stripe (payment processing). Stripe may act as a processor and/or independent controller for certain fraud prevention, security, and compliance purposes under its own documentation.

We may also disclose information:

  • if required by law, court order, or lawful request; or
  • to protect our rights, users, and the Service (e.g., investigating abuse).

8) International data transfers

Our providers may process personal data outside the UK and/or EEA (for example, where infrastructure or support operations are located globally).

Where we make "restricted transfers", we use appropriate safeguards such as:

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as applicable; and/or
  • adequacy regulations where available,

and we take additional measures where required.

9) Data retention

We keep personal data only as long as needed for the purposes described above.

Typical retention periods:

  • Account data: kept while your account is active. If you delete your account, we delete or anonymise personal data within [30] days where feasible, subject to the exceptions below.
  • Study data and user content: kept while your account is active; deleted/anonymised on account deletion unless you request otherwise (where supported).
  • Billing/subscription records: kept for at least 6 years (or longer if required) for tax/accounting and compliance.
  • Security logs: typically up to 90 days unless needed longer to investigate security incidents or abuse.
  • Backups: residual copies may persist in backups for a limited period (typically up to [30–90] days) before being overwritten.

10) Your rights

Depending on your location and applicable law (UK/EU GDPR), you may have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion of personal data (and/or delete your account)
  • Restriction: ask us to limit processing in certain cases
  • Portability: receive certain data in a machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where we rely on consent (e.g., marketing/analytics), you can withdraw it at any time

How to exercise your rights:

  • Use Account Settings (where available), or
  • Email privacy@stackmed.co.uk from your account email address.

We may need to verify your identity before fulfilling a request. We aim to respond within one month (and will tell you if we need more time).

11) Cookies and similar technologies

We use cookies and similar technologies (including local storage) for:

A. Strictly necessary purposes

  • authentication and session management
  • security features and bot protection

These are required for the Service to function.

B. Optional analytics (if enabled)

We only enable optional analytics where you have provided consent (where required). You can change your choice at any time via our cookie banner/settings.

Note: Clearing cookies and/or local storage via your browser will reset some preferences.

12) Security

We use reasonable technical and organisational measures designed to protect personal data, including access controls, encryption in transit (HTTPS), and least-privilege access for operational systems. No method of transmission or storage is 100% secure, but we work to protect your information.

13) Children

StackMed is intended for medical students and adult learners. It is not directed at children.

If you are under 13 (UK), you must not use the Service. If you believe a child has provided personal data to us, contact us at privacy@stackmed.co.uk.

14) Changes to this policy

We may update this policy from time to time. If changes are significant, we will provide notice via the Service and/or by email. The "Last updated" date shows when this policy was last revised.

15) Contact and complaints

Privacy enquiries: privacy@stackmed.co.uk

If you are unhappy with how we handle your personal data, you can complain to the ICO (UK) and/or your local EEA data protection authority.