Note: This document is a template and does not constitute legal advice. Review it with a qualified attorney before relying on it for your business.

Privacy Policy

Last updated: May 23, 2025

1. Introduction

CFTrack ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have about your data when you use the CFTrack web application (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

CFTrack is not affiliated with or endorsed by the American Speech-Language-Hearing Association (ASHA). We are an independent tool for personal CF hour tracking.

2. Information We Collect

a) Account information (via Firebase Authentication)

When you create an account, we collect your email address, display name, and authentication provider (Google or email/password). This information is managed by Google Firebase Authentication. We do not collect or store your password directly; Firebase handles credential management.

b) CF tracking data you enter

The core purpose of CFTrack is to help you organize your Clinical Fellowship. You may enter information such as: clinical hours logged per session, weekly hour totals, segment progress, supervision dates and supervisor/mentor names, clinical site names, activity descriptions, and skills progress notes.

Do not enter protected health information (PHI) — including patient names, medical record numbers, or any patient-identifiable data. CFTrack is not designed or secured for PHI. Enter only aggregate counts and general descriptions.

c) Payment and entitlement metadata (via Stripe)

When you purchase CFTrack, payment is processed by Stripe. We do not receive or store your card number, CVV, or full payment details. We receive from Stripe: a confirmation that payment was successful, a Stripe customer identifier, and basic purchase metadata (date, amount) used to manage your lifetime access entitlement.

d) Technical and error data (via Sentry)

We use Sentry for error monitoring to diagnose and fix bugs. Sentry is configured with sendDefaultPii: false, meaning it does not transmit personally identifiable information such as your email address, IP address (beyond what is technically unavoidable), or the content of your CF data. Sentry collects stack traces, browser/OS version, and error event data.

e) Usage and log data

Our hosting infrastructure may automatically log standard HTTP request data (IP address, browser user-agent, requested URL, timestamp) as part of normal server operations. We do not use this data for advertising profiling.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate your identity.
  • Provide the CF hour tracking features of the Service.
  • Process and verify your one-time purchase and maintain your lifetime access entitlement.
  • Detect, investigate, and fix bugs and technical errors via Sentry.
  • Respond to your support requests sent to our contact email.
  • Send transactional communications (e.g., purchase confirmation, important service notices).
  • Comply with applicable legal obligations.

We do not sell your personal data to third parties. We do not use your data for advertising or behavioral targeting.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

  • Contract performance — to provide the Service you purchased and to manage your account.
  • Legitimate interests — to maintain the security and reliability of the Service, detect and fix errors, and communicate important service updates.
  • Legal obligation — to comply with applicable laws and regulations.
  • Consent — where we have specifically asked for your consent (you may withdraw consent at any time without affecting the lawfulness of prior processing).

5. Third-Party Processors

We share data with the following sub-processors, each of which has its own privacy policy and data practices:

Google / Firebase

Provides authentication and backend data storage for your account and CF tracking data. Your data is stored in Google Cloud infrastructure. See Firebase Privacy and Security and Google's Privacy Policy.

Stripe

Processes your one-time payment. Stripe is PCI-DSS compliant. We share with Stripe only the information needed to process your transaction. See Stripe's Privacy Policy.

Sentry

Receives anonymized error and crash reports from the app (no PII per our configuration). See Sentry's Privacy Policy.

We do not share your information with any other third parties except as required by law or as part of a business transfer (see Changes to This Policy below).

6. Cookies and Local Storage

CFTrack stores your Firebase authentication token in your browser's localStorage to keep you signed in across sessions. This is a functional necessity and does not track you across other websites.

We do not use advertising cookies, third-party analytics tracking cookies, or behavioral profiling cookies. Firebase and Stripe may set their own cookies as part of their services; refer to their respective privacy policies for details.

You can clear localStorage or cookies in your browser settings at any time, which will sign you out of the app.

7. Data Retention

We retain your account information and CF tracking data for as long as your account is active or as needed to provide the Service. If you delete your account (see Your Rights below), your data is removed from our active systems. Some residual data may remain in backups for a limited period before being overwritten.

We may retain certain minimal transaction records (e.g., purchase date and amount) for as long as required by applicable tax or accounting laws, typically 5–7 years.

In the event of a refund, see our Refund Policy for specific data retention details.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data.
  • Deletion — request deletion of your personal data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection / Restriction — object to or request restriction of certain processing activities.
  • Withdrawal of consent — where processing is based on consent, withdraw it at any time.

Account deletion: You can delete your account and associated CF tracking data at any time directly within the app via Account Settings. This is the fastest way to exercise your right to deletion.

To exercise any other right, or if you have questions, email us at slpcftracker@gmail.com. We will respond within 30 days (or the period required by applicable law).

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.

9. Data Security

We implement reasonable technical and organizational measures to protect your data, including use of HTTPS for data in transit, Firebase's security rules for data at rest, and Stripe's PCI-DSS-compliant payment environment.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and encourage you not to enter sensitive data (such as PHI) into the Service.

10. Children's Privacy

CFTrack is not directed at children under 13 (or under 16 where applicable under local law, such as in the EEA under GDPR). We do not knowingly collect personal information from children under these age thresholds. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at slpcftracker@gmail.com.

11. International Data Transfers

CFTrack is operated from the United States. Your information may be stored and processed in the United States or any other country where our service providers (Google, Stripe, Sentry) operate data centers.

If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, please be aware that we may transfer your data to countries that may not provide the same level of data protection as your home country. Where required, we rely on appropriate safeguards (such as standard contractual clauses) provided by our sub-processors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will notify you via email or a prominent in-app notice. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

We encourage you to review this policy periodically to stay informed about how we protect your information.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

slpcftracker@gmail.com

We aim to respond to all privacy inquiries within 1–2 business days (and within 30 days for formal rights requests).