Privacy Policy
This Privacy Policy describes how the CAA Readiness Index (“CRI,” “we,” “us,” or “our”) collects, uses, and protects your personal information when you use our website and services at criscore.org. By using our service, you agree to the collection and use of information in accordance with this policy.
Information We Collect
Account information. When you create an account, we collect your email address, display name, and optional profile avatar. Authentication is managed through Supabase.
Academic data. When you use the CRI Calculator, you provide your cumulative GPA, science GPA, test type (MCAT/GRE), and test score. These values are sent to our analysis API for score computation.
Saved results. Premium users can save up to 5 CRI calculation results including input values, CRI score, percentile rankings, and timestamps.
PS Swapper data. If you use the Personal Statement Swapper, we collect your name, email, and uploaded personal statement files. Files are stored in Supabase Storage and deleted after the review process concludes.
Payment information. Payments are processed by Stripe. We receive only a Stripe customer ID and subscription status — we never see or store your payment card details.
CRI calculation logs. We store anonymized records of CRI calculations (scores and metrics without email or user ID) to power community features like score distributions and activity feeds.
CAA Program Response Tracker. If you submit to the tracker, your school name, application status, and notes are stored. This data is visible to other users.
Analytics data. We collect browser type, device information, anonymized IP addresses, and pages visited through Google Analytics and Vercel Analytics.
How We Use Your Information
- Calculate your CRI score and percentile rankings
- Manage your account, authentication, and Premium access
- Match you with reviewers in the PS Swapper
- Power community features (activity feed, score distributions, response tracker)
- Improve the service through aggregate analysis
- Send important service-related communications
Data Storage and Security
Your data is stored in Supabase with row-level security (RLS) policies ensuring users can only access their own data. All connections use HTTPS encryption. Payment processing is handled by Stripe (PCI-DSS Level 1 compliant). We implement industry-standard security practices but cannot guarantee absolute security.
Third-Party Services
- Supabase — database hosting, authentication, and file storage
- Stripe — payment processing
- Google Analytics — anonymized usage analytics
- Vercel — hosting and edge analytics
Each provider has its own privacy policy. We encourage you to review them.
Cookies and Tracking
We use cookies and localStorage to maintain your session, remember theme preferences, and collect anonymized analytics. Google Analytics uses cookies to track page views and interactions. You can disable cookies in your browser settings, though some features may not function properly.
Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in these circumstances:
- With service providers (Supabase, Stripe, Vercel) as necessary to operate the platform
- If required by law, subpoena, or legal process
- To protect our rights, safety, or property
- In anonymized, aggregated form for community features and research
Your Rights
- Access your personal data through Account Settings
- Delete individual saved results at any time
- Delete your entire account and all associated data
- Opt out of Google Analytics
- Control cookies and localStorage through browser settings
Data Retention
- Account data is retained until you delete your account
- PS Swapper files are deleted after the review process
- Anonymized CRI calculation logs are retained indefinitely for community features
- Google Analytics data is retained for 26 months
- Server logs are retained for 90 days
Children's Privacy
Our service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance of the revised policy.
Contact
Questions about this policy? Email us at team@criscore.org.