Privacy Policy

Who we are

Bone Wizardry is an independently operated educational service based in Pennsylvania, USA. For privacy questions, contact [email protected].

What we collect

When you create an account

• Email address
• A hashed password (we never see or store your actual password in readable form)
• Account preferences and settings you choose

When you subscribe

• Payment information is collected and processed by Stripe, not by Bone Wizardry. We never see or store your full card number, CVC, or bank details.
• We receive from Stripe: subscription status, billing email, last 4 digits of card, and transaction history.

When you use the site

• Your progress through decks, quizzes, and Prescryption (so you can pick up where you left off).
• Standard server logs: IP address, browser type, pages visited, timestamps. These are used for security and debugging and are not used to build advertising profiles.

When you email us

• The contents of your message and your email address, so we can reply.
• Corrections and topic requests you submit may be used to improve site content. We don't publish your email address.

What we don't collect

• We don't run analytics (no Google Analytics, no Plausible, no Fathom, nothing).
• We don't use advertising trackers or cross-site tracking pixels.
• We don't sell, rent, or share your personal information with data brokers, advertisers, or anyone else for marketing purposes.

How we use what we collect

• To run your account and deliver the service you paid for.
• To process subscription payments through Stripe.
• To save your study progress so the site remembers where you left off.
• To respond when you email us.
• To detect abuse, debug errors, and keep the site running.
• To comply with legal obligations when required.

Who we share data with

We share data only with the service providers needed to run the site:

• Stripe: payment processing, fraud prevention, and subscription management. Stripe's privacy practices are at stripe.com/privacy.
• Our hosting provider: runs the servers that deliver the site to you.
• Email infrastructure: delivers transactional emails (receipts, password resets, support replies).

We may also disclose information if required by law, subpoena, or court order, or to protect rights, property, or safety.

Third-party links and image sources

Some lessons include image credits, source manifests, citations, or links to third-party sites such as Creative Commons, Wikimedia Commons, PubChem, government agencies, journals, or other educational sources. In-page images may be served by Bone Wizardry from local copies so viewing the lesson does not necessarily contact the original image host. If you click an external source, credit, license, or citation link, you leave Bone Wizardry and the destination site's privacy practices apply.

We do not control third-party websites and are not responsible for their privacy practices, content, or security. We do not send your Bone Wizardry account password or payment information to image source sites.

Email updates

We may offer optional email updates about new pages, site changes, and study content. These are always opt-in. We will never add you to a mailing list without your explicit consent, and every update email includes a one-click unsubscribe link. If you unsubscribe, we remove your address from the mailing list within 48 hours and won't email you again unless you re-subscribe. Transactional emails (receipts, password resets, account notices) are separate and not affected by your mailing list preferences.

Cookies and tracking

We use only the cookies necessary to keep you logged in and to make the site work. These are session and authentication cookies. We don't use advertising cookies or analytics cookies. There's no cross-site tracking. We honor the Global Privacy Control (GPC) signal where it applies.

How long we keep your data

• Active accounts: as long as your account exists.
• After account deletion: we delete your personal data within 30 days of receiving your request, except where retention is required by law (for example, payment records that Stripe and tax authorities require us to keep, and auto-renewal consent records retained for at least three years where required by law).
• Server logs: 90 days.
• Support emails: up to 2 years, then deleted.

Your rights

Regardless of where you live, you can:

• Request a copy of the personal data we have on you.
• Correct inaccurate data.
• Delete your account and associated personal data by emailing [email protected] with "Account Deletion Request" in the subject line. We'll process it within 30 days.
• Export your study progress data.

To exercise any of these rights, email [email protected]. We'll respond within 30 days. We won't discriminate against you for exercising these rights.

California residents (CCPA/CPRA)

If you live in California, you have specific rights under the California Consumer Privacy Act:

• Right to know what personal information we collect and how we use it (see above).
• Right to delete personal information.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We don't sell or share your personal information for advertising purposes, so there's nothing to opt out of, but you have this right under California law.
• Right to limit the use of sensitive personal information. We don't use sensitive personal information beyond what's necessary to deliver the service.
• Right to non-discrimination for exercising these rights.

To exercise these rights, email [email protected] with "California Privacy Request" in the subject line. You may designate an authorized agent to make a request on your behalf.

EU/UK residents (GDPR)

If you live in the EU or UK, the legal bases we rely on are:

• Contract performance: to deliver the service you signed up for.
• Legitimate interests: site security, debugging, fraud prevention.
• Legal obligation: tax records, breach notifications.

You have the rights listed above plus the right to lodge a complaint with your local data protection authority. International transfers of EU/UK data to the United States rely on appropriate safeguards, including Standard Contractual Clauses where required.

Children

Bone Wizardry is intended for medical students and adult learners. Our terms require account holders to be at least 18. The site is not directed at children under 13, and we don't knowingly collect personal information from children under 13. If you believe a child has provided personal information, email us and we'll delete it.

Security

We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords, and access controls. No system is perfectly secure. If we discover a breach affecting your personal data, we'll notify affected users without unreasonable delay and in accordance with Pennsylvania's Breach of Personal Information Notification Act and any other applicable law.

International transfers

The site is hosted in the United States. If you access it from outside the US, your data is transferred to and processed in the US, which may have different data-protection laws than your country of residence.

Changes to this policy

If we make material changes, we'll update the effective date at the top and notify active subscribers by email. Continued use after changes means you accept the updated policy.

Contact

Questions, requests, or corrections to this policy: [email protected].