Skip to main content

Privacy Policy

Last updated: April 24, 2026 · Effective: April 24, 2026

This Privacy Policy describes how [ENTITY NAME] (“Acumen,” “we,” “us”) collects, uses, shares, and safeguards personal information when you use the Acumen website, applications, and related services (the “Service”). By using the Service you agree to this Policy. If you do not agree, do not use the Service.

1. Who We Are

Acumen is operated by [ENTITY NAME], based in Tennessee, United States. You can contact us at contact@acumen.app.

2. Information We Collect

a. Information you provide

  • Account details: name (optional), email address, password (stored hashed by our auth provider).
  • Learning activity: chief complaints selected, differentials you enter, problem-representation drafts, committed diagnoses, must-not-miss selections, saved illness scripts, and spaced-repetition review data.
  • AI interactions: prompts you submit and the AI-generated responses displayed back to you, including end-of-case debrief content.
  • Feedback: thumbs-up/thumbs-down flags and optional written feedback on AI responses.
  • Billing:if you subscribe, payment information is collected by our payment processor (Stripe) — we do not receive or store full card numbers.

b. Information collected automatically

  • Session cookies and local storage used to keep you signed in and remember preferences.
  • Usage and diagnostic data: IP address, browser type, device type, pages visited, error traces (via Sentry), approximate request volume, and rate-limit counters (via Upstash).
  • AI telemetry:model used, token counts, moderation flags, and PII-scrubbed error excerpts — stored for cost control, abuse prevention, and quality triage.

c. No Protected Health Information

Acumen is designed for synthetic cases only. Do not enter real patient identifiers or protected health information (PHI). We are not a HIPAA-covered-entity service. Automated regex filters scrub common identifier patterns before your input is sent to the AI provider, but that filtering is not perfect and is not a substitute for your own discipline.

3. How We Use Information

  • Provide, operate, and maintain the Service.
  • Generate AI tutoring responses and personalize your review queue.
  • Enforce rate limits, moderate abuse, and investigate suspected violations.
  • Process subscriptions and send service-related emails.
  • Improve content and AI behavior (using aggregated, de-identified signals — not raw AI output stored in long-lived telemetry).
  • Comply with law and protect legal rights.

We do not sell personal information and we do not use it for third-party advertising.

4. Legal Bases for Processing (EEA / UK users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process personal data on the following legal bases under the GDPR / UK GDPR:

  • Contract: to create your account and deliver the Service you requested.
  • Legitimate interests: to secure the Service, prevent abuse, maintain quality, and analyze usage in aggregate.
  • Consent: where required (for optional communications or specific features). You may withdraw consent at any time.
  • Legal obligation: where processing is required by law.

5. Service Providers (Sub-processors)

We share limited personal information with vendors that help us operate the Service. Each is bound by contractual confidentiality and data-protection terms.

ProviderPurposeData categories
Anthropic (Claude API)AI tutoring generationYour prompts (after PII scrub) and learning-session context
SupabaseAuthentication + database hostingAccount details, session data, saved scripts, AI telemetry
StripePayment processingBilling email, payment method tokens, transaction history
SentryError monitoringError stack traces, browser and request metadata (PII-off configuration)
Upstash (Redis)Rate limiting + quota trackingUser ID, request counters, SHA-256 hashes of classifier inputs
VercelApplication hosting and CDNRequest metadata (IP, user-agent), access logs

An up-to-date list of sub-processors is maintained at this URL. Material additions will be reflected by updating this Policy.

6. International Data Transfers

The Service is hosted in the United States. If you access it from outside the U.S., your information will be transferred to and processed in the U.S. and other jurisdictions where our sub-processors operate. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. You may contact us to request information about the specific safeguards used for a transfer.

7. Data Retention

We retain personal information for as long as your account is active. When you request account deletion, we will delete or anonymize your personal information within 30 days, subject to limited exceptions:

  • Billing and tax records retained as required by law (typically up to 7 years).
  • Security logs retained for a limited period for abuse investigation.
  • Aggregated or de-identified data that can no longer be associated with you.

8. Your Rights

Depending on where you live, you may have the following rights:

  • Access— a copy of the personal information we hold about you.
  • Correction— update or correct inaccurate information.
  • Deletion— delete your account and associated data.
  • Portability— receive your data in a structured, machine-readable format.
  • Objection or restriction of certain processing.
  • Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
  • Complaint to your local data-protection authority.

To exercise any of these rights, email contact@acumen.app. We will respond within 30 days. We may need to verify your identity before acting on a request.

9. California Residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we collect, use, and disclose.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt outof the sale or sharing of personal information — we do not sell or share personal information as those terms are defined under California law.
  • Right to limitthe use of sensitive personal information — we do not use sensitive personal information for purposes requiring a limit notice.
  • Right to non-discrimination— we will not discriminate against you for exercising these rights.

To exercise a California right, email contact@acumen.app with “California Privacy Request” in the subject line. An authorized agent may submit a request on your behalf with written authorization.

10. Security

We use reasonable administrative, technical, and physical safeguards to protect personal information — including row-level security on user tables, TLS encryption in transit, encrypted secrets storage, per-user rate limits, and input moderation. No security program is perfect. You are responsible for keeping your account credentials confidential.

11. Children

The Service is not directed to children under 18 and we do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, contact us at contact@acumen.app and we will delete it.

12. Cookies and Similar Technologies

We use session cookies and local storage strictly to keep you signed in, preserve preferences, and cache a small number of non-personal items that make the app usable offline or after page reloads. We do not use third-party advertising cookies. You can control cookies through your browser; disabling them may break sign-in.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be signaled by updating the “Last updated” date and, where appropriate, by emailing registered users. Continued use of the Service after the effective date constitutes acceptance.

14. Contact

Privacy questions or requests? Email contact@acumen.app.