Privacy Policy

Effective Date: 2026-05-18 Version: 1.0 Operator: AIClinica, Inc. ("AIClinica", "we", "us", "our") — a Delaware corporation operating https://aiclinica.com and all *.aiclinica.com subdomains (collectively, the "Service").

This Privacy Policy explains what personal information we collect, why we collect it, the legal basis on which we process it, and the rights you have. It applies to individuals worldwide, including residents of the European Economic Area ("EEA"), the United Kingdom, Switzerland, California, and the United Arab Emirates.

Important: AIClinica is a medical-board examination practice platform for medical professionals and trainees. The Service is for educational use only and is not a clinical decision-support tool. We do not process patient health information.

1. Who we are and how to contact us

Role	Contact
Data Controller	AIClinica, Inc., Delaware, USA
Privacy contact / DPO	privacy@aiclinica.com
Postal address	Provided on written request to privacy@aiclinica.com
Supervisory authority (EEA users)	Your national Data Protection Authority

2. Information we collect

We collect only what we need to operate the Service. Categories:

2.1 Information you provide

Account data: name, email, password hash, training level (medical student / PGY year / fellow), specialty interests
Profile data: optional avatar, time zone, language preference
Payment data: handled exclusively by Stripe; we receive a tokenized identifier and the last 4 digits of the card. We never receive or store full card numbers, CVVs, or expiry dates.
Communications: anything you send to support@aiclinica.com or through the in-app chat
User-generated content: your spoken or typed responses to scenarios, recordings if you opt in to voice practice

2.2 Information collected automatically

Usage data: pages visited, scenarios attempted, completion rates, session timestamps, browser type, operating system, approximate location (city-level, derived from IP)
Device data: IP address, screen size, language headers, user-agent
Cookies and similar technologies: see our Cookie Policy

2.3 Information from third parties

Authentication providers: if you sign in with Google, we receive your name, email, and profile picture per Google's consent screen
Institutional roster sync: where your institution provides bulk seat licenses, the institution administrator may upload your name + email to provision access; you are notified by email upon enrollment

2.4 Information we do NOT collect

Patient health information ("PHI") — the Service is not designed for entering real patient data and users are prohibited from doing so
Biometric data beyond voice recordings that you actively submit for practice
Sensitive categories of data (race, ethnicity, religion, political opinions, sexual orientation) — please do not submit these to the Service

3. Why we process your information (purposes and legal bases)

We process your data only when we have a lawful basis under GDPR Article 6 (and equivalent provisions in other jurisdictions):

Purpose	Legal basis
Provide and operate the Service (deliver scenarios, score responses, sync progress)	Performance of contract (Article 6(1)(b))
Process payments and prevent fraud	Performance of contract + legitimate interest (Article 6(1)(b) and 6(1)(f))
Send service-related emails (receipts, password resets, security alerts)	Performance of contract
Send marketing emails (newsletters, product updates)	Consent (Article 6(1)(a)) — opt-out at any time
Improve the Service via aggregated analytics	Legitimate interest, balanced against your rights (Article 6(1)(f))
Detect abuse, ensure platform safety	Legitimate interest
Comply with legal obligations (tax, audit, lawful orders)	Legal obligation (Article 6(1)(c))

We do not sell your personal information. We share it with carefully selected service providers ("sub-processors") under written contracts that require the same protections we apply. Current sub-processors:

Sub-processor	Purpose	Data shared	Region
Supabase (Supabase, Inc., USA)	Application database + authentication	All account + usage data	USA
Stripe (Stripe, Inc., USA)	Payment processing	Email + tokenized payment identifier	USA
Resend (Resend, Inc., USA)	Transactional + marketing email	Email + display name + email body	USA
Anthropic (Anthropic PBC, USA)	AI examiner + grading	Your scenario responses (anonymized where feasible)	USA
Deepgram (Deepgram, Inc., USA)	Speech-to-text for voice practice	Voice recordings (transient, not retained by Deepgram beyond processing)	USA
ElevenLabs (ElevenLabs Inc., USA)	Text-to-speech for examiner voice	Scenario text + voice profile selection	USA
Twilio (Twilio Inc., USA)	SMS one-time codes for admin MFA	Phone numbers of administrators only	USA
Cloudflare (Cloudflare, Inc., USA)	CDN, DDoS protection, Worker relays	All traffic metadata	Global
Google (Google LLC, USA)	Web analytics (gtag), authentication, infrastructure	Aggregated usage + sign-in events	USA

A current and authoritative list is available on request to privacy@aiclinica.com.

We may also disclose your information when required by law, court order, or to enforce our rights or protect the safety of users.

5. International data transfers

The Service is operated from the United States. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on:

The European Commission's Standard Contractual Clauses (2021/914), where applicable
The UK Addendum
Adequacy decisions where in force

You may request a copy of the Standard Contractual Clauses at privacy@aiclinica.com.

6. How long we keep your information

Category	Retention period
Active account data	For the life of the account
Closed account data	Up to 30 days after closure, then irreversibly purged or anonymized for aggregate analytics
Payment records	7 years (US tax law / Stripe's mandatory retention)
Support communications	24 months after the last contact
Server logs	90 days
Backups	Up to 30 days after the production data is deleted

Aggregated, de-identified data may be retained indefinitely for product improvement and research, provided it cannot be re-identified.

7. Your rights

Depending on where you live, you have some or all of the following rights:

Access — request a copy of the data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure / "Right to be forgotten" — request deletion subject to legal retention requirements above
Restriction — limit how we process your data in certain circumstances
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interest, including direct marketing
Withdraw consent — where processing is based on consent, withdraw at any time without affecting prior lawful processing
Lodge a complaint — with your supervisory authority

To exercise any right, email privacy@aiclinica.com from the address associated with your account. We will respond within 30 days. We may request additional verification to confirm your identity. There is no fee unless a request is manifestly unfounded or excessive.

California residents (CCPA / CPRA)

You also have the right to know what categories of personal information we collect, sell, or share (we do not sell), and the right to non-discrimination for exercising your CCPA rights.

UAE residents

We comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. Data subjects have rights equivalent to those listed above.

8. How we secure your information

We apply industry-standard administrative, technical, and physical safeguards:

TLS 1.2+ for all data in transit
AES-256 at rest (Supabase managed encryption)
Per-user row-level security ("RLS") policies enforced at the database layer
Multi-factor authentication ("MFA") required for all administrators
Annual third-party penetration tests (institutional customers can request the executive summary)
Principle-of-least-privilege access controls for staff
Logged + audited admin actions

No system is 100% secure. If we discover a security incident affecting your personal data, we will notify you and the appropriate supervisory authority without undue delay, and in any case within the timelines required by applicable law (typically 72 hours for material breaches under GDPR).

9. Children's privacy

The Service is intended exclusively for adults age 18 and over who are pursuing or practicing in medical education or healthcare. We do not knowingly collect personal information from children under 18. If you believe a child has provided information to us, contact privacy@aiclinica.com and we will delete the account.

10. Automated decision-making and profiling

The Service uses AI to grade your responses and adapt scenario difficulty. These decisions:

Are educational scoring, not legally significant decisions
Always include a human-readable rationale ("examiner feedback")
Can be appealed by contacting support@aiclinica.com — a human reviewer will re-grade if you submit a reasoned request

We do not use automated decision-making for employment, credit, insurance, or any decision that produces legal effects.

11. Marketing communications

We send marketing emails (product updates, feature launches, exam-prep tips) only with your opt-in consent. Every marketing email contains an unsubscribe link that takes effect immediately. Service emails (receipts, security alerts, account changes) are not promotional and continue regardless of marketing preferences.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email at least 30 days before they take effect. The version number and effective date at the top of this page indicate the current revision. Prior versions are available on request.

13. Contact

Inquiry	Email
Privacy questions, data subject requests	privacy@aiclinica.com
General support	support@aiclinica.com
Security disclosures	security@aiclinica.com
Press	press@aiclinica.com