Free for nurses · always
For program coordinators Sign in
N·R·P
Nurse Residency Directory
Verified programs worldwide
Sign in Find a program
Legal · Privacy

Privacy Policy

How we collect, use, and protect data on the Nurse Residency Directory — operated by Global Cyber Institute, a New York State non-profit.

Effective: May 2, 2026  ·  Last updated: May 12, 2026
Operated by
Global Cyber Institute, Inc.

A 501(c)(3) non-profit organization based in New York State. The Nurse Residency Directory is operated as a public-interest project of Global Cyber Institute. The directory is free for nurses and funded by optional listing tiers from participating residency programs.

Contents
  1. Plain-language summary
  2. Who we are
  3. What data we collect
  4. How we use it
  5. When we share it
  6. Cookies, pixels & trackers — explicit list
  7. Your rights
  8. Data retention
  9. Security
  10. Children's privacy
  11. Changes to this policy
  12. Contact us

1. Plain-language summary

The directory is free for nurses. You can browse all 1,213 programs without an account and without any cookie on your device. We do not run advertising pixels, session replay, or behavioral tracking. We do use Google Analytics 4 in a cookieless configuration to count aggregate visits — no cookies are stored, your IP is anonymized before logging, and ad personalization signals and Google Signals are disabled. If you create an account (to claim a listing or submit a correction), we store the minimum needed to make that work, on a private database we operate. We never sell, rent, share for advertising, or "monetize" personal data. Period.

2. Who we are

The Nurse Residency Directory ("we", "us", "the directory") is operated by Global Cyber Institute, Inc., a 501(c)(3) non-profit organization registered in New York State. Global Cyber Institute is the data controller for personal information collected through this site.

3. What data we collect

3.1 If you browse without an account

Nothing personally identifying. Browsing does not require an account. We do not load advertising pixels or session-replay code. We do load Google Analytics 4 in a strict cookieless configuration (client_storage: 'none', anonymize_ip: true, allow_ad_personalization_signals: false, allow_google_signals: false) to measure aggregate page views, country, and device class. Google receives a per-request beacon with an anonymized IP, page URL, and standard request metadata; no cookies are stored on your device, no cross-site identifiers are sent, and the visit cannot be tied to advertising profiles. Your IP address may also briefly appear in our hosting provider's edge logs (Vercel) for delivery and abuse-prevention purposes; we do not store, query, or join those logs to anything else.

3.2 If you sign in (claim flow or admin)

To verify you, our authentication provider (Supabase Auth) stores:

  • Your email address (required for the magic-link sign-in)
  • A session token after you click the magic link (held in a single first-party cookie, scoped to this site)
  • Sign-in timestamps

3.3 If you submit a correction

  • The correction itself (which field, suggested value, source URL or note)
  • Optionally, your email and role — only if you choose to provide them, only used if a reviewer needs to follow up
  • Anti-abuse metadata (a hashed IP fingerprint and your browser's user-agent string), retained 90 days then purged

3.4 If you are a program coordinator who claims a listing

  • Your name, role, and work email (used to verify your authority to manage the listing)
  • The text of your claim and any supporting notes
  • Subsequent edits you make to your listing (recorded in an audit log so we can revert if a claim is later disputed)

3.5 If your program subscribes to a paid tier

Payment information is collected and stored by Stripe, our payment processor. We never see or store your card details. Stripe shares back to us only what we need to associate the subscription with your program (a customer ID, plan, status, current period end). See Stripe's privacy policy.

4. How we use it

We use collected data only to:

  • Operate the directory (display listings, accept corrections, run paid subscriptions)
  • Authenticate sign-ins via magic link (Supabase Auth)
  • Verify ownership when a coordinator claims a listing
  • Reach out about a correction or claim if needed (only with your provided email)
  • Bill subscribers (via Stripe) and remit applicable taxes

We do not use any data for behavioral advertising, profiling, or training third-party AI models.

5. When we share it

We do not sell, rent, trade, or share personal data for advertising. We share data only with:

  • Sub-processors required to run the site:
    • Vercel, Inc. — hosting and content delivery (United States). Privacy.
    • Supabase, Inc. — database, authentication, edge functions (United States, AWS us-east-1). Privacy.
    • Stripe, Inc. — payment processing for paid subscribers only (United States). Privacy.
    • Google LLC — (1) Google Fonts CDN serves typefaces; Google may briefly receive your IP for font delivery. (2) Google Analytics 4 in a cookieless configuration (see §3.1) — Google receives an anonymized per-request beacon used to count aggregate visits. We do not use Google Ads, conversion tags, Google Signals, or any Google service for behavioral profiling. Privacy.
    • jsDelivr — open-source CDN for the Supabase JavaScript client and Stripe.js (loaded only on pages with sign-in, corrections, or checkout). Privacy.
  • Law enforcement when legally required, with notice to the affected user where lawful.
  • Successor entity if Global Cyber Institute's assets are transferred to another non-profit; in such a case, this policy continues to apply.

6. Cookies, pixels & trackers — explicit list

We list every tracking technology used on this site, in plain language, so you can audit us against your network log:

  • Cookieless Google Analytics 4 beacon (every page). Configured with client_storage: 'none', anonymize_ip: true, and ad signals disabled. Does not write any cookie to your device. Google receives an anonymized IP, page URL, and device class per page view. Cannot be joined to advertising profiles. Measurement ID: G-PH5VNTSZB6.
  • One first-party authentication cookie, set by Supabase Auth only after you sign in. Used to keep you signed in. Cleared when you sign out or after the session expires (1 hour). Not present on browse-only pages.
  • One first-party Stripe checkout cookie, set only during the brief moments you are on the Stripe-hosted checkout flow (not on this site itself).

We do not use:

  • Meta (Facebook) Pixel
  • Google Ads conversion tags, Google Signals, or any standard (cookie-based) Google Analytics configuration
  • TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Twitter/X Pixel
  • Hotjar, FullStory, Mouseflow, Microsoft Clarity, or any session-replay tool
  • Any cross-site behavioral advertising network
  • Any "data broker" sharing arrangement
  • Any healthcare-related third-party tracker (the directory is a public information resource, not a covered entity, but we hold ourselves to the same anti-tracking posture that healthcare-pixel litigation has identified as the safe baseline)

Because the only browse-time technology we load is the cookieless GA4 beacon (which sets no cookies and sends no personally identifying data to Google), a cookie-consent banner is not required and would be misleading. We do not display one.

7. Your rights

Regardless of where you live, you can:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data in a portable format (JSON)
  • Opt out of all marketing emails (we send minimal transactional emails only)

If you are in the European Economic Area, the United Kingdom, California, or another jurisdiction with specific privacy rights (GDPR, UK GDPR, CCPA/CPRA), those rights apply in full. Email privacy@globalcyberinstitute.org to exercise any of them.

8. Data retention

We retain personal data only for as long as it is needed to operate the service. When you delete your account, your personal data is removed from production systems within 30 days and from backups within 90 days. Aggregated, non-identifying analytics may be retained indefinitely.

9. Security

Data is encrypted in transit (TLS 1.3) and at rest. Authentication uses magic-link sign-in (no passwords stored on the site). Ownership verification follows the same standards as Google Search Console.

10. Children's privacy

The directory is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. Nurse residency programs require licensure (which presumes adulthood), so this should never be an issue in practice.

11. Changes to this policy

We will update this policy if our practices change. Material changes will be announced via email to active account holders at least 14 days before they take effect. Non-material changes (clarifications, formatting, fixes) may be made without notice.

12. Contact us

Global Cyber Institute, Inc. is the data controller. You can reach us at:

Privacy inquiries privacy@globalcyberinstitute.org
General questions hello@globalcyberinstitute.org
Listing claims claims@nrpdirectory.org
Data subject requests dsr@globalcyberinstitute.org
Mailing address Global Cyber Institute, Inc.
New York, NY · USA
Organization status 501(c)(3) Non-Profit
New York State

This policy is provided for transparency and is not a substitute for legal advice. Global Cyber Institute reviews and updates this policy annually as part of its non-profit governance practices. A summary of all sub-processors and our anti-tracking posture is also published as a static page at /trust.