Data Usage Policy
1. Overview
This Data Usage Policy explains how CAA Readiness Index collects, uses, stores, and protects data submitted through our calculator and website. We are committed to transparency about our data practices and your rights regarding your information.
2. Data Collection Methods
2.1 Account Information
When you create an account, we collect:
- Email address (used for authentication)
- Display name (optional)
- Profile avatar (optional, stored in Supabase)
Storage: Account data is securely stored on Supabase servers with row-level security. Only you can access your own data.
2.2 Calculator Input Data
When you use our CRI Calculator, we collect:
- Cumulative GPA (0.00–4.00 scale)
- Science GPA (0.00–4.00 scale)
- Test Type (MCAT or GRE selection)
- Test Score (your standardized test score)
Processing: This data is sent to our backend API for real-time score calculation and returned to your browser. It is not permanently stored on the backend server.
2.3 Saved Results
When you save a CRI result, the following is stored in your Supabase account:
- Your input values (cGPA, sGPA, test type, test score)
- Calculated CRI score and percentile
- Timestamp of the calculation
Signed-in users may save calculation results to their account.
2.4 CRI Calculation Logs
Each time you use the CRI Calculator we log the following:
- Your CRI score and percentile
- The exact cGPA, sGPA, test type, and test score you entered
- Timestamp of the calculation
- If you are signed in: your user ID and the display name on your profile
What other users see: The Recent Community Activity feed and Community Score Distribution render only the score, GPA range (e.g., 3.4–3.6), and test-score range from these records. Your username, email, and user ID are never displayed to other users. The full record (including your user ID) is retained on our backend for powering your dashboard's “most recent calculation” lookup and for aggregate statistical analysis.
2.5 CAA Program Response Tracker Data
When you submit data to the CAA Program Response Tracker, we collect:
- School name and application status (interview, accepted, waitlisted, rejected)
- Optional notes you provide
Display: Tracker submissions are displayed publicly in the aggregated community dashboard. All users can view the aggregated data.
2.6 Analytics Data
We use Google Analytics to collect anonymized usage data, including page views and navigation patterns, time spent on pages, approximate geographic location (country/region level), device and browser type, and referring websites.
3. How We Use Your Data
3.1 Score Calculation
Your academic data is used exclusively to calculate your personalized CRI score, generate z-scores and percentile rankings, create distribution charts showing your position relative to other applicants, and provide customized feedback and recommendations.
3.2 Account Management
Your account information is used to authenticate you, display your profile, and manage your saved results.
3.3 Saved Results
Your saved results data powers features like the Program Matcher, Discord Post Generator, and results history. Analytics features that use aggregated dataset statistics never expose your individual data to other users.
3.4 Community Features
Anonymized CRI calculation logs are used to populate the Recent Community Activity feed on the dashboard, showing recent calculation events with scores, GPA ranges, and test score ranges. Timestamps are jittered by ±5 minutes to further protect privacy. These same logs are used to generate the Community Score Distribution histogram, which displays aggregate score counts across 10-point buckets. No individual users can be identified from this data.
3.5 CAA Program Response Tracker
Data submitted to the CAA Program Response Tracker is aggregated and displayed publicly to help applicants understand how programs are responding across the community.
3.6 Aggregate Analysis
We analyze aggregate, anonymized data to update trend analyses, improve calculation accuracy, generate statistical insights, and identify patterns in applicant profiles. Aggregate data cannot be traced back to individual users.
3.7 Service Improvement
Analytics data helps us optimize website performance, identify technical issues, understand which features are most valuable, and make data-driven decisions about new features.
4. Data Storage and Retention
4.1 Supabase (Account and Saved Results)
Your account data, profile information, and saved CRI results are stored securely on Supabase servers with row-level security (RLS). Only you can access your own data through authenticated requests.
4.2 Local Storage (Your Browser)
Some user preferences (such as theme settings or dismissed prompts) may be stored in your browser's localStorage. This data remains on your device and is not transmitted to our servers.
4.3 Server Storage
- Historical dataset (anonymized aggregate data, no individual identifiers)
- Analytics data (Google Analytics stores anonymized usage data for 26 months)
- Log files (server logs retained for 90 days for security)
4.4 Data Retention Period
- Account data: Retained until you delete your account
- Saved results: Retained until you delete them or delete your account
- CRI calculation logs: Retained indefinitely for community features and aggregate analysis (linked to your user ID while signed in; never shown publicly with your identity)
- CAA Tracker submissions: Retained until deleted by the user or account deletion
- Analytics data: 26 months via Google Analytics (only after consent)
- Aggregate statistics: Retained indefinitely for research purposes
- Server logs: 90 days
- Deleted-account records: After account deletion we retain a one-way SHA-256 hash of your email (no plaintext) plus your former user ID indefinitely for fraud and abuse prevention. The hash cannot be reversed to reconstruct your email address.
5. Data Security Measures
- HTTPS encryption — all data transmitted is encrypted
- Secure hosting — enterprise-grade security infrastructure
- Access controls — limited personnel access to any stored data
- Regular security audits — periodic reviews of our security practices
- Anonymization — personal identifiers stripped from any stored data
6. Third-Party Services
Supabase
Provides authentication, database, and file storage for user accounts, saved results, and profile avatars. Data is secured with row-level security. See the Supabase Privacy Policy.
Google Analytics
Tracks website usage and performance. Data collected includes anonymized usage patterns, device info, and approximate location. Opt-out available via the Google Analytics Opt-out Browser Add-on.
Vercel Analytics
Privacy-focused website analytics that tracks page views and visitor counts. Vercel Analytics does not use cookies, does not collect personal data, and does not track users across sites. See the Vercel Analytics Privacy Policy.
7. Your Data Control Options
7.1 Account and Saved Results
- Delete individual saved results from the Saved Results page
- Manage your PS Swapper preferences and participation mode from Account Settings
- Update your profile information from Account Settings
- Delete your entire account and all associated data from Account Settings
7.2 Clear Local Data
- Clear your browser's localStorage/cache
- Use private/incognito browsing mode
- Clear site data in your browser settings
7.3 Opt Out of Analytics
- Install the Google Analytics Opt-out Browser Add-on
- Vercel Analytics is cookie-free and collects no personal data — no opt-out needed
- Enable “Do Not Track” in your browser settings
- Use browser extensions that block analytics scripts
7.4 Cookie Management
You can control cookies through your browser settings. Note that disabling cookies may affect website functionality, including authentication.
8. Data Sharing and Disclosure
We DO NOT sell, rent, or trade your data.
We may share anonymized, aggregate data in published research, with educational institutions for statistical analysis (no individual data), and in public reports about applicant trends. We may disclose data if required by law, court order, or to protect our legal rights.
9. Premium Data — Permitted and Prohibited Use
9.1 Permitted Use
Premium analytics, charts, program data, and insights are provided for your personal, individual use only. You may use Premium data to inform your own academic planning and program research.
9.2 Prohibited Use
You may not:
- Take screenshots or screen recordings of Premium content
- Copy, transcribe, or reproduce Premium data in any format
- Share, redistribute, publish, or publicly display Premium analytics
- Use Premium data for commercial, academic research, or third-party purposes
- Use automated tools or scraping to extract data from Premium pages
Violations of these restrictions may result in immediate account termination without refund. See our Terms of Service for full details.
10. Age Requirement
Our service is intended for users 18 years of age or older. CRI is built for adults applying to graduate-level professional programs. We do not knowingly collect data from anyone under 18. If we become aware of such collection, we will promptly delete the information.
11. Your Rights Under GDPR (EEA, UK, Switzerland)
If you are in the EEA, the United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. Email team@criscore.org from the address on your account to exercise any of these rights; we will respond within 30 days.
Legal bases: consent (analytics, marketing email), contract performance (account, calculator, saved results), legitimate interest (fraud prevention, security, aggregate research).
12. Your Rights Under CCPA/CPRA (California)
California residents may request to know, delete, or correct personal information we hold about them. We do not sell or share your personal information for cross-context behavioral advertising. Submit a verifiable request from the email on your account to team@criscore.org. We will not discriminate against you for exercising these rights.
13. Changes to This Policy
We may update this Data Usage Policy to reflect changes in our practices or legal requirements. We will post updates on this page with a revised “Last Updated” date. Significant changes will be prominently announced on our website.
14. Contact and Questions
If you have questions about our data practices, contact us at: team@criscore.org
Response time: We aim to respond within 48 hours.