Privacy Policy
Effective date: June 7, 2026 · Last updated: June 22, 2026
1. Who We Are
Data Controller: Medlobby LLC, Sheridan, Wyoming, United States.
For all privacy-related matters, contact our Privacy Officer at privacy@medlobby.com.
Platform: Medlobby operates the medical education platform at medlobby.com and related subdomains including app.medlobby.com, auth.medlobby.com, and medlobby.com/blog (collectively, the "Platform").
2. Data We Collect
Account & Identity Data
Full name, email address, hashed password (bcrypt, never stored in plain text), professional status, country, graduation year, and optional profile photo. Retention: Duration of account + 30 days post-deletion.
Learning & Performance Data
Questions answered, quiz scores, session history, saved bookmarks, annotations, AI chat messages, progress across clinical modules, and vocabulary entries. Retention: Duration of account.
Subscription & Payment Data
We use Stripe and PayPal as payment processors. We receive payment status, subscription tier, and invoice references. We never store raw card details. Retention: 7 years (legal/tax obligation).
Preferences & Settings
Theme preferences, playback rate, audio settings, exam scope, and other personalisation settings. Retention: Duration of account.
Authentication Data
HTTP-only refresh token cookie (ml_rt) on the .medlobby.com domain for secure single sign-on across Medlobby subdomains. This cookie does not track you across third-party websites. Retention: 30 days rolling.
Usage & Technical Data
IP address, browser type, device information, pages visited, feature interactions, and server logs collected for security and analytics. Retention: 90 days for server logs; 14 months for analytics.
Cookie & Consent Data
Your cookie consent preferences are stored locally in your browser (medlobby_cookie_consent). Retention: 1 year in browser storage.
3. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) |
| Delivering platform features and learning content | Contract (Art. 6(1)(b)) |
| Processing subscription payments | Contract (Art. 6(1)(b)) |
| Sending transactional emails (password resets, receipts) | Contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving platform performance and reliability | Legitimate interests (Art. 6(1)(f)) |
| Analytics cookies and usage tracking | Consent (Art. 6(1)(a)) |
| Marketing emails and newsletters | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (tax records) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, you have the right to object (see Section 7).
Where we rely on consent, you have the right to withdraw it at any time without affecting prior processing.
4. Third-Party Data Processors
We share personal data only with the following processors, each under a Data Processing Agreement or equivalent legal safeguard:
Stripe (Payment Processing)
Stripe, Inc. — San Francisco, California, USA. Processes payment card data and subscription billing. Stripe is certified PCI-DSS Level 1. Data transferred to the US under Standard Contractual Clauses. Stripe Privacy Policy.
PayPal (Payment Processing)
PayPal Holdings, Inc. — San Jose, California, USA. Alternative payment method for subscriptions. Data transferred to the US under Standard Contractual Clauses. PayPal Privacy Policy.
Google Analytics / Google Tag Manager
Google LLC — Mountain View, California, USA. Analytics and usage measurement. Only activated after you grant analytics consent via our cookie banner. We use Consent Mode v2 — no analytics data is sent before consent is given. Data transferred to the US under Standard Contractual Clauses. Google Privacy Policy.
Cloudflare Turnstile (CAPTCHA)
Cloudflare, Inc. — San Francisco, California, USA. Bot protection on our login and registration forms. Turnstile processes minimal browser attributes to verify humanity without tracking. Cloudflare Privacy Policy.
Brevo (Transactional Email)
Sendinblue SAS — Paris, France. Sends transactional emails including account verification, password resets, and receipts. Data processed within the EU. Brevo Privacy Policy.
5. International Data Transfers
Medlobby LLC is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States.
We ensure such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms. Where we engage processors, we verify that adequate protections are in place before any transfer occurs.
6. Cookies
We use cookies and similar technologies for essential functionality, analytics (with your consent), and session management. For a full list of all cookies we set, their purpose, duration, and opt-out instructions, please read our Cookie Policy.
Essential cookies cannot be disabled as they are required for the Platform to function. Analytics cookies are only set after you give explicit consent via our cookie banner.
7. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you. Use the Download My Data button in your account settings or email privacy@medlobby.com.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data. You can update your name, email, and profile details directly in your account settings.
Right to Erasure / Right to be Forgotten (Art. 17)
Request deletion of your personal data. Use the Delete My Account option in your account settings or email privacy@medlobby.com. We will process deletion within 30 days. Some data may be retained longer where required by law (e.g., payment records for 7 years).
Right to Data Portability (Art. 20)
Receive a copy of your personal data in a structured, machine-readable JSON format. Use the Download My Data button in your account settings.
Right to Restriction of Processing (Art. 18)
Request that we limit how we process your data while a dispute is being resolved — for example if you contest data accuracy, if processing is unlawful, or if you have objected to processing.
Right to Object (Art. 21)
Object to processing based on legitimate interests (see Section 3). You may also object to processing for direct marketing at any time — we will comply immediately.
Right to Withdraw Consent
If processing is based on your consent, you may withdraw it at any time by clicking the cookie icon in the bottom-left corner of any Medlobby page, or by emailing privacy@medlobby.com. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
You have the right to lodge a complaint with your local supervisory authority:
- EU: Your national Data Protection Authority (list at edpb.europa.eu)
- UK: Information Commissioner's Office — ico.org.uk
We ask that you contact us first at privacy@medlobby.com so we can try to resolve your concern directly.
8. Security
We implement industry-standard technical and organisational security measures including:
- TLS 1.2+ encryption for all data in transit
- Bcrypt password hashing (salted, never stored in plain text)
- HTTP-only and Secure cookie flags on authentication tokens
- Rate limiting and brute-force protection on all authentication endpoints
- Regular dependency audits and security patching
No system is completely secure. If you believe your account has been compromised, contact us immediately at security@medlobby.com.
9. Data Retention Summary
| Data Category | Retention Period |
|---|---|
| Account & identity data | Active account + 30 days post-deletion |
| Learning & progress data | Active account |
| Payment records | 7 years (legal/tax obligation) |
| Authentication cookies | 30 days rolling |
| Server & access logs | 90 days |
| Analytics data | 14 months |
| Cookie consent preferences | 1 year (browser-side) |
| Password reset tokens | 1 hour (auto-expired) |
10. Children's Privacy
The Platform is intended for users aged 18 and over. We do not knowingly collect personal information from minors. If we become aware a user is under 18, we will delete their account and data promptly. Contact privacy@medlobby.com if you believe a minor has registered.
11. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will notify you by email or a prominent banner on the Platform at least 14 days before the change takes effect.
12. Contact Us
Medlobby LLC
Sheridan, Wyoming, United States
- Privacy enquiries: privacy@medlobby.com
- General support: support@medlobby.com
Last Updated: June 22, 2026

