1. Who we are
nbmecalc.com ("NBMEcalc", "we", "us", "our") operates a USMLE Step score predictor at https://nbmecalc.com. This Privacy Policy explains what we collect, why, and how to exercise your rights.
For privacy questions or to exercise rights described below, email privacy@nbmecalc.com.
2. Information we collect
2.1 Information you provide
- Email address — when you create an account, buy a report, or subscribe to our newsletter.
- Practice exam scores — NBME, UWSA, Free 120, AMBOSS, CMS Form scores you enter into the predictor.
- Optional profile data — target exam date, school type (US MD/DO/IMG), notes you choose to add.
- Payment information — handled by Stripe. We never see or store your full card number.
2.2 Information collected automatically
- Usage data — pages visited, predictions run, features used (via privacy-friendly Plausible Analytics — cookieless, no fingerprinting).
- Device data — browser type, OS, screen size, country (city-level only), referrer.
- Cookies — see Section 7.
3. How we use your data
- To run the score predictor and return your results.
- To send the prediction PDF, account confirmations, and (if you opted in) study tips and product updates.
- To improve the algorithm — only aggregated, anonymized data.
- To prevent abuse and rate-limit requests.
- To comply with legal obligations.
We never sell, rent, or trade your personal data. We never share predictor inputs with third parties for advertising.
4. Legal bases (GDPR)
- Contract — to deliver the service you signed up for.
- Legitimate interest — basic usage analytics, fraud prevention.
- Consent — marketing emails, optional cookies. You can withdraw consent any time.
- Legal obligation — tax records, lawful requests.
5. Data sharing
We share data only with these processors, under data-processing agreements:
- Cloudflare — hosting, CDN, edge database (D1) and file storage (R2). Region-aware: EU data stays in EU edge nodes.
- Stripe — payment processing.
- Postal SMTP — transactional and marketing email delivery.
- Plausible Analytics — privacy-friendly, cookieless web analytics.
- Sentry — error monitoring (no PII captured).
We may also disclose data when required by law or to protect rights, property, or safety.
6. Data retention
- Active account data — kept until you delete your account.
- Predictions — kept until you delete them or your account.
- Payment records — 7 years (tax law).
- Magic Link tokens — auto-deleted 1 hour after issue.
- Analytics events — 12 months, then aggregated.
7. Cookies
We use a minimal cookie set:
- Session cookie (nb_session) — keeps you logged in. Expires after 30 days. Strictly necessary.
- Cookie banner state (nb_cookies) — remembers your cookie choice for 30 days. Strictly necessary.
- Analytics — none. Plausible is cookieless.
You can control cookies via your browser settings or our cookie banner.
8. Your rights
You have the right to:
- Access a copy of your data — export as JSON from your dashboard.
- Rectify inaccurate data — edit in your dashboard.
- Erase your data — one-click delete from Settings → Delete account. Hard-deletes within 30 days.
- Restrict / object to processing — email privacy@nbmecalc.com.
- Data portability — JSON export covers everything.
- Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France).
EU residents: this includes all GDPR rights. California residents: this includes CCPA rights.
9. International transfers
Cloudflare provides region-aware data residency. EU user data is stored in EU edge locations. Where data is transferred outside the EEA (e.g. Stripe in the US), we rely on Standard Contractual Clauses.
10. Children
The service is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, email us and we will delete the account.
11. Security
- HTTPS everywhere with HSTS.
- Data encrypted at rest in Cloudflare D1.
- Magic Link tokens are single-use, expire in 1 hour.
- No card data stored on our servers — Stripe handles all payments.
- Strict Content Security Policy.
12. Changes to this policy
We will email registered users at least 30 days before any material change. The "Last updated" date above always reflects the current version.
13. Contact
Questions? privacy@nbmecalc.com or our contact page.