Privacy Policy
Effective May 6, 2026 · Last updated May 6, 2026 · Version 2.1
This Privacy Policy explains how Behind The Knife LLC ("BTK", "we", "us") collects, uses, and protects personal data when you use our website, mobile app, and the Behind The Knife oral-board simulator (collectively, the "Service"). It applies to visitors and registered users worldwide. If you have questions, contact us at hello@behindtheknife.org.
1. Who is responsible for your data
The data controller is Behind The Knife LLC, a company incorporated in Ohio, USA.
- Address: 9500 Euclid Ave, A30, Cleveland OH 44118, USA.
- Contact: hello@behindtheknife.org for all privacy-related requests, including access, deletion, and objections to processing.
2. EU representative
We are in the process of appointing an EU representative under Article 27 of the GDPR. Until appointment is complete, EU/EEA data subjects may exercise their rights by contacting us directly at hello@behindtheknife.org. We will update this section with the representative's name and contact address once finalised.
3. What personal data we collect
We group the data we process into the following categories. Not every category applies to every user — for example, voice data is only collected if you use the oral-board simulator.
- Account identity. Email address, name, role (e.g., resident, attending, student), account status, content and notification preferences, and the date you created your account.
- Authentication metadata. Login timestamps, session tokens, and the device identifiers required to keep you signed in. Provided by AWS Cognito.
- Usage data. Pages visited, features used, clicks, scroll depth, web-vitals measurements, errors encountered, and (where consented) session recordings with all form inputs masked.
- Voice and AI data. Voice recordings, transcripts, AI-generated feedback, and performance scores collected when you use the oral-board simulator. See §12 for how AI providers process this data.
- Payment metadata. Transaction status, amount, and Stripe customer/invoice IDs. BTK does not see or store your payment-card numbers — they are entered directly into Stripe.
- Notification tokens. Push notification device tokens issued by Firebase Cloud Messaging when you opt in to notifications.
- Network metadata. IP address, User-Agent, referer, and approximate geolocation derived from IP. Captured on every request for security and debugging. Some pages cause your browser to contact third parties directly — podcast pages fetch audio and artwork from Audioboom, and the oral-board entry page checks ElevenLabs's public status endpoint to confirm the voice service is up. In each case the third party receives only your IP address and User-Agent, and only because your browser made the request.
4. Why we process it (and our lawful basis)
Under the GDPR we must state a lawful basis for each purpose. The list below sets out each purpose for which we process the categories in §3 and the basis we rely on for it.
- Provide the Service (account, authentication). Lawful basis: performance of a contract (Art 6(1)(b)). You cannot opt out of this without closing your account.
- Send the newsletter. Lawful basis: consent (Art 6(1)(a)) — newsletter sign-up is always explicit, either through the footer subscribe form (visitors without an account) or the "Subscribe to BTK newsletter" toggle in your account preferences. You can withdraw at any time via the unsubscribe link or by toggling the preference off. When you delete your account we additionally send a hashed (MD5) version of your email to Mailchimp so it can remove you from any audience you joined; the lawful basis for that step is compliance with our deletion obligations under Arts 17 and 19.
- Product analytics and error tracking. Lawful basis: consent (Art 6(1)(a)) in the EU/EEA, UK, Brazil, and South Africa; legitimate interest with a right to object elsewhere (Art 6(1)(f)). Manage via the cookie banner — see §11.
- Marketing measurement. Lawful basis: consent (Art 6(1)(a)). The Global Privacy Control browser signal automatically denies this category where detected.
- Run the oral-board simulator. Lawful basis: performance of a contract (Art 6(1)(b)) for real-time generation of feedback. Where authorised staff internally review de-identified excerpts to refine the simulator's prompts, scenarios, and educational features, our basis is legitimate interest (Art 6(1)(f)). Behind The Knife does not train AI models on your data. You can object at any time by emailing us — see §12.
- Process payments. Lawful basis: performance of a contract (Art 6(1)(b)) and legal obligation (Art 6(1)(c)) for tax and accounting records.
- Send push notifications. Lawful basis: consent (Art 6(1)(a)) given via your browser or device permissions.
- Operate, debug, and secure the Service. Lawful basis: legitimate interest (Art 6(1)(f)) — server logs, fraud prevention, abuse detection.
5. Who we share data with (processors and recipients)
We rely on the third-party providers below to operate the Service. Each one acts as a data processor on our behalf under a written data processing agreement, and handles only the data necessary for its stated purpose.
- PostHog Inc. Product analytics, session replay, error tracking. Region: EU (Frankfurt). For EU/EEA users, no cross-border transfer applies; for users outside the EU, data is processed in the EU under PostHog's standard contractual terms.
- Google LLC (Google Tag Manager, Google Analytics 4, Google Ads, Firebase Remote Config, Firebase Cloud Messaging). Site analytics, ad-conversion measurement, push-notification delivery, and remote configuration. Region: USA. Transfer mechanism: EU-US Data Privacy Framework with Standard Contractual Clauses as a fallback. Firebase Analytics is not currently wired into the consumer web app — site analytics run on Google Analytics 4.
- Amazon Web Services, Inc. (Cognito, S3, CloudFront, API Gateway, Lambda, SES). Authentication, hosting, content delivery, transactional email. Region: United States — production traffic is processed in AWS us-east-1; our development environment runs in us-east-2. Transfer mechanism: EU-US Data Privacy Framework with Standard Contractual Clauses as a fallback.
- Stripe, Inc. Payments and subscription management. Region: USA. Transfer mechanism: EU-US Data Privacy Framework.
- ElevenLabs, Inc. Real-time voice generation and speech-to-text for the oral-board simulator. Region: USA. Transfer mechanism: Standard Contractual Clauses. In addition to the live exam session, our oral-board entry page makes a brief request to ElevenLabs's public status endpoint (status.elevenlabs.io) to check whether the voice service is available before you start an exam — that request happens whether or not you go on to use the simulator and exposes only your IP address and User-Agent to ElevenLabs.
- OpenAI, L.L.C. Server-side scoring and feedback generation for the oral-board simulator. Region: USA. Transfer mechanism: EU-US Data Privacy Framework. Per OpenAI's API terms, your inputs are not used to train OpenAI's models.
- Intuit Inc. (Mailchimp). Newsletter delivery. Region: USA. Transfer mechanism: EU-US Data Privacy Framework with Standard Contractual Clauses as a fallback. Mailchimp receives your email address only when you explicitly subscribe — either through the footer subscribe form or the "Subscribe to BTK newsletter" toggle in your account preferences. When you delete your account we additionally send Mailchimp a hashed (MD5) version of your email so it can remove you from any audience you joined.
- Audioboom Group plc. Hosts Behind The Knife podcast media. Podcast pages on the Service load artwork and audio from Audioboom's infrastructure; we play the audio through our own player rather than embedding the Audioboom player, so no Audioboom cookies or scripts are loaded — but your browser still contacts Audioboom directly to fetch the file, which means Audioboom receives your IP address and User-Agent. Region: United Kingdom (with onward US infrastructure). Transfer mechanism: the European Commission's UK adequacy decision for EU/EEA → UK transfers, and the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses for UK → US onward transfers.
- YouTube (Google LLC). Embedded podcast video player. We use the youtube-nocookie domain so no cookies are set until you interact with a player. Region: USA. Transfer mechanism: EU-US Data Privacy Framework.
We may also disclose personal data when required by law (subpoenas, court orders, regulatory requests) or to protect the rights, safety, or property of BTK, our users, or the public.
6. International data transfers
BTK is a US company, and most of our processors are based in the United States. When we transfer personal data of EU/EEA, UK, or Swiss residents to the US, we rely on the EU-US Data Privacy Framework (and the UK and Swiss extensions where applicable) for DPF-certified processors, and on the European Commission's Standard Contractual Clauses as a fallback. Audioboom is based in the United Kingdom, so EU/EEA → UK transfers rely on the European Commission's UK adequacy decision, and Audioboom's onward UK → US transfers rely on the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses. Product analytics (PostHog) is hosted in the EU, so for EU/EEA visitors no cross-border transfer applies to that category.
7. How long we keep your data
We are honest with you about retention: today we do not run automated deletion or anonymisation schedules for most categories. The bounds below describe either limits enforced by our processors, retention required by law, or our default of "kept while your account is active". You can always ask us to delete specific data — see §8.
- Session recordings (PostHog). Automatically deleted after 30 days by PostHog. We do not have the ability to extend this.
- Behavioural analytics events (PostHog). Retained according to PostHog's default for our plan. We are reviewing whether to configure a shorter explicit limit.
- Payment metadata (Stripe and BTK accounting). Retained for at least 7 years to satisfy US tax and accounting obligations. We do not delete payment records before then.
- Account identity, AI transcripts, performance scores, voice recordings, push notification tokens, and server access logs. Retained for as long as you have an account with us. We do not auto-delete or auto-anonymise these on a schedule today. If you close your account or ask us to remove specific data, we will action that request manually — see §8.
We will revisit this section when we introduce automated retention schedules, and update the document history in §14 accordingly.
8. Your rights
Depending on where you live you may have some or all of the following rights with respect to your personal data:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, where consent is the lawful basis.
- Lodge a complaint — with your local data protection authority.
To exercise any of these rights, email hello@behindtheknife.org or use the contact form and select the appropriate category. We will respond within 30 days for GDPR/UK GDPR requests and 45 days for CCPA requests, and may ask you to verify your identity before fulfilling sensitive requests. Some data may be retained where required by law (for example, payment records for tax purposes) — see §7.
9. California and other US state disclosures (CCPA/CPRA and equivalents)
If you are a California resident — or a resident of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, New Jersey, Delaware, New Hampshire, or Minnesota — you have rights under your state's privacy law that mirror or extend the GDPR rights listed in §8. The categories of personal information we have collected, disclosed, or shared in the past 12 months are listed in §3 (we do not collect any other categories).
Sensitive personal information. Voice recordings and any biometric-derived data are treated as Sensitive Personal Information ("SPI") under the CPRA. We use SPI solely to operate the oral-board simulator and for the de-identified internal product improvement use described in §4 and §12. You may limit our use of SPI to the operational purpose by emailing us.
Sale and sharing. BTK does not "sell" personal information for money. We do "share" personal information for cross-context behavioural advertising when you grant the Marketing cookie category. To opt out, click "Privacy choices" in the footer (or any link labelled Do Not Sell or Share My Personal Information) and deny the Marketing category. We honour the Global Privacy Control browser signal automatically — you do not need to opt out separately if your browser sends GPC.
Verification. For most requests, matching the email associated with your account is sufficient verification. For requests involving sensitive data, we may ask you to confirm via a one-time code sent to that email. We do not charge a fee for requests, and we do not offer financial incentives in exchange for your data.
10. Children
The Service is intended for adult medical professionals and trainees, age 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us at hello@behindtheknife.org and we will delete the associated data.
11. Cookies and similar technologies
We use first-party cookies and similar technologies to keep you signed in, remember your preferences, and (with your consent) measure how the Service is used. We split cookies into three categories:
- Functional — sign-in, cart, security, fraud prevention. Always on; the Service does not work without these.
- Analytics — used to understand which features get used so we can improve them. Processors: PostHog, Google Analytics 4.
- Marketing — used to measure ad effectiveness for campaigns we run. Processors: Google Tag Manager, Google Ads.
You set your preferences when you first visit the Service. You can change them at any time by clicking "Privacy choices" at the bottom of any page, which re-opens the consent banner. Browser-level controls (clearing or blocking cookies, sending Global Privacy Control) also work.
12. AI and automated processing
The oral-board simulator uses artificial intelligence to generate spoken prompts, transcribe your responses, and produce educational feedback and scores. Specifically:
- Voice generation and speech-to-text. Provided by ElevenLabs, Inc. Your voice and the agent's audio stream are processed in real time.
- Scoring and feedback. Provided by OpenAI, L.L.C. Your transcript and scenario context are sent to OpenAI's API to generate the feedback you see. Per OpenAI's API terms, this data is not used to train OpenAI's models.
- Internal product improvement. Authorised Behind The Knife staff may internally review transcripts and scores to refine the simulator's prompts, scenarios, and educational features; we limit access to those staff and use only de-identified excerpts in any product-improvement work. Behind The Knife does not train AI models on your data; OpenAI generates scores via its API under terms that exclude your inputs from model training, and ElevenLabs is used for real-time voice synthesis and speech-to-text only. The lawful basis for this internal review is our legitimate interest in improving the simulator (Art 6(1)(f)); you have a right to object at any time. To object, email hello@behindtheknife.org; we will action the request without affecting your access to the simulator.
- Right to human review. AI-generated scores and feedback are educational estimates, not final professional assessments. You can request human review of any AI-generated assessment by emailing hello@behindtheknife.org.
- Prohibition on Protected Health Information (PHI). The simulator is for educational simulation only. You agree not to input, speak, or upload any Protected Health Information (as defined by HIPAA) or any real patient details into the simulator. BTK is not liable for any HIPAA violations resulting from your submission of real patient data into the AI tools.
13. Security and breach notification
We rely on the following safeguards to protect your data: TLS 1.2+ for all data in transit (enforced by our cloud providers), encryption at rest provided by our cloud infrastructure for account, payment, and content storage, authenticated and permission-scoped access to backend APIs, and automatic masking of all form inputs in any session recordings we capture. We capture application errors via PostHog so we can investigate and respond to incidents. No system is perfectly secure, however, and we cannot guarantee absolute protection.
If a personal data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you via the email address registered to your account without undue delay, and notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. We will also comply with breach notification timelines under US state laws (typically 30–90 days).
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we update the "Last updated" date at the top and increment the version number. Material changes (for example, adding a new processor or a new processing purpose) are also announced by email to registered users at least 14 days before they take effect, so you have time to review and, if you object, close your account.
Document history
- v2.1 — May 6, 2026. Disclosed Audioboom as the podcast media sub-processor (with UK transfer mechanism); extended ElevenLabs to cover the pre-exam status-page check; clarified Mailchimp scope (always explicit opt-in, plus the account-deletion flow); narrowed Cognito region to us-east-1 for production / us-east-2 for development; removed Firebase Analytics references (only Remote Config and FCM are wired); replaced the "Model improvement" paragraph with "Internal product improvement" — Behind The Knife does not train AI models on user data.
- v2.0 — May 4, 2026. Restructured to satisfy GDPR Art 13/14 disclosure, named all processors, added retention schedule, lawful basis matrix, CCPA/state-law disclosures, cookie banner integration, named AI providers.
- v1.0 — January 2026. Initial policy ported from Behind The Knife mobile app, with PHI prohibition and AI language added.
15. Contact
For any privacy question, request, or complaint, email hello@behindtheknife.org or write to Behind The Knife LLC, 9500 Euclid Ave, A30, Cleveland OH 44118, USA. EU/EEA residents may also contact our EU representative once appointed (see §2).