Data Usage Policy

Last Updated: February 23, 2026

1. Overview

This Data Usage Policy explains how CAA Readiness Index collects, uses, stores, and protects data submitted through our calculator and website. We are committed to transparency about our data practices and your rights regarding your information.

2. Data Collection Methods

2.1 Account Information

When you create an account, we collect:

Email address (used for authentication)
Display name (optional)
Profile avatar (optional, stored in Supabase)

Storage: Account data is securely stored on Supabase servers with row-level security. Only you can access your own data.

2.2 Calculator Input Data

When you use our CRI Calculator, we collect:

Cumulative GPA (0.00–4.00 scale)
Science GPA (0.00–4.00 scale)
Test Type (MCAT or GRE selection)
Test Score (your standardized test score)

Processing: This data is sent to our backend API for real-time score calculation and returned to your browser. It is not permanently stored on the backend server.

2.3 Saved Results

When you save a CRI result, the following is stored in your Supabase account:

Your input values (cGPA, sGPA, test type, test score)
Calculated CRI score and percentile
Timestamp of the calculation

Free accounts may save up to 1 result. Premium accounts may save up to 3 results.

2.4 Payment Information

If you subscribe to Premium, payment is processed by Stripe. We do not store your credit card number, CVV, or full billing details. Stripe provides us with a customer ID, subscription status, and billing period dates. Stripe's handling of your payment data is governed by their Privacy Policy.

2.5 Personal Statement Swapper Data

When you use the PS Swapper, we collect:

First name and last name (shared with your matched reviewer)
Email address (for contact between matched users)
Personal statement file (PDF, DOC, DOCX, or TXT, max 10MB) or Google Docs link
PS Swapper preferences (participation mode, daily limits)
Match history (sender and reviewer pairings)
Notification state (read status, accept/deny actions)

Storage: Uploaded files are stored in a private Supabase Storage bucket. Files are shared only with your matched reviewer and are deleted once a submission is fully resolved or denied with no re-match available.

2.6 Analytics Data

We use Google Analytics to collect anonymized usage data, including page views and navigation patterns, time spent on pages, approximate geographic location (country/region level), device and browser type, and referring websites.

3. How We Use Your Data

3.1 Score Calculation

Your academic data is used exclusively to calculate your personalized CRI score, generate z-scores and percentile rankings, create distribution charts showing your position relative to other applicants, and provide customized feedback and recommendations.

3.2 Account Management

Your account information is used to authenticate you, display your profile, manage your saved results, and process your Premium subscription (if applicable).

3.3 Personal Statement Swapper

Your PS Swapper data is used to anonymously match you with a peer reviewer, facilitate the exchange of personal statement feedback, enforce daily limits and prevent duplicate submissions, and send real-time notifications about match status. Your personal statement is shared only with your matched reviewer and is not used for any other purpose.

3.4 Saved Results and Premium Features

Your saved results data powers features like the Program Matcher, Discord Post Generator, and results history. Premium analytics features use aggregated dataset statistics — your individual data is never shared with other users.

3.5 Aggregate Analysis

We analyze aggregate, anonymized data to update trend analyses, improve calculation accuracy, generate statistical insights, and identify patterns in applicant profiles.

Note: Aggregate data cannot be traced back to individual users.

3.6 Service Improvement

Analytics data helps us optimize website performance, identify technical issues, understand which features are most valuable, and make data-driven decisions about new features.

4. Data Storage and Retention

4.1 Supabase (Account and Saved Results)

Your account data, profile information, and saved CRI results are stored securely on Supabase servers with row-level security (RLS). Only you can access your own data through authenticated requests.

4.2 Stripe (Payment Data)

Payment and subscription data is managed by Stripe. Your sensitive payment details (card numbers, CVV) are stored exclusively by Stripe in PCI-DSS compliant infrastructure and are never stored on our servers.

4.3 Local Storage (Your Browser)

Some user preferences (such as theme settings or dismissed prompts) may be stored in your browser's localStorage. This data remains on your device and is not transmitted to our servers.

4.4 Server Storage

Historical dataset (anonymized aggregate data, no individual identifiers)
Analytics data (Google Analytics stores anonymized usage data for 26 months)
Log files (server logs retained for 90 days for security)

4.5 Data Retention Period

Account data: Retained until you delete your account
Saved results: Retained until you delete them or delete your account
PS Swapper files: Deleted when a submission is resolved or denied with no re-match; removed when you delete your account
PS Swapper match history: Retained for duplicate-reviewer prevention; removed when you delete your account
Subscription records: Retained by Stripe per their data retention policy
Analytics data: 26 months via Google Analytics
Aggregate statistics: Retained indefinitely for research purposes
Server logs: 90 days

5. Data Security Measures

HTTPS encryption — all data transmitted is encrypted
Secure hosting — enterprise-grade security infrastructure
Access controls — limited personnel access to any stored data
Regular security audits — periodic reviews of our security practices
Anonymization — personal identifiers stripped from any stored data

6. Third-Party Services

Supabase

Provides authentication, database, and file storage for user accounts, saved results, and profile avatars. Data is secured with row-level security. Supabase Privacy Policy

Stripe

Processes Premium subscription payments. Stripe is PCI-DSS Level 1 compliant. We never see or store your full card details. Stripe Privacy Policy

Google Analytics

Tracks website usage and performance. Data collected includes anonymized usage patterns, device info, and approximate location.

Opt-out available via the Google Analytics Opt-out Browser Add-on.

7. Your Data Control Options

7.1 Account and Saved Results

Delete individual saved results from the Saved Results page
Manage your PS Swapper preferences and participation mode from Account Settings
Update your profile information from Account Settings
Delete your entire account and all associated data from Account Settings

7.2 Subscription Management

Cancel your Premium subscription from Account Settings or the Stripe billing portal
View your billing history through the Stripe billing portal

7.3 Clear Local Data

Clear your browser's localStorage/cache
Use private/incognito browsing mode
Clear site data in your browser settings

7.4 Opt Out of Analytics

Install the Google Analytics Opt-out Browser Add-on
Enable "Do Not Track" in your browser settings
Use browser extensions that block analytics scripts

7.5 Cookie Management

You can control cookies through your browser settings. Note that disabling cookies may affect website functionality, including authentication.

8. Data Sharing and Disclosure

We DO NOT sell, rent, or trade your data.

We may share anonymized, aggregate data in published research, with educational institutions for statistical analysis (no individual data), and in public reports about applicant trends. We may disclose data if required by law, court order, or to protect our legal rights.

9. Premium Data — Permitted and Prohibited Use

9.1 Permitted Use

Premium analytics, charts, program data, and insights are provided for your personal, individual use only. You may use Premium data to inform your own academic planning and program research.

9.2 Prohibited Use

You may not:

Take screenshots or screen recordings of Premium content
Copy, transcribe, or reproduce Premium data in any format
Share, redistribute, publish, or publicly display Premium analytics
Use Premium data for commercial, academic research, or third-party purposes
Use automated tools or scraping to extract data from Premium pages

Violations of these restrictions may result in immediate account termination without refund. See our Terms of Service for full details.

10. Children's Data

Our service is intended for individuals 18 years or older, or those with parental consent. We do not knowingly collect data from children under 13. If we become aware of such collection, we will promptly delete the information.

11. Changes to This Policy

We may update this Data Usage Policy to reflect changes in our practices or legal requirements. We will post updates on this page with a revised "Last Updated" date. Significant changes will be prominently announced on our website.

12. Contact and Questions

If you have questions about our data practices, contact us at: criscore.org@gmail.com

Response time: We aim to respond within 48 hours.

13. Your Rights Summary

You have the right to:

Know what data we collect and how we use it
Access any data we store about you
Request correction of inaccurate data
Delete your saved results at any time
Delete your account and all associated data
Cancel your Premium subscription at any time
Opt out of analytics tracking
Clear your local data at any time
File a complaint with relevant data protection authorities