Reflective Training Privacy Policy

Last updated: April 26, 2026

Plain-Language Summary

We value your privacy at Reflective Training (“RT”). This policy explains how we protect your data when you use our website. We collect account details (e.g. name, email), training activity (e.g. feedback, video roleplays, progress), and, if you choose to connect them, certain data from your Google account for sign-in and Google Calendar. We use strong security, de-identify data for educational research where appropriate, and don’t sell your information. You can request data access or roleplay removal; see below. We’ll notify you and any required authorities without undue delay if a data breach affects your information, in accordance with applicable law. Depending on where you live, you may have additional rights under laws such as the GDPR (EEA/UK/Switzerland) or the CCPA/CPRA (California). Questions? Email mfredrick@reflective-learning.org.

1. Introduction

Reflective Training (“RT,” “we,” “us,” or “our”) is committed to protecting the privacy of our users, who are healthcare providers, healthcare students, corporate trainees, and other legitimate human learners aged 18 and older. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (the “Site”). By accessing or using the Site, you agree to this Privacy Policy.

2. How We Protect Your Privacy

We use the following measures to safeguard your information:

  • User Verification: We require email verification at signup and ask users to self-identify as eligible learners (18 or older, in a healthcare or training context).
  • Data Security: We use industry-standard encryption, U.S.-based secure cloud application hosting, database services, and Amazon Web Services (AWS) for file storage, plus access controls to protect your data from unauthorized access, disclosure, alteration, or destruction. Video roleplays are stored securely to prevent unauthorized copying.
  • De-identification: Before data is used for educational research, we remove or pseudonymize directly identifying information (such as name and email) and apply technical and procedural safeguards designed to reduce the risk of re-identification.
  • Limited Access: Only authorized RT personnel (such as coaches assigned to you, designated scorers, and authorized administrators) may access identifiable data, and only for the purposes described in this policy. Internal reviewers or research partners may access de-identified data for quality and program-evaluation purposes.
  • Data Breach Notification: If a data breach affecting your information occurs, we will notify affected users and any required authorities without undue delay, in accordance with applicable law (for example, the GDPR’s 72-hour regulator-notification requirement and breach disclosure rules under U.S. state laws such as the CCPA/CPRA).

3. Information We Collect

We collect:

  • Personal Information: Name, email address, role (e.g. learner, instructor), profile image (if you use Google sign-in or upload one), and user ID you provide when you register, sign in, or use the Site.
  • Educational Data: Feedback you submit, video roleplays (mock sessions) you or your coaches upload, quiz and journey/progress data, and related training content. We also record scheduling and attendance data for group sessions (times, check-in, confirmation). We do not automatically record the audio or video of live meetings as part of the Site; any meeting-style recording would come only from content you or your team upload as training material.
  • Google account data (if you use Google): If you sign in with Google, we receive profile information that Google makes available to us for authentication (Google account email, name, and profile image) using the standard openid, userinfo.email, and userinfo.profile scopes. If you separately connect Google Calendar from your dashboard, we only access Google Calendar data to display availability and schedule training sessions requested by the user. Specifically, RT requests the scopes https://www.googleapis.com/auth/calendar.freebusy and https://www.googleapis.com/auth/calendar.events to: (a) read your free/busy availability on your primary calendar, (b) create new events for training sessions, (c) add Google Meet conference links to those events when you use that option, and (d) delete events that you or your coach cancel through RT. All Google Calendar actions (reading availability, creating events, and deleting events) are only performed in response to explicit user actions in the RT interface, such as connecting your calendar, creating a session, joining a session, or canceling a session. RT does not modify events on your calendar that it did not create, and runs no background jobs against your calendar. We store the OAuth refresh and access tokens that are needed to call these APIs on your behalf. You can disconnect Google Calendar at any time from /dashboard/calendar; on disconnect we delete the stored tokens. Events already created on your Google Calendar will remain there unless you delete them. You can also revoke RT’s access at any time via myaccount.google.com/permissions. Google’s own handling of your Google account and Calendar data is described in Google’s policies (see Section 6).
  • Usage Data: Data related to your use of the Site (e.g. session and security logs) collected through cookies and similar technologies as described in the next section.

4. Cookies and Tracking Technologies

We use cookies and similar technologies that are necessary to run the Site, including:

  • Types: Essential, first-party cookies and similar storage (e.g. to keep you signed in, protect security, and remember interface preferences such as sidebar layout).
  • Purpose: Authentication, security, and basic Site functionality.
  • Control: You can control cookies and local storage through your browser settings. Disabling essential cookies may prevent sign-in or limit functionality.
  • Compliance: Where required (for example, under the GDPR or the CCPA/CPRA), we process information in line with applicable law. We do not use advertising cookies, and we do not sell your personal information. California residents and EEA/UK/Swiss users have additional rights described in Section 9.

5. How We Use Your Information

We use your information to:

  • Improve Learning: Analyze de-identified feedback and training activity (including session scheduling and attendance, where available) to enhance training effectiveness.
  • Conduct Educational Research: Use de-identified data for educational research to advance psychotherapy training. Reports never identify RT learners.
  • Manage Video Roleplays: Your mock video roleplays may be viewed by:
    • Coaches assigned to you and designated scorers, for the purpose of giving you feedback on your training.
    • Authorized RT administrators, for quality assurance and moderation.
    • Authorized internal reviewers or research partners, using de-identified data, for program evaluation and the educational research described in this policy.
    • Where the Site makes shared viewing or library features available, other authorized RT users for collaborative learning, under strict confidentiality. Users agree not to capture, reproduce, or distribute others’ roleplays, as per the Terms of Service.
  • Deliver Services: Provide Site access, manage accounts, and communicate about training.

6. Third-Party Services

We don’t sell or rent your personal information. We share data with the following service providers (subprocessors) so we can operate the Site:

  • Google (Sign-In and Calendar): If you use Sign in with Google or Connect Google Calendar, your use of those Google services is also subject to Google’s terms and Privacy Policy. RT’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
    • We only use Google user data to provide and improve the user-facing features of RT described in this policy (authentication; reading free/busy; creating, deleting, and adding Google Meet links to events for training sessions).
    • We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
    • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
    • We do not allow humans to read Google user data, except: (i) with your affirmative consent for specific data, (ii) when necessary for security purposes (such as investigating abuse), (iii) when necessary to comply with applicable law, or (iv) when the data has been aggregated and de-identified for internal operations and in accordance with applicable privacy and other laws.
    • We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models.
  • Amazon Web Services (AWS): We use AWS (including S3) in U.S. regions to store and serve uploaded videos and other files. See AWS Privacy.
  • Vercel (application hosting): The RT web application is deployed on Vercel’s U.S. infrastructure. See Vercel’s privacy policy.
  • Managed PostgreSQL database: Account, training activity, and scheduling data are stored in a managed PostgreSQL database hosted in the United States.
  • Resend (transactional email): We use Resend to send transactional emails (e.g. verification codes, password reset). See Resend’s privacy policy.
  • Educational research partners: De-identified data may be shared with academic partners for educational research, with technical and contractual safeguards designed to prevent re-identification.
  • Legal requirements: We may disclose data to comply with law, enforce our terms, or protect the rights, safety, or property of RT, our users, or others.

We will keep this list reasonably up to date if our subprocessors change.

7. International Data Transfers

Our systems and your files are processed in the United States (application hosting, database, and AWS storage). If you access the Site from outside the U.S., your information may be transferred to and processed in the U.S. For users in the EEA, UK, or Switzerland:

  • Safeguards: We use appropriate transfer mechanisms as required by applicable law, which may include Standard Contractual Clauses (or successor frameworks) and supplementary measures as appropriate.
  • Rights: EEA, UK, Swiss, and California residents have additional rights described in Section 9. We do not sell personal information for money and do not share it for cross-context behavioral advertising.
  • Contact: Email mfredrick@reflective-learning.org for international data concerns.

8. Data Retention

We retain:

  • Personal Information: Up to 7 years after account closure, unless you request earlier deletion or a shorter period is required by law.
  • Educational Data: Video roleplays, feedback, and related training records (including scheduling and attendance metadata) are retained for educational research and platform improvement while your account is active, and thereafter for up to 7 years, unless you request earlier removal of specific materials.
  • Aggregated or de-identified data: May be retained indefinitely for analytics, platform improvement, and educational research. Where data has been aggregated or de-identified to a degree that it can no longer reasonably be associated with you, it is no longer treated as your personal data.
  • Google account and Calendar data: OAuth tokens are retained only while you keep Google Sign-In or Google Calendar connected to RT, and are deleted when you disconnect or when we detect that the tokens have been revoked.
  • Usage and server data: Security and application logs are retained for a limited operational period (typically up to 90 days) and then deleted or aggregated, unless a longer period is required by law or needed to investigate a security incident.

Note: “de-identified” here refers to records from which direct identifiers have been removed. Where applicable law (e.g. the GDPR) requires anonymization rather than de-identification before data ceases to be personal data, we treat that data as personal data until the higher standard is met.

9. Your Rights

All RT users have the following baseline rights:

  • Access & Correction: Request a copy of the personal data we hold about you, or correction of inaccurate data, by emailing mfredrick@reflective-learning.org.
  • Deletion: Request deletion of your account, your uploaded roleplays, or other data associated with you. We’ll process requests within 30 days, subject to legal obligations and to data we are required to retain (for example, audit logs).
  • Opt out of future research use: You can ask us to exclude your future activity from datasets used for educational research. Data that has already been aggregated or de-identified before your request cannot be unwound, but we will not include new identifiable activity going forward.
  • Disconnect Google services: You can revoke Google Sign-In or Google Calendar access at any time from your dashboard or at myaccount.google.com/permissions.

Additional rights for EEA, UK, and Swiss residents (GDPR / UK GDPR)

Subject to applicable law, you may also have the right to: data portability, restriction of processing, objection to certain processing (including processing based on legitimate interests), withdrawal of consent (where processing is based on consent), and lodging a complaint with your local supervisory authority. Our lawful bases include performance of a contract (operating your account), legitimate interests (security, service improvement, educational research with safeguards), consent (where you connect Google Calendar or opt in to specific processing), and compliance with legal obligations.

Additional rights for California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect and how we use it, to request deletion or correction, to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising, to limit the use of sensitive personal information, and to be free from discrimination for exercising these rights. RT does not sell your personal information for money and does not share it for cross-context behavioral advertising.

To exercise any of these rights, email mfredrick@reflective-learning.org. We may need to verify your identity before completing your request. You may use an authorized agent where applicable law permits.

10. Video Roleplay Control

  • Storage: Mock video roleplays are stored on AWS S3 in U.S. regions, with access limited to authenticated RT users who have a legitimate need (the uploader, the learner, the assigned scorer, and the learner’s coach).
  • Removal: You can request removal of any of your roleplays at any time (during a course, after a course, or after account closure) by emailing mfredrick@reflective-learning.org. We will confirm removal from the Site within 30 days. Any de-identified derivative data already incorporated into research datasets is governed by Section 9 (opt out of future research use).

11. Legal Compliance

RT is an educational training platform. RT does not collect, create, or store Protected Health Information (PHI) subject to HIPAA. All training materials, including mock video roleplays, must be simulated; users must not upload recordings of real patients or any content that contains real clinical encounters or PHI. We comply with applicable laws, including the GDPR (and UK GDPR) and the CCPA/CPRA, and we maintain confidentiality standards appropriate to an educational setting.

13. Reporting a Security Concern

If you believe you have found a security vulnerability or that your account or data has been compromised, please email mfredrick@reflective-learning.org with details. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond.

14. Contact Us

For questions or concerns:

David Roberts

mfredrick@reflective-learning.org

7703 Floyd Curl Dr, San Antonio, TX 78229