Privacy Policy

Last updated: May 28, 2026

MDCAT Helper (“we”, “our”, or “us”) operates the MDCAT Helper mobile application and website (mdcathelper.com). This Privacy Policy explains how we collect, use, and protect your information when you use our app or website. By using MDCAT Helper, you agree to this policy.

1 Information We Collect

a) Information You Provide Directly

  • Full name and email address when creating an account
  • Password — stored encrypted by Firebase; we never see your plain-text password
  • WhatsApp number — collected during the in-app “Complete profile” step. Used as a contact channel for account-related and important service updates; never shared with advertisers and never used for marketing. You can change or remove it at any time from Profile → Edit Profile.
  • Profile photo (optional) — you may upload a profile picture which is displayed next to your name on the public national leaderboard inside the app. You can change or remove it at any time from Profile → Edit Profile.
  • Email verification status — a flag indicating whether you have completed the in-app one-time email verification step.
  • Other profile information you voluntarily add (display name)

b) Information Collected Automatically

  • Device information: device model, OS version, unique device identifiers
  • Usage data: MCQs attempted, scores, time spent studying, streak history
  • AI Tutor chat history: messages sent to the AI Tutor are stored to display your conversation history
  • Push notification token: to send study reminders and announcements
  • IP address & approximate location: country/city level only — we do not track precise GPS
  • App diagnostics: crash reports and performance data
  • Cookies & local storage: we use browser cookies and localStorage on our website to remember your preferences (e.g., cookie banner dismissal). See Section 4 for full details.

c) Information from Third-Party Sign-In

If you sign in with Google, we receive your name, email, and profile photo from Google. We do not receive your Google password.

d) Payment Information

  • Your subscription plan and status (Free, Pro, or Ultra Pro)
  • A purchase token from Google Play or Apple App Store to verify your subscription
  • We do NOT store your credit card or payment details. All payment processing is handled by Google Play and Apple App Store.

2 How We Use Your Information

We use the information we collect to:

  • Create and manage your user account, including verifying ownership of your email address by sending a one-time 6-digit code
  • Contact you about your account or important service updates via your provided WhatsApp number (not used for marketing or third-party promotions)
  • Provide MCQ practice, past papers, flashcards, and analytics features
  • Power the AI Tutor — your questions are sent to Anthropic’s Claude API to generate answers. Legal basis (GDPR): legitimate interest in providing the core service you signed up for
  • Display your performance analytics and national leaderboard ranking
  • Send push notifications (study reminders, announcements) — opt out any time in phone settings
  • Process and verify your subscription via Google Play or Apple App Store
  • Show advertisements to Free plan users via Google AdMob. Legal basis (GDPR): consent (obtained via your acceptance of this policy at account creation)
  • Improve the app based on aggregated usage patterns
  • Respond to support requests
  • Comply with legal obligations

3 Third-Party Services We Use

1. Firebase Authentication (Google)

Handles login, account creation, and password security.

policies.google.com/privacy →

2. Firebase Cloud Messaging (Google)

Delivers push notifications to your device.

policies.google.com/privacy →

3. Firebase Crashlytics (Google)

Receives anonymized crash reports from the mobile app when something unexpected forces it to close. Reports include the device model, OS version, app version and the stack trace that caused the crash. They do not include your name, email or anything you typed into the app.

policies.google.com/privacy →

4. Google AdMob

Shows ads to Free plan users. AdMob may collect your device’s advertising ID and usage data for ad targeting. Pro and Ultra Pro subscribers do not see banner or interstitial ads.

policies.google.com/privacy →

5. Supabase

Our primary database and file storage (used for your profile photo). Your account data, MCQ history, AI chat history and uploaded profile photo are stored on Supabase servers in the United States. For EU users, data transfers to the US are covered under Standard Contractual Clauses (SCCs) as provided by Supabase.

supabase.com/privacy →

6. Anthropic Claude AI

When you use the AI Tutor, your messages are sent to Anthropic’s Claude API to generate responses. Anthropic may retain messages to improve their AI models subject to their own privacy policy and data retention practices. If you do not want your messages potentially used for AI model training, you may contact Anthropic directly to exercise your rights under their policy.

anthropic.com/privacy →

7. Google Play Billing

Handles subscription payments for Android users. We only receive a verification token — your payment details stay with Google.

policies.google.com/privacy →

8. Apple In-App Purchase

Handles subscription payments for iOS users. We only receive a receipt token — your payment details stay with Apple.

apple.com/legal/privacy →

9. Sentry

Receives error reports from our backend so we can fix problems quickly. Reports include the failing request path, error message and stack trace. We have configured Sentry not to capture request bodies or personal data; user identifiers, where present, are minimal and used only to debug specific issues.

sentry.io/privacy →

10. Hostinger

Hosts this website (mdcathelper.com), the web version of our app (web.mdcathelper.com), and our internal admin panel (admin.mdcathelper.com) on shared hosting servers.

hostinger.com/privacy-policy →

4 Cookies & Tracking

What cookies and storage we use

  • Strictly necessary (localStorage): We store your cookie-banner dismissal preference in your browser’s localStorage so we don’t show the banner on every visit. This requires no consent as it is a functional necessity.
  • Session cookies: Firebase Authentication may set session cookies to keep you logged in to the web version of the app.
  • Advertising cookies (AdMob): On our web app, Google AdMob may set cookies or use your device’s advertising ID to show personalized ads. This only applies to Free plan users.

Advertisements

Free users see ads served by Google AdMob: banner ads, interstitial ads, and optional rewarded ads. AdMob may use your device’s advertising ID to show personalized ads.

We do not sell your personal information to advertisers.

To opt out of personalized ads: on Android go to Settings → Google → Ads → Opt out of Ads Personalization. On iOS go to Settings → Privacy & Security → Tracking and disable tracking for MDCAT Helper.

Pro and Ultra Pro subscribers do not see banner or interstitial ads. Rewarded ads remain optional on all plans.

GDPR / EU notice: If you are in the EU/EEA, we request your consent before serving personalized ads via AdMob. You may withdraw consent at any time by adjusting your device advertising settings as described above.

5 Subscriptions

  • MDCAT Helper offers three plans: Free (PKR 0), Pro (PKR 850/month), and Ultra Pro (PKR 3,350/month)
  • Subscriptions automatically renew each month unless cancelled before the renewal date
  • All subscription management is handled by Google Play (Android) and Apple App Store (iOS)
  • To cancel on Android: Google Play → Profile icon → Payments & subscriptions → Subscriptions → MDCAT Helper → Cancel
  • To cancel on iOS: Settings → Your name → Subscriptions → MDCAT Helper → Cancel Subscription
  • Refunds are handled by Google Play and Apple per their own refund policies. We cannot issue refunds directly.

6 Data Storage & Security

  • Your data is stored on Supabase servers located in the United States
  • All data transmission is encrypted using HTTPS/TLS
  • Passwords are never stored by us — Firebase Authentication manages password hashing
  • We implement industry-standard security measures including access controls and encrypted storage
  • No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law
  • International transfers (GDPR): Your data may be transferred to and processed in the United States. Such transfers from the EU/EEA are protected by Standard Contractual Clauses (SCCs) as provided by our service providers (Supabase, Firebase, Anthropic)

7 Data Retention

  • Account information (name, email, profile): retained while your account is active
  • MCQ attempt history and performance analytics: retained while your account is active; anonymized aggregates may be kept after account deletion
  • AI Tutor chat history: automatically deleted after 30 days
  • Push notification tokens: retained while you have the app installed and notifications enabled
  • Subscription records: retained for up to 7 years for tax and legal compliance purposes, even after account deletion
  • If you delete your account, all personal data linked to you is deleted within 30 days, except subscription records retained for legal compliance
  • Anonymized, aggregated usage data (not linked to you) may be kept indefinitely to improve the app

8 Children’s Privacy

MDCAT Helper is designed for students preparing for the MDCAT examination, which requires candidates to have completed FSc (intermediate) — typically age 17 and above.

  • Our app is intended for users aged 16 and above
  • We do not knowingly collect personal information from children under 13
  • If you believe a child under 13 has provided us with their information, please email help@mdcathelper.com and we will delete it immediately

9 Your Rights

Regardless of where you are located, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update your profile information directly in the app
  • Deletion: Delete your account in the app settings, or email us at help@mdcathelper.com
  • Opt out of marketing emails: Reply with “unsubscribe” to any email from us
  • Opt out of push notifications: Adjust notification settings for MDCAT Helper in your phone settings
  • Opt out of personalized ads: Use device advertising settings (see Section 4)

To exercise any right, email us at help@mdcathelper.com. We respond within 30 days.

10 Changes to This Policy

  • We may update this Privacy Policy from time to time
  • We will notify you of significant changes via push notification or email
  • The “Last updated” date at the top of this page reflects the latest revision
  • Continued use of MDCAT Helper after changes are posted constitutes acceptance of the updated policy

11 Contact Us

For any privacy-related questions or to exercise your rights:

📧 Email: help@mdcathelper.com

🌐 Website: mdcathelper.com/contact

We aim to respond to all privacy requests within 5 business days.

12 Additional Rights for EU / EEA Users (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) gives you additional rights and protections.

Legal Basis for Processing

  • Contract performance: Processing your account data to provide the services you signed up for (MCQ practice, past papers, AI Tutor, analytics)
  • Legitimate interests: App improvement, fraud prevention, security, and customer support
  • Consent: Personalized advertising via AdMob (you may withdraw consent at any time)
  • Legal obligation: Retaining subscription records for tax compliance

Your GDPR Rights

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to erasure / “Right to be forgotten” (Art. 17): Request deletion of your personal data
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data
  • Right to data portability (Art. 20): Request your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing
  • Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw at any time without affecting prior processing

International Data Transfers

Your personal data is stored on servers in the United States (Supabase) and processed by Anthropic (US) and Google (global). Transfers from the EU/EEA to the US are made under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have not handled your data correctly. A list of EU DPAs is available at edpb.europa.eu.

To exercise any GDPR right, email us at help@mdcathelper.com with the subject line “GDPR Request”. We will respond within 30 days as required by law.

13 Additional Rights for California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights regarding your personal information.

Your CCPA Rights

  • Right to Know: You may request that we disclose what personal information we collect, use, disclose, and sell about you
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties. We share data with service providers (listed in Section 3) only as necessary to operate the app
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right — you will receive the same quality of service regardless
  • Right to Correct: You may request correction of inaccurate personal information we hold about you

Categories of Personal Information Collected (CCPA)

  • Identifiers (name, email, device ID, IP address)
  • Commercial information (subscription plan, purchase history)
  • Internet or electronic network activity (app usage, MCQ history, AI chat)
  • Geolocation data (approximate location only)
  • Inferences drawn from the above (your performance analytics, study patterns)

To exercise any CCPA right, email us at help@mdcathelper.com with the subject line “CCPA Request”. We will respond within 45 days as required by law. You may also designate an authorized agent to make a request on your behalf.