Privacy Policy for SpeechCatcher
1. Introduction
1.1. Who We Are and What This Policy Covers
This Privacy Policy describes how Speech Metrics ("we," "us," or "our") handles information in connection with the SpeechCatcher iPad application and the associated cloud platform (collectively, the "Service" or "SpeechCatcher").
This policy applies to all users of our Service, which includes licensed Speech Language Pathologists and other qualified healthcare professionals ("Providers") who subscribe to the Service, as well as their Clients whose speech productions may be recorded using the Service ("Clients").
This document is designed to provide transparent information about our privacy practices in a format that is concise, intelligible, and easily accessible, using clear and plain language as required by global data protection standards. It outlines what information we process, why we process it, and the rights and choices available to you regarding your information.
1.2. Our Commitment to Your Privacy: The "Zero-Knowledge" Promise
The foundation of our Service is a steadfast commitment to the privacy and confidentiality of the sensitive information entrusted to it. We have engineered our Service on a "zero-knowledge" architecture using state-of-the-art end-to-end encryption (E2EE).
This means:
- All data, including Client information, audio recordings of therapy sessions, and metadata (collectively, "Session Data"), is encrypted directly on the Provider's device before it is transmitted or stored.
- The cryptographic keys required to decrypt this Session Data are held exclusively by the authorized users (the Provider and, if applicable, the Client) and are never shared with or accessible by Speech Metrics.
- As a result, we cannot listen to, view, or otherwise access the content of any therapy session. We process your Session Data as an opaque, unreadable, and securely sealed container of information.
This architectural choice is a deliberate one, designed to ensure that the confidentiality of the Provider-Client relationship is technically and programmatically protected. By leading with this promise, we aim to provide immediate assurance that your most sensitive data remains private, accessible only to those you authorize. This approach moves beyond simple compliance to build a foundation of trust, proactively addressing the primary privacy concern associated with health-related communications.
2. Information We Process
To provide our Service, we must process certain categories of information. We are committed to the principle of data minimization, meaning we only collect and process information that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
2.1. Information You (the Provider) Provide Directly
When a Provider registers for and uses the Service, we collect information necessary to establish and maintain a professional account. This includes:
- Account Information: your full name, email address, and your chosen data region. Authentication credentials are handled by our identity provider (Firebase Authentication, operated by Google LLC) and are never visible to Speech Metrics. You may sign in with an email and password, with Sign in with Apple, or with Sign in with Google; when you use a federated sign-in option the identity provider verifies you with Apple or Google and shares only the information you authorize (typically your name and email address). If you use Apple's "Hide My Email" feature, we receive a private relay address rather than your personal email.
- Payment Information: Subscriptions purchased through the iPad application are billed by Apple Media Services via your Apple ID account. Apple handles your billing address and payment card details directly; Speech Metrics does not collect, see, or store this information. We use RevenueCat as our subscription-management platform; through RevenueCat we receive an Apple subscription identifier, the product purchased, the purchase and renewal dates, and your current entitlement status, so that we can grant or revoke access to subscriber features. We do not receive payment card numbers, CVV codes, or billing addresses.
- Communications: If you contact us for customer support or other inquiries, we will collect the content of those communications, including your name, email address, and any other information you choose to provide.
2.2. Information We Process on Your Behalf (Encrypted Session Data)
When a Provider uses the Service to record a therapy session, the primary data generated is the Encrypted Session Data. This category includes:
- Encrypted Audio Recording: The audio file of the therapy session, which is immediately encrypted on the recording device.
- Encrypted Metadata: Associated information such as the date, time, and duration of the session, which is also encrypted alongside the audio.
We process this Encrypted Session Data solely as a Data Processor (under GDPR) or Business Associate (under HIPAA) on behalf of the Provider. Our role is strictly limited to facilitating the secure storage and transmission of this encrypted "container" of information as directed by the Provider. We have no technical means to access the content within this container.
2.3. Information We Do Not Collect or Access
To reinforce our "Zero-Knowledge" promise, we explicitly state that we do not engage in the following activities:
- We do not listen to, transcribe, or analyze the content of your audio recordings.
- We do not access or process any Client health information contained within Session Data.
- We do not share the content of your sessions with any third parties.
- We do not use the content of your sessions for advertising, marketing, or any other purpose.
Disclosing what is not collected is a critical component of transparency and helps to build user trust by eliminating ambiguity about our data practices.
2.4. Information Collected Automatically (Usage and Device Data)
To ensure the proper functioning, security, and improvement of our Service, we automatically collect a limited amount of technical information when you explicitly opt in to analytics. Analytics collection is disabled by default and is only activated after you provide consent through the Analytics Consent screen within the application. You may withdraw your consent at any time through the application settings. This category includes:
- Device Information: The type of device you are using, its operating system version, and unique device identifiers.
- Usage Analytics: We use PostHog, a product analytics platform, to collect information about how you interact with the Service. This includes events related to test administration (starting, completing, and cancelling tests), test navigation (advancing between screens), target tracking (marking speech targets as produced), record validation, report generation, client management (creating and updating client records), content downloads, and user feedback submission. Each event includes the screen where it occurred and the application environment. No client names, session content, assessment data, or audio recordings are included in analytics events.
- Session Replay: When analytics are enabled, PostHog records session replays that capture your interactions with the application interface, including screen transitions, taps, gestures, and the on-screen content rendered during a session. Session replays do not capture the audio content of Encrypted Session Data, which is decrypted only in memory for playback and is never rendered into a form PostHog can record. However, session replays may capture other on-screen text rendered as part of the user interface, including Client display names, test metadata, and text you type into input fields. Do not enable analytics if you require that such information not be shared with our analytics provider.
- Error Tracking: PostHog automatically captures application errors, including uncaught exceptions, unhandled promise rejections, and console output at the error, warning, info, and log levels. Error reports may include diagnostic information from log messages that were written by the application. We do not intentionally log Client identifiers, audio content, or other Encrypted Session Data content.
- Log Data: When you use our Service, our servers automatically record information, which may include your Internet Protocol (IP) address, the date and time of your requests, and data related to application crashes or errors.
Crucially, this automatically collected data is never linked to the content of your Encrypted Session Data. It is used for operational purposes only. No user identification is performed through analytics; all analytics events are captured anonymously.
2.5. Tracking Technologies and Identifiers
The Service uses the following persistent identifiers and tracking technologies on your device or within third-party services we engage:
- Apple Identifier for Vendor (IDFV): Provided by iOS, this identifier is common across all Speech Metrics apps on your device and is used solely for device-scoped diagnostics. It is not used for cross-app tracking.
- RevenueCat App User ID: An anonymous identifier maintained by RevenueCat so we can synchronize your subscription entitlement across devices. It is not used for advertising or cross-app tracking.
- Firebase Installations ID: A pseudonymous identifier assigned by Firebase Authentication and used to associate your device with your account for secure server-to-device communication.
- PostHog Distinct ID: Assigned only when you opt in to analytics; used to join analytics events from the same install into a single session for debugging and product-improvement purposes.
- Web Cookies (marketing site only): The speechcatcher.ca marketing website uses only strictly necessary cookies required to operate the site. We do not place advertising or cross-site tracking cookies.
App Tracking Transparency (ATT): The iPad application does not engage in tracking as defined by Apple's App Tracking Transparency framework. We do not link user or device data collected within the Service to user or device data collected in third-party apps or websites for advertising or advertising-measurement purposes, and we do not share user or device data with data brokers. Accordingly, the application does not present an App Tracking Transparency prompt.
3. How and Why We Use Your Information (Purpose of Processing)
Every piece of information we process is tied to a specific, explicit, and legitimate purpose. This mapping is a core requirement of data protection law and ensures we do not use your data beyond what is necessary and disclosed.
| Purpose of Processing | Description | Data Categories Used |
|---|---|---|
| Service Provision and Account Management | To create and maintain your account, authenticate you as a user, process payments, and provide the core functionality of the Service. | Account Information, Professional Verification Information, Payment Information. |
| Secure Storage and Transmission | To securely store, manage, and transmit the Encrypted Session Data as directed by you, the Provider. | Encrypted Session Data. |
| Customer Support | To respond to your inquiries, provide technical assistance, and resolve issues. | Account Information, Communications, Usage and Device Data. |
| Service Improvement and Analytics | To understand how our Service is used, identify areas for improvement, develop new features, and enhance usability. | Usage and Device Data. |
| Security and Fraud Prevention | To protect the integrity of our Service, monitor for malicious activity, prevent security breaches, and enforce our terms of service. | Account Information, Usage and Device Data, Log Data. |
| Legal and Contractual Obligations | To comply with applicable laws, regulations, legal processes, and to fulfill our contractual obligations to you. | Account Information, Payment Information, Communications. |
4. Our Legal Basis for Processing Under GDPR
For individuals in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, we process personal data based on the following lawful bases as defined under the General Data Protection Regulation (GDPR):
- Performance of a Contract: We process Provider Account Information, Payment Information, and Encrypted Session Data because it is necessary to perform the service contract we have with our Providers. This includes creating their account and providing the core recording, storage, and transmission features they have subscribed to.
- Legitimate Interests: We process Usage and Device Data and Log Data based on our legitimate interest in maintaining a secure, functional, and reliable Service. We also rely on legitimate interests to communicate with Providers about important service updates. We have balanced these interests against your data protection rights and have concluded that our processing is necessary and does not override your fundamental rights and freedoms.
- Consent: For any processing activities that are not essential for service delivery, such as non-essential analytics cookies or marketing communications, we will rely on your explicit consent.
- Processing on Behalf of a Controller: For the Encrypted Session Data, which contains "special categories of personal data" (i.e., data concerning health) under Article 9 of the GDPR, we act as a Data Processor. The Provider is the Data Controller. The Provider is responsible for establishing a lawful basis for processing this sensitive data, which will typically be the explicit consent of the Client. Our policy requires Providers to certify that they have obtained all necessary consents from their Clients before using our Service to record sessions.
This clear delineation of roles is a critical aspect of GDPR compliance. As a Processor, we are bound by our contractual agreement with the Provider to protect the data and only process it according to their instructions. The Provider, as the Controller, retains primary responsibility for the data and for ensuring that Client rights are upheld.
5. Data Sharing and Disclosure
We do not sell your personal information. We limit the sharing of your information to the specific circumstances described below:
- Third-Party Service Providers (Sub-processors): We engage a limited number of third-party companies to perform functions on our behalf. These include:
- Cloud Hosting Provider (Google LLC, through the Firebase platform): All Service infrastructure runs on Google's Firebase platform, comprising Cloud Firestore (structured data), Cloud Storage for Firebase (Encrypted Session Data audio files), Cloud Functions (server-side logic), and Firebase Authentication. At account creation you choose a data residency region, which determines where your data is stored and processed: North America (Firebase region us-east1), European Union (Firebase region europe-west1), or Australia (Firebase region australia-southeast1). The hosting provider stores Encrypted Session Data but is contractually and technically prevented from accessing the content of that data.
- Identity and Authentication Provider (Firebase Authentication, operated by Google LLC): Manages account authentication, including email and password sign-in and the federated Sign in with Apple and Sign in with Google flows. The identity provider stores authentication identifiers and, for email/password accounts, a hashed credential. It does not receive any Encrypted Session Data or its decryption keys.
- App Store Billing (Apple Media Services, operated by Apple Inc.): Subscriptions purchased through the iPad application are billed by Apple through your Apple ID account. Apple handles all payment information directly under its own terms and privacy policy.
- Subscription Management (RevenueCat, Inc.): We use RevenueCat to validate App Store receipts, synchronize subscription state across your devices, and determine entitlement to subscriber features. RevenueCat receives an Apple subscription identifier, product identifier, purchase and renewal timestamps, and an anonymous user identifier. RevenueCat does not receive payment card information or Encrypted Session Data.
- Analytics Services (PostHog): We use PostHog to collect usage analytics, session replays, and error tracking data as described in Section 2.4. PostHog processes this data on our behalf under a data processing agreement that requires them to maintain the confidentiality and security of the data. They are only permitted to process data for the specific purposes for which we engage them. Analytics data is collected only with your explicit consent.
- Legal Requirements: We may disclose your information if we are required to do so by law, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, such as a court order or subpoena. In such a scenario, it is important to note that for Encrypted Session Data, we can only provide the encrypted, unreadable data file, as we do not possess the keys to decrypt it.
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
6. Data Security and Retention
6.1. Our Security Measures: End-to-End Encryption Explained
We take the security of your data extremely seriously and have implemented robust technical and organizational measures to protect it. Our primary security control is End-to-End Encryption (E2EE).
Think of E2EE like sending a letter in a locked box. You, the sender, lock the box with a key that only you have. You then create a copy of that key and securely give it to the intended recipient. The postal service can transport the box, but they cannot open it. Only the recipient, who has the duplicate key, can unlock the box and read the letter.
In our Service, this works as follows:
- Encryption: When a session is recorded, the audio data is immediately scrambled on the Provider's device into an unreadable format called ciphertext, using a strong encryption algorithm like AES-256.
- Transmission: This encrypted ciphertext is transmitted to our servers for storage. At no point during this transmission can anyone—including us, our hosting provider, or any third party—read the data.
- Decryption: The data remains encrypted while stored on our servers. It can only be decrypted and turned back into readable audio on a device that possesses the correct decryption key—namely, the Provider's authorized device(s).
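To make the three steps above concrete, the following Go program is an added illustration written for this page; it is not code from SpeechCatcher or Speech Metrics, and the real application is not described at this level of detail. It assumes AES-256-GCM (an authenticated mode, so any tampering with the stored container is detected on decryption), a hypothetical non-secret `recordID` label bound to each blob, and an in-memory `Server` type standing in for the hosting provider. The server holds ciphertext only and has no key, so it cannot recover the session content; only a device holding the key can.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SessionBlob is the opaque container the server stores: a random nonce and
// the AES-256-GCM ciphertext (which carries its own authentication tag).
type SessionBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewSessionKey generates a random 256-bit key on the Provider's device.
// In the zero-knowledge design this key never leaves the authorized devices.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSession seals the session payload (audio plus metadata) on the device.
// recordID is a non-secret label the server may see; binding it as associated
// data means a blob cannot be silently re-attached to a different record.
func EncryptSession(key []byte, recordID string, payload []byte) (SessionBlob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return SessionBlob{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh nonce per session, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return SessionBlob{}, err
	}
	ct := aead.Seal(nil, nonce, payload, []byte(recordID))
	return SessionBlob{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptSession opens a blob on an authorized device. A wrong key, a wrong
// recordID or a single modified byte fails authentication and returns an error
// instead of garbage audio.
func DecryptSession(key []byte, recordID string, blob SessionBlob) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed blob: bad nonce length")
	}
	return aead.Open(nil, blob.Nonce, blob.Ciphertext, []byte(recordID))
}

// Server models the hosting side (hypothetical stand-in): it stores blobs by
// recordID and holds no keys at all.
type Server struct{ blobs map[string]SessionBlob }

func NewServer() *Server { return &Server{blobs: map[string]SessionBlob{}} }

func (s *Server) Store(recordID string, b SessionBlob) { s.blobs[recordID] = b }

func (s *Server) Fetch(recordID string) (SessionBlob, bool) {
	b, ok := s.blobs[recordID]
	return b, ok
}

// ServerCanRead shows what the host can do with a stored blob and no key:
// the best it can do is try a key of its own, which never authenticates.
func ServerCanRead(s *Server, recordID string) bool {
	blob, ok := s.Fetch(recordID)
	if !ok {
		return false
	}
	guess, err := NewSessionKey() // the server has no real key, only a random one
	if err != nil {
		return false
	}
	_, err = DecryptSession(guess, recordID, blob)
	return err == nil
}

func main() {
	key, _ := NewSessionKey()
	payload := []byte(`{"date":"2024-01-01","duration_s":900,"audio":"CONSTRUCTED-SAMPLE-BYTES"}`) // constructed sample
	blob, _ := EncryptSession(key, "session-42", payload)

	srv := NewServer()
	srv.Store("session-42", blob)
	fmt.Println("server can read:", ServerCanRead(srv, "session-42")) // false

	stored, _ := srv.Fetch("session-42")
	plain, err := DecryptSession(key, "session-42", stored)
	fmt.Println("provider decrypts:", err == nil && string(plain) == string(payload)) // true
}
```

The point a practitioner should take from this is that "encrypted at rest" on the server is not what gives the zero-knowledge property; the property comes from the key being generated and kept on the device, and from using an authenticated mode so the host cannot modify the container undetected.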
In addition to E2EE, we employ other security measures, including access controls to limit internal access to data, regular security assessments, and employee training on data protection.
6.2. Data Retention Periods
We retain different categories of data for different periods, guided by the principle of storing data only for as long as is necessary.
- Provider Account Data: We retain this information for as long as the Provider's account remains active. After an account is closed, we may retain some information for a limited period to comply with legal, financial, and tax obligations.
- Encrypted Session Data: As the Data Controller and Covered Entity, the Provider is responsible for determining the retention period for this data. Healthcare record retention requirements vary by jurisdiction and professional guidelines (e.g., HIPAA requires records to be kept for a minimum of six years). Our Service provides Providers with the tools to manage and delete their Encrypted Session Data in accordance with their own legal and professional obligations. We retain this data solely at the direction of the Provider.
- Usage and Device Data: We retain this data for a limited period, typically 18–24 months, as needed for security, analytics, and service improvement purposes. After this period, the data is either deleted or anonymized.
This retention policy directly addresses the potential conflict between regulations like GDPR, which grants a right to erasure, and HIPAA, which mandates long-term record-keeping. By empowering the Provider—the party with the legal and ethical obligation to their Client—to control the data's lifecycle, we ensure that these complex requirements can be properly managed.
6.3. Account Deletion
You may delete your Provider account at any time from within the iPad application by navigating to Account > Delete Account. Deleting your account terminates your subscription entitlement on our side (Apple-billed subscriptions must be cancelled separately through your Apple ID account settings), removes your Provider Account Data from active systems, and initiates deletion of your Encrypted Session Data subject to the retention rules described above and to your obligations under applicable health-record-retention law. If you are unable to access the in-app deletion control, you may contact privacy@speechmetrics.ca and we will process your deletion request manually. We may retain a limited subset of account information for the period required to comply with legal, financial, and tax obligations.
7. Your Privacy Rights and Choices
We believe in empowering you with control over your personal information. Depending on your location, you have certain rights regarding your data. We have created the following table to provide a clear, at-a-glance comparison of your key rights under the GDPR and HIPAA. This is intended as a user-friendly summary; detailed explanations are provided in Sections 8 and 9.
| Right | General Data Protection Regulation (GDPR) | Health Insurance Portability and Accountability Act (HIPAA) | How to Exercise with Our Service |
|---|---|---|---|
| Access | The right to obtain a copy of your personal data that we process. | The right to inspect and obtain a copy of your Protected Health Information (PHI). | Contact your Provider to request a copy of your session data. You can access your account data directly in your profile settings. |
| Rectification / Amendment | The right to have inaccurate personal data corrected. | The right to request an amendment to your PHI if you believe it is incorrect or incomplete. | You can correct your account data in your profile settings. To amend session records, you must contact your Provider. |
| Erasure | The right to have personal data deleted ("Right to be Forgotten") under certain conditions. | No equivalent right. PHI is subject to mandatory legal and professional record retention laws. | To request the deletion of session data, you must contact your Provider, whose decision will be subject to their legal obligations. |
| Restriction of Processing | The right to limit how your personal data is processed in certain situations. | The right to request restrictions on certain uses and disclosures of your PHI. | You must contact your Provider to request restrictions on the processing of your session data. |
| Data Portability | The right to receive your data in a structured, commonly used, and machine-readable format. | No equivalent right, though the right of access provides for copies in a requested format if readily producible. | Contact your Provider to request an export of your session data. |
| Objection | The right to object to processing based on legitimate interests or for direct marketing. | The right to object to certain disclosures (e.g., to a health plan for payment, if you pay out-of-pocket). | You can manage your marketing communication preferences in your account settings. Other objections should be directed to your Provider. |
| Accounting of Disclosures | The right to be informed of third-party recipients of your data. | The right to receive an accounting of certain disclosures of your PHI made by your provider. | See the "Data Sharing" section of this policy. For an accounting of disclosures of PHI, you must contact your Provider. |
To exercise any of these rights, please follow the instructions in the table. For rights related to your account data, you may contact us directly at privacy@speechmetrics.ca. For rights related to your session data, you must contact your Provider, who is the controller of that information. We will provide our Providers with the necessary tools and support to help them respond to your requests.
8. Information for Users in Australia
The privacy of individuals in Australia is protected by the federal Privacy Act 1988 and the Australian Privacy Principles (APPs) contained within it.
- Applicability: The Privacy Act applies to Australian Government agencies, private sector organizations with an annual turnover of more than AUD 3 million, and all health service providers.
- Personal and Sensitive Information: The Act defines "personal information" as information or an opinion about an identifiable individual. It provides special protection for "sensitive information," which includes health information, genetic data, and racial or ethnic origin.
8.1. The Australian Privacy Principles (APPs)
The 13 APPs set out the standards for the handling of personal information. Our practices are aligned with these principles.
- APP 1 — Open and Transparent Management: We are committed to managing your personal information transparently. This Privacy Policy is designed to be clear and up-to-date, explaining the kinds of information we collect, how we handle it, and for what purposes. It also details how you can access your data, make corrections, or file a complaint.
- APP 2 — Anonymity and Pseudonymity: You have the right to deal with us anonymously or by using a pseudonym where it is lawful and practicable to do so.
- APP 3 — Collection of Solicited Personal Information: We only collect personal information that is reasonably necessary for our functions. We will not collect sensitive information (including health information) about you without your consent, unless an exception applies.
- APP 5 — Notification of Collection: At or before the time we collect your personal information, we will notify you of the purposes of collection, who we might disclose it to, and other relevant details as outlined in this policy.
- APP 6 — Use or Disclosure: We will only use or disclose your personal information for the primary purpose for which it was collected, unless you have consented to a secondary use or disclosure, or another exception applies.
- APP 7 — Direct Marketing: We will not use your sensitive information for direct marketing without your explicit consent. For all direct marketing, we will provide a simple way for you to opt out.
- APP 12 & 13 — Access and Correction: You have the right to request access to the personal information we hold about you and to request that we correct any information that is inaccurate, out-of-date, or incomplete.
8.2. Your Rights in Australia
Under the Privacy Act, you have the right to:
- Know why your personal information is being collected and how it will be used.
- Access and correct your personal information.
- Remain anonymous or use a pseudonym in certain situations.
- Opt out of receiving direct marketing communications.
Complaints regarding a breach of the APPs can be directed to the Office of the Australian Information Commissioner (OAIC), which is the independent national regulator for privacy and freedom of information.
9. Information for Users in Canada
Personal information, including personal health information, is protected by a combination of federal and provincial laws in Canada. Our data handling practices are designed to comply with these regulations.
9.1. Federal Privacy Law: PIPEDA
Canada's federal privacy law for the private sector is the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA governs how organizations engaged in commercial activities collect, use, and disclose personal information.
- Applicability: PIPEDA applies to our service when we handle the personal information of Canadian users across provincial or national borders. For activities that occur entirely within a province with a "substantially similar" privacy law, the provincial law will apply.
- Personal Information: Under PIPEDA, "personal information" is broadly defined as any "information about an identifiable individual." This includes your name, age, ID numbers, and sensitive data such as medical and health records.
- Your Rights Under PIPEDA: You have the right to:
- Know why an organization is collecting, using, or disclosing your personal information.
- Expect that your information will be collected, used, and disclosed for reasonable and appropriate purposes.
- Access the personal information held about you and challenge its accuracy and completeness. Organizations must respond to access requests within 30 days.
- Our Obligations Under PIPEDA: We are obligated to:
- Obtain meaningful and informed consent for the collection, use, and disclosure of your personal information.
- Implement appropriate security safeguards to protect your personal information against loss, theft, or unauthorized access.
- Notify the Office of the Privacy Commissioner (OPC) and affected individuals of any data breach that poses a "real risk of significant harm."
9.2. Provincial Privacy Laws
Several Canadian provinces have their own private-sector privacy laws that have been deemed "substantially similar" to PIPEDA. For activities conducted wholly within these provinces, the provincial law applies.
- Quebec: An Act to modernize legislative provisions as regards the protection of personal information (Law 25, formerly Bill 64). Law 25 significantly modernizes Quebec's privacy framework, introducing stricter requirements. Key provisions include:
- Enhanced Consent: Consent must be clear, granular, and requested separately for each specific purpose. Express consent is required for sensitive personal information, and parental consent is needed for minors under 14.
- Privacy Impact Assessments (PIAs): We are required to conduct PIAs for certain activities, including before transferring personal information outside of Quebec, to ensure the data receives adequate protection.
- Expanded User Rights: Law 25 grants you rights similar to the GDPR, including the right to data portability (effective September 2024) and the right to request the de-indexation of your information (a "right to be forgotten").
- Privacy by Default: Technological products and services must be configured to provide the highest level of privacy by default.
- Breach Reporting: We must report any confidentiality incident that presents a "risk of serious injury" to the Commission d'accès à l'information (CAI) and affected individuals.
- Alberta: Personal Information Protection Act (PIPA). Alberta's PIPA governs how private sector organizations in the province handle personal information.
- Applicability: PIPA applies to provincially regulated organizations in Alberta. Personal health information is primarily protected under a separate law, the Health Information Act.
- Your Rights: You have the right to know why your data is being collected, expect it to be handled reasonably, and to access and request corrections to your personal information.
- Consent: Organizations must obtain your explicit consent before collecting, using, or disclosing your personal information.
- British Columbia: Personal Information Protection Act (PIPA). BC's PIPA sets the rules for how private sector and non-profit organizations in the province manage personal data.
- Applicability: PIPA applies to most private organizations in BC. Health-specific records are also covered by the E-Health (Personal Health Information Access and Protection of Privacy) Act.
- Personal Information: The law defines personal information broadly to include name, address, medical information, and employment history.
- Your Rights: You have the right to know why your information is being collected, expect it to be used reasonably, access it, and request corrections.
- Ontario: Personal Health Information Protection Act (PHIPA). For users in Ontario, the collection, use, and disclosure of personal health information is specifically governed by PHIPA. This law applies to "health information custodians," such as healthcare providers, and is considered substantially similar to PIPEDA for health data.
- Other provinces: Provincial health information statutes also apply in Newfoundland and Labrador (PHIA), Manitoba (PHIA), New Brunswick (PHIPAA), Nova Scotia (PHIA), and Saskatchewan (HIPA). The Provider is responsible for determining the applicable framework and meeting the obligations of a health information custodian thereunder.
9.3. Canada's Anti-Spam Legislation (CASL)
We comply with Canada's Anti-Spam Legislation (CASL). We will not send You a commercial electronic message without Your express or implied consent, and every commercial electronic message We send will identify Speech Metrics, provide our contact information, and include a working unsubscribe mechanism. You may withdraw consent at any time by following the unsubscribe link in any commercial email or by contacting privacy@speechmetrics.ca.
10. Information for Users in the European Economic Area (EEA), UK, and Switzerland
If you are located in the EEA, UK, or Switzerland, you have certain rights and protections under the GDPR. This section provides the detailed disclosures required by that regulation.
10.1. Your Rights Under GDPR
You have the following rights with respect to your personal data:
- The Right of Access: You have the right to request a copy of the personal data we hold about you.
- The Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
- The Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
- The Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data in certain circumstances.
- The Right to Data Portability: You have the right to receive your personal data in a structured, machine-readable format and to have it transmitted to another controller.
- The Right to Object: You have the right to object to our processing of your personal data where we are relying on a legitimate interest as our legal basis.
- Rights in Relation to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not engage in such processing.
10.2. Data Controller, Privacy Officer, and Data Protection Officer
As explained in Section 4, the Provider is the Data Controller for Encrypted Session Data. Speech Metrics is the Data Controller for Provider Account Data and Usage/Device Data. Our Privacy Officer is Gregory Hedlund and can be reached at privacy@speechmetrics.ca or via mail at our registered address. The Privacy Officer is responsible for overseeing this Privacy Policy, responding to data-subject requests, and serving as the point of contact for supervisory authorities.
Data Protection Officer (GDPR Article 37). Having reviewed the criteria in Article 37, We have concluded that We are not required to formally appoint a Data Protection Officer at this time. Our processing of Encrypted Session Data — which contains special-category health data — is conducted exclusively as a Data Processor on behalf of Providers, using end-to-end encryption that prevents Us from accessing the plaintext content of that data. We do not engage in regular and systematic monitoring of data subjects on a large scale, and We do not process special-category data on a large scale in a form that is decipherable to Us. We will reassess this conclusion if the scale, nature, or context of our processing changes, and We will appoint a DPO promptly if Article 37 thresholds are met.
EU and UK Representative (GDPR Article 27 / UK GDPR). Speech Metrics is established in Canada and is not currently established in the European Economic Area or the United Kingdom. We have not yet designated an Article 27 representative because the Service is not actively targeted at data subjects in those territories at a scale that triggers the obligation, and our processing of personal data of EEA/UK residents is occasional and low-risk relative to the encrypted nature of Session Data. We will appoint a written EU representative and a separate UK representative before commencing active marketing or large-scale processing directed at the EEA or the United Kingdom.
10.3. International Data Transfers
Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal data under European Union law, such as the United States. To provide adequate protection for these transfers, we have put in place appropriate safeguards, such as the Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) or UK Addendum where applicable, to ensure that your personal data is treated in a manner that is consistent with and respects the EU and UK laws on data protection. Where You select a European Union data residency region at account creation, Your Encrypted Session Data and Provider Account Data are stored on Firebase infrastructure in the europe-west1 region and are not transferred outside the EEA in the ordinary course of providing the Service.
10.4. Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, We will notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, in accordance with GDPR Article 33 and UK GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, We will also notify affected data subjects without undue delay, in accordance with Article 34. For Providers acting as Data Controllers, We will notify You of any breach affecting Encrypted Session Data so that You may meet Your own notification obligations to Your Clients and to regulators.
11. Information for Users in the United States
This section serves as our Notice of Privacy Practices ("Notice") as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It applies to the Protected Health Information (PHI) that is created or received by Providers using our Service.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
11.1. Our Responsibilities
Speech Metrics functions as a "Business Associate" to your Provider, who is a "Covered Entity" under HIPAA. We are required by law to maintain the privacy and security of your PHI. We will notify you and your Provider if a breach of unsecured PHI occurs. We must follow the duties and privacy practices described in this Notice and provide you with a copy of it.
Due to our end-to-end encryption architecture, our primary responsibility is to implement robust security safeguards to protect the integrity and confidentiality of the Encrypted Session Data. We cannot access, use, or disclose the PHI contained within that data.
11.2. How We May Use and Disclose Your PHI
HIPAA permits Covered Entities (your Provider) to use and disclose PHI for purposes of treatment, payment, and healthcare operations without your specific authorization. Your Provider may use the PHI from your recorded sessions for these purposes.
Our role as a Business Associate is strictly limited. We do not use or disclose your PHI for treatment, payment, or operations because we cannot access it. Our only "use" of the PHI is to facilitate the secure storage and transmission of the encrypted data at the direction of your Provider.
11.3. Uses and Disclosures Requiring Your Authorization
Any other use or disclosure of your PHI by your Provider not described in their Notice of Privacy Practices will be made only with your written authorization. You may revoke this authorization at any time, in writing, except to the extent that your Provider has already acted in reliance on your authorization.
11.4. Your Rights Regarding Your PHI
You have the following rights concerning your PHI. To exercise these rights, you must contact your Provider directly.
- Right to Inspect and Copy: You have the right to inspect and obtain a copy of your PHI.
- Right to Amend: If you believe that PHI your Provider has about you is incorrect or incomplete, you may ask them to amend the information.
- Right to an Accounting of Disclosures: You have the right to request a list of the disclosures your Provider has made of your PHI for purposes other than treatment, payment, and healthcare operations.
- Right to Request Restrictions: You have the right to request a restriction or limitation on the PHI your Provider uses or discloses about you.
- Right to Request Confidential Communications: You have the right to request that your Provider communicate with you about medical matters in a certain way or at a certain location.
11.5. How to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with your Provider or with the Secretary of the U.S. Department of Health and Human Services. You may also contact our Privacy Officer at privacy@speechmetrics.ca. You will not be penalized for filing a complaint.
12. Information for Users in California
This section supplements the rest of this Privacy Policy with disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"). It applies to consumers who are California residents. Terms defined in the CCPA have the same meaning when used in this section.
12.1. Categories of Personal Information We Collect
In the preceding twelve (12) months, We have collected or processed the following categories of personal information about California residents who use the Service. The list maps to the categories enumerated in Cal. Civ. Code §1798.140.
- Identifiers (e.g., name, email address, federated sign-in identifier, Firebase Installations ID, RevenueCat App User ID, IDFV).
- Customer records information (account profile information You provide).
- Commercial information (subscription status, product purchased, purchase and renewal timestamps; payment card information is handled by Apple and is not collected by Us).
- Internet or other electronic network activity information (with Your consent only: PostHog product analytics events, session replays of in-app interactions, error reports including console output, log data including IP address and request metadata).
- Inferences drawn from the foregoing to support, secure, and improve the Service.
- Sensitive personal information in the form of Encrypted Session Data, which contains health-related audio recordings and associated metadata. We process this data only as a service provider acting at the direction of the Provider; the data is encrypted end-to-end and We do not have the ability to decrypt it.
12.2. Sources of Personal Information
We collect personal information directly from You (when You create an account, contact support, or use the Service), automatically from Your device (when You opt in to analytics), and from third parties that authenticate You at Your direction (Apple, Google) or that process Your subscription (Apple Media Services, RevenueCat).
12.3. Business or Commercial Purposes for Collection
We use the categories above to provide and secure the Service, manage Your account and subscription, process Your requests, respond to support inquiries, detect and prevent fraud or abuse, comply with legal obligations, and (with Your consent) improve the Service through analytics and error tracking.
12.4. Categories of Third Parties with Whom We Share Personal Information
We share personal information only with the service providers and sub-processors identified in Section 5 of this Policy, in each case under contracts that limit their use of the data to providing services to Us. We do not share personal information with data brokers.
12.5. No Sale or Sharing of Personal Information
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We have not done so in the preceding twelve (12) months. We do not have actual knowledge of selling or sharing the personal information of consumers under sixteen (16) years of age.
12.6. Use of Sensitive Personal Information
Our use of sensitive personal information (Encrypted Session Data) is limited to that which is necessary to perform the Service at the direction of the Provider. We do not use or disclose sensitive personal information to infer characteristics about a consumer, and We do not use it for any purpose for which a California resident would have the right to limit use under the CCPA.
12.7. Retention
We retain each category of personal information for the periods described in Section 6.2 of this Policy. We retain personal information for no longer than is reasonably necessary for the purposes for which it was collected, except where a longer period is required or permitted by law.
12.8. Your California Privacy Rights
If You are a California resident, You have the following rights, subject to certain exceptions:
- Right to Know: Request that We disclose the categories and specific pieces of personal information We have collected, the sources, the purposes for collection, and the categories of third parties with whom We have shared personal information.
- Right to Delete: Request that We delete personal information We have collected from You, subject to legal retention requirements (note that Encrypted Session Data containing PHI is generally controlled by Your Provider; delete requests for that data must be directed to the Provider).
- Right to Correct: Request that We correct inaccurate personal information We maintain about You.
- Right to Opt Out of Sale or Sharing: We do not sell or share personal information; nonetheless, You may exercise this right and We will confirm our practices in writing.
- Right to Limit Use of Sensitive Personal Information: As explained in Section 12.6, our use of sensitive personal information is already limited to purposes permitted under the CCPA without a separate opt-out.
- Right to Non-Discrimination: We will not deny You service, charge You a different price, or provide You a different level of quality because You exercise any of these rights.
12.9. How to Exercise Your Rights
To exercise any of these rights, contact our Privacy Officer at privacy@speechmetrics.ca. We will verify Your identity using information already associated with Your account before responding. You may designate an authorized agent to make a request on Your behalf; the agent must provide written authorization signed by You, and We may require You to verify Your identity directly with Us before processing the request. We will respond within forty-five (45) days, with one extension of up to forty-five (45) additional days where reasonably necessary.
13. Information for Users in Other U.S. States
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and Oregon, and of other U.S. states that have enacted comprehensive consumer privacy laws, have rights substantially similar to those described in Section 12 for California residents, including the rights to access, correct, delete, and obtain a copy of personal information We hold about them, and to opt out of the sale of personal information or targeted advertising. We do not engage in the sale of personal information or targeted advertising as those terms are defined in these laws.
To exercise any right under Your state's privacy law, contact our Privacy Officer at privacy@speechmetrics.ca. We will verify Your identity, respond within the timeframes required by Your state's law, and provide an appeal process if We deny Your request.
14. Children's Privacy
Our Service is intended for use by licensed Providers and other qualified professionals. We do not market the Service to children and we do not knowingly collect personal information directly from a child for the child's own use of the Service. Where a Provider uses the Service to record sessions with a minor Client, it is the sole responsibility of the Provider to obtain legally valid consent from the child's parent or legal guardian in accordance with the law applicable to the Client's residence, including but not limited to:
- United States — COPPA: For Clients under the age of thirteen (13), the Children's Online Privacy Protection Act requires verifiable parental consent before any collection of personal information from the child.
- Quebec, Canada — Law 25: For Clients under the age of fourteen (14), consent must be given by the holder of parental authority.
- European Economic Area, United Kingdom, Switzerland — GDPR and UK GDPR: For Clients under the age of sixteen (16), parental or guardian consent is required (member states may lower this floor to no less than thirteen (13); the Provider is responsible for applying the threshold applicable in the Client's jurisdiction).
- Other jurisdictions: The Provider is responsible for applying the minor-consent threshold required by local law.
If We become aware that We have collected personal information directly from a child in a manner inconsistent with the foregoing thresholds, We will take steps to delete that information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by email (sent to the email address specified in your account) or by means of a prominent notice within the Service prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
16. How to Contact Us
If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us using the information below:
Speech Metrics
Attn: Privacy Officer
Email: privacy@speechmetrics.ca