Privacy Policy

Last updated: January 10, 2025

1. Introduction

Scalpel ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using Scalpel, you consent to the data practices described in this policy.

If you do not agree with this policy, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide

When you register and use Scalpel, you may provide:

  • Account Information: Name, email address, password
  • Profile Information: GPA, test scores (MCAT, GRE, etc.), coursework, experiences, demographics
  • Application Data: School lists, timelines, program preferences, application materials
  • Uploaded Documents: Transcripts, test score reports, resumes, CVs
  • Communications: Messages to support, feedback, survey responses
  • Payment Information: Billing address, payment method details (processed by Stripe)

2.2 Information Automatically Collected

When you use the Service, we automatically collect:

  • Usage Data: Pages viewed, features used, time spent, click patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies and Similar Technologies: Session cookies, preference cookies, analytics cookies
  • Log Data: Access times, error logs, API requests

2.3 Information from Third Parties

  • Authentication Providers: When you sign in with Clerk (Google OAuth, email), we receive basic profile information
  • Payment Processors: Stripe provides transaction and subscription status information
  • Analytics Services: We may use Google Analytics or similar services to understand usage patterns

3. How We Use Your Information

We use your information to:

3.1 Provide and Improve the Service

  • Create and manage your account
  • Generate AI-powered program recommendations
  • Process uploaded documents with document intelligence
  • Provide personalized insights and analytics
  • Manage timelines and application tracking
  • Improve our AI models and algorithms
  • Develop new features and functionality

3.2 Process Payments

  • Process subscription payments through Stripe
  • Manage billing, invoicing, and refunds
  • Detect and prevent fraud

3.3 Communicate with You

  • Send transactional emails (welcome, payment confirmations, password resets)
  • Provide customer support
  • Send important service updates and notifications
  • Send marketing emails (you can opt out anytime)
  • Request feedback and conduct surveys

3.4 Analytics and Research

  • Understand how users interact with the Service
  • Analyze trends in admissions and program data
  • Create aggregated, anonymized statistics

3.5 Legal and Security

  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect against fraud, abuse, and security threats
  • Respond to law enforcement requests

4. How We Share Your Information

We do NOT sell your personal information to third parties. We may share your information with:

4.1 Service Providers

We share information with trusted third-party service providers who help us operate the Service:

  • Clerk: Authentication and user management
  • Stripe: Payment processing and subscription management
  • Cloud Infrastructure: Hosting, storage, and databases (AWS, Vercel, Railway, etc.)
  • AI Providers: OpenAI for AI-powered features (your data is NOT used to train their models)
  • Analytics: Google Analytics or similar (anonymized data)
  • Email Services: Transactional email delivery (SendGrid, Resend, etc.)

These providers are contractually bound to protect your information and use it only for the purposes we specify.

4.2 Aggregated Data

We may share aggregated, anonymized data that does not identify you personally (e.g., "40% of users applied to programs in California").

4.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or government request, or to protect our rights, property, or safety.

4.4 Business Transfers

If Scalpel is acquired, merged, or sold, your information may be transferred to the new entity. You will be notified of any such change.

4.5 With Your Consent

We may share your information with third parties when you explicitly consent.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
  • Access Controls: Only authorized personnel have access to user data, on a need-to-know basis.
  • Authentication: Secure authentication via Clerk with multi-factor authentication support.
  • Payment Security: We never store full credit card details. Payments are processed by PCI-compliant Stripe.
  • Regular Audits: We regularly review our security practices and infrastructure.
  • Monitoring: We monitor for suspicious activity and security threats.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

  • Active Accounts: Data is retained while your account is active
  • Deleted Accounts: After account deletion, most data is removed within 30 days
  • Legal Requirements: Some data (e.g., billing records) must be retained for tax and legal compliance (typically 7 years)
  • Anonymized Data: Aggregated, anonymized data may be retained indefinitely for analytics

7. Your Privacy Rights

7.1 Access and Update

You can access and update your profile information at any time through your account settings.

7.2 Data Portability

You can export your data (school lists, timelines, etc.) through the export features available to Pro users.

7.3 Account Deletion

You may request account deletion by contacting support@scalpel.app. We will delete your data within 30 days, except where retention is required by law.

7.4 Marketing Opt-Out

You can unsubscribe from marketing emails by clicking the "unsubscribe" link in any marketing email or updating your preferences in account settings. Note: You will still receive transactional emails (e.g., payment confirmations, password resets).

7.5 Cookie Preferences

You can control cookies through your browser settings. Note that disabling cookies may limit Service functionality.

7.6 Additional Rights (GDPR, CCPA)

If you are located in the European Economic Area (EEA), United Kingdom, or California, you may have additional rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we use your data
  • Right to Object: Object to processing of your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent
  • Right to Non-Discrimination: Not be discriminated against for exercising your rights

To exercise these rights, contact us at support@scalpel.app. We will respond within 30 days.

8. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for authentication and core functionality
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Understand how you use the Service (Google Analytics)
  • Marketing Cookies: Track conversions from ads (if applicable)

You can control cookie preferences through your browser settings. Disabling cookies may affect Service functionality.

9. Third-Party Links

The Service may contain links to third-party websites (e.g., program websites, AAMC, AACOMAS). We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies.

10. Children's Privacy

Scalpel is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are under 18, you must have parental or guardian consent to use the Service. If we learn that we have collected information from a child under 13, we will delete it immediately.

11. International Data Transfers

Scalpel is based in the United States. If you access the Service from outside the U.S., your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer.

For EEA users: We rely on Standard Contractual Clauses approved by the European Commission for international data transfers.

12. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

12.1 Categories of Information Collected

We collect the following categories of personal information:

  • Identifiers (name, email, account ID)
  • Commercial information (subscription, payment history)
  • Internet activity (usage data, log files)
  • Education information (GPA, test scores, coursework)
  • Professional information (experiences, activities)
  • Inferences (program recommendations, admissions probability)

12.2 Sale of Personal Information

We do NOT sell your personal information to third parties.

12.3 Your CCPA Rights

  • Right to Know what personal information we collect, use, and share
  • Right to Delete your personal information
  • Right to Opt-Out of sale (not applicable - we don't sell data)
  • Right to Non-Discrimination for exercising your rights

To exercise your CCPA rights, email support@scalpel.app or use the "Do Not Sell My Personal Information" link in our footer (if applicable).

13. European Privacy Rights (GDPR)

If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR):

13.1 Legal Basis for Processing

We process your personal data based on:

  • Contract: To provide the Service you've subscribed to
  • Consent: When you've given explicit consent (e.g., marketing emails)
  • Legitimate Interests: To improve the Service, prevent fraud, ensure security
  • Legal Obligation: To comply with laws and regulations

13.2 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at: support@scalpel.app

13.3 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Email: support@scalpel.app
  • Website: https://scalpel.app
  • Data Protection Officer: support@scalpel.app

By using Scalpel, you acknowledge that you have read, understood, and agree to this Privacy Policy.