Privacy Policy
Last updated: April 25, 2026.
This Privacy Policy explains how Board Pearls, LLC, Minneapolis, Minnesota ("Board Pearls," "we," "us," "our") collects, uses, stores, and shares personal data when you visit boardpearls.com or use any Board Pearls product or service (together, the "Service").
1. Information we collect
1.1 Information you provide
- Account identifiers. Email address (required); password stored only as a bcrypt hash; display name optional.
- Profile preferences. Board-exam target date, training level, institution. All optional; only stored if you enter them.
- Payment information. Billing name, billing country, last four digits of payment card. Full card numbers are processed by Stripe and never touch Board Pearls servers.
- Communications. Content of support emails and messages you send us.
1.2 Information collected automatically
- Usage data. Chapters opened, questions answered, correct/incorrect outcomes, time per session, podcast episodes played. Retained for the life of the account plus 90 days after closure.
- Device and technical data. Browser type and version, operating system, referring URL, pages visited. 30 days in server logs; aggregated thereafter.
- Coarse geolocation. Country and region inferred from IP address. 30 days in server logs.
- Cookies. Session token, theme preference, CSRF token. See Section 5.
We do not collect precise geolocation, mobile advertising identifiers, or browser fingerprints.
1.3 Information from third parties
We do not currently receive personal data from any third-party source. We do not purchase data from data brokers. If this changes, we will update this policy before collecting such data.
2. How we use your information
- Provide, operate, and maintain the Service, including authenticating your account and unlocking subscription content (performance of contract).
- Show you your own progress: questions seen, accuracy, chapter completion (performance of contract).
- Send transactional messages: verification, password reset, billing receipts, security alerts (performance of contract).
- Send product-update emails to subscribers who opt in (your consent).
- Improve the Service by measuring aggregate engagement and identifying broken content (legitimate interest).
- Detect, investigate, and prevent fraud, abuse, and Terms of Service violations (legitimate interest).
- Comply with legal obligations such as tax records and lawful process (legal obligation).
What we do not do. We do not sell personal data. We do not process personal data for targeted advertising. We do not use your data to build behavioral, psychological, or ability profiles for marketing or research. We do not engage in automated decision-making that produces legal or similarly significant effects on you. Your progress indicators are product features you control, not evaluative profiling.
3. How we share information
Service providers. Companies that help us operate the Service under written agreements restricting their use of your data:
- Stripe: payment processing (United States).
- Resend: transactional email delivery (United States).
- Cloudflare: DNS, DDoS protection, edge caching (global edge network).
- Hetzner: server hosting (European Union).
Legal compliance. We may disclose personal data when required by a valid subpoena, court order, search warrant, or regulatory demand. Where legally permitted, we will notify you before disclosure so you may seek a protective order or other remedy.
Business transfers. If Board Pearls is acquired by or merges with another entity, personal data may be among the transferred assets. Any acquiring entity will be bound by the terms of this Privacy Policy with respect to data collected before the transfer. If the acquiring entity wishes to process your data under materially different terms, it must provide at least 30 days' notice and, where required by law, obtain your consent before doing so.
We do not disclose personal data to third parties for their own marketing purposes.
4. Data storage, retention, and security
4.1 Where your data lives
Board Pearls application servers and databases are hosted on Hetzner infrastructure in the European Union. Transactional email is routed through Resend (United States) and payment data is processed by Stripe (United States). For transfers from the EU to US-based service providers, see Section 7.
4.2 Retention
- Active account data: life of account.
- Usage data and progress records after account closure: deleted within 90 days.
- Email address and billing records after account closure: up to 7 years where required for tax, accounting, or dispute-resolution obligations under Minnesota and federal law, then deleted.
- Server access logs (including IP addresses): 30 days, then rotated.
4.3 Security
We protect your data with TLS 1.2 or higher on every connection, bcrypt password hashing, least-privilege database access controls, rate-limited authentication endpoints, and regular dependency and infrastructure patching. No internet-facing system can guarantee absolute security. You are responsible for keeping your password confidential and notifying us at [email protected] if you believe your account has been compromised.
4.4 Breach notification
If we become aware of a security breach affecting your personal data, we will notify affected users by email and by notice on the Service without unreasonable delay, consistent with Minnesota Statutes § 325E.61 and, for EEA/UK users, Articles 33–34 of the GDPR. Notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed.
5. Cookies and similar technologies
- Session token. Keeps you signed in. Essential. 30 days or until sign-out.
- Theme preference. Remembers light/dark mode. Functional. 1 year.
- CSRF token. Prevents cross-site request forgery. Essential. Session only.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.
Analytics. We may use a self-hosted, cookie-free analytics tool (such as Plausible or Umami) to measure aggregate page performance. These tools do not use cookies, do not collect personal data, and do not track individual users. IP addresses are hashed or truncated before any storage. If we adopt an analytics provider that uses cookies or collects personal data, we will update this policy and, for users in the EEA/UK, obtain consent before deployment.
Do-Not-Track. We do not engage in cross-site tracking. All users are treated identically regardless of browser Do-Not-Track settings.
6. Your rights
- Access / Confirm: Confirm whether we process your personal data and request a copy of it.
- Correction: Correct inaccurate or incomplete data via your account settings or by contacting us.
- Deletion: Request deletion of your account and associated data, subject to retention exceptions in Section 4.2.
- Portability: Request a machine-readable export (JSON) of your account data.
- Opt out of sale: We do not sell personal data; this right is satisfied by default.
- Opt out of targeted advertising: We do not process data for targeted advertising; this right is satisfied by default.
- Opt out of profiling: We do not engage in profiling that produces legal or similarly significant effects.
- Restrict processing (EEA/UK): Request that we limit processing to storage only while a dispute is resolved.
- Withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
How to exercise your rights. Email [email protected] from the email address associated with your account. We acknowledge receipt within 10 business days and complete the request within 45 days. If we need additional time (up to 45 additional days), we will notify you of the reason.
Verification. We verify your identity by sending a confirmation link to the email address on your account. If you cannot access that email address, we may request alternative verification sufficient to confirm you are the account holder.
Appeal. If we decline your request in whole or in part, we will explain the reason in writing. You may appeal by emailing [email protected] with the subject line "Privacy Rights Appeal." We will respond within 45 days. If the appeal is denied, you may file a complaint with the Minnesota Attorney General's Office or, for EEA/UK users, your local data protection authority.
No retaliation. We will not deny service, change pricing, or degrade quality because you exercise any privacy right.
7. Minnesota Consumer Data Privacy Act
Minnesota residents have rights under the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325O), effective July 31, 2025, including the rights to confirm, access, correct, delete, and obtain a portable copy of personal data, and to opt out of the sale of personal data, targeted advertising, and certain profiling.
Board Pearls does not sell personal data, does not process personal data for targeted advertising, and does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects on consumers.
Sensitive data. We do not process sensitive data as defined by the MCDPA. The optional profile fields you may provide (training level, institution, exam date) are preferences you enter voluntarily for your own use within the Service. We do not collect health data, precise geolocation, racial or ethnic origin, biometric identifiers, or data concerning minors.
Data protection assessments. We evaluate our processing activities for heightened risk as required by the MCDPA. As of this policy's effective date, our processing does not involve targeted advertising, sale of personal data, or profiling for significant decisions, and does not require a formal data protection assessment. We will conduct and document assessments if our processing activities change.
To exercise your MCDPA rights, see Section 6. If your request is denied, you may appeal as described in Section 6. If the appeal is denied, you may contact the Minnesota Attorney General at:
Office of the Minnesota Attorney General 445 Minnesota Street, Suite 1400 St. Paul, MN 55101 (651) 296-3353 · ag.state.mn.us
8. European users (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland:
Data controller. Board Pearls, LLC, Minneapolis, Minnesota, United States. Email: [email protected].
Legal bases. The lawful basis for each processing purpose is set out in Section 2.
International transfers. Your data is hosted in the European Union. Where data is transferred to US-based service providers (Stripe, Resend), those transfers are protected by the EU-U.S. Data Privacy Framework where the provider is a certified participant, or by Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) of the GDPR. You may request a copy of the applicable transfer safeguards by contacting us.
Additional rights. In addition to the rights in Section 6, you may object to processing based on legitimate interests, in which case we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You may also lodge a complaint with your supervisory authority. If you are unsure which authority to contact, you may contact the authority of the EU member state in which you reside or work.
9. Children and minors
Board Pearls is designed for physicians, medical residents, and medical students who are at least 18 years of age. We do not direct the Service to anyone under 18 and do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to us, contact [email protected] and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy. If we make a material change, meaning a change to the categories of data collected, the purposes of processing, or the categories of third parties with whom data is shared, we will:
- Post the updated policy on this page with a new effective date;
- Email active subscribers at least 30 days before the change takes effect; and
- For changes that affect processing based on your consent, request renewed consent before the change applies to you.
Non-material changes (clarifications, formatting, typographical corrections) take effect upon posting.
11. Contact us
Board Pearls, LLC Minneapolis, Minnesota Email: [email protected]
We aim to respond to all privacy inquiries within 10 business days.