Privacy Policy

CaseStacks LLC ("us," "we," or "CaseStacks") is committed to protecting the privacy and security of personal information. This Privacy Policy explains how CaseStacks handles personal information collected via the CaseStacks platform, website (www.casestacks.com) (the "Site"), and related services (collectively, the "Services").

If you are a resident of a jurisdiction with an applicable privacy law, the "Additional Information for Certain Jurisdictions" section contains further information about our handling of your personal information and data subject rights that may apply to you.

Personal Information We Collect

To provide our Services, we may process personal information from the categories listed below. Our listing of these categories does not mean that all categories or the examples listed in each category are collected from everyone who uses our Services or otherwise interacts with us. We are providing a list here in the spirit of transparency.

• Identifiers. This may include name, address, country, telephone number, language, email address, and date of birth.
• Internet or other electronic network activity information. This may include IP address, device/system identifiers, and other information collected via cookies/other tracking technologies (e.g., browsing data, and other information gathered about interactions with our Services).
• Commercial information. This may include employer, bank account number, credit or debit card number, purchase history, products or services purchased, transaction records, order history, subscription status, and other financial information needed to authorize payments.
• Geolocation data. This may include imprecise geolocation information derived from IP addresses that identifies a user's location within a broad geographic area.
• Professional or employment-related information. This may include job title, employer name, employee ID number, work email address, work phone number, and office address.
• Education information. This may include school/institution name, residency program, degree, enrollment status, student ID number, field of study, and preliminary reports/diagnostic assessments generated during use.

Sources of Personal Information

We collect the categories of personal information listed above from various sources. This section lists and describes those sources.

Directly

We collect personal information directly from you when you provide it to us; for example, when you register for an account, set up a user profile (optional), submit a payment, claim CME credits, request information, contact us (via the Services or email), or subscribe to email updates.

Indirectly

We may automatically collect personal information from users when they engage with the Services. This "passively collected" information helps us to improve our offerings and allows us to ensure our Services work as designed and in a way that meets our customers' expectations. Some examples include:

• Log Information. Through the use of analytics tools, we may automatically record information that a browser or device sends when it accesses our Services. This information may include information such as the type, browser language, computer operating system, name of an internet service provider/mobile carrier, the date and time of a request, etc.
• Cookies and Similar Tracking Technologies. When visiting or accessing our Services, we may utilize cookies (small text files containing a string of characters sent to the relevant computer/mobile device) or similar tracking technologies that uniquely identify the browser to track user's activity and hold certain information. We use the following types of cookies:
  • Necessary Cookies help you access our Services and facilitate features available on our Site.
  • Functional Cookies support additional functionalities on our Site to provide an even smoother experience.
  • Advertising/Targeting Cookies enable us to target our advertisements.
  • Performance/Analytics Cookies help us to understand your behavior. This enables us to keep improving our Services.
• Activity/Use Data. We also automatically collect certain information about your activity on the platform. This includes educational activity data such as assessment responses, assessment results, case completions, and progress tracking.
• Session and Assessment Timing. We also collect session and assessment timing information, including total session duration for call simulator sessions and time spent per case during assessments.

You can control and manage cookies/tracking technologies used on our Site at any time through our cookie consent management tool. By using the banner or the "Cookie Policy" link in the footer, you can accept or reject non-essential cookies, adjust preferences by category (such as analytics or advertising), or withdraw consent at any time.

From Third Parties

We may collect Personal Information about you from third parties, either at their request or for our business purposes. These third-party sources vary, but could include the following:

• Institutional customers. Our institutional customers provide us with personal information in connection with the provision of our Services (e.g., we collect personal information from medical institutions to facilitate their employees' access to our Services). The accuracy of what we receive is often dependent upon what our institutional customers provide us. If you have an account funded by an institution, please reach out to them directly if you believe they provided us with inaccurate information.
• Technical Service Partners. We work with a variety of third-party service providers to provide and improve our Services.

How We Use Personal Information

We process personal information for a variety of reasons, including to:

• provide and manage our Services,
• facilitate account registration and maintenance for our users,
• process payments and manage subscriptions,
• provide information about our Services to users,
• respond to user inquiries/requests,
• facilitate conversations with live chat platforms,
• develop new educational materials, newsletters, and assessment tools,
• facilitate our marketing efforts,
• provide customer support,
• issue CME credits and maintain certification records,
• facilitate interactions with social networks and platforms,
• analyze usage statistics,
• personalize our Services, and
• improve and secure our Services.

We may also create anonymous data records from personal information by excluding information that makes the data personally identifiable. We use this anonymous data to perform statistical analyses of users' aggregate behavior so that we may enhance/improve our Services. We reserve the right to disclose anonymous data to third parties in our discretion.

How We Disclose Personal Information

We may share personal information with third parties, including vendors, service providers, or agents who perform services on our behalf or at our request. These third parties require access to such information to do that work. The categories of third parties we may share personal information with for this purpose include, but are not limited to, providers of:

• Education/Accreditation Partners
• Institutional Customers
• Payment Processors
• Data Analytics Providers
• IT Infrastructure Service Providers
• Marketing Providers
• Web Developers
• Cloud Providers

We may also disclose or share the information we collect in connection with our Services with the following recipients and/or under the following circumstances:

• Government and Legal Authorities. We may disclose personal information in response to lawful requests by governmental and other legal authorities, including requests from national security agencies, consumer protection agencies, courts, and similar authorities.
• Law Enforcement. Under appropriate circumstances, we may disclose personal information to law enforcement personnel and certain third parties for use in connection with and in support of law enforcement activities.
• Business Transfers/Transactions. In the event of a merger, acquisition, bankruptcy or other sale of all or a portion of our assets, any personal information owned or controlled by us may be one of the assets transferred to third parties. We reserve the right, as part of this type of transaction, to transfer or assign personal information and other information we have collected from business customers and other users of the Service to third parties. Other than to the extent ordered by a bankruptcy or other court, the use and disclosure of all transferred personal information from users will be subject to this Policy. However, any information submitted or collected after this type of transfer may be subject to a new privacy policy adopted by the successor entity.

Additionally, we may disclose personal information:

• to comply with a law, regulation, or other governmental request, for example, to comply with subpoenas, court orders, legal process, or requests by law enforcement or governmental entities;
• to investigate or defend against third-party claims against us;
• to detect, prevent, or investigate fraud or other illegal activity or to enforce our Terms of Service;
• to repair or resolve technical issues;
• to respond to a request by a User to disclose the information, including requests to allow access to personal information by third parties designated by the requestor;
• to address emergencies or events beyond our reasonable control, including acts of God; and
• with the data subject's knowledge and consent.

Additional Privacy Information for Certain Jurisdictions

Residents of certain jurisdictions may also have the right to receive disclosures regarding a business' processing of "personal data" (as defined under Applicable Privacy Law). Where required by Applicable Privacy Law, the following disclosures apply.

Data Subject Rights

Depending on your jurisdiction and subject to certain exceptions, under Applicable Privacy Law you may have the following rights with respect to our processing of your personal data:

• Right to Access: You may have the right to access the specific pieces of personal data we have collected about you. If you make an access request more than twice in a 12-month period, or we determine the request is manifestly unfounded or excessive, we may request that you pay a small fee.
• Right to Delete: You may have the right to request that we delete any personal data about you that you have provided to us. Subject to certain limitations, we will delete your personal data from our records and notify our service providers, and third parties that you have requested deletion of your personal data.
• Right to Opt-Out: You may have the right to opt-out of any "selling" and certain types of sharing of your personal data.
• Right to Limit the Use of Sensitive Personal Data: If we process sensitive personal data, we do so only for the purposes specifically authorized by applicable law and in a manner that is necessary and proportionate for those purposes. As such, we do not perform any processing for which a right to opt-out/limit the use of sensitive personal data is available.
• Right to Correct: You may have the right to verify the accuracy of and correct inaccuracies in your personal data.
• Right to Restrict Processing: In certain circumstances, you may have the right to restrict our processing of your data. If we receive a valid request to restrict processing, CaseStacks will generally not process your personal data other than to store it.
• Right to Portability: You may have the right to receive your data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another organization without any hindrance.
• Right to Non-Discrimination: If you exercise your privacy rights, we will not discriminate against you by, for example, charging a different price or offering a different level or quality of products or services.
• Right to Lodge a Complaint: You may also have the right to bring a claim before your competent data protection authority.

Request Verification

Before we can respond to a privacy request, we will verify that you are the consumer who is the subject of the request. Requests to Opt-Out or Limit the Use of Sensitive Data (if applicable) do not require verification.

Typically, identity verification will require you to confirm certain information about yourself based on information we have already collected. For example, we will ask you to verify that you have access to the email address we have on file for you. If we cannot verify your identity based on our records, we cannot fulfill your request.

Exercising Your Rights

If you are a resident of a jurisdiction that has enacted an applicable privacy law and wish to exercise any of these rights, please contact us at privacy@casestacks.com.

Opt-out Preference Signals

Many browsers allow users to automatically transmit an opt-out preference signal, such as the Global Privacy Control ("GPC") signal, to online services they visit. When we detect a GPC signal, our systems recognize it and limit third-party tracking technologies on our Site accordingly. GPC signals will be associated with your browser identifier only and not linked to any account information (because the connection between browser and the account is not known to us). GPC signals are supported by certain internet browsers or as a browser extension.

Authorized Agent

If you choose to use an Authorized Agent, we require that you provide the Authorized Agent with written permission to allow them to submit your request and that you verify your identity directly with us. Failure to do so may result in CaseStacks denying your request.

Response Timing

Upon receiving your request, we will attempt to respond within 30 days. The response period may be extended when reasonably necessary. We will inform you of any such extension within 30 days of receiving your request, together with the reason for the extension.

Additional Disclosures for EU Residents

If you are located in the European Economic Area, we only process your personal data where we have a valid legal basis to do so under applicable data protection laws, including:

• Contract Performance: To provide the Services you've subscribed to.
• Legitimate Interests: To improve our Services, prevent fraud, and ensure data security.
• Legal Obligations: To comply with tax laws, CME reporting requirements, and other regulations.
• Consent: For marketing communications and optional features.

In any case, CaseStacks will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

CaseStacks is based in the United States. We do not currently maintain a physical presence or designated representative in the European Union or United Kingdom. We may transfer your personal information to countries outside of the European Economic Area ("EEA"), including to the United States, where data protection laws may differ from those in your jurisdiction.

When we transfer personal data internationally, we implement appropriate safeguards to ensure your information remains protected in accordance with applicable data protection laws. These safeguards may include the use of Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.

Providing certain personal data is necessary to enter into and perform a contract with us, such as creating and maintaining your account or providing access to our Services. If you choose not to provide required information, we may be unable to provide some or all aspects of the Services.

We do not use your personal data to make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you. If this changes, we will notify you and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing.

If you are located in the EU, UK, or other international jurisdiction, and have questions please contact us using the contact information provided below.

Email: privacy@casestacks.com
Address: CaseStacks LLC, 9833 San Remo Pl, Wake Forest, NC 27587

Health Information

CaseStacks is an educational platform and is not a HIPAA-covered entity. We do not offer Business Associate Agreements (BAAs) and our platform is not designed or intended to store, process, or transmit Protected Health Information ("PHI").

Users may not upload, access, or otherwise process PHI when using CaseStacks. This includes patient names, medical record numbers, dates of birth, dates of service, or any other information that could identify a patient. Users who enter PHI do so in violation of these terms and are solely responsible for any resulting HIPAA violations.

If you believe PHI has been inadvertently submitted to our platform, please contact us immediately at privacy@casestacks.com so we can take appropriate action.

Other Additional Information

No Children Under 13

Our Services are not directed at or intended for use by children under 13 years old. We do not knowingly collect personal information from children under 13 through our Services. If you are under the age of 13, do not use or provide any data through the Site or our other Services. If we learn that we have collected Personal Information of a child under 13, we will delete all relevant information as soon as possible.

Links to Third Party Sites

The Services contain links to other websites. This Privacy Policy applies solely to personal information collected via the Services, and CaseStacks is not responsible for the privacy practices or content of any other websites. You are encouraged to be aware when leaving the Services and to read the privacy policies of other websites and online services.

Retention of Personal Information

Unless specified otherwise in this Policy, personal information shall be processed and stored for as long as required for the purposes for which it was collected and may be retained for longer due to applicable legal obligation or based on the user's consent.

When feasible, CaseStacks promptly deletes information upon the termination of the relevant retention period. Accordingly, many data subject rights may not be enforceable after expiration of the relevant retention period.

Included below is specific information about our retention of certain types of data:

• Educational Records: Your progress, completions, assessment results, CME credits, and other learning data are retained indefinitely so you can access your complete learning history.
• Payment Information: Payment processing is primarily handled by Stripe. We retain your subscription status and billing history for account management.

Updates to this Privacy Policy

We reserve the right to make changes to this Privacy Policy at any time by giving notice on this page and possibly elsewhere within our Services. It is strongly recommended to check this page often, referring to the date of the last modification listed at the top.

Contact Us

If you have questions about this privacy policy or the rights described above, please contact us at:

• Email: privacy@casestacks.com
• Or contact us via our contact form
• Address: CaseStacks LLC, 9833 San Remo Pl, Wake Forest, NC 27587