Privacy Policy
Last updated: April 13, 2026
SterileProtocol respects your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data. We do not sell your personal information to third parties.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication and account recovery.
- Name (optional) — used to personalize your experience.
- Password — stored as a salted scrypt hash; we never store or see your plaintext password.
Usage Data
When you use the Service, we automatically collect:
- Quiz answers and performance data — certification track, question responses, accuracy rates, study streaks, and spaced repetition scheduling. This powers your progress dashboard and adaptive learning engine.
- Instrument search queries — search terms entered in the GUDID lookup. This is not linked to your account unless you are logged in.
- Feedback submissions — bug reports, feature requests, and question flags you submit through the feedback widget.
Technical Data
We collect standard web server logs including IP addresses, browser type, and page visit timestamps for security monitoring and performance optimization. We use a minimal analytics pixel for aggregate traffic measurement.
2. How We Use Your Information
| Data | Purpose | Legal Basis |
|---|---|---|
| Email & name | Account authentication, personalization | Contract performance |
| Quiz performance | Adaptive learning, progress tracking, spaced repetition | Contract performance |
| Search queries | Caching GUDID results for faster future lookups | Legitimate interest |
| Feedback | Product improvement, bug fixes | Legitimate interest |
| Server logs | Security monitoring, abuse prevention | Legitimate interest |
| Subscription data | Payment processing, access control | Contract performance |
3. Data Sharing
We share data only with the following third-party services, and only as necessary to operate the Service:
- Stripe — processes subscription payments. Stripe receives your payment information directly; we do not store credit card numbers.
- Neon (PostgreSQL hosting) — hosts our database. All data is stored in the United States.
- Render — hosts our web application infrastructure.
We do not sell, rent, or share your personal data with advertisers or data brokers.
4. Data Retention
- Account data is retained for as long as your account is active. If you request account deletion, we will delete your data within 30 days.
- Quiz performance data is retained for as long as your account is active to maintain your progress and spaced repetition schedules.
- Server logs are retained for 90 days, then automatically purged.
- GUDID cache data (public FDA data) is retained indefinitely to improve search performance.
5. Data Security
We implement the following security measures:
- Passwords are hashed using scrypt with unique per-user salts.
- All data in transit is encrypted via TLS (HTTPS).
- Database connections use SSL encryption.
- Authentication tokens expire after 30 days.
- Admin access is restricted and logged.
6. Your Rights
You have the right to:
- Access your personal data — your dashboard shows your quiz history and progress.
- Correct inaccurate data — contact us to update your account information.
- Delete your account and all associated data — email us at the address below.
- Export your data — upon request, we will provide your data in a machine-readable format.
7. Cookies and Local Storage
SterileProtocol uses:
- localStorage to store your authentication token (sp_token) and a minimal analytics visitor ID (polsia_vid). No third-party tracking cookies are used.
- IndexedDB to cache protocol data for offline access via the service worker.
We do not use advertising cookies or third-party tracking pixels beyond our own minimal analytics beacon.
8. eIFU / GUDID Instrument Search
The instrument search feature is publicly accessible without authentication. Search queries submitted without a logged-in account are not linked to any personal data. Cached device results are sourced from the U.S. FDA GUDID public API and openFDA, and are public domain data.
9. Children's Privacy
SterileProtocol is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us for removal.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For privacy inquiries, data deletion requests, or questions about this policy, contact us at [email protected].