Privacy Policy for Preppr

Effective Date: August 19, 2025
Last Updated: August 19, 2025
Version: 1.0.0

VMGM Software LLC ("Company", "we", "us", or "our") operates the Preppr mobile application ("App", "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this carefully. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, DO NOT USE THE APP.

This policy applies to information collected through:
- Our mobile application (iOS and Android)
- Communications between you and the App
- Your interactions with our AI voice agents

TABLE OF CONTENTS
1. Information We Collect
2. Legal Basis for Processing (GDPR)
3. How We Use Your Information
4. Disclosure of Your Information
5. Cookies and Tracking Technologies
6. Data Security
7. Data Retention
8. Your Privacy Rights
9. California Privacy Rights (CCPA)
10. International Data Transfers
11. Children's Privacy
12. Biometric Data
13. AI and Automated Decision Making
14. Third-Party Services
15. Data Breach Notification
16. Privacy Policy Changes
17. Contact Information

1. INFORMATION WE COLLECT

1.1 Personal Information You Provide
- Account Information: Name, email, phone number, password
- Profile Data: Resume, job preferences, industry, experience level
- Payment Information: Billing address, payment method (processed by payment providers)
- Communications: Support requests, feedback, survey responses

1.2 Automatically Collected Information
- Device Data: Device ID, model, OS version, app version, language settings
- Usage Data: Features used, session duration, interaction patterns, crash logs
- Performance Data: App load times, response times, error rates
- Network Data: IP address, ISP, connection type, bandwidth

1.3 Voice and Audio Data
- Voice Recordings: Interview practice sessions with AI agents
- Speech Patterns: Pace, tone, clarity metrics (derived data)
- Audio Quality Metrics: Background noise levels, microphone quality
- Transcriptions: Text versions of your responses

1.4 AI-Generated Data
- Performance Scores: Interview performance metrics
- Improvement Recommendations: Personalized coaching insights
- Behavioral Analytics: Communication patterns, confidence indicators
- Progress Tracking: Skill development over time

1.5 Location Data (Optional)
- Approximate Location: For job market insights (city/state level)
- Time Zone: For scheduling features
You can disable location services in your device settings.

1.6 Third-Party Data
- Social Media: If you connect accounts (LinkedIn, etc.)
- Authentication Providers: If using social sign-in
- Analytics Services: Usage patterns from Firebase, etc.

2. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area (EEA), we process data based on:

2.1 Consent (Article 6(1)(a) GDPR)
- Voice recordings and biometric processing
- Marketing communications
- Optional features like location services

2.2 Contract (Article 6(1)(b) GDPR)
- Account creation and management
- Service delivery (interview practice)
- Customer support

2.3 Legal Obligations (Article 6(1)(c) GDPR)
- Tax and accounting requirements
- Legal compliance and law enforcement

2.4 Legitimate Interests (Article 6(1)(f) GDPR)
- Service improvements and analytics
- Fraud prevention and security
- Direct marketing (with opt-out rights)

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes
- Provide interview practice services
- Generate AI feedback and recommendations
- Process payments and subscriptions
- Communicate service updates

3.2 Service Improvement
- Analyze usage patterns
- Improve AI accuracy
- Develop new features
- Fix bugs and technical issues

3.3 Personalization
- Customize interview questions
- Tailor difficulty levels
- Provide relevant job market insights
- Recommend practice areas

3.4 Legal and Safety
- Comply with legal obligations
- Enforce Terms of Service
- Protect against fraud
- Ensure user safety

3.5 Marketing (with consent)
- Send promotional emails
- Provide special offers
- Share product updates
- Conduct user research

4. DISCLOSURE OF YOUR INFORMATION

4.1 Service Providers
We share data with vendors who assist us:
- Cloud Infrastructure: Amazon Web Services, Google Cloud
- Payment Processing: Stripe, Apple Pay, Google Pay
- Analytics: Firebase, Google Analytics
- Communication: SendGrid, Twilio
- AI Services: OpenAI, Google AI (anonymized data only)

4.2 Legal Requirements
We may disclose information when required by:
- Court orders or subpoenas
- Government investigations
- Law enforcement requests
- National security requirements

4.3 Business Transfers
In case of merger, acquisition, or sale:
- Buyer receives user data
- Users notified before transfer
- Privacy commitments maintained

4.4 Aggregated Data
We may share anonymized, aggregated data:
- Industry reports
- Research publications
- Marketing materials
No individual identification is possible.

4.5 With Your Consent
- Sharing with potential employers (if you opt in)
- Third-party integrations you authorize
- Testimonials or case studies

5. COOKIES AND TRACKING TECHNOLOGIES

5.1 Types We Use
- Session Cookies: Temporary, deleted after session
- Persistent Cookies: Remain for specified period
- Analytics Cookies: Track usage patterns
- Functional Cookies: Remember preferences

5.2 Mobile Identifiers
- Advertising ID (IDFA/AAID): For attribution
- Device ID: For security and fraud prevention
- Push Tokens: For notifications (optional)

5.3 Third-Party Tracking
- Google Analytics: Usage analytics
- Firebase: Performance monitoring
- Adjust/AppsFlyer: Attribution tracking

5.4 Your Controls
- Device settings for ad tracking
- Browser cookie settings
- In-app privacy settings
- Email unsubscribe links

6. DATA SECURITY

6.1 Technical Measures
- AES-256 encryption at rest
- TLS 1.3 for data in transit
- Multi-factor authentication available
- Regular security audits
- Vulnerability scanning
- Penetration testing

6.2 Organizational Measures
- Limited access controls
- Employee training
- Confidentiality agreements
- Vendor security assessments
- Incident response plan
- Privacy by design principles

6.3 Data Centers
- SOC 2 certified facilities
- 24/7 monitoring
- Redundant backups
- Disaster recovery plans

7. DATA RETENTION

7.1 Active Accounts
- Account data: Duration of account + 30 days
- Voice recordings: 6 months (configurable)
- Transcriptions: 12 months
- Analytics: 24 months
- Payment records: 7 years (legal requirement)

7.2 Deleted Accounts
- Immediate: Personal identifiers removed
- 30 days: Complete deletion from production
- 90 days: Removal from backups
- Exception: Legal hold requirements

7.3 Aggregated Data
- Retained indefinitely
- No personal identification possible

8. YOUR PRIVACY RIGHTS

8.1 Universal Rights
- Access: Request copy of your data
- Rectification: Correct inaccurate data
- Deletion: Request data removal
- Portability: Receive data in portable format
- Objection: Opt out of certain processing
- Restriction: Limit processing
- Withdraw Consent: For consent-based processing

8.2 How to Exercise Rights
- In-app privacy settings
- Email: privacy@vmgmsoftware.com
- Response within 30 days
- Free of charge (reasonable requests)
- Identity verification required

8.3 Appeals
- Internal review process
- Supervisory authority complaints
- Judicial remedies

9. CALIFORNIA PRIVACY RIGHTS (CCPA)

9.1 Additional Rights for California Residents
- Right to Know: Categories and specific pieces of data
- Right to Delete: Subject to exceptions
- Right to Opt-Out: Of data "sales" (we don't sell data)
- Right to Non-Discrimination: Equal service regardless of rights exercise

9.2 Categories of Information
- Identifiers: Name, email, device ID
- Commercial: Purchase history, preferences
- Biometric: Voice patterns
- Internet Activity: Usage data
- Geolocation: Approximate location
- Professional: Employment history
- Inferences: Profile data

9.3 Shine the Light
California residents can request information about disclosures to third parties for direct marketing.

9.4 Do Not Sell
We do not sell personal information. No opt-out needed.

10. INTERNATIONAL DATA TRANSFERS

10.1 Transfer Mechanisms
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements
- Privacy Shield principles (where applicable)
- Adequacy decisions

10.2 Safeguards
- Encryption during transfer
- Limited access controls
- Contractual obligations
- Regular assessments

10.3 Your Rights
- Information about transfers
- Copies of safeguards
- Lodge complaints with authorities

11. CHILDREN'S PRIVACY

11.1 Age Restrictions
- Service for 18+ (or 13+ with parental consent)
- No knowing collection from under 13
- Age verification measures

11.2 Parental Rights (13-17)
- Access child's data
- Request deletion
- Withdraw consent
- Contact: privacy@vmgmsoftware.com

11.3 Schools and Educational Institutions
- FERPA compliance where applicable
- Special terms for educational use

12. BIOMETRIC DATA

12.1 Voice Biometrics
- Voice patterns for speaker verification
- Emotional tone analysis
- Speech clarity metrics

12.2 Your Consent
- Explicit opt-in required
- Separate consent for biometrics
- Can withdraw anytime
- Alternative non-biometric options available

12.3 Protection Measures
- Encrypted storage
- No third-party sharing
- Automatic deletion after 3 years
- BIPA compliance (Illinois residents)

13. AI AND AUTOMATED DECISION MAKING

13.1 How AI Uses Your Data
- Generate interview questions
- Analyze responses
- Provide feedback
- Score performance

13.2 Human Oversight
- AI decisions reviewable
- Human support available
- Appeals process
- No solely automated significant decisions

13.3 Transparency
- AI logic explanations available
- Scoring methodology disclosed
- Bias testing conducted
- Regular audits performed

14. THIRD-PARTY SERVICES

14.1 Integrated Services
Current third-party integrations:
- Firebase (Google): Analytics, storage
- Stripe: Payment processing
- OpenAI: AI language processing
- AWS: Cloud infrastructure
- SendGrid: Email delivery

14.2 Their Privacy Policies
Review their policies:
- Firebase: firebase.google.com/support/privacy
- Stripe: stripe.com/privacy
- OpenAI: openai.com/privacy
- AWS: aws.amazon.com/privacy
- SendGrid: sendgrid.com/privacy

14.3 Your Controls
- Manage integrations in settings
- Revoke access anytime
- Data deletion requests honored

15. DATA BREACH NOTIFICATION

15.1 Our Commitment
In case of breach affecting your data:
- Notification within 72 hours (GDPR)
- Email to affected users
- Public notice if needed
- Regulatory notifications

15.2 Information Provided
- Nature of breach
- Data categories affected
- Mitigation measures taken
- Recommendations for users
- Contact information

15.3 Your Actions
- Change passwords
- Monitor accounts
- Enable 2FA
- Contact us with concerns

16. PRIVACY POLICY CHANGES

16.1 Notification Methods
- In-app notifications
- Email to registered users
- Website announcement
- 30-day advance notice for material changes

16.2 Your Options
- Review changes
- Accept to continue using
- Delete account if you disagree
- Export data before deletion

17. CONTACT INFORMATION

17.1 Data Controller
VMGM Software LLC
[Physical Address]
United States

17.2 Contact Methods
Privacy Inquiries: privacy@vmgmsoftware.com
General Support: hello@vmgmsoftware.com
Data Protection Officer: dpo@vmgmsoftware.com
Phone: [Phone Number]

17.3 EU Representative
[If applicable, add EU representative details]

17.4 Response Time
- Acknowledgment: 48 hours
- Full response: 30 days
- Complex requests: Up to 90 days with notice

17.5 Supervisory Authorities
You may lodge complaints with your local data protection authority:
- EU: Your country's DPA
- UK: Information Commissioner's Office (ICO)
- California: California Attorney General

ACCESSIBILITY
This Privacy Policy is available in alternative formats upon request. Contact privacy@vmgmsoftware.com for assistance.

PRIVACY NOTICE FOR SPECIFIC STATES

Nevada Residents
We don't sell covered information as defined under Nevada law. To opt out of future sales (if applicable), email privacy@vmgmsoftware.com.

Virginia Residents (VCDPA)
Virginia residents have rights similar to those under CCPA, including access, deletion, correction, and opt-out rights.

Colorado Residents (CPA)
Colorado residents have rights to opt out of targeted advertising, sales, and profiling.

Connecticut Residents (CTDPA)
Connecticut residents have rights similar to those provided under GDPR and CCPA.

Utah Residents (UCPA)
Utah residents can access and delete their data, and opt out of sales and targeted advertising.

COOKIE DECLARATION
For detailed cookie information, visit our Cookie Policy at [URL].

By using Preppr, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.