Privacy Policy
Effective date: [[OWNER: effective date, e.g. July 1, 2026]]
This policy is a good-faith starting template, not legal advice. The business owner and an attorney must review it — and complete every [[OWNER: …]] field — before launch, including obligations under GDPR, CCPA/CPRA, and any other applicable laws.
This Privacy Policy explains how [[OWNER: legal company / entity name]] (“OtoResidENT”, “we”, “us”) collects, uses, and shares information when you use the OtoResidENT study application (the “Service”).
1. Information we collect
- Account information. Your email address and any profile details you provide (such as display name, PGY level, or training program). We use passwordless magic-link sign-in, so we do not store passwords.
- Billing information. When you subscribe, our payment processor (Stripe) collects and processes your payment details. We receive limited billing metadata (e.g. subscription status, plan, last four digits, billing country) but never your full card number.
- Usage data. Study activity such as topics read, flashcard reviews, case scores, bookmarks, and progress, used to power your dashboard and spaced repetition.
- AI tutor content. The questions and messages you send to the AI tutor, processed to generate responses.
- Technical data. Standard log data (IP address, device/browser type, timestamps) and cookies used for authentication and basic analytics.
2. What we do not collect
We do not collect protected health information (PHI). OtoResidENT is not a HIPAA covered entity or business associate and must not be used to store or process identifiable patient data. The AI tutor is configured to refuse identifiable clinical scenarios.
3. How we use information
- to provide, maintain, and personalize the Service;
- to process subscriptions, billing, and free trials;
- to power study features such as progress tracking and spaced repetition;
- to communicate with you about your account, security, and updates;
- to monitor, secure, debug, and improve the Service; and
- to comply with legal obligations and enforce our Terms.
4. Cookies & similar technologies
We use strictly necessary cookies to keep you signed in and to operate the Service, and we may use limited analytics cookies to understand aggregate usage. You can control cookies through your browser settings; disabling necessary cookies may break sign-in. [[OWNER: if you add analytics/marketing cookies or a consent banner, describe them and the legal basis here.]]
5. Third-party service providers
We share data with vendors who process it on our behalf to run the Service:
- Supabase — authentication and database hosting (account and usage data).
- Stripe — subscription billing and payment processing.
- OpenAI and/or Anthropic — large-language-model processing for the AI tutor and content pipeline (your prompts are sent to these providers to generate responses).
These providers are bound by their own terms and data-processing agreements. We do not sell your personal information. [[OWNER: confirm the final list of subprocessors and their data-processing locations; add any analytics or email vendors you use.]]
6. Data retention
We retain your information for as long as your account is active and as needed to provide the Service. After account deletion, we delete or anonymize personal data within a reasonable period, except where we must retain it for legal, tax, accounting, or legitimate business purposes. [[OWNER: specify exact retention periods.]]
7. Data storage & security
Data is stored with our providers in the United States. We use reasonable technical and organizational measures to protect your information, but no method of transmission or storage is completely secure. [[OWNER: confirm hosting regions and security commitments.]]
8. Your rights
Depending on where you live, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing or withdraw consent. To exercise these rights, contact us at privacy@otoresident.com. We will respond as required by applicable law. [[OWNER: add jurisdiction-specific disclosures (e.g. CCPA/CPRA categories, GDPR legal bases, EU/UK representative) as needed.]]
9. Children's privacy
The Service is not directed to children under 18, and we do not knowingly collect their personal information.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email, and the effective date above will be updated.
11. Contact
Questions or privacy requests? Contact [[OWNER: legal company / entity name]] at privacy@otoresident.com (or support@otoresident.com), [[OWNER: registered business mailing address]].