CRI LogoCAA Readiness Index

Data Usage Policy

Last updated: March 15, 2026

1. Overview

This Data Usage Policy explains how CAA Readiness Index collects, uses, stores, and protects data submitted through our calculator and website. We are committed to transparency about our data practices and your rights regarding your information.

2. Data Collection Methods

2.1 Account Information

When you create an account, we collect:

  • Email address (used for authentication)
  • Display name (optional)
  • Profile avatar (optional, stored in Supabase)

Storage: Account data is securely stored on Supabase servers with row-level security. Only you can access your own data.

2.2 Calculator Input Data

When you use our CRI Calculator, we collect:

  • Cumulative GPA (0.00–4.00 scale)
  • Science GPA (0.00–4.00 scale)
  • Test Type (MCAT or GRE selection)
  • Test Score (your standardized test score)

Processing: This data is sent to our backend API for real-time score calculation and returned to your browser. It is not permanently stored on the backend server.

2.3 Saved Results

When you save a CRI result, the following is stored in your Supabase account:

  • Your input values (cGPA, sGPA, test type, test score)
  • Calculated CRI score and percentile
  • Timestamp of the calculation

Only Premium accounts may save results (up to 5). Free accounts cannot save results.

2.4 Payment Information

If you purchase Premium, payment is processed by Stripe. We do notstore your credit card number, CVV, or full billing details. Stripe provides us with a customer ID and payment status. Stripe's handling of your payment data is governed by their Privacy Policy.

2.5 Personal Statement Swapper Data

When you use the PS Swapper, we collect:

  • First name and last name (shared with your matched reviewer)
  • Email address (for contact between matched users)
  • Personal statement file (PDF, DOC, DOCX, or TXT, max 10 MB) or Google Docs link
  • PS Swapper preferences (participation mode, daily limits)
  • Match history (sender and reviewer pairings)
  • Notification state (read status, accept/deny actions)

Storage: Uploaded files are stored in a private Supabase Storage bucket. Files are shared only with your matched reviewer and are deleted once a submission is fully resolved or denied with no re-match available.

2.6 CRI Calculation Logs

Each time you use the CRI Calculator, the following anonymized data is logged:

  • Your CRI score and percentile
  • GPA range (e.g., 3.5–3.6) and test score range
  • Test type (MCAT or GRE)
  • Timestamp of the calculation

Privacy: Calculation logs are fully anonymized. No username, email, or user ID is attached. This data powers the Community Activity Feed and Community Score Distribution features.

2.7 CAA Program Response Tracker Data

When you submit data to the CAA Program Response Tracker, we collect:

  • School name and application status (interview, accepted, waitlisted, rejected)
  • Optional notes you provide

Display: Tracker submissions are displayed publicly in the aggregated community dashboard. All users can view the aggregated data.

2.8 Analytics Data

We use Google Analytics to collect anonymized usage data, including page views and navigation patterns, time spent on pages, approximate geographic location (country/region level), device and browser type, and referring websites.

3. How We Use Your Data

3.1 Score Calculation

Your academic data is used exclusively to calculate your personalized CRI score, generate z-scores and percentile rankings, create distribution charts showing your position relative to other applicants, and provide customized feedback and recommendations.

3.2 Account Management

Your account information is used to authenticate you, display your profile, manage your saved results, and process your Premium access (if applicable).

3.3 Personal Statement Swapper

Your PS Swapper data is used to anonymously match you with a peer reviewer, facilitate the exchange of personal statement feedback, enforce daily limits and prevent duplicate submissions, and send real-time notifications about match status. Your personal statement is shared only with your matched reviewer and is not used for any other purpose.

3.4 Saved Results and Premium Features

Your saved results data powers features like the Program Matcher, Discord Post Generator, and results history. Premium analytics features use aggregated dataset statistics — your individual data is never shared with other users.

3.5 Community Features

Anonymized CRI calculation logs are used to populate the Recent Community Activity feed on the dashboard, showing recent calculation events with scores, GPA ranges, and test score ranges. Timestamps are jittered by ±5 minutes to further protect privacy. These same logs are used to generate the Community Score Distribution histogram, which displays aggregate score counts across 10-point buckets. No individual users can be identified from this data.

3.6 CAA Program Response Tracker

Data submitted to the CAA Program Response Tracker is aggregated and displayed publicly to help applicants understand how programs are responding across the community.

3.7 Aggregate Analysis

We analyze aggregate, anonymized data to update trend analyses, improve calculation accuracy, generate statistical insights, and identify patterns in applicant profiles. Aggregate data cannot be traced back to individual users.

3.8 Service Improvement

Analytics data helps us optimize website performance, identify technical issues, understand which features are most valuable, and make data-driven decisions about new features.

4. Data Storage and Retention

4.1 Supabase (Account and Saved Results)

Your account data, profile information, and saved CRI results are stored securely on Supabase servers with row-level security (RLS). Only you can access your own data through authenticated requests.

4.2 Stripe (Payment Data)

Payment data is managed by Stripe. Your sensitive payment details (card numbers, CVV) are stored exclusively by Stripe in PCI-DSS compliant infrastructure and are never stored on our servers.

4.3 Local Storage (Your Browser)

Some user preferences (such as theme settings or dismissed prompts) may be stored in your browser's localStorage. This data remains on your device and is not transmitted to our servers.

4.4 Server Storage

  • Historical dataset (anonymized aggregate data, no individual identifiers)
  • Analytics data (Google Analytics stores anonymized usage data for 26 months)
  • Log files (server logs retained for 90 days for security)

4.5 Data Retention Period

  • Account data: Retained until you delete your account
  • Saved results: Retained until you delete them or delete your account
  • PS Swapper files: Deleted when a submission is resolved or denied with no re-match; removed when you delete your account
  • PS Swapper match history: Retained for duplicate-reviewer prevention; removed when you delete your account
  • Payment records: Retained by Stripe per their data retention policy
  • CRI calculation logs: Retained indefinitely in anonymized form for community features
  • CAA Tracker submissions: Retained until deleted by the user or account deletion
  • Analytics data: 26 months via Google Analytics
  • Aggregate statistics: Retained indefinitely for research purposes
  • Server logs: 90 days

5. Data Security Measures

  • HTTPS encryption — all data transmitted is encrypted
  • Secure hosting — enterprise-grade security infrastructure
  • Access controls — limited personnel access to any stored data
  • Regular security audits — periodic reviews of our security practices
  • Anonymization — personal identifiers stripped from any stored data

6. Third-Party Services

Supabase

Provides authentication, database, and file storage for user accounts, saved results, and profile avatars. Data is secured with row-level security. Supabase Privacy Policy

Stripe

Processes Premium payments. Stripe is PCI-DSS Level 1 compliant. We never see or store your full card details. Stripe Privacy Policy

Google Analytics

Tracks website usage and performance. Data collected includes anonymized usage patterns, device info, and approximate location. Opt-out available via the Google Analytics Opt-out Browser Add-on.

Vercel Analytics

Privacy-focused website analytics that tracks page views and visitor counts. Vercel Analytics does not use cookies, does not collect personal data, and does not track users across sites. Vercel Analytics Privacy Policy

7. Your Data Control Options

7.1 Account and Saved Results

  • Delete individual saved results from the Saved Results page
  • Manage your PS Swapper preferences and participation mode from Account Settings
  • Update your profile information from Account Settings
  • Delete your entire account and all associated data from Account Settings

7.2 Access Plan Management

  • Manage your Premium access from Account Settings or the Stripe billing portal
  • View your payment history through the Stripe billing portal

7.3 Clear Local Data

  • Clear your browser's localStorage/cache
  • Use private/incognito browsing mode
  • Clear site data in your browser settings

7.4 Opt Out of Analytics

  • Install the Google Analytics Opt-out Browser Add-on
  • Vercel Analytics is cookie-free and collects no personal data — no opt-out needed
  • Enable “Do Not Track” in your browser settings
  • Use browser extensions that block analytics scripts

7.5 Cookie Management

You can control cookies through your browser settings. Note that disabling cookies may affect website functionality, including authentication.

8. Data Sharing and Disclosure

We DO NOT sell, rent, or trade your data.

We may share anonymized, aggregate data in published research, with educational institutions for statistical analysis (no individual data), and in public reports about applicant trends. We may disclose data if required by law, court order, or to protect our legal rights.

9. Premium Data — Permitted and Prohibited Use

9.1 Permitted Use

Premium analytics, charts, program data, and insights are provided for your personal, individual use only. You may use Premium data to inform your own academic planning and program research.

9.2 Prohibited Use

You may not:

  • Take screenshots or screen recordings of Premium content
  • Copy, transcribe, or reproduce Premium data in any format
  • Share, redistribute, publish, or publicly display Premium analytics
  • Use Premium data for commercial, academic research, or third-party purposes
  • Use automated tools or scraping to extract data from Premium pages

Violations of these restrictions may result in immediate account termination without refund. See our Terms of Service for full details.

10. Children's Data

Our service is intended for individuals 18 years or older, or those with parental consent. We do not knowingly collect data from children under 13. If we become aware of such collection, we will promptly delete the information.

11. Changes to This Policy

We may update this Data Usage Policy to reflect changes in our practices or legal requirements. We will post updates on this page with a revised “Last Updated” date. Significant changes will be prominently announced on our website.

12. Contact and Questions

If you have questions about our data practices, contact us at: team@criscore.org

Response time: We aim to respond within 48 hours.