Privacy Policy
Last updated: 4 August 2025
1. Who We Are
ExamFlip ("ExamFlip", "we", "our") provides AI-powered medical-exam preparation services. The data controller is ExamFlip, Inc., La Crescenta, CA 91214, USA. Questions? Email privacy@examflip.com.
2. Scope
This Policy applies to www.examflip.com, our mobile apps, and any other services that link to it (collectively, the "Services").
3. Information We Collect
| Category | Typical examples | How we obtain it |
|---|---|---|
| Basic identifiers | Full name, email address, professional title | You provide at sign-up |
| Account credentials | Username, encrypted password | You provide |
| Service-usage data | Question attempts, scores, study-session timestamps, feature clicks | Collected automatically |
| Technical data | IP address, browser/OS, device type | Collected automatically |
| Payment-success signals | Subscription status, Stripe customer/subscription ID | Received from Stripe webhooks; no card details ever touch our servers |
What we don't collect: We never ask for government IDs, date or place of birth, Social Security/National ID numbers, health data, race/ethnicity, or biometric identifiers.
4. How We Use Your Information
- Provide & maintain the Services — create your account, display your performance dashboard, etc.
- Personalize learning via our AI engine.
- Improve and secure the platform, including debugging and preventing fraud.
- Verify payments — we receive a yes/no confirmation plus a subscription ID from Stripe webhooks. We do not store card numbers or billing addresses.
- Communicate with you about updates or — if you opt-in — marketing.
- Comply with legal obligations and enforce our Terms.
AI usage: Interaction data may be anonymized and used to fine-tune internal AI models. We never feed identifiable data into publicly available AI systems.
5. Where We Store & Process Data
| Environment | Purpose |
|---|---|
| Amazon Web Services (AWS) | Primary application servers & databases |
| Microsoft Azure | Scalable compute for AI workloads |
| Google Cloud Platform (GCP) | Off-site encrypted backups |
| Stripe, Inc. | External PCI-DSS-certified processor; holds all payment data |
6. Cookies & Similar Technologies
We do not currently set cookies or similar tracking technologies. If we introduce them in the future, this Policy will be updated and you will be notified with clear choices.
7. Your Controls & Choices
- Dashboard deletion: A self-service "Delete My Data" option lets you wipe your study history at any time.
- Full account deletion: Close your account through in-app settings or by contacting support.
- Other rights: Depending on your jurisdiction, you may access, correct, port, object to, or restrict processing of your data.
8. Data Retention
| Data type | Retention period | Deletion method |
|---|---|---|
| Study activity & performance | Until you delete it or close your account | Immediate, irreversible purge |
| Account profile | Life of account + 2 yrs for audit | Secure deletion |
| Stripe subscription metadata | Subscription life + 2 yrs | Secure deletion (card data never stored) |
9. Security
- Encryption in transit and at rest across AWS, Azure, and GCP.
- Passwords hashed and salted with industry-standard algorithms.
- Multi-cloud key management; each provider stores keys separately.
- Annual third-party penetration tests.
10. Sharing & Disclosure
| Recipient | Reason |
|---|---|
| Cloud & IT providers | Hosting, performance, security |
| Stripe | Handles the entire payment flow |
| AI processors | Generate chat responses; bound by DPAs |
| Advisors / acquirers | Business transfers, mergers |
| Authorities | Where required by law or court order |
We do not sell your personal data.
11. Your Rights
Depending on your jurisdiction, you may have rights to access, rectify, delete, or port your data; to object to or restrict certain processing; and to opt-out of marketing. We respond within one month (or 45 days for CCPA).
12. Children
The Services are intended for users 16 years or older. We do not knowingly collect data from children.
13. Changes to This Policy
Material changes will be announced at least 14 days in advance via email or in-app notice.
14. Contact
| Role | Details |
|---|---|
| Data Protection Officer | privacy@examflip.com |