Privacy Policy

This Privacy Policy (“Policy”) describes how Navayug Labs LLC, a California limited liability company doing business as Residency Space (“Residency Space,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal information in connection with our website located at residencyspace.com and any related applications, products, and services that link to this Policy (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, please do not use the Services.

We are committed to protecting your privacy and handling your data with transparency, especially given the sensitive nature of the medical education and residency application information you may entrust to us.

1. Information We Collect

We collect personal information in several ways depending on how you interact with the Services.

A. Information You Provide Directly

Account Information

When you create an account, we collect your full name, email address, and password. Your password is cryptographically hashed and is never stored in plain text.

Medical Education Profile

To provide personalized residency program recommendations, we collect information about your medical education and qualifications, including:

• USMLE and COMLEX examination scores (Step 1 pass/fail status, Step 2 CK score, COMLEX Level 1 and Level 2 CE scores)
• Medical school type and name
• Research publications count
• Class rank and academic honors (AOA status, honors in clerkships)
• Away rotations completed
• Visa sponsorship requirements
• Couples matching preferences
• Red flags or gaps in your application (as self-reported)
• Geographic preferences and target specialties

ERAS Application Preparation Data

If you use our ERAS preparation tools, we may also collect:

• Legal name, preferred name, and AAMC ID
• Phone number, mailing address, date of birth, and citizenship status
• Self-identification information
• Educational institutions, degrees, dates of attendance, and GPAs
• Work and volunteer experiences (titles, organizations, dates, descriptions)
• Research publications (titles, institutions, descriptions, PubMed IDs)
• Awards, honors, and certifications (including ACLS, BLS, and expiration dates)
• Hobbies, interests, and personal statement text
• Letters of recommendation details (recommender information, specialty, letter type)
• MSPE/Dean’s letter status

Application Tracking Data

When you track residency applications, we collect your application status, interview dates, personal notes, ranking positions, and AI-generated fit scores and analyses.

Payment Information

If you subscribe to a paid plan, your payment information (credit card number, billing address) is collected and processed directly by our payment processor, Stripe, Inc. We do not store your full credit card number on our servers. We receive and store only your Stripe customer ID and subscription status.

Communications

We collect information when you contact us for support or provide feedback.

B. Information Collected Automatically

When you use the Services, we automatically collect certain technical and usage information, including:

• Device & Browser Data: IP address, browser type and version, operating system, device type, and screen resolution
• Usage Data: Pages visited, features used, actions taken, timestamps, referring URLs, and session duration
• Authentication Data: Session tokens and authentication cookies managed by our infrastructure provider (Supabase)

C. Information From Public-Record Sources

We compile our residency program catalog from publicly available records, including the ACGME Public Accreditation Data System and aggregate statistics published by the National Resident Matching Program (NRMP) in its Charting Outcomes and Program Results reports. This catalog includes items such as program names, institutions, locations, accreditation identifiers, and aggregate program benchmarks. Such public-record information is used under fair use with attribution to the original source; we do not copy, mirror, scrape, or otherwise reproduce any proprietary database in whole or in substantial part, and we do not republish any subscription-gated dataset. No personal information about you is sent to or received from NRMP, ACGME, or any other public-record source.

2. How We Use Your Information

We use your personal information for the following purposes:

Providing & Improving the Services

• Creating and managing your account
• Generating personalized residency program recommendations based on your profile
• Performing AI-powered fit analysis comparing your qualifications to program characteristics
• Enabling you to track and manage residency applications
• Organizing and preparing your ERAS application materials
• Processing subscription payments and managing billing
• Responding to support inquiries and feedback

De-Identified & Aggregated Data Use

We may use information collected through the Services in de-identified or aggregated form to operate, evaluate, and improve our products. Permitted uses include:

• Building and maintaining internal datasets that power program search, fit scoring, analytics, and reporting
• Calibrating, training, evaluating, and improving our proprietary scoring rubric and other internal machine-learning models
• Generating aggregate research and benchmarking insights about residency application trends
• Auditing the quality, accuracy, and fairness of our scoring outputs
• Diagnosing and resolving technical issues with the Services

Before using your information for these purposes, we strip or hash direct identifiers (such as your name, email address, account ID, payment details, and free-text contact fields) and apply industry-standard techniques designed to reduce the risk of re-identification, particularly for small-population subgroups where match data could otherwise be linked back to an individual. Once de-identified in this manner, the information is not treated as personal information under most applicable privacy laws (including the CCPA), is not linked back to your account, and may be retained on an aggregate basis after your account is deleted.

We do not sell de-identified or aggregated data, and we do not transmit it to any third-party artificial-intelligence provider for the purpose of training that provider’s models. Where applicable law gives you a right to opt out of profiling, automated decision-making, or the use of your personal information for product-improvement purposes, you may exercise that right at any time by contacting privacy@residencyspace.com -- noting that an opt-out applies prospectively, and we cannot retrieve or reconstruct information that has already been irreversibly de-identified or aggregated.

Service Improvement & Model Calibration

From time to time we may invite you to voluntarily report your residency match outcomes (for example, the programs at which you interviewed, ranked, or matched) so that we can recalibrate our proprietary scoring rubric against real outcomes. Participation is strictly opt-in. If you choose to participate:

• We will obtain your explicit, separate consent before collecting outcome data, and you may withdraw that consent at any time
• Outcome data is used only in de-identified, aggregated form for calibration analysis -- it is severed from your identifying account fields before it is incorporated into rubric calibration
• We do not publish, sell, or share your individual outcome data, and we do not use it to train third-party AI models
• You can decline to participate without affecting your access to any other feature of the Services

Safety & Security

• Authenticating your identity and protecting your account
• Detecting and preventing fraud, abuse, and unauthorized access
• Enforcing rate limits on AI-powered features
• Maintaining the integrity and availability of the Services

Communications

• Sending transactional emails related to your account (e.g., password resets, subscription confirmations)
• Notifying you of material changes to the Services or this Policy
• Sending marketing communications only if you have opted in (you may opt out at any time)

Legal & Compliance

• Complying with applicable laws, regulations, and legal processes
• Establishing, exercising, or defending legal claims
• Enforcing our Terms of Service

3. Legal Bases for Processing

We process your personal information on the following legal bases:

• Performance of a Contract: Processing necessary to provide you with the Services you have requested, including account creation, profile analysis, and application tracking.
• Consent: Where you have given explicit consent, such as opting in to marketing communications or voluntarily providing sensitive information like examination scores.
• Legitimate Interests: Processing necessary for our legitimate business interests, including improving the Services, ensuring security, and preventing fraud, provided these interests are not overridden by your rights and freedoms.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.

4. When We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

Service Providers

We share information with trusted third-party service providers who assist us in operating the Services, subject to contractual obligations to protect your data. These include:

• Supabase, Inc. -- Database hosting, authentication, and backend infrastructure
• Google LLC (Gemini AI) -- AI-powered fit analysis and program recommendations (see Section 5 for details)
• Stripe, Inc. -- Payment processing and subscription management
• Vercel, Inc. -- Website hosting and content delivery

Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request
• Protect and defend the rights, property, or safety of Residency Space, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Services of any change in ownership or uses of your personal information, as well as any choices you may have.

With Your Consent

We may share your information for other purposes with your explicit consent.

5. Third-Party Services & AI Processing

AI-Powered Analysis (Google Gemini)

Numerical fit scores, sub-scores, and tier assignments are computed by Residency Space’s proprietary, deterministic scoring rubric running on our own servers. The rubric takes your profile inputs and public program benchmarks and produces an auditable numerical result. Your profile information is not required to leave our infrastructure in order to produce a fit score.

When you request a narrative explanation, program recommendation, or other generative output, we send the relevant subset of your profile information (which may include examination scores, medical school details, research experience, visa status, and preferences) along with program data and the rubric’s computed breakdown to Google’s Gemini AI API. Gemini generates plain-English summaries, strengths, and concerns that explain the rubric-produced score; it does not produce, override, or adjust the numerical score or tier.

Important disclosures about AI processing:

• Your data is transmitted to Google’s servers for processing
• Google’s use of data sent through their API is governed by their API Terms of Service
• We do not use your data to train AI models, and we have configured our API usage so that Google does not use your data for model training
• AI-generated analyses are cached in our database to reduce redundant API calls and improve performance
• AI analysis is a premium feature subject to rate limits (usage is tracked per account)

Payment Processing (Stripe)

All payment transactions are processed by Stripe, Inc. When you provide payment information, it is transmitted directly to Stripe using their secure, PCI-DSS compliant infrastructure. We never receive or store your full credit card number. Stripe’s privacy practices are governed by their Privacy Policy.

Infrastructure Providers

Your data is stored and processed using Supabase (database and authentication) and Vercel (hosting). These providers act as data processors on our behalf and are contractually obligated to protect your information. Data is encrypted at rest and in transit.

6. Cookies & Tracking Technologies

We use a minimal set of cookies and similar technologies:

Essential Cookies

• Authentication Cookies: Session cookies set by Supabase (prefixed with sb-) that are strictly necessary for you to log in and use authenticated features. These cannot be disabled without losing access to your account.

Local Storage

• Theme Preference: We store your light/dark mode preference in your browser’s local storage to maintain your display settings across visits. This data never leaves your device.

What We Do Not Use

As of the effective date of this Policy, we do not use:

• Third-party analytics cookies (e.g., Google Analytics)
• Advertising or retargeting cookies
• Social media tracking pixels
• Cross-site tracking technologies

If we introduce any non-essential cookies or tracking technologies in the future, we will update this Policy and, where required by law, obtain your consent before deploying them.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specifically:

• Account Data: Retained for as long as your account is active. Upon account deletion, we will delete or anonymize your personal information within 30 days, except as required for legal compliance.
• Profile & Application Data: Retained for as long as your account is active. You may delete individual applications or profile data at any time through the Services.
• ERAS Preparation Data: Retained for as long as your account is active. Given the sensitive nature of this data, you may request deletion at any time.
• AI Analysis Cache: Fit analyses are cached and retained for as long as your account is active to avoid redundant processing.
• Payment Records: Transaction records are retained for up to seven (7) years as required by tax and financial regulations.
• Usage & Rate-Limiting Logs: AI usage logs are retained for rate-limiting purposes and are periodically purged.
• De-Identified & Aggregated Data: Once data has been de-identified and aggregated as described in Section 2 (“De-Identified & Aggregated Data Use”), it may be retained indefinitely for product, analytics, and machine-learning purposes, even after your account is deleted.

8. Data Security

We implement commercially reasonable technical, administrative, and organizational security measures designed to protect your personal information, including:

• Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest using industry-standard encryption
• Authentication Security: Passwords are cryptographically hashed; session tokens are securely managed via HTTP-only cookies
• Access Controls: Row-Level Security (RLS) is enforced on all database tables, ensuring users can only access their own data
• Key Separation: Sensitive API keys and service credentials are never exposed to client-side code; all privileged operations occur server-side
• Rate Limiting: AI-powered features are subject to per-user rate limits to prevent abuse
• Anti-Spam Protections: Public-facing forms include honeypot fields and timestamp-based validation

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your personal information, subject to certain legal exceptions
• Portability: Request a portable copy of your personal information in a structured, commonly used, machine-readable format
• Restriction: Request that we restrict the processing of your personal information under certain circumstances
• Objection: Object to the processing of your personal information for certain purposes
• Withdrawal of Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, please contact us at privacy@residencyspace.com. We will respond to your request within the timeframe required by applicable law (generally within 45 days for California residents).

We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge you different prices, or provide a different level of quality based on your exercise of these rights.

10. Additional California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”), provides you with additional rights regarding your personal information.

Categories of Personal Information Collected

In accordance with the CCPA, the following table describes the categories of personal information we have collected in the preceding twelve (12) months:

Sale and Sharing of Personal Information

We do not sell your personal information, and we have not sold personal information in the preceding twelve (12) months.

We do not “share” your personal information for cross-context behavioral advertising as defined under the CCPA.

Your CCPA/CPRA Rights

As a California resident, you have the right to:

• Right to Know: Request that we disclose the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the preceding twelve (12) months
• Right to Delete: Request the deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction, security purposes)
• Right to Correct: Request correction of inaccurate personal information we maintain about you
• Right to Opt-Out of Sale/Sharing: Although we do not sell or share personal information, you may submit an opt-out request at any time
• Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to only those purposes necessary to provide the Services
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any of your CCPA rights

How to Exercise Your Rights

You may submit a verifiable consumer request by:

• Emailing us at privacy@residencyspace.com

We will verify your identity before processing your request. For account holders, we will verify your identity by confirming your email address. For non-account holders, we may request additional information to verify your identity.

You may designate an authorized agent to submit a request on your behalf by providing the agent with written permission and verifying your own identity with us, or by providing proof that the agent has power of attorney.

We will respond to verifiable consumer requests within forty-five (45) calendar days of receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.

California “Shine the Light” Law

Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Financial Incentive Programs

We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

Metrics

As required by the CCPA, we will compile and disclose metrics regarding consumer requests received, complied with, denied, and the median response time on an annual basis, once applicable thresholds are met.

11. Sensitive Personal Information

We recognize that certain information you provide -- including medical examination scores, citizenship and immigration status, and self-identification data -- may constitute sensitive personal information under applicable law.

We handle sensitive personal information with heightened care:

• We collect sensitive personal information only when you voluntarily provide it
• We use sensitive personal information only for the purposes of providing the Services you have requested (e.g., generating fit analyses, populating your ERAS preparation)
• We do not use sensitive personal information for purposes beyond what is necessary to provide the Services
• We do not sell or share sensitive personal information
• You may request deletion of your sensitive personal information at any time

Important Note on Medical Information: Residency Space is not a healthcare provider and does not provide medical advice, diagnosis, or treatment. The information you provide regarding your medical education and qualifications is used solely for the purpose of residency program matching and application management. This information is not subject to the Health Insurance Portability and Accountability Act (HIPAA), as we are not a covered entity under HIPAA. However, to the extent the California Confidentiality of Medical Information Act (CMIA) applies, we comply with its requirements.

12. Children’s Privacy

The Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@residencyspace.com, and we will take steps to delete such information promptly.

If we become aware that we have collected personal information from a child under 18, we will delete that information as quickly as practicable.

13. International Data Transfers

Residency Space is operated from the United States. If you are accessing the Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers and central database are operated.

The data protection and other laws of the United States may not be as comprehensive as those in your country of residence. By using the Services, you consent to the transfer of your information to the United States.

Where required by applicable law, we will implement appropriate safeguards for cross-border transfers, including standard contractual clauses or other mechanisms recognized under applicable data protection law.

14. Do Not Track Signals

Some browsers include a “Do Not Track” (DNT) feature that signals to websites that a user does not wish to be tracked. Because there is no accepted standard for how to respond to DNT signals, the Services do not currently respond to DNT signals. However, as described in this Policy, we do not engage in cross-site tracking.

We do honor the Global Privacy Control (GPC) signal as a valid opt-out of the sale or sharing of personal information under the CCPA, to the extent applicable.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last Updated” date at the top of this Policy
• Provide prominent notice on the Services (such as a banner notification)
• Send an email notification to registered users for material changes that affect the use of your personal information

Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us: