privacy policy
Bunium Privacy Policy
Version 2026.06.19 · Effective June 19, 2026
1. Introduction
Bunium ("Bunium", "we", "us") is an interactive educational simulator for clinical reasoning. Bunium operates bunium.com and app.bunium.com.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the choices you have. It is written to be readable; the structure is informed by the EU General Data Protection Regulation (GDPR), but it applies to all users worldwide.
For the purpose of data-protection law, Bunium is the data controller of the personal data described in this policy. The payment-related processing described below is carried out on behalf of PENLIGHT AI INC, the legal entity through which Bunium accepts payments.
You can contact us about privacy matters at bunium.med@gmail.com. Where required by law, we will appoint and disclose a Data Protection Officer or EU/UK representative; until then, all privacy inquiries should be sent to that address.
2. Personal Data We Collect
When you create an account we collect: your first name, your last name, your email address, your country (ISO country code), an optional profile image URL, a securely hashed version of your password, and a confirmation that you are at least 18 years old. We never store your password in plain text. We also store account metadata such as creation and update timestamps and whether your email has been verified.
After signup we invite you to complete a short optional profile so we can tailor the simulator. The profile fields we may collect are: your role (e.g. medical student, resident, practising physician, nurse, other healthcare student, other); your current year of study (1–6, for students); your primary exam or learning goal (e.g. USMLE Step 1 / Step 2 CK / Step 3, PLAB, MCI/NEXT, local board exam, residency match, just learning); and your specialty interest (a pre-defined list, with a free-text option labelled "Other"). All profile fields are optional and can be skipped or edited later from your account.
When you sign in, we create a session record containing a session token, an expiry, the IP address and user-agent string of the device you used, and the associated user identifier. Session cookies are issued so you stay signed in across pages.
We store your in-app preferences (such as theme, language, and notification settings) so they persist across sessions.
When you use the simulator, we store one row per simulation attempt with: the topic, mission, algorithm, node, and template you ran; the seed used to generate that case; the patient name and portrait identifier the case used; the status of the attempt (in progress, completed, or abandoned); timestamps; your final score, maximum score, pass/fail flag, and the correct diagnosis; an append-only event log of the actions you took; and a per-item score breakdown when the case is finished.
We also cache your per-mission progress: which nodes you have mastered, which diagnoses you have unlocked, and how many cases you have completed.
When you use the AI chat features (patient or attending conversations), we record per-request token usage: how many input and output tokens were consumed, how many credits that translated into, and which model was used. We use this to apply per-user credit caps and to forecast costs.
We store per-user feature-flag overrides so we can gradually roll out new features and run experiments.
Payments are processed by Stripe on behalf of PENLIGHT AI INC. We do not see or store your full card number. We store identifiers issued by Stripe (such as a customer ID and a subscription ID) so we can link your Bunium account to your subscription status, and we store billing-related metadata necessary for accounting and tax compliance.
We use product analytics (PostHog) to understand how the Service is used at an aggregated level — for example, which features are popular and where users get stuck. We use the Meta Pixel (in the browser) and Meta's Conversions API (server-side, sent from our backend) to measure the effectiveness of advertising campaigns. Where you have given advertising consent, this includes server-side events — for example, sign-up, trial start, subscription start, and renewal — sent to Meta with a hashed (SHA-256) copy of your email address and a hashed internal identifier so Meta can match those events to your ad exposure. The transaction value, currency, and a predicted long-term value estimate are sent on paid-subscription events so Meta's ad-optimization can find users likely to subscribe at higher tiers. We do not send your raw email, name, or password to Meta. We also use the Google Ads tag (gtag.js, in the browser) to measure the effectiveness of our Google advertising and, where you have given advertising consent, to count conversions such as joining the waitlist or starting a trial; we apply Google Consent Mode so the tag only sets cookies and reports conversions after you consent. These services may also collect device, browser, approximate-location, and event data subject to your consent where required.
On the simulator (app.bunium.com) we disable PostHog session recording entirely so the in-app clinical content you interact with is never replayed. On the marketing website (bunium.com) PostHog session recording may be enabled for usability research.
When you have consented to advertising cookies, we may share a limited set of fields with Meta (Facebook/Instagram) so they can attribute conversions to the ads you saw and improve the audience targeting of future campaigns. The fields we forward are: your email address, your first name, your last name, your country, and a stable internal user identifier ("external ID"). These values are SHA-256 hashed in your browser before they are sent — Meta never receives the raw values. The same hashed fields, plus the transaction value and currency for paid-subscription events, are also sent server-side via Meta's Conversions API from our backend (for example, when Stripe confirms a trial start or a paid invoice). We do not forward your password, your simulation history, your scores, or any clinical content from inside the simulator. You can withdraw advertising consent at any time via the "Cookie settings" link in the footer, after which we stop sharing this data and clear the related Meta cookies (`_fbp` and `_fbc`).
When you have consented to advertising cookies, we use the Google Ads tag to attribute conversions to our Google advertising and to build remarketing audiences. The tag may set Google advertising cookies (for example, `_gcl_au`) and report conversion events such as joining the waitlist. We use Google Consent Mode v2: the tag is not loaded and no Google cookies are set until you give advertising consent, and the four consent signals (ad storage, ad user data, ad personalization, analytics storage) default to "denied". We do not send your email, name, password, simulation history, scores, or any clinical content to Google. You can withdraw advertising consent at any time via the "Cookie settings" link in the footer, after which we stop using the tag and clear the related Google cookies.
When you write to us — including support requests, refund requests, and survey responses — we keep that correspondence so we can respond and improve.
3. Lawful Basis for Processing (GDPR)
We process your account, simulation, AI-usage, and payment data because it is necessary to perform the contract between you and us — that is, to provide the Service you signed up for (GDPR Article 6(1)(b)).
We process limited security and product-analytics data on the basis of our legitimate interests in keeping the Service secure, debugging issues, preventing fraud, understanding how the Service is used, and improving it (GDPR Article 6(1)(f)). We balance these interests against your rights and freedoms.
Where required by law (for example, for non-essential cookies, marketing emails, or ad measurement), we rely on your consent (GDPR Article 6(1)(a)). You can withdraw consent at any time without affecting processing done before withdrawal.
We retain certain records (for example, payment records) because we are legally required to (GDPR Article 6(1)(c)) — typically tax, accounting, and consumer-protection law.
4. Why We Use Your Data
To create and maintain your account, sign you in, save your progress, run simulations, deliver AI-assisted features, and otherwise provide the Service.
To process payments, manage subscriptions, issue refunds, and meet our tax and accounting obligations.
To respond to your questions, support requests, and refund requests, and to keep records of those interactions.
To understand how the Service is used at an aggregated level, identify bugs and friction, run A/B tests, and improve future versions of the Service.
To detect, prevent, and investigate abuse, fraud, and security incidents, and to enforce our Terms.
Where you have consented, to send marketing emails about Bunium and to measure the effectiveness of advertising. You can opt out of marketing emails at any time via the unsubscribe link in any such email.
6. How Long We Keep Your Data
Account data is kept while your account is active. If you delete your account, we delete or anonymize identifying account data within thirty (30) days, except where we are required to keep specific records by law.
Simulation history, event logs, and mission progress are kept while your account is active, so you can review your progress. They are deleted (or anonymized for aggregated analytics) within thirty (30) days of account deletion.
AI usage records (token counts, credits, model) are kept for up to twenty-four (24) months from creation for cost forecasting and abuse prevention, after which they are anonymized.
Payment records (subscription identifiers, invoices, refund records) are retained for the period required by applicable tax and accounting law — typically seven (7) to ten (10) years, depending on jurisdiction.
Security and server logs (including IP addresses tied to sessions) are kept for up to ninety (90) days, then deleted or anonymized, unless they form part of an active security investigation.
Support correspondence is kept for up to twenty-four (24) months from the last interaction, then deleted unless we have a legitimate reason to keep it longer.
7. Your Rights
Depending on where you live, you have rights over the personal data we hold about you. We extend the rights below to all users globally, regardless of whether the law in your country requires us to.
Right of access: you can ask us for a copy of the personal data we hold about you.
Right to rectification: you can ask us to correct personal data that is inaccurate or incomplete. Most account fields can be edited directly from your account settings.
Right to erasure ("right to be forgotten"): you can ask us to delete your account and the personal data associated with it, subject to data we must retain by law.
Right to data portability: you can ask for a copy of the personal data you provided to us in a structured, commonly used, machine-readable format.
Right to restriction of processing: in certain situations you can ask us to limit how we use your data.
Right to object: you can object to processing based on our legitimate interests (including direct marketing and ad measurement) on grounds relating to your particular situation.
Right to withdraw consent: where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email bunium.med@gmail.com from the address associated with your account. We will respond within one (1) month, in line with GDPR timelines, and may extend the deadline by up to two (2) further months for complex requests, in which case we will tell you why.
Right to lodge a complaint: if you are in the European Economic Area, the United Kingdom, or another jurisdiction with a data-protection authority, you have the right to complain to that authority about how we handle your data. We would appreciate the chance to address your concern first.
8. Cross-Border Data Transfers
Bunium is operated using cloud infrastructure (AWS, Cloudflare) that processes data in multiple regions, including outside the European Economic Area and the United Kingdom. If you access the Service from one of these regions, your data may be transferred to, stored in, and processed in countries with different data-protection laws.
Where required by law, we rely on Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable) to protect data transferred out of the EEA/UK, and we work with sub-processors that publish equivalent safeguards.
10. How We Protect Your Data
We apply security measures appropriate to the sensitivity of the data we hold, including encryption in transit (HTTPS/TLS) and encryption at rest for our databases, secure password hashing, scoped access controls for our team, rate limiting and anomaly detection on authentication, and routine review of our infrastructure providers' security posture.
No method of transmission or storage is perfectly secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours where required, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
11. Children
The Service is intended for adults (18 and over) and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, please contact bunium.med@gmail.com and we will delete it.
12. Automated Decisions and AI Output
We do not make decisions that produce legal effects on you, or similarly significantly affect you, solely on the basis of automated processing. The simulator scores your attempts using deterministic rules; AI-generated feedback inside the Service is educational and not a basis for any decision about your real-world rights, employment, or access to services.
13. Changes to This Policy
Each version of this Privacy Policy carries a version string and an effective date. The current values are at the top of this document.
When we make material changes, we will update the version and effective date and will notify you through the Service — for example, with an in-app notice or a re-acknowledgement checkbox at sign-in. Continued use of the Service after the effective date constitutes acceptance.
Last updated June 19, 2026.