Privacy Policy

Effective Date: January 1, 2025
Last Updated: March 21, 2026

MED PREPS LLC (“Company,” “we,” “us,” or “our”) operates the NRCME Prep website located at nrcmeprep.com (the “Site”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit the Site, create an account, or use our services. By using the Site, you consent to the practices described in this policy.

We are committed to protecting your privacy and handling your data responsibly. Please read this policy carefully. If you do not agree with our practices, please do not use the Site.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Registration Data: When you create an account, we collect your name, email address, username, and password. We may also collect your professional title or credentials if provided.
  • Payment Information: When you purchase access to the Service, your payment is processed by our third-party payment processor, Stripe, Inc. We receive confirmation of your transaction, including the last four digits of your card, transaction amount, and date. We do not receive, store, or process your full credit card number, CVV, or other sensitive payment credentials on our servers.
  • Communications: If you contact us through our contact form, by email, or through any other channel, we collect your name, email address, and the content of your message.
  • Refund Requests: If you submit a refund request, we collect the information you provide in that request, including your account email and reason for the request.

1.2 Information Collected Automatically

  • Usage Data: We automatically collect information about how you interact with the Service, including pages visited, tests taken, questions answered, scores achieved, time spent on pages, and navigation patterns.
  • Device and Technical Data: We collect your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and access times.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to maintain your login session, remember your preferences, analyze site usage, and improve performance. See Section 5 for more information about cookies.
  • Log Data: Our servers automatically record information created by your use of the Service, including request details, IP addresses, browser types, referring pages, and timestamps.
  • Session Recordings and Heatmaps: We use Microsoft Clarity to record anonymized user sessions, including mouse movements, clicks, scrolls, and page interactions. These recordings help us understand how visitors use the Site and identify usability issues. Clarity automatically masks sensitive input fields such as passwords. No keystrokes in password or payment fields are captured.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To create and maintain your account, provide access to content, track your test progress and scores, and deliver the Service you purchased.
  • Payment Processing: To process your purchase, issue receipts, and handle refund requests.
  • Communication: To respond to your inquiries, send account confirmation and purchase receipts, notify you of important changes to the Service or our policies, and provide customer support.
  • Service Improvement: To analyze usage patterns, identify areas for improvement, develop new features, and improve the quality and accuracy of our content.
  • Security and Fraud Prevention: To detect unauthorized access, prevent account sharing, identify fraudulent activity, and protect the security and integrity of the Service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

We do not sell, rent, or trade your personal information to third parties. We do not send marketing or promotional emails unless you have explicitly opted in to receive them. You may opt out of marketing communications at any time.

3. How We Share Your Information

We may share your information only in the following limited circumstances:

  • Service Providers: We share data with third-party service providers who perform services on our behalf, including payment processing (Stripe), web hosting, and site analytics. These providers are contractually obligated to use your information only for the purposes of providing services to us and to maintain appropriate security measures.
  • Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Site of any change in ownership or use of your personal information.
  • With Your Consent: We may share your information for any other purpose with your explicit consent.

4. Third-Party Services

The Service uses the following third-party services that may receive or process your data:

  • Stripe, Inc. (payment processing): Processes payment transactions securely in compliance with PCI-DSS Level 1 standards. See Stripe’s Privacy Policy.
  • Google Analytics (GA4) (site analytics): Collects anonymized usage data including pages visited, session duration, traffic sources, and device information to help us understand how visitors use the Site. Data is processed by Google LLC. See Google’s Privacy Policy.
  • Google Tag Manager (tag management): Manages the deployment of analytics and advertising tags on the Site. Google Tag Manager itself does not collect personal data but facilitates other services that may.
  • Google Ads (advertising and conversion tracking): Tracks conversions from Google search advertisements to measure advertising effectiveness. May use cookies to attribute website actions to ad clicks. See Google’s Privacy Policy.
  • Google reCAPTCHA v3 (spam and bot protection): Protects registration and login forms from automated abuse. reCAPTCHA collects hardware and software information, such as device and application data, and sends it to Google for analysis. See Google’s Privacy Policy.
  • Microsoft Clarity (session recording and heatmap analytics): Records anonymized visitor sessions including mouse movements, clicks, scrolls, and page interactions to help us understand user behavior and improve Site usability. Clarity masks sensitive input fields automatically. Session data is processed by Microsoft Corporation and may be used by Microsoft to improve its products and services. See Microsoft’s Privacy Statement.
  • Web Hosting Provider: Our hosting provider stores site data, including account information and usage data, on servers located in the United States.
  • LiteSpeed Cache: Used for site performance optimization. Caches page content to improve load times. No personally identifiable information is shared with LiteSpeed Technologies.
  • Rank Math SEO: Used for search engine optimization. May process anonymized site analytics data.

Each third-party provider is subject to its own privacy policy. We encourage you to review their policies. We are not responsible for the privacy practices of third-party services.

5. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for the Site to function properly, including maintaining your login session and processing transactions. These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings to enhance your experience.
  • Analytics Cookies: Help us understand how visitors use the Site, which pages are most popular, and how we can improve the user experience.
  • Session Recording Cookies: Used by Microsoft Clarity to record anonymized visitor sessions for heatmap and session replay analysis. These cookies identify unique sessions and track page interactions but do not capture sensitive input data such as passwords or payment details.
  • Advertising Cookies: Used by Google Ads to track conversions from advertisements and measure campaign effectiveness. These cookies help us understand which ads lead to actions on our Site.
  • Performance Cookies: Used by our caching system to deliver content faster.

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling cookies may affect the functionality of the Service, including your ability to log in or access purchased content. For more information about cookies, visit allaboutcookies.org.

6. Data Security

MED PREPS LLC takes the security of your personal information seriously. We implement reasonable administrative, technical, and physical safeguards designed to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data transmitted between your browser and our servers
  • Secure, hashed password storage
  • Access controls limiting employee and contractor access to personal data on a need-to-know basis
  • Regular security updates to our server infrastructure and software

However, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You use the Service at your own risk.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will remove or anonymize your personal information within thirty (30) days, except where we are required by law to retain certain records, such as:

  • Payment transaction records (retained for tax and accounting purposes as required by law)
  • Records necessary for fraud prevention or legal compliance
  • Data required to resolve disputes or enforce our agreements

8. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal data:

  • Right to Access: You may request a copy of the personal data we hold about you.
  • Right to Correction: You may request that we correct inaccurate or incomplete personal data.
  • Right to Deletion: You may request that we delete your account and associated personal data, subject to the retention requirements described in Section 7.
  • Right to Opt Out: You may opt out of marketing communications at any time by following the unsubscribe instructions in any email or by contacting us directly.
  • Right to Data Portability: Where technically feasible, you may request a copy of your data in a structured, commonly used, machine-readable format.

To exercise any of these rights, please contact us through our contact page. We will respond to verified requests within thirty (30) days. We may ask you to verify your identity before processing your request.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt Out of Sale: We do not sell your personal information. If we ever change this practice, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a CCPA/CPRA request, contact us through our contact page. We will verify your identity before processing the request and respond within 45 days.

10. International Users

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country. By using the Service, you consent to the transfer of your information to the United States.

If you are a resident of the European Economic Area (EEA) or the United Kingdom, we process your data on the legal basis of contract performance (to deliver the Service you purchased), legitimate interests (to improve and secure the Service), and consent (where applicable). You may withdraw consent at any time by contacting us.

11. Children’s Privacy

The Service is intended for use by adults aged 18 and older. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EEA). If we learn that we have collected personal data from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

12. Changes to This Privacy Policy

MED PREPS LLC may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you by email or by posting a prominent notice on the Site. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Information

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

MED PREPS LLC
Email: Contact Us
Website: nrcmeprep.com

We will make every reasonable effort to resolve your concerns promptly.

Mobile Applications

We offer mobile applications for iOS (and later Android). When you use the app we may collect:

  • Account information — email address and a session token, the same data as the web sign-in.
  • Practice progress — which questions you have seen, answered correctly or incorrectly, flagged for review, and your last attempt on each. Stored locally on your device and synced to our servers under your account.
  • Device information — device model, OS version, and app version, for diagnostics.
  • Apple In-App Purchase receipts — product identifier, purchase date, and expiration timestamp. Received from Apple when you make an in-app purchase.

We do not collect: precise location, contacts, photos, microphone audio, camera video, calendar, health, or any data unrelated to test preparation. We do not use third-party advertising SDKs in the app. We do not perform cross-app tracking.

In-App Purchases

The iOS app offers in-app purchases for time-tiered access to the question bank (Cram, Study, and Unlimited tiers). Purchases are processed entirely by Apple via the App Store — we never see your credit card details. Apple sends us a receipt containing the product identifier, purchase date, and expiration timestamp, which we use to grant access to the corresponding exam content across both your mobile app and the website.

In-app purchases do not auto-renew. Each purchase grants a fixed period of access. You may add additional time at any point by initiating a new purchase.

Apple’s Privacy Policy governs the App Store transaction itself: https://www.apple.com/legal/privacy/.

Account Deletion (Mobile)

The mobile app includes an in-app account deletion option, located under Settings → Delete account. Deleting your account permanently removes your user record, practice progress, and any remaining purchased access. You may also request deletion via our contact page. We retain anonymized aggregate usage statistics (no personally identifiable information) for product improvement.

Authentication and Email

When you sign in to the iOS app, we generate a 6-digit code and a magic-link token, send them to your email via Postmark, and verify the code or token when you enter it in the app. The code is single-use and expires after 15 minutes. Sign-in codes are transactional messages required to access your account; they are not marketing.

Subprocessors

We use the following third-party services to operate the Service. Each is contractually bound to handle your data only on our instructions:

  • Apple Inc.: App Store payment processing and receipt verification. Receives purchase receipts, product identifiers, transaction IDs.
  • Stripe, Inc.: Web payment processing. Receives email, last 4 of card, billing zip (Stripe handles card data directly).
  • Postmark (ActiveCampaign): Transactional email delivery (sign-in codes, receipts). Receives email address and message content.
  • Sentry (Functional Software, Inc.): Crash and error diagnostics. Receives stack traces, app version, OS version, user ID (your email).
  • PostHog, Inc.: Product analytics. Receives anonymized event names, screen names, user ID (your email).
  • Amazon Web Services: Backend hosting. Holds all account data, encrypted at rest.

Standard Contractual Clauses are in place for processors that transfer data outside the European Economic Area.

Information collected by our mobile apps

When you use our iOS app (NRCME Test Prep), we collect:

  • Contact information. Your email address, used as your account identifier.
  • User-generated content. Your practice progress: which questions you have seen, your answer to each, whether each was correct, and which you have flagged for review. Synced to our servers under your account so you can continue on any device.
  • Purchase history. When you make an in-app purchase, Apple sends us a receipt containing the product identifier, purchase date, and (for timed tiers) the expiration timestamp. We use this to verify and activate your access. We do not receive your credit-card number from Apple.
  • Identifiers. A user ID (your email address) linked across our backend, Sentry, and PostHog so we can correlate your account with diagnostics and product-analytics events.
  • Diagnostics. App version, device model, OS version, crash stack traces, and slow-frame reports. Used for debugging and reliability improvements.
  • Usage data. Anonymized event names tied to your user ID: screens visited, features used, time spent. Used to understand which parts of the app are working and where users get stuck.

We do not collect the Apple IDFA (Identifier for Advertisers). We do not perform App Tracking Transparency tracking. We do not use third-party advertising SDKs. We do not share your data with data brokers.

Apple Privacy Nutrition Labels

For our iOS apps, we declare the following categories of data collection to Apple:

  • Contact Info → Email Address (linked to identity, used for app functionality)
  • Identifiers → User ID (linked to identity, used for app functionality and analytics)
  • Purchases → Purchase History (linked to identity, used for app functionality)
  • User Content → Other User Content: your practice progress (linked to identity, used for app functionality)
  • Diagnostics → Crash Data, Performance Data (linked to identity, used for app functionality)
  • Usage Data → Product Interaction (linked to identity, used for analytics)

None of these categories are used for tracking, advertising, or sale to data brokers.

In-App Account Deletion

You may delete your account at any time from within the iOS app: Settings → Account → Delete account. You may also request deletion by emailing support@nrcmeprep.com from the address on the account.

Deletion is irreversible and removes your user record on our backend, your practice progress, any remaining purchased access tied to the account, and your Sentry and PostHog user identity (anonymized). Apple retains its own copy of your App Store purchase history per Apple’s terms; we cannot remove data Apple holds. Stripe retains payment records for tax and accounting purposes per its terms.

International Data Transfers

Apple, Postmark, Sentry, PostHog, Stripe, and AWS act as data processors under Article 28 of the GDPR. Standard Contractual Clauses (SCCs) are in place where data is transferred outside the European Economic Area. You may request a copy of the relevant SCC by emailing support@nrcmeprep.com.