Privacy Policy

Last updated: 20 February 2026

1. Who We Are

MedQ ("we", "us", "our") operates the website at unimedq.co.uk and provides an online question bank for medical students. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller responsible for your personal data.

If you have any questions about this policy or how we handle your data, you can reach us at contact@unimedq.co.uk.

2. What Data We Collect

a) Account Data

When you register, we collect:

  • First name and last name
  • Email address
  • Password (stored only as a bcrypt hash — we never store your plaintext password)

b) Profile Data

You may optionally provide:

  • Exam date (used for the countdown feature)

c) Usage Data

As you use MedQ, we collect:

  • Questions answered, options selected, and whether answers were correct
  • Quiz session details (topics selected, time spent, scores)
  • Flashcard review history
  • Flagged questions
  • Study streaks and daily progress

This data powers your personal analytics dashboard, focus area recommendations, and progress tracking.

d) Payment Data

If you subscribe to MedQ Premium, payment is processed by Stripe. We store only your Stripe customer ID and subscription expiry date. We do not store your card number, CVV, or full billing details — these are handled entirely by Stripe. See Stripe's Privacy Policy.

e) Technical Data

We use essential cookies and browser local storage to keep you logged in. We do not use third-party advertising or tracking cookies. See our Cookie Policy for full details.

3. Lawful Basis for Processing

Under UK GDPR, we process your data on the following bases:

  • Contract — Processing your account data, usage data, and payment data is necessary to provide the MedQ service you signed up for (Article 6(1)(b)).
  • Legitimate interests — We analyse aggregate, anonymised usage patterns to improve the service. This does not override your rights (Article 6(1)(f)).

We do not rely on consent as a basis for processing (except for optional cookies, if any are added in the future). We do not carry out automated decision-making or profiling that produces legal effects.

4. How We Use Your Data

  • Provide, maintain, and improve the MedQ service
  • Generate your personal analytics, progress tracking, and focus area recommendations
  • Process payments and manage your subscription via Stripe
  • Send you essential account communications (e.g. password resets, subscription confirmations)
  • Analyse aggregate usage patterns to improve question quality and features

We do not:

  • Sell your personal data to anyone
  • Send marketing emails (unless you opt in)
  • Share your individual study performance with other users, your university, or any third party
  • Use your data for advertising

5. Who We Share Data With

Third Party   | Purpose             | Data Shared
Stripe        | Payment processing  | Email, payment details (handled by Stripe directly)
MongoDB Atlas | Database hosting    | All account and usage data (encrypted at rest)
Vercel        | Application hosting | Server logs (IP addresses, request metadata)

All third-party processors are bound by data processing agreements and process data only on our instructions.

6. Data Storage and Security

  • Data is stored on MongoDB Atlas servers (cloud infrastructure)
  • All data in transit is encrypted using TLS
  • Data at rest is encrypted by MongoDB Atlas
  • Passwords are hashed using bcrypt with a cost factor of 10
  • Authentication uses JSON Web Tokens (JWT) with a 14-day expiry

While we take reasonable technical and organisational measures to protect your data, no system is completely secure. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.

7. Data Retention

  • Active accounts — We retain your data for as long as your account exists.
  • Account deletion — If you delete your account, we will permanently remove your personal data and associated usage data within 30 days.
  • Payment records — We retain Stripe customer IDs and transaction records for up to 7 years to comply with UK tax and accounting obligations.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate or incomplete data
  • Erasure — Request deletion of your account and associated data ("right to be forgotten")
  • Data portability — Request your data in a structured, machine-readable format
  • Restriction — Request that we limit how we process your data
  • Object — Object to processing based on legitimate interests

To exercise any of these rights, email contact@unimedq.co.uk. We will respond within one month.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.

9. International Transfers

Our hosting and database providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, as required by UK GDPR.

10. Children

MedQ is designed for university medical students and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on the service. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at:

Email: contact@unimedq.co.uk