Skip to content

Privacy Policy

Last updated: March 10, 2026

The short version

We collect only what we need to run Lily. We don't sell your data. Your uploads are yours. You can delete your account anytime from your settings.

Your Data, Your Choice

Lily is built with a privacy-first approach. You can request access, correction, or deletion of your personal data by contacting us at privacy@studywithlily.com. In-app account deletion removes your profile, study sessions, and performance data. Some records (such as payment history and security logs) may be retained as required by law or for fraud prevention. To request complete deletion of all data including authentication records, contact privacy@studywithlily.com. We will process complete deletion requests within 30 days.

Data We Collect

We collect the following categories of information to operate Lily and provide you with a personalized study experience:

  • Account information: email address, phone number (if used for authentication), full name, and Google account email (if Google sign-in is used).
  • Educational profile: nursing program type, semester, courses, clinical rotation, NCLEX® timing, study goals, self-reported strengths and weaknesses.
  • Study activity: session history, question responses, performance scores, difficulty progression, streak data.
  • Uploaded content: study materials you upload or import from Google Drive (file names, metadata, and text content).
  • Payment information: subscription status, plan type, and transaction identifiers. Credit card details are handled directly by our payment processor and never stored by Lily.
  • Technical data: IP addresses, device information, browser type, security logs, rate-limit metadata.

How We Use Data

We use your data to provide core functionality, personalize question difficulty, improve product quality, and protect the platform from abuse.

Third-Party Service Providers

We do not sell personal data. We share data only with the following service providers, subject to contractual and security controls:

  • Supabase: database hosting and user authentication (account data, study records).
  • Anthropic (Claude): AI question generation (study material excerpts and educational profile context; we apply PII masking to remove emails, phone numbers, and sensitive identifiers before transmission).
  • Voyage AI: semantic text embeddings (document text excerpts for search functionality).
  • Vercel: hosting, analytics, and performance monitoring (page views, web vitals, server-side traces).
  • LemonSqueezy: payment processing (subscription management, billing).
  • Resend: email delivery (email address for transactional and optional marketing communications).
  • Google: OAuth sign-in and Google Drive integration (with your explicit authorization; we request read-only Drive access and store encrypted OAuth tokens).

Each third-party provider listed above operates under a written contract that restricts how they may use, retain, and combine your data. Under the California Consumer Privacy Act (CCPA/CPRA), these providers qualify as service providers, meaning they process data only on our behalf and for the purposes described above.

AI Processing

Study materials you upload and educational profile information are processed by AI services (Anthropic Claude) to generate personalized practice questions. We apply automated PII masking to strip emails, phone numbers, SSNs, and credit card numbers from your content before sending to AI services.

Document text is also processed by Voyage AI to create semantic embeddings for content retrieval. AI service providers process data according to their respective privacy policies and do not use your data to train their models under our API agreements.

Google Drive Integration

If you connect Google Drive, we request read-only access to browse and import study materials. We store encrypted OAuth tokens to maintain your connection. File metadata (name, type, modification date) and text content are stored for study material processing.

An automated sync checks for updates to your connected folders periodically. You can disconnect Google Drive at any time, which revokes our access.

Cookies and Tracking

  • Authentication cookies: required for login sessions (Supabase auth).
  • Preference cookies: email consent preference, beta access status.
  • Referral cookies: track referral codes for our referral program.
  • Analytics: Vercel Analytics collects anonymous page view and performance data; Vercel SpeedInsights measures web performance metrics. These are only loaded with your consent.

We do not use third-party advertising cookies. On your first visit, a cookie consent banner lets you choose which optional cookies to accept. You can change your preferences at any time from account settings.

Email Communications

  • Transactional emails: account confirmations, password resets, subscription changes (cannot be opted out).
  • Weekly study digests: summary of your study progress (unsubscribe link in each email).
  • Marketing emails: study tips and product updates (only sent with your explicit consent; opt out anytime).

Emails are delivered via Resend.

Referral and Affiliate Programs

If you participate in our referral program, we track referral codes and conversion status. Affiliate program data may link external affiliate identifiers to Lily accounts.

Data Retention

We retain personal data for as long as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods:

  • Study data: retained while your account is active and deleted upon account deletion.
  • Audit logs: retained for 180 days, then automatically deleted.
  • Security and rate-limit data: retained for 24 hours, then automatically cleaned up.
  • AI generation context logs: retained for 90 days, then automatically deleted.
  • Email unsubscribe tokens: retained for 90 days after generation.
  • Payment records: retained per LemonSqueezy's data retention policy as our payment processor.
  • Analytics cookies: subject to your consent preferences, managed by Vercel Analytics.

You can export all your data or delete your account at any time from your account settings.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to access your personal data.
  • Right to correct inaccurate data.
  • Right to delete your account and data.
  • Right to data portability.
  • Right to opt out of marketing emails.

California residents: Under the CCPA/CPRA, you have additional rights including the right to know what personal information is collected and the right to opt out of the sale of personal information. We do not sell your personal information.

To exercise any right, email privacy@studywithlily.com.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.

Security

Lily uses transport encryption, authentication controls, rate limiting, and access policies to protect user data.

Children

Lily is intended for users who are at least 18 years old and is not directed to children under 13.

Educational Records (FERPA)

Lily is a direct-to-consumer study tool and does not operate as a school official or institutional service provider under the Family Educational Rights and Privacy Act (FERPA). We do not receive education records from schools or universities. If your institution directs you to use Lily, please be aware that your usage data is governed by this Privacy Policy, not by FERPA.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date on this page.

Contact

Study with Lily LLC
2942 N 24th St Ste 115, PMB 698078, Phoenix, AZ 85016

For privacy requests, contact: privacy@studywithlily.com