Privacy Policy
This Privacy Policy describes how MedNow (“MedNow,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you visit or use mednowapp.com (the “Website”) and any related products or services (collectively, the “Services”).
By accessing or using the Website or Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Website or Services. Questions? Contact us at team@mednowapp.com.
1. Information We Collect
A. Automatically Collected Data
When you visit or use the Website, we and our service providers automatically collect technical and usage data, including:
- Log Data: IP address, browser type and version, operating system, device type and model, referring and exit pages, pages viewed, date and time of access, clickstream data, and time spent on pages.
- Device Information: Hardware model, operating system version, unique device identifiers, mobile carrier, and browser characteristics.
- Usage and Performance Data: Features used, quiz performance, study session durations, topics reviewed, questions answered (correctly and incorrectly), session frequency, and interaction patterns within the Services.
- Approximate Location: General geographic location (city/state/country level) derived from your IP address. We do not collect precise GPS coordinates.
- Technical Diagnostics: Error logs, crash reports, and performance data used to diagnose technical problems and improve the Services.
This data does not identify you individually and is used to analyze trends, administer the Services, troubleshoot issues, and improve platform performance.
B. Information You Provide Directly
MedNow collects personal information that you voluntarily provide when you:
- Create an account: Name, email address, and authentication credentials (managed through Google Firebase Authentication, including Google Sign-In or email/password).
- Purchase a Subscription: Billing and payment information, processed exclusively by Stripe, Inc. MedNow does not store full payment card numbers.
- Configure account settings: Exam type and target date, daily study goals, notification preferences, and other settings you choose.
- Contact us or submit feedback: Name, email address, and any content included in your message or submission.
- Register as an Educator: Institution name, role, program or class details, and certification focus area.
- Participate in surveys or promotions: Responses and contact information where voluntarily provided.
C. Information from Third-Party Sign-In Providers
If you sign in using Google Sign-In or another third-party provider, we receive profile information (such as your name, email address, and profile photo) as permitted by the permissions you grant to that provider. We collect only the information necessary to create and manage your account.
D. Information We Do NOT Collect
MedNow does not collect:
- Social Security numbers or government ID numbers;
- Protected Health Information (PHI) as defined under HIPAA;
- Biometric identifiers or biometric information (fingerprints, facial geometry, etc.);
- Financial account numbers (payment cards are handled exclusively by Stripe); or
- Real patient data, clinical records, or any information that could identify an actual patient.
3. Third-Party Service Providers
We use the following service providers to operate the Services. Each processes your data only as directed by MedNow and under contractual obligations consistent with this Policy:
Google Firebase (Google LLC)
We use Firebase Authentication for account management (including email/password and Google Sign-In) and Firebase Firestore (a NoSQL cloud database) to store account data, study progress, subscription status, and settings. Firebase is SOC 2 Type II certified. Data stored in Firestore may be processed in the United States and other regions where Google operates data centers. See Firebase's Privacy and Security documentation.
Stripe, Inc.
We use Stripe to process all payment transactions. When you provide payment information, it is transmitted directly to and stored by Stripe. MedNow does not receive or store full credit card numbers. Stripe is PCI DSS Level 1 certified. Stripe's use of your payment information is governed by Stripe's Privacy Policy.
OpenAI, L.L.C.
We use OpenAI's API to generate AI-powered quiz questions, explanations, and study materials. Certain anonymized or pseudonymized study session data (topics, question performance, difficulty preferences) may be transmitted to OpenAI to generate personalized content. We do not transmit your full name, payment details, or other sensitive personally identifiable information to OpenAI. Our data processing agreement with OpenAI prohibits OpenAI from using API-submitted data to train its public models. See OpenAI's Privacy Policy.
Resend, Inc.
We may use Resend to send transactional emails, including account notifications and service updates. Resend receives your email address for this purpose and processes it under its own privacy policy.
Vercel, Inc.
The Website is hosted on Vercel. Vercel may process technical data (IP addresses, request logs) as part of our hosting environment. See Vercel's Privacy Policy.
Google Analytics (Google LLC)
As described in Section 2, we use Google Analytics for website usage analysis. Data is processed by Google subject to Google's Privacy Policy and data processing terms.
All third-party service providers are contractually required to process your data only as directed by MedNow, to maintain reasonable security measures, and to refrain from using your data for their own independent purposes. MedNow does not sell, rent, or lease your personal information to any third party.
4. AI and Machine Learning Disclosure
- Adaptive Personalization: We analyze anonymized performance data (quiz scores, topics, session duration) to generate personalized study recommendations and adapt content difficulty to your level.
- Content Generation: AI-generated questions, explanations, and study materials are created using the OpenAI API. Anonymized session context is sent to OpenAI solely to generate relevant content for you in real time.
- Internal Improvement: We may use de-identified and aggregated usage data and feedback to improve content quality, platform features, and our AI content generation pipelines.
- No Sale to AI Developers: We do not sell your personally identifiable information to any third-party AI developer. Any third-party AI services we use are bound by contractual agreements prohibiting them from training public AI models on your data.
- No Fully Automated Adverse Decisions: MedNow does not make legally significant or similarly impactful decisions about you based solely on automated processing without human review.
5. Health-Related Data and HIPAA Clarification
MedNow is an educational platform for exam preparation and is not a covered entity, business associate, or healthcare provider under the Health Insurance Portability and Accountability Act (“HIPAA”). The information you provide to MedNow is not Protected Health Information (PHI) as defined by HIPAA.
You should not submit any actual patient data, PHI, or information capable of identifying any real patient through the Services. All clinical scenarios and case examples used in study materials are fictional and for educational purposes only.
MedNow does not collect sensitive health information about you personally (such as your medical diagnoses, prescriptions, or clinical records) unless you voluntarily disclose such information in feedback or communications, in which case it is treated as general personal information under this Policy.
6. How We Use Your Information
We use the information we collect for the following purposes:
- To create, authenticate, manage, and maintain your account;
- To provide, operate, maintain, and improve the Services;
- To personalize your study experience based on performance, preferences, and goals;
- To process payments, manage Subscriptions, and send receipts and invoices;
- To send transactional emails and service-related communications (account notices, password resets, security alerts);
- To send marketing or promotional communications where you have consented or where permitted by applicable law (you may opt out at any time);
- To analyze usage patterns and conduct internal research to improve the Services and our AI content;
- To troubleshoot technical issues and ensure the security and integrity of the Services;
- To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Use;
- To comply with legal obligations, respond to legal process, and enforce our Terms of Use and other agreements;
- To respond to your inquiries, support requests, and feedback;
- To contact you regarding inappropriate or unauthorized use of the Services; and
- For any other purpose with your consent.
7. De-Identification and Aggregated Data
MedNow may de-identify or aggregate information collected through the Services so that it no longer identifies any individual. De-identified or aggregated data is not personal information and is not subject to this Privacy Policy. MedNow may use, disclose, publish, sell, or share de-identified or aggregated data for any lawful purpose without restriction, including to analyze industry trends, improve the Services, develop new products, or share with research partners and the public.
De-identification means that information has been modified such that it cannot reasonably be used to identify an individual, either alone or in combination with other reasonably available information. MedNow implements appropriate technical and organizational measures to maintain de-identification.
8. Disclosure of Your Information
MedNow does not sell, rent, or trade your personal information. We may share your information in the following circumstances:
Service Providers
We share information with vendors performing services on our behalf (hosting, payment processing, analytics, email delivery, AI content generation) as described in Section 3. These providers may only process your data as directed by MedNow and are contractually prohibited from independent use.
Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a materially different privacy policy.
Legal Requirements and Safety
We may disclose your information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to: (i) comply with applicable law or legal process; (ii) protect the rights, property, or safety of MedNow, our users, or the public; (iii) detect, prevent, or address fraud, security, or technical issues; or (iv) enforce our Terms of Use or other agreements.
Educator-Student Context
If you are a student who joins an educator's class using an invite code, your progress data and performance metrics may be visible to your educator within that class context. Students must actively opt in to join a class. Educators may not access data of users outside their class, and may only use student data for legitimate educational purposes.
With Your Consent
We may share your information for any other purpose with your explicit, informed consent.
9. Security Incident Response
In the event of a data security incident that may affect your personal information, MedNow will:
- Promptly investigate the incident and assess the scope of exposure;
- Take reasonable steps to contain and remediate the incident;
- Notify affected users within the timeframes required by applicable law (in the U.S., typically within 30–72 hours of determining a breach has occurred, depending on state law; in the EU/UK, within 72 hours of awareness);
- Provide information about what data was involved, what steps we have taken, and what steps you can take to protect yourself; and
- Report the incident to applicable regulatory authorities as required by law.
MedNow maintains an incident response plan and conducts periodic security reviews. However, no security system is impenetrable. MedNow cannot guarantee the absolute security of your information and expressly disclaims liability for any loss, misuse, or unauthorized access, except to the extent caused by our willful misconduct or gross negligence.
10. Information Security
MedNow implements commercially reasonable technical, administrative, and physical safeguards to protect your personal information, including:
- HTTPS/TLS encryption for all data in transit;
- Firebase's enterprise-grade security infrastructure (SOC 2 Type II certified);
- Firestore security rules restricting unauthorized data access;
- HttpOnly, Secure, SameSite session cookies for authentication;
- Payment processing exclusively through PCI DSS Level 1-compliant Stripe;
- Role-based access controls limiting employee access to user data; and
- Regular internal security audits and vulnerability assessments.
Despite these measures, no transmission over the Internet or electronic storage system is 100% secure. Please review our Terms of Use for limitations on MedNow's liability for unauthorized access to your information.
11. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Services and fulfill the purposes described in this Policy. Specifically:
- Account Data: Retained for the duration of your account. Upon deletion, we will delete or anonymize personal data within thirty (30) days, except where retention is required by law.
- Payment Records: Retained as required by applicable tax and financial recordkeeping laws, typically seven (7) years.
- Usage / Performance Data: De-identified or aggregated usage data may be retained indefinitely for internal analytics and product improvement.
- Support Communications: Customer support records and feedback retained for up to two (2) years to improve our support processes.
- Legal Hold: We may retain certain data for longer periods where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
12. Updating Your Information
You have the right to access, correct, and update the personal information we hold about you. You can review and update your account information at any time through your account settings. To request deletion of your account or to correct information that cannot be updated through settings, contact team@mednowapp.com. We will respond to all verifiable requests within thirty (30) days.
13. Opting Out of Marketing Communications
You may opt out of marketing or promotional emails at any time by clicking the “unsubscribe” link in any marketing email or by contacting team@mednowapp.com. Even if you opt out of marketing, we will continue to send transactional communications (receipts, security alerts, service notifications) while your account is active.
We do not share your personal information with third parties for their own direct marketing purposes without your consent.
14. Links to Other Sites
The Website may contain links to third-party websites. MedNow is not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies solely to information collected by MedNow through the Website and Services.
15. Children's Privacy (COPPA)
The Website and Services are intended for users who are at least 18 years of age. MedNow does not knowingly collect, solicit, or use personal information from children under the age of 13 (“children”) in violation of the Children's Online Privacy Protection Act (“COPPA”).
If MedNow learns or has reason to believe a user is under age 13, it will promptly delete that user's personal information and terminate their account. If you are a parent or guardian and believe your child has provided personal information to MedNow without your consent, please contact us immediately at team@mednowapp.com with the subject line “COPPA Request” and we will take prompt action.
16. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) provide you with the following rights.
Categories of Personal Information Collected
In the preceding 12 months, MedNow has collected the following categories:
- Identifiers: name, email address, IP address, account ID;
- Personal records: payment information (processed by Stripe, not stored by us);
- Commercial information: subscription records, transaction history;
- Internet/electronic network activity: usage data, clickstream, quiz performance, interaction history;
- Geolocation data: approximate location from IP address; and
- Inferences: study preferences, performance patterns, content recommendations.
Your California Rights
- Right to Know: Request disclosure of the specific personal information collected about you, categories of sources, business purposes, and categories of third parties with whom it is shared.
- Right to Delete: Request deletion of your personal information, subject to exceptions (e.g., completing a transaction, legal compliance, fraud prevention).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: MedNow does not sell personal information for money. To the extent our use of analytics constitutes “sharing” for cross-context behavioral advertising, you may opt out by enabling a Global Privacy Control (GPC) signal.
- Right to Limit Sensitive Personal Information: We do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise these rights, contact team@mednowapp.com with subject line “California Privacy Request.” We may verify your identity before processing your request. We will respond within forty-five (45) days, with a possible forty-five (45) day extension where necessary. You may designate an authorized agent to submit a request on your behalf.
17. California Do Not Track Disclosure
California law requires disclosure of how we respond to “Do Not Track” (DNT) signals. There is no universally accepted standard for responding to DNT browser signals. We do not currently alter our data collection or use practices in response to DNT signals. However, we do honor Global Privacy Control (GPC) signals as described in Section 16.
18. International Users and Data Transfers
MedNow is operated in the United States, and our servers are located in the United States. If you access the Website from outside the United States — including from the EU, EEA, UK, Canada, or any other jurisdiction — please be aware that your information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your country.
By using the Services, you consent to the transfer of your information to the United States. We take steps to ensure that data transferred internationally is handled in accordance with applicable legal requirements.
19. EU, EEA, and UK Users — GDPR Rights
Legal Basis for Processing
Where GDPR or UK GDPR applies, we process your personal data on the following legal bases:
- Contract: Processing necessary to perform our obligations to provide the Services.
- Legitimate Interests: Processing for operating and improving the Services, fraud prevention, and security, where not overridden by your interests or rights.
- Consent: Where you have given express consent (e.g., marketing emails). You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable law.
Your GDPR Rights
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction of Processing: Request restriction of how we process your data in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format and transfer it to another controller.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making: Not to be subject to legally significant decisions made solely by automated means without human review.
To exercise these rights, contact team@mednowapp.com. We will respond within thirty (30) days. If you are dissatisfied with our response, you may lodge a complaint with the supervisory authority in your country of residence.
International Data Transfers (EU/UK)
Your personal data may be transferred to and processed in the United States. Where required by law, we rely on appropriate data transfer mechanisms — such as Standard Contractual Clauses adopted by the European Commission — to ensure adequate protection for transfers of personal data outside the EU/EEA/UK.
20. Required Disclosures
MedNow may disclose your personal information when required to do so by law, regulation, legal process, or government request, or when we believe in good faith that disclosure is necessary to: (i) comply with applicable law or legal process; (ii) protect and defend our rights or property; (iii) protect the personal safety of users of the Services or the public; or (iv) prevent or investigate possible wrongdoing in connection with the Services. Where permitted by law, we will attempt to notify you before disclosing your information in response to legal process.
21. Do Not Sell or Share My Personal Information
MedNow does not sell your personal information to third parties for monetary consideration. We do not share your personal information with third parties for their own direct marketing purposes without your consent.
To the extent our use of Google Analytics constitutes “sharing” personal information under California law, you may opt out by: (i) enabling the Global Privacy Control (GPC) signal in your browser; or (ii) installing the Google Analytics Opt-Out Browser Add-On.
22. Changes to This Privacy Policy
MedNow reserves the right to update this Privacy Policy at any time. We will post the revised Policy on the Website with an updated “Last Updated” date. For material changes to our data collection, use, or sharing practices, we will provide at least thirty (30) days' advance notice by prominently posting a notice on the Website and/or sending an email to the address associated with your account (where required by applicable law).
Your continued use of the Website or Services after the effective date of any revised Privacy Policy constitutes your acceptance. If you do not agree to the revised Policy, you must stop using the Services and may request account deletion.
23. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
Email: team@mednowapp.com
Subject: “Privacy Inquiry”
Website: mednowapp.com
We aim to respond to all privacy-related inquiries within thirty (30) days.