How we protect your data
1. Security at a glance
2. What we store, and what we don't
We store
- Account info via Google OAuth (email, display name, photo URL, Google ID). No passwords.
- Organization role, certification level, access status.
- Quiz attempts, scenario responses, leaderboard scores, progress.
- Customer-uploaded protocol PDFs and generated study content.
- Technical telemetry: browser type, IP (transient, security only), session ID.
We do not store
- Patient information or Protected Health Information (PHI). The Platform is not a HIPAA-covered service. Uploads are scanned for PHI markers and quarantined when detected.
- Payment card or bank account numbers. Stripe handles all card and ACH processing (PCI-DSS Level 1).
- GPS or precise location data.
- Microphone, camera, or contacts.
3. Subprocessors
We use the following third-party services to operate the Platform. Each is bound by a written agreement requiring at least the same data-protection posture stated here.
| Subprocessor | Purpose | Region |
|---|---|---|
| Google Cloud / Firebase | Auth, database (Firestore), file storage, hosting | United States |
| Vercel, Inc. | Backend APIs and billing infrastructure | United States |
| Cloudflare, Inc. | DNS, edge protection, email routing | Global |
| Stripe, Inc. | Payment processing, invoicing, ACH collection (PCI-DSS Level 1) | United States |
| Brevo (Sendinblue SAS) | Transactional email delivery | EU / US |
| Discord, Inc. | Internal operational alerts (minimized event data) | United States |
| Google AI / Vertex AI (Gemini) | LLM content generation from Customer-uploaded protocols. No-training contract. | United States |
| Documenso, Inc. | Master Services Agreement and Order Form e-signature workflow. Customer signing-contact email + signature image processed. | United States |
Customers receive at least 30 days' notice before any new subprocessor begins processing Customer data. The contractual notice mechanism is described in DPA §4.2.
4. AI use
ProtoQuiz uses third-party LLM services (currently Google Gemini / Vertex AI) to generate quiz questions, scenarios, and drug-comparison content from Customer-uploaded protocol PDFs. We send only the protocol content needed to generate the requested output. We do not send User personal information (email, name, photo) to LLM providers. The provider's terms prohibit training their foundation models on submitted Customer content.
5. Incident response
If we become aware of a confirmed Security Incident affecting Customer Personal Data, we will notify the affected Customer's designated contact within 72 hours, with the information then available: nature of the incident, affected data categories and approximate scope, likely consequences, and measures taken or proposed. We will continue to coordinate as the investigation progresses. This commitment is contractual under DPA §6.
Vulnerability reports: send to [email protected]. We respond promptly and do not pursue good-faith security researchers acting within standard responsible-disclosure norms.
6. Data export & deletion
Customers can request a machine-readable export (CSV or JSON) of their data at any time during the subscription, or for 90 days following termination. After 90 days post-termination, Customer data is deleted from production systems; backup snapshots are purged within an additional 30 days, subject to legal retention requirements (e.g., financial records).
7. Compliance posture
We are early-stage and do not yet hold formal third-party certifications (SOC 2, ISO 27001). We are happy to share our completed Vendor Security Questionnaire (SIG Lite / CAIQ-Lite), discuss controls in detail, or work toward a security questionnaire your procurement team prefers. Contact [email protected].
We are not a HIPAA Business Associate; the Platform is not designed to process PHI. CCPA, GDPR, and UK DPA-aligned commitments are in the DPA. Standard Contractual Clauses are available where required for cross-border transfers.
8. How to reach us
Teach Me to Live LLC, d/b/a ProtoQuiz
1500 N Grant St #10764, Denver, CO 80203
(720) 441-2532