Last updated: March 17, 2026
Step Forward ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding your data. This policy applies to all users of stepforward.study and complies with the Brazilian General Data Protection Law (LGPD), the EU General Data Protection Regulation (GDPR), and other applicable privacy legislation.
Account data: Name, email address, and password (stored as a bcrypt hash — we never store your password in plain text). The USMLE step you are studying for.
Study data: Question attempts (answers, correctness, time spent), session history, review card progress, flashcard data, bookmarks, and performance analytics derived from your activity.
Payment data: Payment information is collected and processed directly by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We may store a Stripe customer ID and subscription status.
Technical data: IP address (for rate limiting and security), browser type, and device information (collected automatically via server logs). We do not use tracking cookies or third-party analytics tools at this time.
We use your data to:
We do not sell your personal data. We do not use your data for advertising. We do not share individual study performance with third parties.
We share data with the following third-party services, strictly for operating the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, payment info (handled by Stripe directly) |
| Resend | Transactional email | Email address, name |
| Vercel | Hosting and CDN | IP address, request logs |
| Neon (PostgreSQL) | Database hosting | All account and study data (encrypted at rest) |
All providers are GDPR-compliant and process data under appropriate safeguards. If we add new providers, this policy will be updated accordingly.
We use minimal browser storage:
- sf_session: An httpOnly JWT cookie for authentication. Essential for the Service to function. Expires after 30 days.
- sf-theme: Stored in localStorage to remember your light/dark mode choice. Not sent to our servers.

We do not use advertising cookies, analytics cookies, or any third-party tracking.
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records for tax purposes).
Anonymized, aggregated study data (used for benchmarks and Service improvement) may be retained indefinitely as it cannot be traced back to you.
Depending on your location, you may have the following rights:
LGPD (Brazil): You have all rights listed above under the Lei Geral de Proteção de Dados. Our legal basis for processing is the performance of a contract (providing the Service) and legitimate interest (security and improvement).
GDPR (EU/UK): You have all rights listed above. You may also lodge a complaint with your local data protection authority.
To exercise any right, email privacy@stepforward.study. We will respond within 15 business days.
We implement industry-standard security measures including: encrypted connections (HTTPS/TLS), hashed passwords (bcrypt), httpOnly session cookies, rate limiting on authentication endpoints, and encrypted data at rest in our database. However, no system is 100% secure, and we cannot guarantee absolute security.
Your data is processed on servers located in the United States (us-east-1 region). If you are located outside the US, your data is transferred to and processed in the US. We ensure appropriate safeguards are in place through our providers' compliance with GDPR standard contractual clauses and other applicable frameworks.
Step Forward is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we become aware that a user is under 18, we will promptly delete their account and data.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.