Privacy Policy

1. Introduction & Scope

DoCPR (“we,” “us,” or “our”) operates a multi-tenant software-as-a-service (SaaS) platform that enables CPR training businesses (“Tenants”) to manage their classes, schedules, and student certifications. Students (“End Users”) use the platform to browse, book, and complete CPR training courses.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you access or use the DoCPR platform, including our website, booking flows, online SCORM-based coursework, and any related services (collectively, the “Service”).

By using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Personal Information You Provide

When you create an account, book a class, or interact with the Service we may collect:

• Full name
• Email address
• Phone number
• Business or organization name (for Tenant accounts)
• Any information you voluntarily provide through support requests or forms

2.2 Payment Information

Payment processing is handled entirely by Stripe, Inc. When you enter payment card information during checkout, that data is collected directly by Stripe using Stripe Elements — a PCI-DSS-compliant embedded payment form. DoCPR never directly receives, transmits, or stores your full credit or debit card number. We receive only a tokenized reference and limited metadata (e.g., card brand, last four digits, expiration date) from Stripe to display transaction history.

2.3 Usage & Device Data

We automatically collect certain information when you access the Service, including:

• IP address (recorded at booking as terms_ip_address for audit purposes)
• Browser type and version
• Operating system
• Referring URL and pages visited
• Date, time, and duration of visits
• SCORM course progress and completion data

2.4 Consent & Audit Records

When you accept our Terms of Service during the class booking flow, we record the timestamp (terms_accepted_at) and your IP address (terms_ip_address) to maintain a verifiable record of your consent.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service
• To process class bookings, payments, and issue certifications
• To deliver transactional emails (booking confirmations, reminders, certification notices)
• To authenticate users and maintain session security
• To enable Tenants to manage their students, classes, and schedules
• To track SCORM LMS course progress and completions
• To comply with legal obligations and enforce our Terms of Service
• To detect, prevent, and address fraud, abuse, or technical issues
• To improve and optimize the Service

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

4.1 With Your Tenant (Training Provider)

When you book a class through a Tenant’s booking page, that Tenant can access your name, email, phone number, booking details, payment status, and course completion records as necessary to deliver their training services.

4.2 Service Providers (Sub-Processors)

We use the following third-party service providers to operate the platform. Each processes data only as necessary to perform its designated function:

4.3 Legal & Compliance

We may disclose personal information if required by law, subpoena, court order, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

5. Multi-Tenant Data Isolation

DoCPR is a multi-tenant platform. Each Tenant’s data — including class schedules, student bookings, certifications, and financial records — is logically segregated within our database infrastructure. This means:

• One Tenant cannot access another Tenant’s student records, booking data, or financial information.
• Access controls are enforced at the application and database level using row-level policies tied to each Tenant’s unique identifier.
• DoCPR administrators may access Tenant data only as needed to provide support, troubleshoot issues, or comply with legal obligations.

6. Cookies & Tracking Technologies

6.1 Authentication Cookies

We use strictly necessary session cookies provided by Supabase to authenticate your login session and maintain security. These cookies do not track your activity across other websites and are essential for the Service to function. We do not currently use analytics, advertising, or preference cookies.

6.2 Email Tracking Pixels

Our transactional email providers (Mailgun/Resend) may embed small, transparent tracking pixels in emails and use redirect links to measure open rates and click-through rates. This data helps us monitor email deliverability and improve communication reliability. These pixels do not install cookies on your device. If your email client blocks remote images, the tracking pixel will not load.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, including:

• Active accounts: Data is retained for the duration of your account or your relationship with a Tenant on the platform.
• Certification records: CPR certification data may be retained for a minimum period required by applicable regulations or Tenant policies (typically two years from the date of certification).
• Consent and audit logs: Records of terms acceptance (timestamps and IP addresses) are retained for legal compliance purposes.
• Payment records: Transaction history is retained as required by tax and financial reporting obligations.

When data is no longer required, it is securely deleted or anonymized in accordance with our internal data management procedures.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Deletion: Request that we delete your personal information, subject to legal retention requirements.
• Portability: Request a machine-readable copy of your data.
• Objection / Restriction: Object to or request restriction of certain processing activities.

To exercise any of these rights, please contact us at privacy@docpr.com. We will respond to verified requests within 30 days (or sooner if required by applicable law).

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom it is shared.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We do not sell personal information, and we have not sold personal information in the preceding twelve months.

To submit a CCPA request, email privacy@docpr.com with the subject line “CCPA Request.”

10. Children’s Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.

If you believe we have collected information from a child under 13, please contact us at privacy@docpr.com.

11. Security Measures

We implement industry-standard technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-level security policies in our PostgreSQL database (via Supabase)
• Secure, HttpOnly, SameSite authentication cookies
• PCI-DSS-compliant payment processing through Stripe
• Regular access reviews and least-privilege access controls
• Hosted infrastructure on Vercel and Supabase with SOC 2 compliance

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

12. International Data Transfers

DoCPR is based in Iowa, United States, and our primary data infrastructure is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your country of residence.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last Updated” date at the top of this page
• Notify Tenants via email or an in-platform notice for significant changes

Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: