Privacy Policy

SRIT — "Surgical Residency in the Tropics" — is operated by Craftudy Ltd, a Nigerian-registered company. We provide an online learning platform for surgical residents, accessible via the web at app.srit.app and via dedicated mobile applications for iOS and Android.

This Privacy Policy explains what information we collect about you, how we use it, who we share it with, and the rights you have over your information. It applies to all use of SRIT, including registration, browsing content, payments, and customer support interactions.

For privacy questions or to exercise any of the rights described below, email us at support@srit.app.

We collect the following categories of information:

Information you provide to us

• Account information: first name, last name, email address, and password (stored as a salted hash; we never see or store plaintext passwords).
• Profile information: any optional details you add, such as your profile photo or surgical specialty.
• User content: chat messages you send, answers you submit in Question Bank sessions, and other content you create in the product.
• Payment information: we do not collect or store card details. Payments are processed directly by our payment provider (Paystack), which gives us a customer reference and transaction reference we store against your subscription record.
• Support communications: when you contact us at support@srit.app we retain the email thread for the duration of the support relationship and reasonable record-keeping.

Information we collect automatically

• Session and authentication data: session identifiers, access and refresh tokens stored in HTTP-only cookies (web) or secure storage (mobile).
• Device and connection metadata: IP address, user-agent string, device model, OS version, app version, locale and timezone, captured at request time for security and abuse-prevention purposes.
• Usage analytics: page views and feature interactions necessary to operate the service (e.g. which content item was opened to award progress). We do not currently use third-party analytics products like Google Analytics or Mixpanel.
• Error diagnostics: when the application throws an unhandled error, we send a structured event to our error-monitoring service (Sentry) including the error stack, the request URL, your user ID, the browser/device context, and — on the web — a short Session Replay of the seconds preceding the error. We use this exclusively to fix bugs.

We use the information described above to:

• Provide the service: authenticate you, deliver content based on your subscription tier, schedule Question Bank reviews, and synchronise progress across devices.
• Process payments: forward the necessary transaction details to Paystack and reflect the outcome (active subscription, billing cycle, renewal date) in your SRIT account.
• Send transactional emails: account verification, password reset, payment confirmations, subscription changes, and operational service updates.
• Maintain security: detect and respond to suspicious activity, prevent abuse, and keep your account safe.
• Diagnose and fix problems: investigate errors reported through our monitoring tooling.
• Communicate with you about your account when you contact our support channel.
• Comply with legal obligations, including tax record-keeping under applicable Nigerian law.

We do not sell or rent your personal information to third parties. We do not currently send marketing or promotional emails. If we add a marketing newsletter in the future, it will be strictly opt-in.

Where applicable, we rely on the following legal bases under the Nigeria Data Protection Regulation and equivalent regimes:

• Contract: to provide the service you have signed up for.
• Legitimate interests: to operate, secure, and improve SRIT.
• Legal obligation: to meet tax, accounting, and regulatory requirements.
• Consent: for any future processing that requires it (e.g. marketing communications), in which case you may withdraw consent at any time.

We work with the following service providers to operate SRIT. Each operates under its own privacy policy and we share with them only the data they need to perform their function.

• Paystack — payment processing. Receives your name, email, and the amount being charged when you initiate a checkout. Stores your card information directly. Operates from Nigeria.
• Resend — transactional email delivery. Receives the recipient address, sender address, subject, and message body of every email we send. Operates from the United States.
• Amazon Web Services (AWS S3) — content media storage. Stores course images, audio, and downloadable assets. Operates from the eu-west-1 region (Ireland) for SRIT.
• Railway — backend application and database hosting. Operates the Postgres database that holds your account record, your Subscription, and your content progress. Operates from the United States.
• Vercel — web application hosting and CDN. Serves app.srit.app and routes API calls through to Railway. Operates globally with edge points of presence.
• Cloudflare — DNS, edge security, and inbound email routing for our support@srit.app address. Operates globally.
• Sentry — error monitoring. Receives error events with the request context described in §2. Operates from the EU (Frankfurt) for SRIT.
• Apple and Google — distribute the iOS and Android applications when you install them from the App Store or Play Store. We do not share your SRIT account contents with Apple or Google; their data collection follows their own platform policies.

SRIT is operated from Nigeria but our service providers (above) are based in the United States, the European Union, and globally. When your information is transferred to a jurisdiction with different data protection rules than yours, we rely on contractual safeguards with those providers (including Standard Contractual Clauses where relevant) to maintain a comparable level of protection.

• Account and content data: retained for as long as your account is active. If you delete your account, we delete or anonymise your data within 30 days, except where retention is required by law (see below).
• Payment records: retained for the period required by Nigerian tax law (typically up to 7 years).
• Request/access logs: retained for up to 90 days for security and abuse-prevention.
• Error events in Sentry: retained per our Sentry plan's default (typically 30–90 days).
• Support emails: retained for the duration of the support relationship and a reasonable period afterward.

Under the NDPR and similar laws you have the right to:

• Access the personal information we hold about you.
• Correct any inaccurate or incomplete information.
• Delete your account and the personal information associated with it (subject to legal retention obligations).
• Object to or restrict certain processing.
• Request a portable copy of the information you have provided.
• Withdraw consent where we are processing based on consent.
• Lodge a complaint with the Nigeria Data Protection Commission (NDPC) or your local data protection authority.

To exercise any of these rights, email support@srit.app. We aim to respond within a reasonable period and at the latest within 30 days. We may need to verify your identity before acting on a request.

SRIT uses a small set of cookies that are strictly necessary to operate the service:

• srit_access_token — short-lived (15 minutes) HTTP-only cookie used to authenticate your session.
• srit_refresh_token — longer-lived (7 days) HTTP-only cookie used to refresh your access token.

We do not use marketing cookies, tracking pixels, or third-party analytics cookies. Disabling the cookies above will prevent you from being able to log in.

SRIT is intended for adult medical professionals and trainees. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us with personal information, contact us and we will delete it.

We use industry-standard security measures including TLS/HTTPS in transit, encrypted password hashing, segregated production credentials, rate-limited authentication endpoints, structured audit logging, and continuous error monitoring. No system can be made perfectly secure; we cannot guarantee absolute security but we work to minimise risk and respond promptly to any incident.

If we ever experience a personal data breach that is likely to result in a risk to your rights, we will notify you and the relevant authorities in line with our legal obligations.

We may update this Privacy Policy from time to time. The Last updated date at the top of this page reflects the most recent change. For material changes we will notify you through the service or by email before the change takes effect.

For any privacy-related question, request, or complaint, contact us at support@srit.app.

Data controller: Craftudy Ltd, operating SRIT.
Jurisdiction: Federal Republic of Nigeria.