Privacy Policy
Last updated: June 23, 2026
This Privacy Policy explains how Xora Tech Labs LLC ("Xora Tech Labs," "we," "us," or "our") collects, uses, and protects information when you use our websites and mobile applications, including our CME/MOC continuing-education credit tracker (collectively, the "Services").
By using the Services, you agree to the practices described in this policy. If you do not agree, please do not use the Services.
- 1. Information we collect
- 2. How we use information
- 3. Certificate images and OCR processing
- 4. How we share information
- 5. Where your data is stored
- 6. Data retention and deletion
- 7. Your rights and choices
- 8. Security
- 9. Children's privacy
- 10. International users
- 11. Changes to this policy
- 12. Contact us
1. Information we collect
We collect only what we need to provide the Services:
Account information
When you create an account, we collect your email address and authentication credentials. Authentication is handled by our identity provider; we do not store your password in plain text.
Continuing-education records you provide
Information you enter to track your credits — such as activity titles, providers, credit amounts, dates earned, credit categories, notes, and the certification cycles you set up.
Certificate images
Photos or files of certificates you capture or import. These are stored as evidence of the credits you log (see Sections 3 and 5).
Device permissions
With your permission, the app may access your device camera (to capture a certificate), your photo library (to import an existing certificate or PDF), and the ability to schedule local notifications (deadline reminders). You can change these permissions at any time in your device settings.
Basic technical and diagnostic data
We may collect limited technical information needed to operate and secure the Services, such as app version, device type, and error/diagnostic logs. We do not use this information to build advertising profiles, and we do not sell it.
2. How we use information
- To provide the core Services: storing your credits, computing your progress and pace against board recertification requirements, generating reminders, and producing reports and exports.
- To authenticate you and keep your account secure.
- To extract text from certificate images you submit, so you can confirm and save entries faster (see Section 3).
- To operate, maintain, troubleshoot, and improve the Services.
- To communicate with you about your account, support requests, and important service changes.
- To comply with legal obligations and enforce our terms.
3. Certificate images and OCR processing
When you capture or import a certificate, the image may be sent to a third-party artificial-intelligence provider that performs optical character recognition (OCR) to read the printed text and return suggested field values (such as the provider, date, and credit amount). This is done solely to populate the entry for your review.
- Extracted values are always presented to you for confirmation or correction before they are saved — nothing from OCR is treated as confirmed automatically.
- Our current OCR provider is Anthropic. Images sent for OCR are processed to return text; per our provider's terms, content sent through the API is not used to train its models.
- If you do not wish to use OCR, you can enter credits manually instead of submitting an image.
4. How we share information
We do not sell your personal information. We share information only with service providers ("sub-processors") who process it on our behalf to operate the Services, and only as needed for that purpose:
- Supabase — account authentication and identity.
- Microsoft Azure — application hosting, database, and storage of your records and certificate images.
- Anthropic — OCR text extraction from certificate images you submit (see Section 3).
We may also disclose information if required by law, to protect our rights or the safety of others, or in connection with a business transfer (such as a merger or acquisition), in which case we will notify you of any material change to how your information is handled.
5. Where your data is stored
Your records and certificate images are stored on managed cloud infrastructure (currently Microsoft Azure). Certificate images are stored as files; your account is the owner, and access is scoped so that one account cannot access another account's images or records. Deadline reminders are scheduled locally on your device and are not transmitted to us.
6. Data retention and deletion
We retain your information for as long as your account is active or as needed to provide the Services. You can delete individual entries within the app; deleting an entry also deletes its associated certificate image from storage. To delete your entire account and associated data, contact us at the email below, and we will process your request within a reasonable period, subject to any legal retention obligations.
7. Your rights and choices
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can exercise many of these directly in the app, or by contacting us. We will not discriminate against you for exercising these rights. If you are in the European Economic Area, the United Kingdom, or California, additional rights may apply under the GDPR, UK GDPR, or CCPA/CPRA respectively; contact us to make a request.
8. Security
We use reasonable technical and organizational measures — including encrypted transport, access controls scoped to your account, and reputable cloud providers — to protect your information. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
9. Children's privacy
The Services are intended for credentialed professionals and are not directed to children. We do not knowingly collect personal information from children under 13 (or the minimum age required in your jurisdiction). If you believe a child has provided us information, please contact us and we will delete it.
10. International users
We operate in the United States, and your information may be processed and stored in the United States or other countries where our service providers operate. By using the Services, you understand that your information may be transferred to facilities and providers in those locations.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Services after a change takes effect constitutes acceptance of the updated policy.
12. Contact us
If you have questions or requests regarding this Privacy Policy or your information, contact us at:
Xora Tech Labs LLC
Email: privacy@xoratechlabs.com
General inquiries: contact@xoratechlabs.com
This policy is governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws principles.