Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account registration information: name, email address, phone number, and employer name
• Employee concern submissions: workplace concern details, employment information (employer name, job title, department, dates of employment, supervisor name), descriptions of incidents, documentation references, and disclosure preferences
• Employer account information: company name, contact person name, email address, phone number, billing information, and company size
• Communications: messages sent through the platform between you and your employer, and correspondence with our support team
• Mediator-selection metadata (at-launch): when both parties to a matter elect mediator-guided resolution, we collect each party's mediator slate selections, ranking submissions, conflict declarations (employer's preexisting-conflict list), bilateral engagement-request status, the timestamps of each party's engagement request and acceptance, and the audit-log record of each step in the bilateral selection workflow
• Survey responses and feedback

1.2 Information Collected Automatically

• Device and browser information: browser type, operating system, device identifiers
• IP address and approximate location data
• Usage data: pages visited, features used, time spent on pages, referring URLs
• Cookies and similar tracking technologies (see Section 5 below)

1.3 Sensitive Personal Information

Due to the nature of workplace concern reporting, the information you provide may include sensitive personal information (SPI) within the meaning of Cal. Civ. Code section 1798.140(ae), including information about race, ethnicity, national origin, gender, age, disability, medical conditions and health information, sexual orientation, religious or philosophical beliefs, union membership, and the contents of communications between you and third parties who are not the intended recipients. We collect this information only when you choose to provide it as part of describing your workplace concern.

Use limitation under CCPA/CPRA section 1798.121(d). We use and disclose your SPI solely for the purposes authorized in Cal. Civ. Code section 1798.121(a) and the implementing regulations at 11 CCR section 7027, which means only to (i) perform the Services you requested (routing your concern to the employer you identify, tracking the employer response window, and providing the in-platform message channel), (ii) detect security incidents and resist fraudulent or malicious actions, (iii) comply with federal, state, or local laws, and (iv) protect the vital interests of a natural person. We do not use SPI to infer characteristics about you, to build profiles for targeted advertising, or for any purpose outside those listed. Because our use of SPI is limited to the purposes specified in 1798.121(a), the CPPA's implementing regulations do not require us to provide a separate "Limit the Use of My Sensitive Personal Information" link, although you retain all rights described in Section 7 of this Policy.

1.3.1 Consumer Health Data (Washington residents)

Wiser Workplace presently accepts submissions only from California residents and our intake forms decline submissions from Washington residents. If, despite that gating, we nevertheless receive a submission from a Washington resident, information in that submission that relates to past, present, or future physical or mental health status (including disability, medical condition, accommodation request, mental health, pregnancy, reproductive or sexual health, or substance-use information) would be "consumer health data" under the Washington My Health My Data Act (RCW 19.373). In that event, our collection, use, sharing, and retention of consumer health data is governed by our separate Consumer Health Data Privacy Policy, which is published and maintained as a safeguard required by that statute.

1.3.2 Consumer Health Data (Nevada residents)

Wiser Workplace presently accepts submissions only from California residents and our intake forms decline submissions from Nevada residents. If, despite that gating, we nevertheless receive a submission from a Nevada resident, information in that submission that relates to past, present, or future physical or mental health status (including disability, medical condition, accommodation request, mental health, pregnancy, reproductive or sexual health, or substance-use information) would be "consumer health data" under Nevada's consumer-health-data provisions within Chapter 603A of the Nevada Revised Statutes (as amended by Nevada Senate Bill 370 (2023)). In that event: Wiser Workplace does NOT sell health data to data brokers, does NOT use consumer health data to create or augment consumer dossiers through profiling, and does NOT combine consumer health data with other consumer data for automated decision-making. We collect and use consumer health data solely for the purpose of routing the concern to the identified employer and operating the Services. A Nevada resident would have the right to: (1) request confirmation of whether consumer health data is collected, (2) request deletion of consumer health data, (3) withdraw consent for future collection and use, and (4) appeal a denial of such a request. To exercise these rights, contact privacy@wiserworkplace.com.

1.4 Educational Content Usage Data

When you use our educational tools and resources, we collect data including search queries, guide pages viewed, and time spent using resources. This data is collected solely for service improvement and to enhance the relevance of our educational content.

1.5 Mediator-Applicant and Mediator-User Information (At-Launch)

At public launch in Q3 2026, mediators may apply to join the platform's directory and may serve as Mediator Users when engaged through the bilateral selection process described in Section 13 of our Terms. From mediator applicants and Mediator Users, we collect:

• Identity and contact information: name, email address, phone number, mailing address, professional credentials, and identification information necessary to verify identity and right to work
• Professional credentials and qualifications: bar admission(s) and license status, training certifications, mediation experience (years and case counts), education, areas of specialization, languages, and other information disclosed in the mediator's directory profile
• Service availability: counties or regions available, mediation style, hourly rate, availability windows, and conflict-of-interest declarations
• Tax and payment information: if Wiser Workplace processes any payments to a mediator, taxpayer identification number (TIN or SSN) and payment-routing information; this information is collected and stored solely as needed for tax reporting (1099-NEC) and is not used for any other purpose
• Engagement metadata: matter assignments, engagement-acceptance and decline records, session scheduling, and post-session feedback

Bar admission(s) and other directory-profile information are displayed publicly on the mediator's directory profile so users can identify the mediator's jurisdiction(s) and credentials. Tax and payment information is treated with the same confidentiality and security protections as Employer User billing information and is never displayed publicly. Mediator data is retained per the schedule in Section 4 of this Policy and is anonymized at directory removal except as required for tax records.

2. How We Use Your Information

• To operate and provide the Services, including routing workplace-concern submissions from employees to the employer the employee identifies, tracking the employer's response window, and enabling the parties to exchange messages and documents through the platform's in-app channel
• To create and manage your account
• To communicate with you about your account, submissions, and the Services
• To process payments for subscription services
• To maintain and improve the Services
• To send service-related notifications and updates
• To ensure platform security and prevent fraud, abuse, and misuse of the platform
• To comply with legal obligations
• To generate de-identified, aggregated data for research and analytics purposes. Such data does not identify any individual
• To improve the accuracy and relevance of our educational content and legal guides
• To operate limited algorithmic features including administrative case routing and draft-message generation, all for operational and informational purposes only, not for legal advice
• At-launch (Q3 2026), to operate the bilateral mediator selection workflow described in Section 13 of our Terms, including: filtering qualifying mediators by specialization and county, presenting a slate to both parties, recording each party's rankings, computing the rank-sum selection, recording bilateral engagement requests and timestamps, and routing engagement notifications to the selected mediator and to the parties
• At-launch (Q3 2026), to administer mediator-applicant and Mediator-User accounts, including verifying credentials, displaying directory profiles, processing 1099-NEC tax reporting if Wiser Workplace processes any payment to a mediator, and managing mediator-side conflict declarations

Important Limitations on Use:

• We do NOT use personal information to provide legal advice. The Services provide educational information and technology that routes concerns between employees and employers; they do not constitute legal advice and Wiser Workplace is not a law firm or a mediation provider.
• We do NOT make automated decisions about the legal merit or value of any workplace concern.
• We do NOT use algorithmic features to provide legal advice, evaluate case strength, or make legal determinations of any kind.

Automated Processing and Algorithmic Features:

The Services include limited algorithmic features (administrative case routing and draft-message generation for human review) that process your information for operational and informational purposes only. None provide legal advice or make legal determinations. See our Terms of Service Section 10 for complete details on these features.

Key data practices: Algorithmic outputs are retained only for the duration of the active case plus 90 days. We do not use your personally identifiable data to train machine learning models. You may request a human review of any automated decision by contacting support@wiserworkplace.com.

California Automated Decisionmaking Technology Notice (ADMT Pre-Use Disclosure):

This section serves as a pre-use disclosure under the California Privacy Protection Agency's regulations implementing the California Consumer Privacy Act as amended by the California Privacy Rights Act, for features that use automated decisionmaking technology (ADMT) to assist the delivery of the Services.

• Purposes. We use ADMT to produce draft messages for Wiser Workplace staff review and to support administrative case routing. We do not operate an automated classifier that labels your submission as any particular type of legal claim; you select category labels yourself on the intake form. No ADMT output terminates, suspends, conditions, or determines employment, credit, housing, insurance, healthcare, education, or access to essential goods or services, and no ADMT output is the sole basis for any "significant decision" about you within the meaning of the ADMT regulations.
• How the logic works, in general terms. Draft generation uses large-language-model prompting over the information you submit. Material outputs that affect the handling of your matter (including employer notification content and draft messages) are reviewed by a human before any user-facing action is taken. Routine administrative aids (such as internal category tagging and urgency tiering used for operational routing) may be applied automatically without human pre-review, but remain subject to your right to opt out and to request human review.
• Categories of personal information used as ADMT inputs. The narrative text of your submission, category labels and metadata you select, correspondence you exchange through the Platform, and operational case data such as dates and status. We do not use sensitive health identifiers to draw inferences beyond the matching tasks described above.
• Right to opt out of ADMT. You may request that your matter be processed through a human-only workflow with no ADMT assistance. You can exercise this right in two ways: (i) check the "Process my matter through a human-only workflow" box on the intake form at the time you submit, or (ii) email privacy@wiserworkplace.com at any time with the subject line "Opt out of ADMT." We will honor the request within the statutory response window and will not retaliate against you for exercising this right.
• Right to access information about ADMT. You may request the specific ADMT features that processed information about you, the output produced, the role that output played in any decision that affected you, and a meaningful description of the logic used, by emailing privacy@wiserworkplace.com.
• Right to human review. You may request human review of any output of an ADMT feature that materially affected a decision about you or the handling of your matter. Email privacy@wiserworkplace.com.
• No use for targeted advertising or profiling. We do not use ADMT for behavioral advertising, for cross-context profiling, or to evaluate personal aspects of your life unrelated to your submission.

3. How We Share Your Information

We do not sell your personal information to third parties. We may share your information as follows:

3.1 With Employers (for Employee Submissions)

Pre-launch (current state), when an employee submits a workplace concern, we share information about that concern with the identified employer, subject to the employee's disclosure preferences. All such communications are subject to contractual confidentiality under our Terms of Service and the California Evidence Code section 1152 compromise-negotiation framework recited in Section 7.7 of our Terms. Because no mediator has yet been engaged through the platform under the bilateral selection workflow described in Section 13 of our Terms, the statutory mediation-confidentiality framework in California Evidence Code sections 1115 to 1128 does not yet attach to platform communications. At public launch in Q3 2026, when a credentialed independent California mediator on the platform's directory is engaged for a specific matter, communications occurring within that mediator-guided resolution will additionally invoke California Evidence Code sections 1115 to 1128. This Section will be updated before launch with the corresponding mediator data-flow disclosures.

3.2 With Service Providers

Trusted third-party service providers (“Sub-Processors”) who assist us in operating the Services are bound by confidentiality obligations. The following is a complete list of our current Sub-Processors, the data each processes, and their role:

• Airtable, database infrastructure. Stores case records, account data, employer information, and platform content. Airtable processes and stores Platform Communications as part of the platform’s core functionality. Airtable has completed a SOC 2 Type II audit. Airtable Privacy Policy
• Brevo, transactional email delivery. Sends case status notifications, account communications, platform alerts, and (at-launch) mediator-engagement notifications. Notification emails generally direct users to log into the platform to view substantive details and do not contain the content of Platform Communications. Mediator-engagement notifications, however, may include the mediator's name, directory profile link, and other engagement metadata necessary to inform the parties and the mediator that an engagement has been mutually accepted. Brevo Privacy Policy
• Stripe, payment processing for employer subscriptions. Certified by a PCI-qualified auditor to PCI Service Provider Level 1. Stripe processes payment card data directly; we do not store credit card numbers. Stripe does not have access to Platform Communications. Stripe Privacy Policy
• Netlify, website hosting and serverless infrastructure. Hosts the platform’s web application and executes server-side functions. Mediation data passes through Netlify’s infrastructure in transit but is not stored by Netlify. Netlify Privacy Policy
• Cloudflare, content delivery network (CDN), DNS resolution, DDoS mitigation, and bot detection (Turnstile). Cloudflare processes request metadata, including IP address, user agent, and request path, for every page load and form submission, in order to deliver and secure the Services. Cloudflare does not store the body of Platform Communications. Turnstile verifies that form submissions are made by real users rather than automated bots. Cloudflare Privacy Policy
• Google Analytics (GA4), website analytics on public pages only (page views, traffic sources, general demographics). Google Analytics is not loaded on the employee or employer portal or any page where confidential communications occur. Google processes this data as a processor on our behalf. Google Privacy Policy

We will update this list if we add or change Sub-Processors. If a Sub-Processor receives a subpoena or legal process requesting platform data, we will take reasonable steps to protect the contractual confidentiality of Platform Communications, including notifying you and, where permitted by law, objecting to disclosure on confidentiality grounds.

3.3 Law Enforcement and Legal Compliance

We may disclose information in response to valid legal process (subpoena, court order, or government request). To the maximum extent permitted by law, we will notify the affected user(s) before producing data in response to a subpoena or other compulsory process, except where (i) the order or applicable law prohibits notice (including, without limitation, gag orders accompanying national-security letters or grand-jury subpoenas), (ii) notice would itself violate law, or (iii) we have a good-faith belief that notice would create a risk of injury or death to a third party or interfere with an ongoing law enforcement investigation. We will take reasonable steps to object to disclosure on contractual-confidentiality grounds, to invoke any applicable evidentiary privilege (including the California Evidence Code section 1115 to 1128 mediation privilege where applicable at launch), and to seek a protective order to limit the scope of any disclosure.

3.3.1 Sharing With Mediators (At-Launch)

At public launch in Q3 2026, when an Employee User and an Employer User in a given matter both elect mediator-guided resolution under Section 13 of our Terms, the platform will share the following with the selected mediator: (i) the names and contact information of the parties; (ii) the matter category, county, and other intake metadata necessary for the mediator to conduct the mediation; (iii) Platform Communications relevant to the matter, to the extent necessary for the mediator to prepare for and conduct the session; and (iv) any agreement-to-mediate or settlement document the parties elect to execute through the platform. The mediator is bound by the confidentiality obligations of Section 7 of our Terms, by Cal. Evid. Code §§ 1115 to 1128 with respect to mediation communications, and by the mediator's own professional rules. Sharing under this Section 3.3.1 occurs only after the bilateral consent gate in Section 13.4 has been satisfied; no party data is shared with any mediator before mutual engagement.

3.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have.

3.5 Aggregated Data

We may share de-identified, aggregated data for analytics, research, and service improvement purposes.

Information We Will NEVER Share:

• Your employee identity with your employer without your explicit consent
• Platform communications between you and the employer you identify, except as expressly permitted by Section 7 of our Terms of Service or as required by lawful legal process
• Your personal information with third-party sales-intelligence, lead-enrichment, data-broker, or prospecting platforms (for example Apollo, ZoomInfo, Clearbit, or functional equivalents), except with your express prior opt-in consent and only after this Privacy Policy has been updated to list the receiving platform as a Sub-Processor in Section 3.2 above

4. Data Retention & Deletion

4.1 Retention Schedule

We retain your personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law. Our target retention windows are set out below. Anonymization and scrubbing are performed by scheduled processes that run after a case reaches a terminal status; individual records may be processed in batches, and completion for any particular record may take up to an additional 30 calendar days beyond the stated window during normal operations. If a specific window is material to you, you may request earlier deletion under Section 4.2.

• Active case data: Retained with full personally identifiable information for the duration of the case. After a case reaches a terminal status (resolved, withdrawn, or otherwise closed), personally identifiable information is targeted for anonymization beginning at 90 days after closure. Non-identifying aggregate metadata (case category, county or state, resolution type, dates) is retained after anonymization.
• Account data: Targeted for anonymization at 90 days after account closure
• Billing records: Retained for 7 years as required by applicable tax law
• Algorithmic outputs: Matching scores, routing decisions, timeline predictions, and generated briefs are targeted for anonymization at 90 days after case closure
• Consent receipts (IP address, browser user agent, timestamp, terms version, notice version): Retained for 24 months from the date of submission for consent-verification and fraud-prevention purposes, then scrubbed
• Server logs and security telemetry: Retained for 12 months, then anonymized or deleted
• De-identified usage analytics: May be retained indefinitely (contains no personally identifiable information)
• Unsubmitted intake drafts (device-local only): If you begin filling out the intake form but don't submit, your partially-completed form may be saved to your browser's localStorage on the device you're using so you can resume. This draft never leaves your device, is automatically cleared 24 hours after your last edit, is cleared on successful submission, and does not include your date of birth. You can clear the draft at any time using the "Clear draft" button on the intake page or by clearing your browser storage for wiserworkplace.com. If you are using a shared or employer-owned device, clear the draft before leaving that device.

4.2 Your Right to Request Deletion

You may request deletion of your personal data at any time by contacting support@wiserworkplace.com. Upon receiving a verified request, we will delete the requested data within 30 calendar days, subject to the following:

• If both parties to a case consent, all case data is deleted within 30 days
• If only one party requests deletion, that party's personal identifying information is anonymized, but anonymized case records may be retained per the schedule above
• Settlement agreements are retained per their terms unless both parties agree to deletion
• Billing records are retained for 7 years regardless of deletion requests (tax law requirement)
• Contractual confidentiality obligations under Section 7 of our Terms of Service survive deletion

4.3 Destruction Confirmation

Upon request, we will provide written confirmation that your data has been deleted in accordance with this policy.

4.4 Confidentiality Survives Deletion

Deletion of data does not release any party from confidentiality obligations. See our Terms of Service (Section 7: Confidentiality) for details.

5. Cookies and Tracking Technologies

5.1 Types of Cookies and Tracking Technologies We Use

• Essential cookies, required for platform functionality and security (e.g., authentication tokens, session identifiers). These do not require consent.
• Analytics cookies (Google Analytics / GA4), placed by Google to help us understand how visitors use our public pages, including page views, traffic sources, and general usage patterns. GA4 collects data such as anonymized IP addresses, browser type, referring URLs, and pages visited. GA4 event data is retained for 2 months (the default setting), after which it is automatically deleted by Google.
• Consent preference cookie, stores your cookie consent choice (accept or decline) so we do not ask you again. This cookie expires after 365 days.

5.2 Cookies We Do NOT Use

• No third-party advertising cookies, We do not use cookies for targeted advertising purposes
• No retargeting or behavioral advertising, We do not track you across websites for marketing purposes
• No sale to data brokers or advertisers, We do not sell cookie data or tracking data to third parties

5.3 Your Cookie Choices

We honor Global Privacy Control (GPC) and Do Not Track (DNT) signals. If your browser sends a GPC or DNT signal, we automatically treat it as a request to decline analytics cookies, and no Google Analytics scripts will load during your visit. You can also manage cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Note that refusing essential cookies may impair platform functionality.

5.4 Cookie Consent and Opt-In Requirement

No analytics tracking occurs until you affirmatively consent. When you first visit our website, a consent banner will appear giving you the choice to accept or decline analytics cookies. If you decline, no Google Analytics scripts will load during your visit. You may change your consent at any time by clearing your browser's local storage for this site, which will cause the consent banner to appear again on your next visit.

You may also opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256.
• Access Controls: Role-based access, principle of least privilege, and multi-factor authentication for administrative access.
• Third-Party Standards: Our data-processing service providers have completed SOC 2 Type II audits. Our payment processor is certified to PCI Service Provider Level 1.
• Monitoring: Regular security assessments, employee training, and an incident response plan (see Section 11 for breach notification procedures).

No system is 100% secure. We cannot guarantee absolute security of your information. We are not liable for unauthorized access resulting from circumstances beyond our reasonable control.

7. Your Rights and Choices

7.1 All Users

• Access, update, and correct account information
• Request deletion of your data
• Opt out of non-essential communications
• Manage cookies and tracking preferences
• Request a human review of any automated processing decisions
• Request data portability in a structured, commonly used format

7.2 California Residents (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request what personal information we collect, use, share, and sell
• Right to Delete: You have the right to request deletion of personal information collected from you, subject to certain exceptions
• Right to Correct: You have the right to request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit use of sensitive personal information to necessary purposes
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

How to Exercise California Rights: You may submit a privacy request by visiting our Do Not Sell or Share My Personal Information page, emailing support@wiserworkplace.com, or writing to Wiser Workplace LLC, 1801 Century Park East, Suite 2400, Los Angeles, CA 90067. We will verify your identity and respond within 45 calendar days (which may be extended by an additional 45 days for complex requests, with notice). You may designate an authorized agent to submit requests on your behalf by providing written authorization.

Right to Limit Use, How It Works: If you request that we limit the use of your sensitive personal information (which may include employment-dispute details, health-related workplace claims, or other information you provide through our intake forms), we will restrict its use to what is strictly necessary to route the concern to the employer you identified, to operate the Services, to comply with legal obligations, and to maintain platform security. We will not use your sensitive personal information for profiling, marketing, or any purpose beyond operating the Services. To exercise this right, email support@wiserworkplace.com with the subject line "Limit Use of Sensitive Personal Information."

Right to Opt Out of Automated Decision-Making Technology: Under CPRA, you have the right to opt out of the use of automated decision-making technology, including profiling. Our platform uses limited algorithmic features for administrative purposes only (administrative case routing and draft-message generation for human review). These features do not evaluate legal merit, determine fault, or produce legal effects. You may request that a human review any automated output by emailing support@wiserworkplace.com with the subject line "Opt Out of Automated Decision-Making." We will respond within 15 business days.

7.3 California "Shine the Light" Law

California Civil Code Section 1798.83 provides California residents with the right to request information about the categories of personal information we share with third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

7.4 Virginia CDPA and Colorado CPA

Residents of Virginia and Colorado have similar privacy rights under the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA). These rights include rights to know, delete, correct, and opt-out of processing. Contact us at support@wiserworkplace.com to exercise these rights.

Right to Appeal: If we deny your privacy request under the Virginia CDPA or Colorado CPA, you have the right to appeal that decision. To appeal, email support@wiserworkplace.com with the subject line "Privacy Request Appeal" within 45 days of our response. We will review and respond to your appeal within 60 days. If we deny your appeal, we will provide information on how to contact your state attorney general to submit a complaint.

7.5 Financial Incentive Disclosure

We do not offer financial incentives in exchange for your personal information. We do not have any financial incentive programs under CCPA.

7.6 Verification of Requests

We will verify requests to exercise privacy rights by confirming your identity and account information. Failure to verify may result in denial of the request.

7.7 CCPA Categories of Personal Information Collected

8. Children's Privacy

The Services are intended for users 18 years of age and older. We do not knowingly collect personal information from individuals under 18. Consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501 et seq.), we do not knowingly collect personal information from children under 13. California users: consistent with California's "Eraser Law" (Cal. Bus. & Prof. Code §§ 22580-22582), a registered minor under 18 who is a California resident may request removal of content or information they posted. To make such a request, contact us at the address in Section 15. If we become aware that we have collected personal information from a minor in violation of these laws, we will delete such information promptly and terminate the account.

9. Third-Party Links and Services

The Services may contain links to third-party websites and services. We are not responsible for the privacy practices or content of third-party sites. Please review the privacy policies of any third-party websites or services before providing your personal information. Payment processors like Stripe have their own privacy policies governing their collection and use of payment information.

10. International Users

We do not currently offer Services outside the United States. If you access the Services from outside the United States, your personal information will be transferred to, processed, and stored in the United States. By using the Services, you consent to this transfer and processing of your information in the United States according to this Privacy Policy and applicable US laws.

Sub-Processor Global Infrastructure. Although the Services are offered only to U.S. users, our Sub-Processors listed in Section 3.2 may use globally distributed infrastructure for content-delivery, DNS resolution, transactional email routing, and similar operational functions. Each Sub-Processor is contractually bound to handle data consistent with this Policy and applicable U.S. law, and is selected in part for its security posture and its compliance certifications (such as SOC 2 Type II and PCI Service Provider Level 1, where applicable). Wiser Workplace does not transfer Platform Communications or Sensitive Personal Information out of the United States for the purpose of evading U.S. privacy law.

11. Data Breach Notification

In the event of a data breach involving personal information, we will:

• Notify affected individuals in the most expedient time possible and without unreasonable delay, consistent with California Civil Code § 1798.82, Nevada Revised Statutes § 603A.220, and Washington RCW 19.255.010, subject to the legitimate needs of law enforcement or measures necessary to determine the scope of the breach and restore reasonable integrity of the data system
• Notify the California Attorney General if the breach affects more than 500 California residents (Cal. Civ. Code § 1798.82(f))
• Notify the Washington Attorney General if the breach affects more than 500 Washington residents (RCW 19.255.010(8)), and provide notice within 30 days as required by Washington law
• Provide notice to Nevada residents consistent with Nev. Rev. Stat. § 603A.220, including notice to consumer reporting agencies where required
• Provide a description of the breach, the types of information affected, and steps you can take to protect yourself
• Describe the remediation steps we have taken and will take to prevent future breaches

Notification will be provided by email to the address on file, or by mail if we do not have a valid email address. Where state law mandates a specific notification timeframe (for example, Washington's 30-day requirement), we will comply with the shortest applicable deadline.

12. No Legal Advice

Wiser Workplace is not a law firm and does not provide legal advice. All content is for informational purposes only. See our Terms of Service Section 8 for complete disclaimers.

13. Platform Confidentiality and Privacy

Pre-launch (current state). Platform Communications are protected by this Privacy Policy and by the contractual confidentiality obligations in Section 7 of our Terms of Service, plus the California Evidence Code section 1152 compromise-negotiation framework recited in Section 7.7 of our Terms. These Terms do not yet rely on the statutory mediation-confidentiality framework in California Evidence Code sections 1115 to 1128 because no mediation has commenced through the Services pre-launch. At launch (Q3 2026). When a credentialed independent mediator on the platform's directory is engaged for a specific matter under the bilateral process described in Section 13 of our Terms, communications, documents, and writings prepared for the purpose of, in the course of, or pursuant to that mediation, within the meaning of California Evidence Code section 1115(b), will additionally invoke California Evidence Code sections 1115 to 1128. Communications occurring before mediator engagement, and communications outside the scope of section 1115(b), continue to be governed by Section 7.1 (contractual confidentiality) and Section 7.7 (section 1152 framework) of our Terms only. The contractual confidentiality terms are not an evidentiary privilege; if Wiser Workplace is compelled to produce data through lawful legal process, we will take reasonable steps to object to disclosure on contractual grounds where appropriate, but we cannot guarantee that platform communications will be protected from disclosure in litigation, arbitration, or government investigation. See our Terms of Service Section 7: Contractual Confidentiality for the full text.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For non-material changes, we will update the effective date and post the revised policy on the Services. For material changes to how we collect, use, or share your personal information, we will provide prominent notice by sending an email to the address associated with your account at least 30 days before the changes take effect, in addition to posting the revised policy. Your continued use of the Services following the effective date of changes constitutes your acceptance of such changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.