Privacy Policy

1. Introduction

SOOPER (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI-powered educational platform designed for Canadian family medicine residents preparing for the Simulated Office Orals (SOOs) examination.

By using SOOPER, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when you:

• Create an Account: Name, email address, username, password, and profile photo (optional)
• Make a Payment: Billing information is processed through Stripe (we do not store credit card information)
• Contact Us: Name, email address, and any information you choose to include in your message
• Provide Feedback: Survey responses, ratings, comments, and suggestions

2.2 Information Automatically Collected

When you use SOOPER, we automatically collect certain information, including:

• Usage Data: Pages visited, features used, time spent on pages, session duration, interaction patterns
• Device Information: Browser type and version, operating system, device type, screen resolution
• Log Data: IP address, access times, error logs, referring URLs
• Cookies and Similar Technologies: Session cookies, preference cookies, analytics cookies

2.3 Practice Session Data

During your practice sessions, we collect and store:

• Session Transcripts: Full text records of conversations with AI patients via ElevenLabs
• Audio Interactions: Processed through ElevenLabs but not permanently stored by SOOPER
• Session Metadata: Patient case selected, session duration, start/end times
• Performance Data: Evaluation scores, AI assessments, completion rates
• User Notes: Any notes you create during or after sessions

2.4 Information from Third-Party Services

If you choose to authenticate using third-party providers (e.g., Google, GitHub), we receive basic profile information such as your name, email address, and profile picture as authorized by you and permitted by the third-party provider.

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

• Create and manage your account
• Provide access to practice sessions with AI patients
• Process session transcripts and generate evaluations
• Store and retrieve your session history and performance data
• Provide personalized recommendations and feedback

3.2 Payment Processing

• Process payments and donations through Stripe
• Manage subscriptions and billing cycles
• Issue receipts and handle refund requests
• Prevent fraudulent transactions

3.3 Communication

• Send service-related notifications (evaluation completion, account updates)
• Respond to your inquiries and support requests
• Send important notices about changes to our policies or service
• Solicit feedback about your experience (with your consent)

3.4 Service Improvement

• Analyze usage patterns to improve features and user experience
• Develop new educational content and AI patient cases
• Enhance evaluation accuracy and feedback quality
• Troubleshoot technical issues and optimize performance

3.5 Legal and Security

• Comply with legal obligations and regulatory requirements
• Protect against fraud, abuse, and security threats
• Enforce our Terms of Service
• Respond to legal requests from authorities

3.6 Aggregated Analytics

We may use aggregated, de-identified data for research, statistical analysis, and reporting purposes. This data cannot be used to identify individual users.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

4.1 Third-Party Service Providers

We share information with trusted third-party service providers who assist us in operating our platform:

• Firebase (Google): Authentication, database hosting, and cloud storage
• Stripe: Payment processing and subscription management
• ElevenLabs: Conversational AI and voice synthesis for practice sessions
• Anthropic: AI-powered evaluation and assessment of session performance
• Vercel: Web hosting and content delivery

These providers are contractually obligated to protect your information and use it only for the purposes we specify. They have their own privacy policies:

• Firebase/Google: https://policies.google.com/privacy
• Stripe: https://stripe.com/privacy
• ElevenLabs: https://elevenlabs.io/privacy
• Anthropic: https://www.anthropic.com/privacy

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, warrants)
• Requests from government or regulatory authorities
• Investigations of potential violations of our Terms of Service
• Protection of our rights, property, or safety, or that of our users or the public

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the new entity. We will notify you of any such change and any choices you may have regarding your information.

4.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

5. Data Storage and Security

5.1 Data Storage

Your data is primarily stored using:

• Firebase Cloud Firestore: User accounts, session data, transcripts, evaluations, and settings
• Firebase Authentication: Account credentials and authentication tokens
• Vercel Edge Network: Application files and cached content

Data storage locations may include servers in the United States and other countries where our service providers operate. By using our Service, you consent to the transfer of your information to these locations.

5.2 Security Measures

We implement industry-standard security measures to protect your information:

• Encryption of data in transit using HTTPS/TLS
• Encryption of sensitive data at rest
• Secure authentication using Firebase Authentication
• Role-based access controls for administrative functions
• Regular security audits and updates
• Firestore security rules to protect database access
• Secure API key management and environment variables

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5.3 Data Retention

We retain your information for as long as necessary to:

• Provide you with our services
• Comply with legal obligations
• Resolve disputes and enforce agreements
• Maintain business records

When you delete your account, we will delete or anonymize your personal information within 90 days, except where we are required to retain it by law or for legitimate business purposes (e.g., fraud prevention, financial records).

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

6.1 Access and Portability

You have the right to:

• Request a copy of the personal information we hold about you
• Receive your data in a structured, commonly used, machine-readable format
• Access your session history, transcripts, and evaluations through your account dashboard

6.2 Correction and Update

You can:

• Update your profile information through your account settings
• Request correction of inaccurate or incomplete information

6.3 Deletion

You have the right to:

• Request deletion of your account and associated data
• Delete individual session records through your dashboard
• Request erasure of your personal information (subject to legal retention requirements)

6.4 Objection and Restriction

You can:

• Object to certain processing of your personal information
• Request restriction of processing in specific circumstances
• Opt out of marketing communications (we currently do not send marketing emails)

6.5 Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.

6.6 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@sooper.ca. We will respond to your request within 30 days. We may need to verify your identity before fulfilling your request.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

• Essential Cookies: Required for authentication and core functionality. These cannot be disabled.
• Preference Cookies: Remember your settings like dark mode, language preferences.
• Analytics Cookies: Help us understand how users interact with our service (if implemented).

7.2 Managing Cookies

Most browsers allow you to control cookies through their settings. However, disabling essential cookies may prevent you from using certain features of the Service.

7.3 Local Storage

We use browser local storage to save certain preferences (e.g., theme settings, UI preferences) on your device. This data remains on your device and is not transmitted to our servers.

8. Children's Privacy

SOOPER is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@sooper.ca, and we will promptly delete such information.

9. International Data Transfers

SOOPER is based in Canada, and our service providers may be located in various countries, including the United States. When you use our Service, your information may be transferred to, stored, or processed in countries other than your own.

These countries may have data protection laws that differ from those in your jurisdiction. We take steps to ensure that your information receives an adequate level of protection wherever it is processed, including through:

• Using service providers that comply with recognized international frameworks
• Implementing appropriate safeguards and data processing agreements
• Adhering to industry-standard security practices

10. Canadian Privacy Law Compliance

As a Canadian service, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our practices align with the following principles:

• Accountability for personal information under our control
• Identifying purposes for collection before or at time of collection
• Obtaining consent for collection, use, or disclosure
• Limiting collection to what is necessary
• Limiting use, disclosure, and retention to purposes identified
• Ensuring accuracy of personal information
• Providing appropriate safeguards for personal information
• Making information about policies readily available
• Providing access to personal information upon request
• Allowing challenges to compliance

11. Third-Party Links

Our Service may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access through our platform.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last Updated” date at the top of this policy
• Notify you via email (if you have provided your email address)
• Display a prominent notice on our Service
• Obtain your consent if required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes indicates your acceptance of the updated policy.

13. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by law. We maintain incident response procedures to detect, respond to, and recover from security incidents.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to privacy-related inquiries within 30 days.

15. Complaints and Disputes

If you believe we have not complied with this Privacy Policy or applicable privacy laws, you may:

• Contact us directly at privacy@sooper.ca to resolve the issue
• File a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
• Contact your provincial privacy commissioner if applicable