Privacy Policy
How WANDM Notes handles your information.
Who we are
WANDM Notes is a medical education platform built by practising clinicians for postgraduate exam candidates. The platform is operated by Dr. Mohammed Khalid Khalafallah and Dr. Shima Mo. Ali, based in Riyadh, Saudi Arabia. References to "we", "us", or "WANDM" in this document refer to the WANDM Notes team.
This privacy policy applies to all WANDM Notes services accessed through the domain mrcs.wandmnotes.com and any related subdomains. It explains what personal information we collect, how we use it, who we share it with, and what rights you have over that information.
We take privacy seriously. As clinicians, we understand that trust is built through transparency. If anything here is unclear or you want more detail, please get in touch using the contact details in section 11.
Information we collect
We only collect the information we need to run the service. We do not buy data about you from third parties, and we do not sell your data to anyone.
2.1 Account information
When you create an account, we collect:
- Email address — used as your login identifier and for important account notifications.
- Display name — shown to you on the home screen and (optionally) to administrators.
- Encrypted password — handled entirely by Firebase Authentication. We never see, store, or transmit your password in plain text.
- Account status — pending, active, expired, or suspended; managed by our administrators.
- Subscription dates — when your access starts and expires.
2.2 Study progress data
To make the platform genuinely useful, we record your interactions with the study material:
- Which notes chapters you have opened or marked complete.
- Which MCQ questions you have answered, your selected answer, whether it was correct, and whether you flagged it.
- Mock exam attempts: papers taken, scores, time spent per question, and submitted answers.
This data exists so you can resume where you left off, see your own progress over time, and get personalised insights. It is not used for any other purpose.
2.3 Technical information
When you use WANDM Notes, our infrastructure providers (notably Google Firebase) collect technical information automatically. This typically includes your IP address, browser type, operating system, approximate location derived from IP, the dates and times of requests, and basic error logs. This information is used to keep the service running, identify abuse, and debug issues.
We do not deliberately collect sensitive information such as racial origin, political views, religious beliefs, or biometric data. Please do not enter such information in any free-text fields.
How we use your information
We use your information for the following purposes only:
- To provide the service — authenticating you, showing your progress, syncing across devices, and personalising study recommendations.
- To enforce subscription terms — checking that your account is active, not expired, and not suspended.
- To communicate with you — sending essential service emails (password resets, expiry notices, security alerts). We do not send marketing email unless you have opted in separately.
- To improve the platform — aggregate statistics (e.g. average score on a paper) help us identify questions that need re-writing. Aggregated statistics never identify individual users.
- To prevent abuse — detecting credential sharing, automated scraping, and other behaviour that undermines fairness for paying users.
- To comply with legal obligations — responding to lawful requests from competent authorities where required by Saudi or other applicable law.
Where your data is stored
Your data is stored in Google Firebase infrastructure, specifically Firebase Authentication for credentials and Cloud Firestore for application data. Firebase is operated by Google LLC and uses data centres in regions selected for our project. The current data region for this exam's project is configured at the infrastructure level and may include the United States or Europe, depending on the Firebase project settings.
Google has obtained ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, and SOC 3 certifications relevant to data security and privacy. Their privacy practices are described in the Google Cloud Privacy Notice.
Third-party services
WANDM Notes uses the following third-party services. Each has its own privacy policy, which we encourage you to review.
- Google Firebase (Authentication, Firestore, Hosting) — core infrastructure for accounts, data storage, and serving the website.
- Google Fonts — typeface delivery (Inter, Newsreader, Caveat, JetBrains Mono). Google may log your IP address when fonts are loaded.
- Google reCAPTCHA — protects sign-up and sign-in from automated abuse. reCAPTCHA collects technical and behavioural signals; see Google's privacy policy.
We do not use any third-party advertising network, behavioural tracking pixel, social media tracker, or analytics platform that profiles individual users. There is no Facebook pixel, no Google Analytics, no advertising cookies.
Cookies and local storage
WANDM Notes uses browser cookies and local storage for purposes that are strictly necessary to the operation of the service.
- Authentication cookies — set by Firebase Authentication to keep you signed in across page loads.
- Local storage — used to cache your study progress on your device, so the platform works fast and survives brief network interruptions. Free mock attempts are stored exclusively in local storage and never leave your device.
We do not use cookies for advertising, behavioural profiling, or third-party tracking. Because all cookies and local storage are strictly necessary, we do not show a cookie consent banner.
Your rights
You have the following rights over the personal data we hold about you. To exercise any of these rights, contact us using the details in section 11.
- Right of access — request a copy of the personal data we hold about you.
- Right of correction — ask us to correct inaccurate or incomplete data.
- Right of erasure — ask us to delete your account and all associated data. Note that some records (e.g. payment receipts) may be retained where we have a legal obligation to do so.
- Right to portability — receive your progress data in a structured, machine-readable format.
- Right to withdraw consent — where we rely on your consent for a particular processing activity, you can withdraw it at any time.
- Right to object — object to any processing you believe is unjustified.
We aim to respond to all reasonable requests within thirty days. If you are unhappy with our response, you may have the right to lodge a complaint with your local data protection authority.
Data retention
We retain your data for as long as your account is active, plus a brief grace period after deletion or expiry to allow account recovery and to meet our legal obligations.
- Active accounts — data is retained continuously while you are using the service.
- Expired subscriptions — account and progress data are retained for ninety days so you can renew without losing your history. After ninety days, the data may be archived or deleted.
- Deleted accounts — when you request deletion, your account is marked deleted immediately. Personal data is purged within thirty days, except where retention is required by law (e.g. tax records).
- Backups — operational backups may retain residual data for up to six months. Backups are encrypted and are restored only in the event of disaster recovery.
Children's privacy
WANDM Notes is designed for postgraduate medical exam candidates. The service is not intended for, marketed to, or knowingly used by individuals under eighteen years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal information through the service, please contact us so we can remove the data and close the account.
Changes to this policy
We may update this policy from time to time, for example when we change service providers, add new features, or improve our privacy practices. When we make changes, we update the "Last updated" date at the top of the page.
For material changes that affect how we use your data, we will notify active subscribers by email and display a banner on the platform for thirty days before the changes take effect.
Continued use of the service after a change becomes effective constitutes acceptance of the updated policy.
Contact us
If you have any question about this privacy policy, want to exercise your rights, or believe we have not met our obligations to you, please contact us.
- Email: wandmnotes@gmail.com
- Operated by: Dr. Mohammed Khalid Khalafallah & Dr. Shima Mo. Ali
- Based in: Riyadh, Saudi Arabia