Privacy Policy
Last updated: May 23, 2026
The short version
Premed Copilot helps premed students plan, write, and prep for med school applications. We collect the minimum data needed to deliver the product, we never sell it, and your essays + stories never leave your account. This page explains the details.
What we collect
- Account info: name, email, and the OAuth identifier returned by Google when you sign in.
- Profile data you enter: MCAT score, GPA, school year, background, goals, resume, activities, and stories. This is what powers your drafts and fit analyses.
- Generated content: personal statements, activity entries, secondary essays, mock interview transcripts, and study plans you create with the AI.
- Payment info: handled by Stripe. We never see or store your card details. We only see what Stripe tells us: customer ID, what you purchased, and when.
- Calendar data (optional): if you connect Google Calendar, we read your event titles and times so the planner can work around them. We never write events without your explicit action.
- Voice mock recordings: processed live by ElevenLabs during your interview. We store the transcript and final evaluation, not the raw audio.
- Usage data: standard server logs (timestamps, page paths, IP for rate limiting). We do not use third-party ad-tracking or behavioral profiling.
How we use it
- To deliver the product: generate your drafts, plans, fit analyses, and mocks.
- To bill you correctly and handle refunds.
- To respond when you email us.
- To debug and improve the product (aggregate, never tied back to an individual).
We do not sell your data, share it with advertisers, or use your essays to train third-party AI models outside of the request that generates your draft.
Who has access
- You: always. Everything in your account is yours and visible only to you.
- Our service providers: Supabase (database + auth), Stripe (payments), Anthropic (essay generation), ElevenLabs (voice mock), Vercel (hosting), and Resend (email). Each only sees the data needed to do their job. None of them sell or share your data.
- Legal: if required by valid subpoena or court order. We will fight overreach and notify you when legally permitted.
Your rights
You can view, edit, export, or delete your data at any time:
- Edit anything from Settings.
- Delete your entire account from Settings → Danger zone. This removes everything within 30 days.
- Email us at the address below for a full data export.
If you're in the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA — email us and we'll honor them.
Data retention
We keep your data as long as your account is active. When you delete your account, we delete the data within 30 days. Payment records may be kept longer where required by tax / accounting law (typically 7 years).
Security
All data is encrypted in transit (HTTPS) and at rest (Supabase managed Postgres encryption). Row-level security policies ensure one user can never read another's data. Stripe handles all card data and is PCI-DSS Level 1 certified.
Contact
Questions, data requests, or concerns? Email hello@premedcopilot.com. We read everything.