Med Qbank

Privacy Policy

Last Updated: May 2026


1. Introduction

Med Qbank ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your personal data when you visit our website, and tells you about your rights under UK GDPR and the Data Protection Act 2018.

2. The Data We Collect

We collect the following categories of personal data:

  • Identity Data: Username, User ID.
  • Contact Data: Email address.
  • Technical Data: IP address (at account creation and each login), browser User-Agent string, HTTP Referer URL at registration, browser language preferences (Accept-Language header), approximate timezone, login count, and timestamps of account creation and last login. This is collected automatically from your browser and our server logs.
  • Profile Data: Your username, hashed password, quiz progress, scores, quiz history, and any AI-generated tests you create.
  • Preference Data: Whether you have opted in to display your username on the public leaderboard.
  • Referral Data: A unique referral code assigned to your account; the referral code of the person who referred you (if applicable); referral conversion and reward history.
  • Financial Data: We do not store full credit card details. Payment transactions are handled exclusively by Stripe. We store only your Stripe customer ID and subscription status/end date.

3. How We Use Your Data

We use your personal data only where the law permits. The main purposes are:

  • Performance of Contract: To register your account, authenticate you, deliver quiz content you have paid for, and manage your subscription.
  • Legitimate Interests: To analyse site traffic and improve our service (via Google Analytics); to enforce our single-session policy and detect unauthorised account sharing (via session tokens and IP logging); to prevent fraud, abuse, and denial-of-service attacks (via rate limiting and IP data); and to operate the referral programme, including fraud detection (e.g. flagging referrals originating from the same IP address as the referrer).
  • Opt-in Features: If you choose to appear on the public leaderboard, your username and score statistics will be visible to all logged-in users. You can withdraw this at any time from your Profile page.
  • Legal Obligation: To retain transaction records for tax and accounting purposes.

4. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using secure algorithms (scrypt/PBKDF2) and are never stored in plaintext.
  • All connections are secured via HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enforced.
  • Session cookies are marked HttpOnly, Secure, and SameSite=Lax.
  • Only one active session is permitted per account at a time. Logging in on a new device immediately invalidates any existing session.
  • Database access is restricted to authorised personnel only.
  • A Content Security Policy (CSP) is enforced on all pages to mitigate cross-site scripting attacks.

5. Third-Party Services

We share data with the following trusted third parties to operate our service:

  • Stripe: Processes all payments. Your payment card details are handled entirely by Stripe and are never transmitted to our servers. See the Stripe Privacy Policy.
  • Google Analytics: Tracks aggregate site usage (page views, session duration, etc.) on every page for all visitors, including logged-in users. No personally identifiable information is deliberately sent to Google Analytics, but your IP address may be processed by Google. See the Google Privacy Policy.
  • Cloud Hosting Providers: We use cloud infrastructure to host our application and database. These providers process data only on our instructions.

Some of our third-party providers are based outside the UK/EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law. If you request account deletion, your personal identifiers (email, username, IP addresses) are removed from our active database. We may retain anonymised or aggregated usage data and transaction records where required for legal, accounting, or fraud-prevention purposes.

7. Your Legal Rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") of your personal data.
  • Restriction of processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Data portability where processing is based on consent or contract and carried out by automated means.

To exercise any of these rights, please contact us via the support ticket system in your dashboard. We will respond within 30 days.

8. Cookies and Browser Storage

We use the following mechanisms to store data on your device:

  • Session Cookie (session): An encrypted, server-signed cookie used to authenticate you and maintain your login state. It is marked HttpOnly (not accessible to JavaScript) and Secure (only sent over HTTPS). This cookie is essential; the service cannot function without it.
  • Analytics Cookies: Google Analytics sets cookies (such as _ga and _gid) to count visitors and measure site usage. These are analytical cookies and can be blocked via your browser settings or a tracker-blocking extension.
  • Service Worker Cache: Med Qbank is a Progressive Web App (PWA). Your browser may cache static assets (CSS, fonts) and recently visited pages on your device to enable faster loading and limited offline access. This cache is managed by a service worker and does not contain any personal data. You can clear it via your browser's developer tools or site settings.

You can configure your browser to refuse cookies, but doing so will prevent you from logging in. Blocking analytics cookies has no effect on core functionality.

9. Contact

For any privacy-related queries or to exercise your data rights, please contact us via the Help & Support section of the application.

Med Qbank © 2026