1. Introduction & Definitions

ResQWare LLC ("We", "Us", "Our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use the CPR Enroll application (collectively, the "Service").

To ensure clarity, we define our users in two categories:

• "Customers" (Instructors/Admins): Individuals or businesses who subscribe to CPR Enroll to manage their training operations. For Customer data, CPR Enroll acts as the Data Controller.
• "End Users" (Students): Individuals whose data is uploaded to CPR Enroll by our Customers for the purpose of class registration or certification. For End User data, CPR Enroll acts as the Data Processor, and the Customer acts as the Data Controller. For more details on this relationship, please see our Data Processing Addendum at https://cprenroll.com/data-processing-addendum/.
• "Connected Services": Third-party platforms (such as Google Calendar) that a Customer voluntarily authorizes CPR Enroll to access on their behalf. Use of any Connected Service is optional and requires the Customer's explicit consent through the relevant authorization flow (e.g., OAuth).

2. Information We Collect

We collect information in four ways: (1) information you provide to us, (2) information collected automatically, (3) information from third parties, and (4) information from Connected Services that you authorize.

A. Information You Provide

• Account Registration: Name, business name, email address, phone number, and physical address.
• Billing Data: Payment method details (processed via Stripe; we do not store full credit card numbers).
• Student Data: Rosters, skills sheets, certification dates, and student contact information uploaded by Customers.
• Support Communications: Content of emails, tickets, or chats sent to our support team.

B. Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on the application, and clickstream data.
• Device Data: IP address, browser type, operating system, and unique device identifiers.
• Session Analytics: We may use tools (such as log recording) to understand how users interact with the dashboard, to improve user experience and debug issues.

C. Information From Third Parties

We may receive limited information from third parties who help us deliver and improve the Service, including our payment processor (Stripe), email delivery vendor (SendGrid), and hosting provider (AWS). The information we receive is limited to what those vendors share for service operation purposes (e.g., delivery status of a transactional email).

D. Information From Connected Services

When a Customer authorizes CPR Enroll to connect to a third-party service such as Google Calendar, we access only the specific data necessary to provide the integration feature the Customer has chosen to use. Section 5 of this policy describes our Google API integration in detail, including the exact scopes requested and the limits on how that data is used. We never request access to a Connected Service unless the Customer initiates the connection.

3. How We Use Information

We use the collected data only for specific, identified business purposes:

• Service Delivery: To provide class scheduling, roster generation, certification processing, billing, and integration features.
• Connected Service Integrations: To enable features the Customer has explicitly opted into (such as syncing class events to Google Calendar). Data received from a Connected Service is used only for the specific feature the Customer authorized.
• Communications: To send transactional emails (invoices, password resets, integration notifications) and platform updates to Customers. Students receive only those emails triggered by the Instructor (Customer).
• Research & Development: To analyze usage trends and improve the "Classes Engine" and "Admin Engine" features. We do not use data received from Connected Services for research or product development.
• Security & Compliance: To detect fraud, enforce our Terms of Service, and comply with legal obligations.
• Marketing: To send promotional materials to Customers (Instructors). We do not market directly to End Users (Students). We do not use data received from Connected Services for marketing.

4. Sharing & Disclosure

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose data only in the following circumstances:

• Service Providers: We share data with trusted vendors who assist in operating our platform (e.g., Stripe for payments, AWS for hosting, SendGrid for email delivery). These providers are contractually obligated to protect your data and may use it only to perform services on our behalf.
• Legal Compliance: We may disclose information if required by law, subpoena, valid governmental request, or to protect the safety and rights of ResQWare LLC or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as a business asset. We will notify users of any such change in ownership through the Service or by email.
• With Your Consent: We may share information for any other purpose with your explicit consent.

Data accessed from Connected Services (such as Google Calendar) is subject to additional restrictions described in Section 5.

5. Third-Party Integrations & Google API Services

CPR Enroll offers optional integrations with third-party services to streamline scheduling and administration. These integrations are activated only when a Customer explicitly connects their third-party account. The Customer may disconnect any integration at any time.

Google Calendar Integration

CPR Enroll integrates with Google Calendar to allow instructors to synchronize CPR class schedules with their Google Calendar accounts. To enable this feature, CPR Enroll requests access to the following Google services through Google's OAuth consent flow:

• calendar.events — to create, update, and delete calendar events that CPR Enroll generates on behalf of the authenticated instructor (e.g., a CPR class scheduled in CPR Enroll appears as an event on the instructor's calendar; students enrolled in the class are added as attendees so they receive a calendar invitation).
• calendar.readonly — to read existing event start and end times for the sole purpose of scheduling conflict detection. CPR Enroll does not store, display, or process event titles, descriptions, attendees, or any other content from pre-existing personal calendar events.
• calendar.calendars.readonly — to read each calendar's time zone setting and display name so that conflict checks normalize event times correctly across calendars in different time zones. Only calendar-level metadata is accessed through this scope; no event data is read.
• calendar.calendarlist.readonly — to retrieve the list of calendars available to the instructor, so the instructor can select which of their calendars should receive CPR class events. Only calendar display names and IDs are accessed.

Data Use and Limited Use Compliance

CPR Enroll's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Calendar data accessed by CPR Enroll is used exclusively to provide and improve the CPR class scheduling features of this application. Specifically:

• CPR Enroll does not use Google Calendar data for advertising or for serving ads of any kind.
• CPR Enroll does not sell or share Google Calendar data with third parties.
• CPR Enroll does not transfer Google Calendar data to artificial-intelligence or machine-learning models for training, except where transfer is required to provide the user-facing scheduling feature the Customer has authorized (and never for model improvement).
• CPR Enroll does not use Google Calendar data to build user profiles beyond what is required for CPR class management.
• Human review of Google Calendar data occurs only when the user explicitly requests support assistance, when required for security investigations, or when required to comply with applicable law.

Revoking Access

You may disconnect Google Calendar from CPR Enroll at any time using either of the following methods:

• Within CPR Enroll: Navigate to Settings → Integrations → Google Calendar in your CPR Enroll dashboard and click Disconnect Calendar.
• Via your Google Account: Visit https://myaccount.google.com/permissions and remove CPR Enroll from the list of apps with account access.

Upon revocation, CPR Enroll immediately deletes all stored Google access tokens, refresh tokens, and related credentials associated with your account. Calendar events that were previously created by CPR Enroll on your Google Calendar will remain on your calendar; you may delete them manually if desired.

Other Future Integrations

If CPR Enroll adds integrations with additional third-party services in the future (for example, other calendar providers, messaging platforms, or accounting tools), the same principles will apply: integrations are opt-in, only the minimum scopes necessary are requested, data is used solely to provide the feature, and disconnection is available at any time. We will update this policy to describe any new integration before it is offered to Customers.

6. Cookies & Tracking Technologies

We use cookies, pixels, and local storage to operate the Service. Specifically:

• Essential Cookies: Required for login authentication and security. These cannot be disabled without breaking the Service.
• Functional Cookies: Remember your preferences (e.g., calendar view settings).
• Analytics Cookies: Help us understand how the site is used (e.g., Google Analytics). You may opt out of Google Analytics tracking using the Google Analytics Opt-Out Browser Add-on.

Most browsers allow you to refuse or delete cookies through browser settings. CPR Enroll honors browser-level Global Privacy Control (GPC) signals where required by law.

7. Data Security

We implement industry-standard technical and organizational measures to protect your data, including TLS/SSL encryption for data in transit and encryption at rest for sensitive fields and authentication credentials (including tokens received from Connected Services). Access to production data is restricted to authorized personnel and logged for audit purposes.

However, no internet transmission or electronic storage method is 100% secure, and we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify affected users and applicable authorities as required by law.

8. Data Retention

We retain personal data only as long as necessary to provide the Service and comply with legal obligations:

• Active Accounts: Data is retained while your subscription is active.
• Cancelled Accounts: If your account is cancelled due to non-payment or voluntary termination, we retain data for a grace period to allow reinstatement (as defined in our Terms of Service). After the grace period, data may be archived or permanently deleted.
• Connected Service Credentials: OAuth tokens (e.g., Google Calendar access and refresh tokens) are deleted immediately upon disconnection by the Customer or upon account closure, whichever occurs first.
• Legal Retention: We may retain billing records for seven (7) or more years to comply with tax and accounting laws.
• Backups: Encrypted backups are retained on a rolling basis and overwritten in the ordinary course of operations.

9. International Data Transfers

ResQWare LLC is based in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

Where required by applicable law (including the GDPR and UK GDPR), we rely on Standard Contractual Clauses or other lawful transfer mechanisms to ensure your data receives an adequate level of protection.

10. Your Privacy Rights

Depending on your jurisdiction (including residents of California, Virginia, Colorado, Connecticut, Utah, the European Economic Area, and the United Kingdom), you may have specific rights with respect to your personal data:

• Right to Access & Portability: Request a copy of the data we hold about you in a portable, machine-readable format.
• Right to Correction: Update inaccurate information via your dashboard, or by contacting us.
• Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Right to Opt-Out: Unsubscribe from marketing emails, opt out of analytics tracking, or object to certain processing activities.
• Right to Non-Discrimination: We will not deny, charge different prices for, or provide a different quality of service because you exercised any privacy right.
• Right to Withdraw Consent: Where processing is based on your consent (including connection of a third-party service such as Google Calendar), you may withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.

Note for Students (End Users): If you took a class with an instructor using CPR Enroll and wish to exercise your rights, please contact your Instructor directly. As the Data Processor, we can only act on instructions from the Controller (the Instructor).

How to exercise your rights: Contact us at support@cprenroll.com. We will respond within forty-five (45) days, or sooner if required by applicable law. We may need to verify your identity before fulfilling certain requests.

11. Children's Privacy

The Service is intended for business professionals. We do not knowingly collect data from children under the age of eighteen (18). If a student under 18 takes a class, their data should be managed by the Instructor in compliance with applicable laws, including the Children's Online Privacy Protection Act (COPPA) where applicable. If we learn that we have collected personal information from a child under 18 without verified parental consent, we will delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this policy and, where required by law, notify you by email or through the Service. We encourage you to review this policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

ResQWare LLC
Attn: Privacy Officer
Email: support@cprenroll.com
Location: New Hampshire, United States