Privacy Policy

Medita is a medical-coding study app operated by NPJ Properties Limited. We provide a 90-day curriculum aligned with the CPC (AAPC), CCA, and CCS (AHIMA) exam blueprints, plus a free public ICD-10-CM code lookup tool, at medita.live and via our Android/iOS apps.

This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and your rights over it.

When you create an account or use Medita, we collect:

• Account data: email address, optional display name, and a hashed password (if you sign up with email/password), or your Google account identifier (if you sign in with Google).
• Learning data: which curriculum days you have read, quiz answers, scores, and streak counts.
• Payment metadata: if you pay the one-time unlock fee in USDT, we store the on-chain transaction hash, the network you used, and the wallet address you paid from. We do not store, request, or have access to your private keys, credit cards, or bank details.
• Push notification subscription: only if you explicitly opt in to notifications. We store the browser/device push endpoint provided by your operating system; we never see the endpoint as a personal identifier.
• Anonymous analytics: aggregated page views and app events via Google Analytics 4 (measurement ID G-NTZXZBXNK4) and Vercel Analytics. These do not include your name or email and are used solely to understand which lessons are working.

We do not collect: your real name, address, phone number, location, health records, contacts, photos, camera or microphone data, financial-account numbers, government IDs, or any data about your medical history.

• To create and operate your Medita account.
• To save your progress so you can resume the curriculum across devices.
• To verify on-chain that your USDT unlock payment was received, and to grant access to Days 2–90 once verified.
• To send you progress reminders and streak notifications, only if you opt in.
• To improve the curriculum and the app based on aggregated learning data (e.g. which questions are most often missed).

Medita offers an opt-in feature that places your upcoming daily lessons on your Google Calendar so you don't miss a study session. If — and only if — you click Connect Google Calendar and grant consent, we request a single OAuth scope: https://www.googleapis.com/auth/calendar.events.

• What we do with it: create calendar events on your primary calendar — one event per upcoming lesson, with a 15-minute popup reminder — and delete those events if you disconnect.
• What we do not do: read your existing events, read or modify any other calendars, share calendar data with third parties, use calendar data for advertising, or store the content of any of your events on our servers.
• What we store: a Google OAuth refresh token (encrypted at rest by Supabase), the Google email of the account you connected, your timezone, and the IDs of the calendar events we created on your behalf so we can delete them when you disconnect.
• How to revoke: click Disconnect in the dashboard at any time — we will revoke our refresh token with Google and delete every event we created. You can also revoke access directly at myaccount.google.com/permissions.

Medita's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We process your data based on (a) contract performance — to provide you the service you signed up for; (b) consent — for optional push notifications and analytics cookies; and (c) legitimate interest — to detect fraud and improve the product.

Medita is a small product and we keep the third-party list short:

• Supabase (database + auth) — your account row, progress, and payment metadata are stored in our Supabase project hosted in the EU (eu-west-1).
• Vercel (web hosting + edge functions) — serves the web app and runs server-side requests.
• Google (Sign-in with Google + Google Analytics + Google Play distribution) — only the data necessary for the relevant feature.
• Public blockchain networks (Ethereum, BNB Smart Chain, Solana) — when you pay in USDT, the transaction is, by nature, publicly visible on the blockchain.
• Push gateway services (Apple Push Notification service / Firebase Cloud Messaging) — only the opaque subscription endpoint required to deliver a notification.

We do not sell your personal information to anyone. We do not run third-party advertising inside Medita.

Medita is hosted across multiple regions (Vercel: global edge network; Supabase: eu-west-1). When you use Medita from outside the EU, your data may be transferred to and processed in regions outside your home country, including the United States. We rely on the data-processing agreements provided by our processors (Vercel, Supabase, Google) and the EU Standard Contractual Clauses where applicable.

We keep your account data for as long as your Medita account is active. If you delete your account (by emailing us at samstickkz@gmail.com), we remove your personal data within 30 days, except for aggregated analytics that no longer identify you and on-chain payment records (which are immutable by the nature of public blockchains).

Wherever you are in the world, you can request:

• A copy of the personal data we hold about you.
• Correction of any inaccurate data.
• Deletion of your account and personal data.
• That we stop processing your data for a specific purpose.
• To withdraw a consent you previously gave (e.g. unsubscribe from push notifications inside the app, or from your phone settings).

Email samstickkz@gmail.com and we will respond within 30 days.

Medita is intended for users aged 16 and older. We do not knowingly collect information from children under 16. If you believe a child has signed up, email us and we will remove the account.

All traffic to and from Medita is encrypted with TLS. Passwords are hashed by Supabase Auth before storage; we never see or store your plaintext password. Row-level security policies in our database prevent users from reading each other's data.

If we make a material change to this policy, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in-app or by email.

NPJ Properties Limited (operator of Medita)
Email: samstickkz@gmail.com