Last updated: 11 April 2026

Privacy Policy

This Privacy Policy describes how BoardsQA collects, uses, and protects personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish data protection law (LOPDGDD).

1. Data Controller

The data controller is Dr. Pablo Lozano Lominchar, acting in personal capacity as educator and platform operator.

Platform: boardsqa.com
Contact: contact@boardsqa.com

This platform is operated independently and does not represent Hospital General Universitario Gregorio Marañón or Universidad Complutense de Madrid.

2. Legal Basis for Processing (GDPR Art. 6)

Basis	Processing activity
Art. 6.1.b — Contract performance	Account creation and management, quiz sessions, subscription fulfillment
Art. 6.1.f — Legitimate interest	Platform security, fraud prevention, aggregate analytics
Art. 6.1.a — Consent	Analytics cookies (Vercel Analytics), marketing emails (if opted in)

3. Data We Collect

Registration data

Email address (required). Display name (optional).

Usage data

Quiz sessions, question attempts, answer selections, and performance statistics. This data is used to calculate accuracy, identify weak areas, and generate progress reports.

Payment data

Payment processing is handled exclusively by Stripe Inc. (PCI-DSS compliant). BoardsQA stores only subscription status and tier — never card details or payment instrument data.

Technical data

IP address (retained in server logs for 30 days), browser type, device type. Used for security and error diagnostics only.

4. Data Processors

We engage the following sub-processors under Data Processing Agreements (DPA) and, where applicable, Standard Contractual Clauses (SCCs) for international transfers:

Processor	Purpose	Transfer mechanism
Supabase Inc.	Database and authentication (EU hosting)	SCCs
Stripe Inc.	Payment processing	SCCs
Vercel Inc.	Platform hosting and analytics	SCCs (EU/US)
Resend Inc.	Transactional email	SCCs

5. Data Retention

Data type	Retention period
Account data	Until account deletion request
Quiz sessions and progress	2 years from creation
Billing records	7 years (legal obligation)
Server logs (IP)	30 days

6. Your Rights (GDPR Art. 15–22)

You have the right to:

Access your personal data (Art. 15)
Rectify inaccurate data (Art. 16)
Erasure of your data (Art. 17)
Portability of your data in a structured format (Art. 20)
Restriction of processing (Art. 18)
Object to processing based on legitimate interest (Art. 21)
Withdraw consent at any time without affecting prior processing (Art. 7.3)

To exercise your rights, contact us at contact@boardsqa.com. We will respond within 30 days.

You may also lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es

7. International Transfers

Some of our data processors are located outside the European Economic Area. In each case, transfers are governed by Standard Contractual Clauses adopted by the European Commission, ensuring an equivalent level of protection.

8. Changes to This Policy

We may update this Privacy Policy. Significant changes will be communicated via email to registered users at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance.