Privacy Policy

Overview

CourseHost (operated by The Center for Medical Education, Inc., “we,” “us,” “our”) provides online medical exam preparation software. This policy explains what data we collect when you use coursehost.org and our mobile apps, how we use it, and your rights over it.

Information we collect

Information you give us

• Account info: name, email, credentials (MD, DO, RN, PA-C, etc.), the exam you're preparing for, and your target exam date.
• Payment info: billing address and payment method. Credit-card numbers are handled by our PCI-compliant payment processor (Stripe) — we never store them on our servers.
• Support communications: any emails, chat messages, or phone calls you send to our support team.

Information collected automatically

• Study activity: questions answered, time spent, accuracy, flagged items, and spaced-repetition ratings. This is the core of the product and what powers your predicted score.
• Device & log data: IP address, browser type, device model, operating system, and pages visited. Used for security and debugging.
• Cookies & similar technologies: see Cookies & tracking below.

Information from third parties

If you sign in with Google, we receive your name, email address, and profile picture from Google. We never see your Google password.

How we use your information

• Deliver the product: show you questions, update your predicted score, queue your Smart Review flashcards, and sync across your devices.
• Bill you: process payments, issue refunds, and redeem Pass Guarantees.
• Communicate with you: send study-plan reminders, product updates, and support replies. You can opt out of non-essential emails at any time.
• Improve the product: aggregate, anonymized study data helps us identify weak questions, calibrate predicted scores, and write better explanations. Your individual data is never shared with other students.
• Protect the platform: detect fraud, abuse, and unauthorized access.

When we share information

We do not sell your personal information. Period. We share data only in these specific cases:

• Service providers who help us run the product (payment processing, email delivery, analytics, customer support tooling). Each one is bound by a data-processing agreement.
• Legal requirements if we're compelled by a court order, subpoena, or applicable law. We'll notify you unless legally prohibited.
• Business transfers if CourseHost is acquired or merged; your data moves with the product, and the acquirer is bound by this policy.
• With your consent for anything outside the above — for example, if you opt in to a research study or public testimonial.

Your rights & choices

Depending on where you live, you may have the right to:

• Access — request a copy of the data we have about you
• Correct — fix anything inaccurate
• Delete — close your account and remove your data (subject to legal record-keeping requirements)
• Port — receive your study data in a machine-readable format
• Opt out — unsubscribe from marketing emails; core product emails (billing, security) are non-optional while you have an active subscription

To exercise any of these rights, email support@ccme.org or use the in-product Account → Privacy settings. We respond within 30 days.

Data security

We take reasonable technical and organizational measures to protect your data:

• All traffic between your device and our servers is encrypted over TLS 1.2+
• Passwords are stored using bcrypt with per-user salts
• Payment data is tokenized by Stripe — CourseHost never sees your card number
• Production databases are encrypted at rest
• Access to systems containing personal data is role-based, logged, and requires two-factor authentication for our staff
• We run third-party penetration tests annually

No system is 100% secure. If we ever become aware of a breach involving your data, we'll notify you as required by applicable law.

Data retention

We keep your personal data for as long as your account is active. If you close your account, we delete most data within 30 days. Some records we must retain longer:

• Billing & tax records: 7 years (US tax law)
• Support tickets: 2 years (for dispute resolution)
• Aggregated, anonymized study data: indefinitely (this cannot be tied back to you)

Cookies & tracking

We use three categories of cookies:

• Strictly necessary — keep you signed in, remember your exam preference, and prevent CSRF attacks. These cannot be disabled.
• Performance & analytics — count visits and understand which features are used (Plausible Analytics, which is privacy-respecting and doesn't cross-site track).
• Functional — remember preferences like dark mode and font size.

We do not use third-party advertising cookies.

Children's privacy

CourseHost is intended for medical students, residents, and licensed professionals. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, please email support@ccme.org and we'll delete it.

International users

CourseHost is operated from the United States. If you access it from outside the US, your data will be transferred to and processed in the US. We use Standard Contractual Clauses (EU SCCs) and the EU-US Data Privacy Framework for transfers from the EU/EEA/UK.

Users in the EU have additional rights under GDPR. California residents have additional rights under CCPA/CPRA.

Changes to this policy

We may update this policy as we add new features or comply with new laws. Material changes will be announced via email at least 30 days before they take effect. The “Last updated” date at the top always reflects the current version.

Contact us

Questions about this policy? Reach our privacy team directly.