CRI LogoCAA Readiness Index

Privacy Policy

Last updated: May 7, 2026

This Privacy Policy describes how the CAA Readiness Index (“CRI,” “we,” “us,” or “our”) collects, uses, and protects your personal information when you use our website and services at criscore.org. By using our service you agree to the collection and use of information in accordance with this policy.

Information We Collect

Account information. When you create an account we collect your email address, display name, and optional profile avatar. Authentication is managed through Supabase.

Academic data. When you use the CRI Calculator you provide your cumulative GPA, science GPA, test type (MCAT/GRE), and test score. These values are sent to our analysis API for score computation.

Saved results. Signed-in users can save CRI calculation results including input values, CRI score, percentile rankings, and timestamps.

CRI calculation logs. Each time you use the calculator while signed in we store a record of the calculation linked to your account (your user ID and the display name on your profile). The Recent Community Activity feed and Community Score Distribution displayed on the platform render only the score, GPA range, and test-score range from these records — your username, email, and user ID are never shown to other users. Anonymous (signed-out) calculations are stored without any user ID.

CAA Program Response Tracker. If you submit to the tracker your school name, application status, and notes are stored. This data is visible to other users.

Analytics data. We collect browser type, device information, anonymized IP addresses, and pages visited through Google Analytics and Vercel Analytics.

How We Use Your Information

  • Calculate your CRI score and percentile rankings
  • Manage your account and authentication
  • Power community features (activity feed, score distributions, response tracker)
  • Improve the service through aggregate analysis
  • Send important service-related communications

Data Storage and Security

Your data is stored in Supabase with row-level security (RLS) policies ensuring users can only access their own data. All connections use HTTPS encryption. We implement industry-standard security practices but cannot guarantee absolute security.

Third-Party Services

  • Supabase — database hosting, authentication, and file storage
  • Google Analytics — usage analytics (loaded only after you accept cookies)
  • Vercel — hosting and privacy-focused edge analytics
  • Resend — transactional and broadcast email delivery

Each provider has its own privacy policy. We encourage you to review them.

Cookies and Tracking

We use strictly-necessary cookies and localStorage to maintain your authenticated session and remember theme preferences. These do not require consent.

Non-essential analytics cookies (Google Analytics) are loaded only after you grant consent via the cookie banner shown on first visit. You can change your choice at any time by clearing site data in your browser. Vercel Analytics is cookie-free.

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

  • With service providers (Supabase, Stripe, Vercel) as necessary to operate the platform
  • If required by law, subpoena, or legal process
  • To protect our rights, safety, or property
  • In anonymized, aggregated form for community features and research

Your Rights

  • Access your personal data through Account Settings
  • Delete individual saved results at any time
  • Delete your entire account and all associated data
  • Opt out of Google Analytics
  • Control cookies and localStorage through browser settings

Data Retention

  • Account data is retained until you delete your account
  • CRI calculation logs are retained indefinitely for community features
  • Google Analytics data is retained for 26 months (only after consent)
  • Server logs are retained for 90 days

Age Requirement

CRI is intended for adults applying to professional graduate programs. You must be at least 18 years old to create an account or use the calculator. We do not knowingly collect personal information from anyone under 18. If we learn we have collected such information we will delete it promptly.

Automated Decisions and Profiling

The CRI score, percentile rankings, and Program Matcher recommendations are generated by statistical models from the inputs you provide. These outputs are informational only; they are not used to make any decision that produces legal or similarly significant effects on you. Admissions decisions are made solely by individual programs. You may request a human review of any output by emailing team@criscore.org.

European Economic Area, UK, and Switzerland (GDPR)

If you are in the EEA, the United Kingdom, or Switzerland, the General Data Protection Regulation gives you the following rights regarding your personal data: access, rectification, erasure, restriction of processing, data portability, and objection to processing. To exercise any of these rights, email team@criscore.org. We will respond within 30 days.

Our legal bases for processing are: consent (analytics cookies, marketing email), contract performance (account, calculator, saved results), and legitimate interest (fraud prevention, service security, aggregate research). You may withdraw consent at any time without affecting prior processing.

California Residents (CCPA/CPRA)

California residents have the right to know what personal information we collect, delete it, correct it, and opt out of any sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising. To submit a request, email team@criscore.org from the address on your account. We will not discriminate against you for exercising these rights.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance of the revised policy.

Contact

Questions about this policy? Email us at team@criscore.org.