Privacy Policy

ModernATC, LLC (“ModernATC,” “we,” “our”) is a South Carolina limited liability company that operates the ModernATC study system. You can reach us at hello@modernatc.com.

• Account data: email address, password (hashed), optional display name. If you sign in with Google, we receive your name, email address, and Google account identifier from Google in place of a password.
• Study data: your reviews, ratings, FSRS card states, deck progress, and timing, required for the Service to function.
• Billing data: if you purchase a plan, Stripe processes your payment. We store the resulting Stripe customer ID, plan/price ID, subscription status, and period boundaries. We do not store full card numbers, CVC, or bank credentials.
• Audio (Pro tier): the Phraseology Pro module transmits short audio clips to our speech-to-text providers (Groq, with OpenAI as a fallback) for scoring. ModernATC does not store these clips on its own servers; the providers process them under their respective data-retention and privacy terms.
• Operational data: request logs, IP address (in hashed form on the public waitlist endpoint), user-agent strings, and error reports, used to keep the Service running and secure.

• To provide and personalize the Service (FSRS scheduling).
• To process payments and manage subscriptions.
• To send transactional email (receipts, password reset, .65 change-package notices).
• To detect and prevent abuse: credential stuffing, scraping, fraudulent payments.
• To comply with legal obligations.

We do not sell your personal information, and we do not use your study data to train third-party AI models.

• Supabase for auth and database hosting (US regions).
• Vercel for application hosting and edge compute.
• Stripe for payment processing.
• Resend for transactional email.
• Groq (primary) and OpenAI (fallback) for speech-to-text scoring of Phraseology Pro audio.
• Googleas an optional sign-in identity provider — we receive your name, email address, and Google account identifier when you choose “Continue with Google.”
• Upstash for rate limiting and abuse prevention (processes a hashed identifier of your request).
• PostHog for product analytics (self-hosted EU region) and error tracking.

Each sub-processor is contractually obligated to handle your data only on our instructions.

We use first-party cookies to keep you signed in (Supabase auth session) and to preserve UI preferences. We do not use third-party advertising cookies.

We retain account and study data for as long as your account is active. If you delete your account, we hard-delete profile, FSRS state, and review history within 30 days. Stripe billing records are retained for 7 years to satisfy accounting and tax obligations.

Depending on where you live, you may have rights to access, correct, port, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, email privacy@modernatc.com. Most rights can also be exercised directly from the Account page.

California (CCPA/CPRA): we do not sell or share your personal information for cross-context behavioral advertising.

EU/UK (GDPR): our legal basis for processing is performance of contract (account, study, billing), consent (waitlist), and legitimate interest (security, fraud prevention). You may lodge a complaint with your local supervisory authority.

Our infrastructure is hosted in the United States. By using the Service from outside the US, you consent to the transfer of your data to the US. Where required, we use Standard Contractual Clauses with sub-processors.

The Service is not directed to children under 17, and we do not knowingly collect personal information from anyone under 17. If we learn that we have, we will delete it.

We may update this policy from time to time. Material changes will be notified by email or in-app notice at least 30 days before taking effect.