Privacy Policy

Our Commitment

Your privacy matters to us. This policy explains what data we collect, how we use it, and your rights. We've written this in plain language because we believe you shouldn't need a law degree to understand how your data is handled.

The short version: We collect what we need to provide the service, we don't sell your data, and you can delete everything at any time.

1. What We Collect

Account Information

Email address (required for account)
Name (as you provide it)
Password (stored securely hashed, we can never see it)
Program type you're applying to

Application Data

Schools you're applying to and their statuses
Academic information (GPA, test scores) you enter
Essays and personal statements you upload
Documents (transcripts, letters, etc.)
Interview schedules and practice sessions
Tasks, deadlines, and timeline data

Email Data (If Connected)

When you connect your email, we access:

Emails from medical schools and application services (AMCAS, etc.)
Email metadata (sender, subject, date) to identify relevant emails
Email content to extract application updates

We only process emails related to your applications. We filter by sender domain (university emails, application services) and do not read personal emails from friends, family, or unrelated services.

Interview Practice Data

Voice recordings from practice sessions
Your responses to interview questions
AI-generated feedback and scores
Competency tracking over time

Technical Data

IP address and approximate location
Browser type and device information
Pages visited and features used
Error logs for debugging

2. How We Use Your Data

Provide the service: Track your applications, update statuses, generate timelines
Email intelligence: Parse incoming emails to detect secondaries, interviews, decisions
AI features: Power interview practice, essay feedback, and school recommendations
Improve the product: Understand how features are used to make them better
Send notifications: Deadline reminders, important updates (you can opt out)
Customer support: Help you when you contact us

3. What We Don't Do

We don't sell your data. Ever. To anyone.
We don't share your data with schools. Your application data is never sent to admissions committees.
We don't use your essays to train AI. Your personal content is not used to improve our models without explicit consent.
We don't read irrelevant emails. Personal emails are filtered out before processing.
We don't show you ads. We make money from subscriptions, not advertising.

4. Data Storage & Security

Your data is stored securely:

Encrypted in transit (HTTPS) and at rest
Hosted on secure cloud infrastructure (MongoDB Atlas, Vercel)
Documents stored in private cloud storage with signed URLs
Passwords hashed using industry-standard algorithms
Regular security reviews and updates

No system is 100% secure. If we discover a breach affecting your data, we will notify you promptly.

5. Third-Party Services

We use these services to operate URGrad:

Stripe: Payment processing (we never see your full card number)
Google/Microsoft/Yahoo: Email OAuth when you connect your inbox
OpenAI/Anthropic: AI models for interview practice and essay feedback
MongoDB Atlas: Database hosting
Vercel: Application hosting

Each of these services has their own privacy policy. We only share the minimum data necessary for each service to function.

6. Your Rights

You have the right to:

Access your data: Download a copy of your information
Correct your data: Update inaccurate information
Delete your data: Request complete deletion of your account
Disconnect email: Revoke email access at any time
Opt out of emails: Unsubscribe from marketing communications

To exercise these rights, visit your account settings or contact us at privacy@urgrad.com.

7. Account Deletion

When you delete your account, we will:

Delete your profile and account information
Delete all application data (schools, essays, documents)
Delete all email data we've stored
Delete interview recordings and practice history
Delete all stored files and documents

What we retain: We may keep anonymized, aggregated data (e.g., "X users applied to school Y") that cannot identify you. We also retain Stripe payment records as legally required for tax and accounting purposes.

Deletion is permanent and cannot be undone. Allow up to 30 days for complete deletion from all systems and backups.

Delete your account →

8. Data Retention

We retain your data for as long as your account is active. After deletion:

Most data: Deleted immediately
Backups: Purged within 30 days
Payment records: Retained for 7 years (legal requirement)
Anonymized analytics: Retained indefinitely

9. Cookies

We use cookies for:

Authentication: Keep you logged in
Preferences: Remember your settings (dark mode, etc.)
Analytics: Understand how the site is used

We don't use cookies for advertising or tracking across other websites.

10. Children's Privacy

URGrad is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

11. International Users

URGrad is based in the United States. If you're accessing from outside the US, your data will be transferred to and processed in the US. By using URGrad, you consent to this transfer.

For EU/UK users: We process your data under legitimate interests (providing the service you signed up for). You have additional rights under GDPR including data portability and the right to lodge a complaint with your local data protection authority.

12. Changes to This Policy

We may update this policy from time to time. If we make significant changes, we'll notify you via email and/or a prominent notice on the site. Continued use after changes constitutes acceptance.

13. Contact Us

Questions about privacy? Contact us at privacy@urgrad.com