Privacy Policy

Effective date: June 10, 2026  ·  Last updated: June 10, 2026

This Privacy Policy explains what information 280Bound collects, how we use it, who we share it with, and your rights. By using the Service, you agree to the practices described here.

1. Who We Are

280Bound (“we,” “us,” or “our”) is a USMLE Step 2 CK exam preparation platform operated by 280Bound LLC, a Tennessee limited liability company. You can reach us at support@280bound.com.

This Policy applies to the website and services available at https://www.280bound.com (the “Service”).

2. Information We Collect

2.1 Information You Provide

  • Account information: email address, full name, and password (password is hashed and managed by Supabase Auth — we never see it in plaintext)
  • Profile information: optional exam date you set during onboarding
  • Referral data: your referral code and the referral code of the person who referred you, if applicable
  • Feedback: written feedback you submit on individual questions
  • Support communications: emails or messages you send to our support address

2.2 Information Collected Automatically

  • Performance data: questions answered, selected answers, whether each answer was correct, timestamp of each response, session mode (tutor or timed), and error type classifications — stored to power your analytics dashboard and adaptive recommendations
  • Subscription data: your plan status (free or pro), Stripe customer ID, Stripe subscription ID, and subscription expiration date
  • Technical data: IP address, browser type, device type, and operating system — collected by Vercel (our hosting provider) as part of standard server logging

2.3 What We Do NOT Collect

  • We do not store credit card numbers or full payment credentials — all payment data is handled directly by Stripe
  • We do not collect real patient data, protected health information (PHI), or clinical records
  • We do not collect government IDs, Social Security numbers, or sensitive health information about you personally
  • We do not collect data about your USMLE scores or official examination performance

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Personalize your experience — including performance analytics, weak-spot identification, and adaptive question recommendations
  • Process subscription payments and manage your account status
  • Send transactional emails (account confirmation, password reset, payment receipts)
  • Respond to your support requests and feedback
  • Detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service
  • Comply with applicable legal obligations
  • Analyze aggregated, de-identified usage patterns to improve content and product features

We do not sell your personal information to third parties. We do not use your personal data to train AI models. We do not show you advertising.

4. Third-Party Service Providers

We share data with the following third-party service providers who process it on our behalf. Each provider is bound by their own privacy and security obligations.

Supabase, Inc.

Database storage and user authentication. Your account data, performance records, and profile are stored on Supabase servers in the US (us-east-1 region).

supabase.com/privacy

Stripe, Inc.

Payment processing. Stripe receives your payment card details directly — we never see or store your full card number. Stripe is PCI-DSS Level 1 certified.

stripe.com/privacy

Resend, Inc.

Transactional email delivery. Your email address is shared with Resend to send account confirmation, password reset, and support reply emails.

resend.com/legal/privacy-policy

Vercel, Inc.

Web hosting and infrastructure. Vercel processes server-side request logs including IP addresses as part of standard hosting operations.

vercel.com/legal/privacy-policy

Anthropic, PBC

AI question generation via the Claude API. Question generation prompts contain medical educational content only — your personal data is not included in API requests.

anthropic.com/privacy

We do not share your personal information with any other third parties except: (a) as required by law, court order, or government authority; (b) to protect our rights, safety, or property; or (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets (with notice to you).

5. Data Storage and Security

Your data is stored in Supabase's secure cloud database in the United States. We implement reasonable security measures including:

  • Row-level security (RLS) policies ensuring each user can only access their own data
  • Passwords managed by Supabase Auth — never stored in plaintext
  • HTTPS encryption for all data transmitted between your browser and our servers
  • Server-side-only storage of sensitive API keys and service credentials
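As an added illustration of the first and fourth bullets above (an example written for this page, not 280Bound's actual schema or policies), the following shows how a Supabase/Postgres row-level security setup scopes a per-user table to the signed-in user. The table name `responses`, its columns, and the policy names are assumptions.

```sql
-- Added illustration (not 280Bound's real schema): a hypothetical
-- "responses" table holding each user's question responses.
-- auth.uid() is Supabase's helper returning the calling user's id
-- from the JWT; using it as the column default means a client
-- cannot write rows on behalf of someone else.
create table if not exists public.responses (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),
  question_id bigint not null,
  selected    text not null,
  is_correct  boolean not null,
  answered_at timestamptz not null default now()
);

-- Without this statement the policies below are never consulted and any
-- client holding the public anon key can read every row in the table.
alter table public.responses enable row level security;

-- Read: a user sees only rows whose user_id matches their own id.
create policy "responses_select_own" on public.responses
  for select to authenticated
  using (auth.uid() = user_id);

-- Write: WITH CHECK validates the row being written, so a client that
-- sets user_id to another user's id is rejected rather than silently
-- creating data under that account.
create policy "responses_insert_own" on public.responses
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Delete: lets account deletion remove the user's own responses while
-- leaving everyone else's untouched.
create policy "responses_delete_own" on public.responses
  for delete to authenticated
  using (auth.uid() = user_id);
```

Two caveats a reviewer would check: a policy written as `using (true)` makes RLS a no-op for that operation, and the Supabase `service_role` key bypasses RLS entirely, which is why that key belongs only in server-side code and never in the browser bundle.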

While we take reasonable precautions, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by applicable law.

6. Data Retention

We retain your data for the following periods:

  • Account and profile data: for as long as your account remains active, plus up to 30 days after account deletion
  • Performance and response data: tied to your account; deleted when your account is deleted
  • Payment records: retained per Stripe's data retention policies and applicable tax/accounting law (typically 7 years)
  • Support emails: retained for up to 2 years after the support interaction
  • Server logs: retained per Vercel's standard log retention policies

We may retain certain data beyond these periods where required by law, regulation, or to resolve ongoing disputes.

7. Cookies and Tracking

We use the following types of cookies and local storage:

  • Essential cookies: required for authentication sessions managed by Supabase Auth. Without these, you cannot log in or use protected features.
  • No advertising or tracking cookies: we do not use cookies for behavioral advertising, retargeting, or cross-site tracking.

Do Not Track: Your browser may send a “Do Not Track” (DNT) signal. We do not currently respond to DNT signals, as there is no industry-wide standard for what action to take in response. We do not engage in cross-site behavioral tracking regardless of DNT status.

8. International Data Transfers

280Bound is operated from the United States. Our data processors (Supabase, Stripe, Vercel, Resend) store and process data primarily in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the U.S., which may have different data protection laws than your country.

By using the Service, you consent to this transfer. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, see Section 12 for additional rights.

9. Children's Privacy (COPPA)

The Service is intended only for users who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@280bound.com and we will delete it promptly.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request that we correct inaccurate or incomplete data
  • Deletion: request deletion of your account and personal data
  • Portability: request your data in a machine-readable format
  • Opt-out of marketing: unsubscribe from any non-transactional emails at any time

To exercise any of these rights, email us at support@280bound.com with the subject line “Privacy Request.” We will respond within 30 days (or 45 days if California law applies). We may need to verify your identity before processing your request.

11. California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to Know: the categories and specific pieces of personal information we've collected about you, the sources, our business purpose for collection, and the categories of third parties with whom we share it
  • Right to Delete: request deletion of your personal information, subject to certain exceptions
  • Right to Opt Out of Sale: we do not sell personal information; this right is therefore not applicable
  • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at support@280bound.com with the subject line “CCPA Request.” We will respond within 45 days as required by law.

Categories of personal information collected: identifiers (name, email, IP address); commercial information (subscription plan, payment history); internet activity (usage data, performance records); geolocation (country/region from IP); and inferences drawn from the above to power analytics and recommendations.

12. EEA, UK, and Swiss Users — GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent laws may apply to our processing of your personal data.

Legal basis for processing: We process your data based on (a) contract performance — to provide the Service you signed up for; (b) legitimate interests — to improve our service, detect fraud, and ensure security; and (c) legal obligation — to comply with applicable laws.

Your rights under GDPR include: access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and the right to object to processing. You also have the right to lodge a complaint with your local data protection authority.

Please note that 280Bound's primary audience is U.S.-based medical students. While we respect the rights of all users, we do not currently have a formal GDPR representative in the EEA. Contact us at support@280bound.com with any GDPR-related requests.

13. Aggregate and De-Identified Data

We may use and share aggregated, de-identified data that cannot reasonably be used to identify you (for example, “users have an average first-attempt accuracy of X% on Cardiology questions”) for product improvement, research, marketing, or other lawful purposes. This data is not personal information and is not subject to this Privacy Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the change takes effect. Non-material changes (such as clarifications) take effect upon posting with an updated effective date.

Your continued use of the Service after a policy change takes effect constitutes acceptance of the updated Policy.

15. Contact

Questions, concerns, or privacy requests? Contact us:

280Bound — Privacy

Email: support@280bound.com

Website: https://www.280bound.com

For account deletion requests, include “Account Deletion Request” in the subject line. We will process account deletions within 30 days.