CFrame External Privacy Policy

1. Introduction

At CFrame, we believe your data is your own. This Privacy Policy explains how we collect, use, and protect your personal information when you use our platform, mobile applications, and services. We are committed to transparency and giving you control over your data.

By accessing or using CFrame’s services, you agree to the practices described in this policy.

2. Scope

This Privacy Policy applies to all personal data collected by CFrame from individuals (e.g., users, research participants, customers) through our digital platform, surveys, email communications, and integrations with third-party services.

If you are a resident of California, the EU/EEA, or another jurisdiction with specific privacy rights, please refer to Section 10 for region-specific disclosures.

3. What Information We Collect

We only collect data that is necessary for you to use our platform and services effectively. This includes:

3.1 Information You Provide Voluntarily

• Account Information: Name, email address, phone number, demographic details
• Journal or Survey Entries: Free-text responses, structured assessments, self-reported health or wellness data
• Consent Forms: Electronic signatures, timestamps
• Support Requests: Messages, file uploads, contact details

3.2 Information Collected Automatically

• Device Information: IP address, browser type, OS, device model
• Usage Data: Feature usage, clickstream activity, session duration
• Location Data: Approximate location via IP (we do not collect GPS data)
• Cookies & Similar Technologies: Used for login persistence, analytics, and user experience improvements (see Section 6)

3.3 Information from Third Parties

• Authentication or SSO providers (e.g., Google, Apple)
• Optional integrations with wellness, EHR, or calendar systems (only with explicit permission)
• Referrals or research partnerships (if you’ve been invited by a clinician, employer, or research sponsor)

4. How We Use Your Data

• Provide and personalize your experience with the CFrame platform
• Conduct secure research with appropriate consent
• Monitor platform performance and improve features
• Respond to inquiries, feedback, and support requests
• Comply with legal obligations (e.g., HIPAA, data retention laws)
• Prevent fraud, abuse, or misuse of our systems

We do not sell or rent your personal information.

We will never use your health or assessment data for advertising or marketing without explicit, informed consent.

5. How We Share Your Data

5.1 With Your Consent

• For research studies you explicitly opt into
• When connecting your account to external apps or providers

5.2 With Service Providers

We use vetted third-party processors (under strict Data Processing Agreements or Business Associate Agreements) for:
- Cloud hosting (e.g., AWS, GCP)
- Authentication and access control
- Support ticketing and communication
- Data analytics (aggregated and de-identified only)

5.3 For Legal and Security Purposes

We may disclose data to comply with legal obligations or in response to lawful requests by public authorities (e.g., court order, subpoena), or to protect our rights and users’ safety.

6. Cookies and Tracking

CFrame uses essential cookies for functionality (e.g., login sessions) and analytics cookies (e.g., Google Analytics) to understand platform usage. We do not use tracking cookies for advertising or behavioral profiling.

You can manage your cookie preferences via your browser or through our in-app privacy settings.

7. Data Retention

We retain your data only for as long as it is necessary for the purpose for which it was collected, in line with our Data Retention and Disposal Policy. Retention durations may vary based on:
- Legal or regulatory requirements
- Your account status
- Participation in research projects

When data is no longer required, it is securely deleted or de-identified.

8. Data Security

We implement robust administrative, physical, and technical safeguards to protect your data, including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Role-Based Access Control (RBAC)
- Multi-Factor Authentication (MFA) for all administrator access
- Regular audits, penetration testing, and vulnerability scanning

Despite our efforts, no system is completely immune to breaches. In the unlikely event of a data incident, you will be notified in accordance with applicable law.

9. Your Rights

Depending on your location, you may have the right to:
- Access your personal data
- Request correction or deletion
- Withdraw consent
- Request a copy of your data (data portability)
- Object to processing or request restrictions

To exercise these rights, contact us at: security@cframe.co

We respond to all requests within 30 days.

10. Region-Specific Disclosures

10.1 California (CCPA)

California residents have the right to request:
- What categories of personal information we collect and disclose
- Deletion of personal information (subject to legal exceptions)
- That their information not be sold (we do not sell personal data)

10.2 European Union (GDPR)

• The legal basis for processing your data is your consent, contractual necessity, or legal obligation
• You may lodge a complaint with your local Data Protection Authority (DPA)

11. Children’s Privacy

CFrame is not intended for individuals under 13 years of age. We do not knowingly collect personal data from children without verifiable parental consent. If we learn we have collected data from a child in violation of this policy, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, practices, or services. When we do, we will revise the "Last Updated" date and notify users via email or in-app banner when required.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact:

Bryan Matthews
Chief Information Security Officer (CISO)
security@cframe.co
[cframe.co]