WYZZIE

1.1 Scope.

This Privacy Policy applies to all information collected by WYZZIE LLC, a Florida limited liability company ("Company"), through the WYZZIE platform, including any associated websites, mobile applications, and any other software or services offered by the Company (collectively, the "Platform"). This Privacy Policy is incorporated into and subject to the Company's Terms of Service ("Terms"). Capitalized terms used but not defined in this Privacy Policy have the meanings ascribed to them in the Terms.

1.2 Acceptance.

By creating an Account, accessing, or using the Platform, the User consents to the collection, use, storage, disclosure, and processing of information as described in this Privacy Policy. The User's use of the Platform constitutes the User's agreement to the practices described herein.

1.3 Changes to This Privacy Policy.

The Company reserves the right to modify this Privacy Policy at any time. The Company will indicate the date of the most recent revision by updating the "Last Updated" date at the top of this Privacy Policy. For material changes, the Company may provide notice through the Platform, via email, or by requiring acknowledgment of the updated Privacy Policy upon the User's next login. The User's continued use of the Platform after any changes constitutes the User's acceptance of the revised Privacy Policy. The User is encouraged to review this Privacy Policy periodically.

1.4 Contact Information.

For questions, concerns, or requests regarding this Privacy Policy or the Company's data practices, the User may contact the Company at:

WYZZIE LLC
Email: [email protected]
Website: wyzzie.com

(a) Account Registration Information.

When the User creates an Account, the Company collects information necessary to establish and maintain the Account, including:

• Email address
• Password (stored in hashed form; the Company does not store plaintext passwords)
• Display name
• Role selection (Resident, Fellow, Attending, Program Director, or Dental Student)

If the User registers using Google Sign-In, the Company receives the User's name, email address, and Google account identifier from Google. The Company does not receive or store the User's Google password. If the User registers using Apple Sign-In, the Company receives an Apple-issued user identifier and, only on first sign-in and only if the User chooses to share them, the User's name and an email address. If the User selects Apple's "Hide My Email" option, the Company receives a private email-relay address rather than the User's actual email address. The Company does not receive or store the User's Apple ID password.

(b) Professional Credential Information.

To verify the User's eligibility and professional status, the Company may collect:

• National Provider Identifier (NPI) number
• Full name as registered with the National Plan and Provider Enumeration System (NPPES)
• Program name and institutional affiliation
• Post-Graduate Year (PGY) level
• Professional role and specialty designation
• Information submitted through the NPI-skip application pathway, if applicable, including any documentation provided to support the User's request for manual review

National Provider Identifier (NPI) information is collected only for Users registering as Residents, Fellows, Attendings, Program Directors, or Retired practitioners. The NPI number itself is used solely to query the National Plan and Provider Enumeration System (NPPES) at the time of registration to verify the User's professional credentials. The NPI number is not retained by the Company after verification. The Company stores only confirmation that NPI verification was successful, the User's first and last name as returned by NPPES, and the User's reported city and state. Users registering under the Dental Student account type bypass NPI collection entirely; credential verification for Dental Student accounts relies on the alternative application pathway requiring manual administrative review.

(c) Profile Information.

The User may provide additional profile information, including:

• Display name (which may differ from the User's legal name)
• Avatar selection from the Platform's avatar gallery
• Program affiliation
• PGY level
• Notification preferences
• Theme and display preferences

(d) Case Log Data.

The User may enter case log data through the Platform's case logging features, including:

• Case date
• Case type (operative or anesthesia)
• Current Procedural Terminology (CPT) codes
• International Classification of Diseases (ICD) codes (diagnosis codes)
• Anatomical location
• Case category
• Procedure details
• Case notes

(e) Educational Activity Data.

The Company collects data related to the User's participation in educational features, including:

• Question of the Day (QOTD) answers and response history
• QOTD performance metrics (accuracy, streaks)

(f) Feedback and Communications.

The Company may collect information the User provides when:

• Contacting the Company at [email protected]
• Submitting feedback, suggestions, or bug reports
• Submitting an NPI-skip application or other administrative request

(a) Usage Data (PostHog Analytics).

The Company uses PostHog, a third-party product analytics platform, to collect detailed usage data, including:

• Screen views and navigation patterns
• Feature usage and interaction events (e.g., buttons tapped, features accessed)
• Session duration and frequency
• Time spent on specific screens or features
• User engagement patterns
• A/B test group assignments (feature flag evaluations)

For more details on PostHog data collection, see Section 6 (PostHog Analytics Disclosure).

(b) Device and Technical Information.

The Company may collect information about the User's device and technical environment, including:

• Device type, model, and manufacturer
• Operating system type and version
• Application version
• Screen resolution and display metrics
• Device language and locale settings
• Unique device identifiers
• Internet Protocol (IP) address
• Mobile network information

(c) Crash and Performance Data (Firebase Crashlytics).

The Company uses Firebase Crashlytics, a crash reporting service provided by Google, to collect crash reports and performance data, including:

• Crash logs and stack traces
• Device state at the time of a crash (memory usage, battery level, device orientation)
• Operating system version
• Application version
• Device model
• Crashlytics installation UUID (a unique identifier for the Crashlytics installation, not linked to the User's personal identity)

Crashlytics data is used solely for the purpose of identifying, diagnosing, and resolving technical issues and improving Platform stability. Crashlytics data is not used for advertising, marketing, or user profiling purposes.

(d) Push Notification Tokens.

To deliver push notifications, the Platform collects device tokens issued by:

• Apple Push Notification Service (APNs) for iOS devices
• Firebase Cloud Messaging (FCM) for Android and other supported platforms

Push notification tokens are unique identifiers assigned to the User's device by the respective notification service and are used solely for the purpose of delivering notifications to the User's device.

(a) Google Sign-In.

If the User authenticates using Google Sign-In, the Company receives certain information from Google, including the User's name, email address, and Google account identifier. The information received is governed by Google's privacy policy and the User's Google account privacy settings.

(b) National Plan and Provider Enumeration System (NPPES).

When the User provides an NPI number, the Company may query the NPPES registry to verify the User's professional credentials, including the User's name, practice address, and enumeration details. This information is publicly available through the NPPES.

(c) Google Sheets API.

If the User enables the optional Google Sheets backup feature, the Company receives a limited OAuth access token authorizing the Platform to write case log data to a specified Google Sheets spreadsheet in the User's Google Drive. The Company does not access, read, or retrieve data from the User's Google Drive beyond writing the authorized backup entries. See Section 8 (Google Sheets Backup) for additional details.

(d) Apple Sign-In.

If the User authenticates using Apple Sign-In, the Company receives an Apple-issued user identifier and, only on first sign-in and only if the User chooses to share them, the User's name and email address. The email address may be either the User's actual email or an Apple-managed private relay address, at the User's choice. The information received is governed by Apple's privacy policy and the User's Apple ID privacy settings.

3.1 Provide and Operate the Platform.

To create and maintain User Accounts, authenticate Users, deliver Platform features and functionality, process case log entries, calculate and display analytics, operate gamification features (XP, levels, streaks, achievements), generate and display leaderboard rankings, track CODA graduation requirements, deliver Question of the Day content, and otherwise provide the services described in the Terms.

3.2 Verify User Credentials.

To verify the User's professional credentials through NPI lookup and other verification methods, process NPI-skip applications, and maintain the integrity of the Platform's professional community.

3.3 Program Director and Chair Analytics.

To generate aggregated, de-identified Program Data for Program Directors and Chair Account holders for program administration, departmental oversight, and educational oversight purposes, as described in Section 3.5 of the Terms.

3.4 Deliver Notifications.

To send push notifications regarding streak reminders, achievement unlocks, Question of the Day availability, weekly digests, service announcements, security alerts, and other Platform-related communications.

3.5 Analytics and Platform Improvement.

To understand how Users interact with the Platform, identify popular features and usage patterns, diagnose technical issues, optimize performance, develop new features, conduct A/B testing through feature flags, and otherwise improve the Platform.

3.6 Crash Monitoring and Stability.

To identify, diagnose, and resolve crashes, bugs, and other technical issues affecting Platform stability and performance.

3.7 Security and Fraud Prevention.

To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, protect the security and integrity of the Platform, and enforce the Terms.

3.8 Customer Support.

To respond to User inquiries, feedback, and support requests.

3.9 Legal Compliance.

To comply with applicable legal obligations, respond to legal process, and establish, exercise, or defend legal claims.

3.10 Aggregated and De-Identified Data.

To create aggregated, de-identified, or anonymized data that cannot reasonably be used to identify any individual User, and to use such data for any lawful purpose, including but not limited to research, analytics, benchmarking, and Platform improvement. Aggregated, de-identified data is not subject to the restrictions of this Privacy Policy.

(a) Firebase / Google Cloud Platform.

The Company uses Firebase and Google Cloud Platform services for authentication (Firebase Authentication), data storage (Cloud Firestore, Cloud Storage), serverless computing (Cloud Functions), push notification delivery (Firebase Cloud Messaging), crash reporting (Firebase Crashlytics), and infrastructure monitoring (GCP Monitoring). User data stored in Firebase and Google Cloud is located in the United States (us-central1 region). Google's data processing practices are governed by Google's Cloud Data Processing Addendum and applicable privacy policies.

(b) PostHog.

The Company uses PostHog for product analytics, feature flags, and surveys. Usage data is transmitted to and stored by PostHog in the United States. PostHog's data processing practices are governed by PostHog's privacy policy and data processing agreement. See Section 6 (PostHog Analytics Disclosure) for additional details.

(c) Google Sign-In.

For Users who authenticate using Google Sign-In, authentication data is processed by Google in accordance with Google's privacy policy.

(d) Apple Push Notification Service (APNs).

Push notification tokens and notification payloads for iOS devices are processed by Apple in accordance with Apple's privacy policy.

(e) Google Sheets API.

For Users who enable the Google Sheets backup feature, the Company transmits case log data to Google Sheets through Google's API, subject to Google's terms of service and privacy policy.

(f) Apple Sign-In (Apple Inc.).

For Users who authenticate using Apple Sign-In, authentication data is processed by Apple in accordance with Apple's privacy policy. If the User selected Apple's email-relay option, Apple may also forward email-relay messages from the Company to the User's actual email address.

As described in Section 3.5 of the Terms, Users with Program Director Accounts and Users with Chair Accounts may access aggregated, de-identified Program Data relating to Residents and Fellows affiliated with their program. Program Data does not include individual User names, personal contact information, or other personally identifiable information. Program Directors and Chair Account holders are prohibited from attempting to re-identify individual Users from Program Data.

Certain User information is displayed to other Users through leaderboard and ranking features, including:

• Display name (chosen by the User; the User's legal name is not displayed unless the User elects to use it as their display name)
• Avatar (selected from the Platform's avatar gallery)
• Level and experience points (XP)
• Program affiliation
• PGY level

The User consents to the display of such information as a condition of using the Platform's leaderboard features.

The Company may disclose User information if required to do so by law or in the good faith belief that such disclosure is necessary to:

• (a) Comply with a legal obligation, subpoena, court order, or other legal process;
• (b) Protect and defend the rights, property, or safety of the Company, its Users, or the public;
• (c) Detect, prevent, or address fraud, security, or technical issues;
• (d) Enforce the Terms or other agreements; or
• (e) Respond to requests from government or regulatory authorities.

In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or substantially all of the Company's assets, or other similar corporate transaction, User information may be transferred to the acquiring entity or successor as part of such transaction. In such event, the Company will provide notice to Users and the acquiring entity will be subject to the obligations set forth in this Privacy Policy with respect to previously collected User information.

The Company may share User information with third parties when the User has provided explicit consent for such sharing.

The Company may share aggregated, de-identified data that cannot reasonably be used to identify any individual User with third parties for any lawful purpose, including but not limited to research, analytics, benchmarking, and industry analysis.

5.1 Platform Tracking.

The Platform (primarily a mobile application) uses analytics tools and software development kits (SDKs) rather than traditional browser cookies to collect usage data. The primary analytics SDK used is PostHog, which collects usage data as described in Section 2.2(a) and Section 6.

5.2 Firebase SDKs.

The Platform integrates Firebase SDKs for authentication, crash reporting, cloud messaging, and other services. These SDKs may collect device identifiers, installation identifiers, and other technical data necessary for their operation.

5.3 Web Platform.

If the User accesses the Platform through a web browser, the Platform may use cookies, local storage, or similar technologies for session management, authentication, and analytics purposes. These technologies are essential for the operation of the Platform and cannot be disabled without impairing Platform functionality.

5.4 Do Not Track.

The Platform does not currently respond to "Do Not Track" signals transmitted by web browsers. There is no industry consensus on how to respond to Do Not Track signals, and the Company will revisit this practice as standards evolve.

6.1 Overview.

The Company uses PostHog, Inc. ("PostHog") as its primary product analytics platform. This section provides detailed information about the data PostHog collects and how it is used.

6.2 Data Collected by PostHog.

PostHog collects the following categories of data through the Platform:

(a) Event Data. PostHog captures events corresponding to User interactions with the Platform, including but not limited to screen views, button taps, feature usage, navigation patterns, and other interaction events. Each event may include metadata such as a timestamp, the User's device type and operating system, application version, and a pseudonymous user identifier.

(b) Feature Flag Data. PostHog evaluates feature flags that determine which features or variations of features are presented to specific Users. Feature flag evaluations include the flag name, the variation assigned to the User, and associated metadata. Feature flags are used for controlled experiments, A/B testing of engagement features, and gradual feature rollouts.

(c) Technical and Device Data. PostHog collects device and technical information including device type, operating system, application version, screen resolution, locale, and IP address. IP addresses may be used for geolocation (at the city or region level) and are not stored in identifiable form beyond the analytics session.

6.3 Data Storage and Location.

PostHog analytics data is stored in PostHog's cloud infrastructure in the United States. Data retention periods for PostHog data are configured by the Company and are described in Section 10 (Data Retention).

6.4 Purpose of PostHog Analytics.

PostHog data is used exclusively for the following purposes:

• (a) Understanding how Users interact with the Platform and identifying popular features and usage patterns;
• (b) Identifying and diagnosing usability issues, bugs, and areas for improvement;
• (c) Measuring the effectiveness of new features and Platform changes through A/B testing;
• (d) Monitoring Platform performance and engagement metrics, including but not limited to daily active users, session duration, retention rates, and feature adoption;
• (e) Collecting structured User feedback through surveys; and
• (f) Informing product development decisions and roadmap prioritization.

6.5 PostHog Data Is Not Used For.

PostHog data collected through the Platform is not used for:

• (a) Targeted advertising or ad personalization;
• (b) Sale to third parties for marketing or advertising purposes;
• (c) Individual User profiling for purposes unrelated to Platform improvement;
• (d) Sharing with third parties other than PostHog as a service provider; or
• (e) Any purpose inconsistent with this Privacy Policy.

6.6 PostHog Privacy Practices.

PostHog's processing of data is governed by PostHog's privacy policy (available at posthog.com/privacy) and the data processing agreement between the Company and PostHog. Users who have questions about PostHog's data practices may review PostHog's privacy documentation or contact the Company at [email protected].

7.1 Aggregated, De-Identified Data Only.

Users with Program Director Accounts and Users with Chair Accounts may access Program Data as described in Section 3.5 of the Terms. Program Data consists exclusively of aggregated, de-identified analytics relating to Residents and Fellows affiliated with the Program Director's or Chair's residency or fellowship program.

7.2 What Program Data Includes.

Program Data may include aggregated statistics such as:

• Total case counts by category, CPT code, or anatomical location for the program
• Aggregate CODA progress metrics for the program
• Monthly case volume trends for the program
• Other aggregate program-level training metrics

7.3 What Program Data Does Not Include.

Program Data does not include:

• Individual User names or display names
• Individual User email addresses or contact information
• Individual case log entries
• Individual User analytics or performance data
• Any personally identifiable information of individual Users

7.4 Re-Identification Prohibition.

Program Directors and Chair Account holders are strictly prohibited from attempting to re-identify individual Users from Program Data. Any attempt to re-identify individual Users constitutes a violation of the Terms and may result in termination of the Program Director's or Chair Account holder's Account and revocation of Program Director or Chair Account designation.

8.1 User-Initiated Feature.

The Google Sheets backup feature is entirely optional and is initiated solely by the User. The User must affirmatively authorize the Platform to access their Google Drive through Google's standard OAuth authorization flow.

8.2 Scope of Access.

When the User enables the Google Sheets backup feature from the Platform's Settings, the User identifies the Google Sheets spreadsheet that will receive the backup. The User creates the destination spreadsheet through Google Drive themselves; the Company does not automatically create new spreadsheets in the User's Google Drive. The Platform requests authorization solely to:

• Append case log data rows to the spreadsheet the User has identified.

The Platform does not request or obtain authorization to read, modify, or delete any other files or data in the User's Google Drive. The Platform does not access any Google Drive data beyond writing the authorized backup entries.

8.3 Data Location and Ownership.

Case log data backed up through this feature is stored in the User's own Google Drive account and is the User's property. The backed-up data is subject to Google's Terms of Service and Privacy Policy, not this Privacy Policy. The Company has no control over, and assumes no responsibility for, data stored in the User's Google Drive.

8.4 Revocation.

The User may revoke the Platform's authorization to access their Google Drive at any time through the User's Google Account security settings (myaccount.google.com > Security > Third-party apps with account access). Revoking authorization will stop future automated backups but will not delete previously backed-up data from the User's Google Drive.

8.5 Google API Compliance.

The Platform's use of Google APIs complies with Google's API Services User Data Policy, including the Limited Use requirements.

9.1 Publicly Visible Information.

The following information may be visible to other Users through leaderboard and ranking features:

• Display name
• Avatar (selected from the Platform's avatar gallery)
• Level
• Experience points (XP)
• Program affiliation
• PGY level

9.2 User Control Over Display Name.

The User may choose any display name for their Account. The User's legal name is not displayed on leaderboards unless the User elects to use their legal name as their display name. The Company recommends that Users who wish to maintain anonymity on leaderboards select a display name that does not include their real name.

9.3 No Real Name Requirement.

The Platform does not require Users to use their real name as their display name for leaderboard purposes. The User's real name, as provided during NPI verification, is stored in the User's Account but is not displayed publicly.

9.4 Information Not Displayed on Leaderboards.

The following information is not displayed on leaderboards or visible to other Users:

• Legal name (unless used as display name)
• Email address
• NPI number
• Individual case log entries
• Individual analytics data
• CODA progress data
• Notification preferences
• Device information

10.1 Active Accounts.

The Company retains User information for as long as the User's Account remains active and as necessary to provide the Platform's services. Specific retention periods vary by data category:

(a) Account and Profile Data. Retained for the duration of the User's active Account.

(b) Case Log Data. Retained for the duration of the User's active Account. Users may export their case log data at any time using the PDF export feature or Google Sheets backup feature.

(c) Analytics and Usage Data (PostHog). PostHog analytics data, including event data, is retained for a period determined by the Company's PostHog configuration, which may be adjusted from time to time. The current default retention period is governed by PostHog's data retention policies as configured by the Company.

(d) Crash Data (Firebase Crashlytics). Crash reports are retained in accordance with Firebase Crashlytics' default retention policies, typically for ninety (90) days for crash session data and longer for aggregate crash trend data.

(e) Push Notification Tokens. Retained for the duration of the User's active Account. Tokens may become invalid due to device changes or operating system updates and are updated automatically.

10.2 Deleted Accounts.

Upon deletion of a User's Account:

• (a) The Company will delete the User's personal information from its active databases within a reasonable timeframe, subject to the exceptions set forth in Section 10.3;
• (b) Case log data associated with the Account will be deleted from the Company's active databases;
• (c) Gamification data (XP, levels, streaks, achievements) associated with the Account will be deleted from the Company's active databases;
• (d) The User's data will be removed from leaderboards;
• (e) Aggregated, de-identified data that was derived from the User's data prior to deletion may be retained, as it cannot be used to identify the User; and
• (f) Data previously backed up to the User's Google Sheets will remain in the User's Google Drive and is not affected by Account deletion on the Platform.

10.3 Retention After Deletion.

Notwithstanding Section 10.2, the Company may retain certain User information after Account deletion as necessary to:

• (a) Comply with legal obligations, including record-keeping requirements;
• (b) Resolve disputes and enforce agreements;
• (c) Detect and prevent fraud;
• (d) Maintain security and integrity of the Platform; and
• (e) Fulfill any other legitimate business purpose permitted by applicable law.

10.4 Backup Systems.

User information may persist in the Company's backup systems for a limited period after deletion from active databases. The Company will delete User information from backup systems in accordance with its standard backup rotation schedule.

11.1 Security Measures.

The Company implements reasonable administrative, technical, and physical safeguards designed to protect User information from unauthorized access, use, alteration, disclosure, and destruction. These measures include:

• (a) Encryption of data in transit using Transport Layer Security (TLS);
• (b) Encryption of data at rest in Firebase and Google Cloud Platform infrastructure;
• (c) Firebase Authentication for secure user authentication, including support for email/password and Google Sign-In;
• (d) Firebase Security Rules controlling access to Firestore data based on authentication status, user role, and data ownership;
• (e) Cloud Functions with server-side validation and authorization checks;
• (f) Role-based access controls limiting data access based on User Account type;
• (g) Administrative access controls for Company personnel;
• (h) GCP Monitoring and alerting for infrastructure anomalies and security events;
• (i) Firebase App Check to help protect backend resources from unauthorized access; and
• (j) Regular review of security practices and infrastructure configuration.

11.2 No Guarantee of Security.

While the Company implements reasonable security measures, no method of transmission over the internet or method of electronic storage is completely secure. The Company cannot guarantee the absolute security of User information.

THE COMPANY SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS TO, USE OF, ALTERATION OF, OR DISCLOSURE OF USER INFORMATION, EXCEPT TO THE EXTENT SUCH LIABILITY CANNOT BE LIMITED UNDER APPLICABLE LAW.

11.3 User Responsibilities.

Users are responsible for:

• (a) Maintaining the confidentiality of their Account credentials;
• (b) Using strong, unique passwords for their Accounts;
• (c) Notifying the Company immediately of any unauthorized access to or use of their Account;
• (d) Ensuring that case log entries are properly de-identified and do not contain PHI or patient-identifiable information; and
• (e) Exercising caution in the information they provide to the Platform.

11.4 Breach Notification.

In the event of a data breach affecting User personal information, the Company will notify affected Users and applicable regulatory authorities in accordance with applicable law. The Company will provide notification within the timeframes required by applicable state and federal data breach notification laws.

12.1 Not a HIPAA-Covered Service.

12.2 PHI Prohibition.

Users are strictly prohibited from entering, uploading, transmitting, or otherwise disclosing any PHI or patient-identifiable information on or through the Platform. This prohibition applies to all areas of the Platform, including but not limited to case logs, notes, feedback, and any other input fields. The Platform displays a PHI disclaimer to Users upon their first case log entry to reinforce this prohibition.

12.3 De-Identified Data Only.

The Platform's case logging features are designed exclusively for de-identified case data. Users must not enter any of the following into the Platform:

• Patient names
• Medical record numbers
• Dates of birth
• Social Security numbers
• Patient addresses
• Patient telephone numbers
• Patient email addresses
• Photographs or images depicting identifiable patients
• Any other information that could reasonably be used to identify a specific patient

12.4 No Verification.

The Company does not verify that User-entered data is properly de-identified. The User is solely responsible for ensuring compliance with all applicable privacy laws and regulations, including HIPAA, when entering data into the Platform.

12.5 PHI Incidents.

If the Company discovers or is notified that PHI or patient-identifiable information has been entered into the Platform, the Company reserves the right to:

• (a) Immediately remove the offending content without notice;
• (b) Suspend or terminate the User's Account;
• (c) Report the incident to applicable regulatory authorities if required by law; and
• (d) Take any other action the Company deems necessary to protect the Platform, its Users, and affected individuals.

12.6 User Liability.

Any User who enters PHI or patient-identifiable information into the Platform is solely liable for all consequences thereof, including regulatory fines, civil claims, professional licensing consequences, and all costs incurred by the Company, as set forth in the Terms.

13.1 Age Restriction.

The Platform is intended solely for individuals who are at least eighteen (18) years of age. The Company does not knowingly collect, solicit, or maintain personal information from individuals under the age of eighteen (18). The Platform is not directed to children or minors.

13.2 Discovery of Minor's Information.

If the Company becomes aware that it has collected personal information from an individual under the age of eighteen (18), the Company will take prompt steps to delete such information from its systems and terminate any associated Account.

13.3 Parental Notification.

If a parent or guardian becomes aware that their child has provided personal information to the Company without their consent, the parent or guardian should contact the Company immediately at [email protected], and the Company will take prompt steps to remove such information.

14.1 United States-Based Operations.

The Platform is operated from the United States. All User information is stored and processed in the United States, primarily in Google Cloud's us-central1 region and PostHog's United States cloud infrastructure.

14.2 Cross-Border Transfers.

If the User accesses the Platform from outside the United States, the User acknowledges and agrees that the User's information will be transferred to, stored in, and processed in the United States. Data protection and privacy laws in the United States may differ from, and may not provide the same level of protection as, the laws in the User's country of residence.

14.3 Consent to Transfer.

By accessing or using the Platform, the User consents to the transfer, storage, and processing of the User's information in the United States. If the User does not consent to such transfer, the User should not access or use the Platform.

15.1 Applicability.

This Section 15 applies to Users who are residents of the State of California and supplements the information contained in the rest of this Privacy Policy. This Section is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

15.2 Categories of Personal Information Collected.

In the preceding twelve (12) months, the Company has collected the following categories of personal information, as defined by the CCPA:

15.3 Categories of Personal Information Not Collected.

The Company does not collect the following categories of personal information: protected classification characteristics, commercial information (purchase history), biometric information, sensory data, education information (as defined by FERPA), or financial information (credit card numbers, bank accounts).

15.4 Sources of Personal Information.

The Company collects personal information from the following sources: (a) directly from Users through Account registration, profile creation, and Platform usage; (b) automatically through PostHog analytics, Firebase Crashlytics, and other tracking technologies; and (c) from third-party sources including Google Sign-In and the NPPES registry.

15.5 Business Purposes for Collection.

Personal information is collected and used for the business purposes described in Section 3 of this Privacy Policy.

15.6 Sale and Sharing of Personal Information.

The Company does not sell personal information as defined by the CCPA. The Company does not share personal information for cross-context behavioral advertising purposes.

15.7 California Consumer Rights.

Subject to certain exceptions, California residents have the following rights under the CCPA:

(a) Right to Know. The right to request that the Company disclose the categories and specific pieces of personal information it has collected about the User, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom the information was shared.

(b) Right to Delete. The right to request deletion of personal information that the Company has collected from the User, subject to certain exceptions.

(c) Right to Correct. The right to request correction of inaccurate personal information that the Company maintains about the User.

(d) Right to Opt Out of Sale/Sharing. The right to opt out of the sale or sharing of personal information. As noted in Section 15.6, the Company does not sell or share personal information.

(e) Right to Non-Discrimination. The right not to receive discriminatory treatment for exercising any CCPA rights.

15.8 Exercising Your Rights.

To exercise any of the rights described in Section 15.7, California residents may submit a request by:

• Emailing [email protected] with the subject line "CCPA Request"
• Providing sufficient information to verify the User's identity and locate the User's Account

The Company will respond to verifiable requests within forty-five (45) days, as required by the CCPA. If additional time is needed, the Company will notify the User and may take up to an additional forty-five (45) days.

15.9 Authorized Agents.

California residents may designate an authorized agent to submit a request on their behalf. The authorized agent must provide proof of authorization, and the Company may require the California resident to verify their identity directly.

15.10 Verification.

The Company will verify the identity of any requestor to the extent necessary to ensure the request is being made by the User whose data is at issue, or by an authorized agent. Verification may require the User to provide information matching information already held by the Company.

16.1 Types of Push Notifications.

The Platform may send the following types of push notifications:

• (a) Streak Reminders. Notifications alerting the User that their current streak is at risk of expiring if they do not log a case or complete a Platform activity before the end of the day;
• (b) Achievement Unlocks. Notifications informing the User that a new achievement has been earned;
• (c) Question of the Day. Notifications informing the User that a new Question of the Day is available;
• (d) Weekly Digest. Periodic summary notifications regarding the User's Platform activity, case log statistics, and progress; and
• (e) Service and Security Notifications. Notifications regarding Platform updates, maintenance, security alerts, and other operational matters.
• (f) Dental Student Feature Launch Notifications. Opt-in notifications, available exclusively to Users with Dental Student Accounts, informing the User when new Platform features relevant to dental students become available. Subscription to this notification category is off by default and requires the User's affirmative opt-in through the Platform's notification settings. The User may unsubscribe at any time by disabling the relevant toggle in the Platform's notification settings. This notification category covers future product launches and feature announcements relevant to dental-student accounts only and does not affect the User's receipt of other notification types.

16.2 Consent and Opt-Out.

The User provides consent for push notifications through the device's operating system notification permission prompt. The User may opt out of specific categories of push notifications through the Platform's notification settings within Account settings. The User may also disable all push notifications through the device's operating system settings. Certain transactional and security-related notifications may not be individually disabled through the Platform's settings.

16.3 Notification Data.

Push notification delivery involves the transmission of notification payloads (message content) through Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). Notification payloads do not contain PHI, detailed case log data, or other sensitive personal information. Notification payloads may include general alerts (e.g., "Your streak is at risk!") and are designed to minimize the information disclosed on lock screens and notification centers.

17.1 Firebase / Google Cloud Platform (Google LLC).

• Services used: Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Firebase Cloud Messaging, Firebase Crashlytics, Firebase App Check, GCP Monitoring
• Data location: United States (us-central1)
• Privacy policy: policies.google.com/privacy

17.2 PostHog, Inc.

• Services used: Product analytics, feature flags, surveys
• Data location: United States
• Privacy policy: posthog.com/privacy

17.3 Google Sign-In (Google LLC).

• Services used: OAuth-based user authentication
• Data shared: Name, email address, account identifier
• Privacy policy: policies.google.com/privacy

17.4 Google Sheets API (Google LLC).

• Services used: Automated case log backup (user-initiated)
• Data shared: Case log data (written to user's own Google Drive)
• Privacy policy: policies.google.com/privacy

17.5 Apple Push Notification Service (Apple Inc.).

• Services used: Push notification delivery for iOS devices
• Data shared: Device tokens, notification payloads
• Privacy policy: apple.com/privacy

17.6 Anthropic, Inc.

• Services used: AI-assisted content generation and analytics processing
• Data shared: De-identified educational content prompts
• Privacy policy: anthropic.com/privacy

17.7 Apple Sign-In (Apple Inc.).

• Services used: OAuth-based user authentication; private email relay (when User elects)
• Data shared: Apple-issued user identifier; name and email address (first sign-in only, when User shares them)
• Privacy policy: apple.com/privacy

18.1 Account Information.

The User may review and update certain Account information through the Platform's settings. The User may update their display name, avatar, notification preferences, and other profile settings at any time.

18.2 Account Deletion.

The User may request deletion of their Account by contacting the Company at [email protected] or by using the Account deletion feature within the Platform, if available. Upon Account deletion, the Company will process the deletion in accordance with Section 10 (Data Retention).

18.3 Data Export.

The User may export their case log data using the Platform's PDF export feature or Google Sheets backup feature.

18.4 Push Notification Preferences.

The User may manage push notification preferences through the Platform's settings or through the device's operating system settings.

18.5 Google Sheets Authorization.

The User may revoke the Platform's authorization to access their Google Drive at any time through their Google Account security settings.

18.6 Analytics Opt-Out.

The Company is committed to User privacy and continuously evaluates options for allowing Users to limit analytics data collection. Users who have concerns about analytics data collection are encouraged to contact the Company at [email protected].

19.1 Legal Bases.

The Company processes User information based on the following legal bases:

(a) Consent. The User provides consent to data collection and processing by agreeing to this Privacy Policy and the Terms when creating an Account. Specific consents include push notification permissions and Google Sheets OAuth authorization.

(b) Contractual Necessity. Processing is necessary for the performance of the agreement between the User and the Company (the Terms), including providing Platform features, maintaining Accounts, and delivering services.

(c) Legitimate Interests. Processing is necessary for the Company's legitimate interests, including improving the Platform, ensuring security, preventing fraud, conducting analytics to understand and improve user experience, and developing new features. The Company balances these interests against the User's privacy rights.

(d) Legal Compliance. Processing is necessary to comply with applicable laws, regulations, and legal processes.

For questions, concerns, or requests regarding this Privacy Policy, the Company's data practices, or the User's rights under applicable privacy laws, please contact:

WYZZIE LLC
WYZZIE LLC, Florida
Email: [email protected]
Website: wyzzie.com

For CCPA-specific requests, please email [email protected] with the subject line "CCPA Request."

For data deletion requests, please email [email protected] with the subject line "Data Deletion Request."

21.1 Applicability.

The Florida Digital Bill of Rights (Fla. Stat. 501.701-501.721, effective July 1, 2024) ("FDBR") applies to entities that conduct business in Florida, collect personal data, earn more than one billion dollars ($1,000,000,000) in global gross annual revenue, and meet certain additional conditions. While the Company may not currently meet the applicability thresholds of the FDBR, the Company acknowledges the rights established under the FDBR and honors the spirit of these protections for Florida residents who use the Platform.

21.2 Consumer Rights.

To the extent applicable, Florida residents may have the following rights under the FDBR:

• (a) Right of Access. The right to confirm whether a controller is processing the consumer's personal data and to access such data.
• (b) Right to Correct. The right to correct inaccuracies in the consumer's personal data.
• (c) Right to Delete. The right to delete personal data provided by or obtained about the consumer.
• (d) Right to Data Portability. The right to obtain a copy of the consumer's personal data in a portable and readily usable format.
• (e) Right to Opt Out of Targeted Advertising. The right to opt out of the processing of personal data for purposes of targeted advertising.

21.3 Exercising Your Rights.

Florida residents who wish to exercise any of the above rights may contact the Company at [email protected]. The Company will respond to verifiable requests in accordance with applicable law.

21.4 Exemptions.

The FDBR provides exemptions for certain categories of data and entities, including data governed by the Health Insurance Portability and Accountability Act (HIPAA) and nonprofit organizations. The Company will evaluate applicable exemptions on a case-by-case basis.