CALIFORNIA PRIVACY RIGHTS NOTICE (CCPA/CPRA)

Your Rights Under California Law

Dr. Wanda Hill / Dr Hill DM Health

Effective Date: April 19, 2026
Last Updated: April 19, 2026
Notice for California Residents

1. INTRODUCTION AND SCOPE

This California Privacy Rights Notice ("California Notice") provides comprehensive information specifically for California residents regarding how Dr. Wanda Hill, doing business as Dr Hill DM Health ("we," "us," "our," or "Company"), collects, uses, discloses, sells, and shares your personal information, as well as your specific privacy rights under the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"), codified at California Civil Code Section 1798.100 et seq., and all related implementing regulations adopted by the California Privacy Protection Agency ("CPPA"). This Notice supplements our general Privacy Policy and provides California-specific information about our data collection and processing practices, the categories of personal information we collect and disclose, your rights as a California consumer, and how you can exercise those rights under California law. By using our Services, you acknowledge that we have provided you with notice of our collection, use, and disclosure practices as required by California law, and where applicable, you provide your affirmative authorization for the collection and use of sensitive personal information for purposes beyond those permitted without authorization under CPRA regulations.

2. INFORMATION WE COLLECT ABOUT CALIFORNIA RESIDENTS

Under the CCPA and CPRA, we are required to disclose the categories of personal information we have collected about California consumers during the preceding twelve (12) months. The table below provides this information in the format prescribed by California regulations, including the categories of personal information collected, the categories of sources from which we collected such information, our business or commercial purposes for collecting such information, and the categories of third parties to whom we disclosed such information.

2.1 Categories of Personal Information Collected

We collect the following categories of personal information as defined under California Civil Code Section 1798.140:

Category A: Identifiers
Examples: Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
What We Collect: Name, email address, postal address, phone number, IP address, device identifiers, account username, online identifiers.
Collected: YES

Category B: Personal Information (Cal. Civ. Code § 1798.80(e))
Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
What We Collect: Name, address, phone number, payment card information (processed by third parties), bank account information (if provided), health and wellness information (voluntary).
Collected: YES

Category C: Protected Classification Characteristics
Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
What We Collect: Age, date of birth, gender (if voluntarily provided).
Collected: YES (Limited)

Category D: Commercial Information
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
What We Collect: Purchase history, transaction records, products/services purchased, order details, payment method preferences.
Collected: YES

Category E: Biometric Information
Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
What We Collect: NONE
Collected: NO

Category F: Internet or Other Electronic Network Activity
Examples: Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
What We Collect: Website browsing activity, pages viewed, links clicked, search queries, clickstream data, interaction with emails and content, usage patterns, session data.
Collected: YES

Category G: Geolocation Data
Examples: Physical location or movements.
What We Collect: General location from IP address (city/state/country level), precise geolocation ONLY if you explicitly grant device permission.
Collected: YES (General location only)

Category H: Sensory Data
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
What We Collect: Voice recordings (if you participate in recorded coaching calls with consent), profile photos or progress photos (if voluntarily provided).
Collected: YES (Limited, with consent)

Category I: Professional or Employment-Related Information
Examples: Current or past job history or performance evaluations.
What We Collect: Occupation or employment information (if voluntarily provided in profile or communications).
Collected: YES (Limited, voluntary)

Category J: Non-Public Education Information
Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records (per the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, 34 C.F.R. Part 99).
What We Collect: NONE
Collected: NO

Category K: Inferences Drawn from Personal Information
Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
What We Collect: Inferences about preferences, interests, program suitability, content recommendations, email engagement propensity.
Collected: YES

Category L: Sensitive Personal Information (CPRA Addition)
Examples: Social security number, driver's license, state ID, passport number; account log-in, financial account, debit/credit card + security/access code; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, union membership; contents of mail, email, text (unless business is intended recipient); genetic data; biometric data for unique identification; health data; sex life or sexual orientation information.
What We Collect: Health and wellness information (voluntarily provided for coaching purposes); payment card information with security codes (processed by PCI-compliant third-party processors); account login credentials (encrypted).
Collected: YES (Limited categories, with authorization)

3. SOURCES OF PERSONAL INFORMATION

We collect personal information from the following categories of sources:

Directly From You: Information you provide when creating an account, making purchases, filling out forms, subscribing to communications, participating in programs, contacting customer support, submitting content or feedback, or otherwise interacting with our Services.

Automatically From Devices: Information automatically collected when you access or use our Services through cookies, web beacons, server logs, and similar tracking technologies, including usage data, device information, and browsing activity.

Third-Party Payment Processors: Stripe, PayPal, and other payment processors provide transaction confirmation, payment status, and limited payment information necessary to complete purchases.

Third-Party Analytics and Advertising Providers: Google Analytics, Facebook Pixel, and similar services provide aggregated usage statistics, advertising conversion data, and attribution information.

Social Media Platforms: Facebook, Instagram, and other platforms provide profile information if you connect accounts or interact with our social media pages.

Data Enrichment Services: Third-party data providers may supplement information with additional demographic or publicly available data.

Other Users: Referral information, gift purchases, or testimonials from other users may contain information about you.

Publicly Available Sources: Government records, public social media profiles, or business directories may provide publicly accessible information.

4. BUSINESS AND COMMERCIAL PURPOSES FOR COLLECTING PERSONAL INFORMATION

We collect, use, and disclose personal information for the following business and commercial purposes as permitted under CCPA/CPRA Section 1798.140(e):

Performing Services: Providing, maintaining, and delivering our products, services, programs, courses, and features you request; processing transactions and payments; managing accounts; delivering customer support; fulfilling orders.

Detecting Security Incidents: Protecting against malicious, deceptive, fraudulent, or illegal activity; detecting security incidents and data breaches; monitoring for threats and vulnerabilities.

Debugging and Repair: Identifying and repairing errors, bugs, or technical problems that impair existing intended functionality.

Short-Term Transient Use: Short-term, transient use of personal information that is not used to build a profile or otherwise alter your experience outside the current interaction (such as displaying information in real-time during your session).

Providing Services to the Business: Performing services on behalf of our business including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytics services, providing storage, or providing similar services.

Internal Research for Technological Development: Conducting internal research for technological development and demonstration to improve, upgrade, or enhance our Services, products, or features.

Quality and Safety Verification: Undertaking activities to verify or maintain the quality or safety of our Services and to improve, upgrade, or enhance our Services.

Marketing and Advertising: Sending promotional communications, newsletters, and marketing materials; conducting targeted advertising and retargeting campaigns; analyzing marketing effectiveness; segmenting audiences for personalized communications.

Business Operations: Operating and managing our business; conducting analytics and data analysis; understanding usage patterns and trends; optimizing user experience; developing new products and features.

Legal Compliance and Protection: Complying with applicable laws, regulations, legal processes, and governmental requests; protecting our rights, privacy, safety, or property and that of our users or the public; establishing, exercising, or defending legal claims.

5. CATEGORIES OF THIRD PARTIES WITH WHOM WE SHARE PERSONAL INFORMATION

We disclose personal information to the following categories of third parties for business or commercial purposes:

Service Providers and Vendors: Payment processors (Stripe, PayPal), email service providers, course hosting platforms, customer support systems, cloud hosting providers (AWS, Google Cloud), analytics providers, CRM systems, accounting software, security services.

Advertising Networks: Google Ads, Facebook Ads, and other advertising partners for targeted advertising and marketing attribution.

Professional Advisors: Legal counsel, accountants, auditors, consultants providing professional services.

Government Authorities: Law enforcement, courts, regulatory agencies, or other governmental bodies when legally required or permitted.

Business Transaction Parties: Potential buyers, investors, or other parties in connection with mergers, acquisitions, asset sales, or other business transactions.

Other Users: When you submit public content, testimonials, or reviews, or when your information is included in referrals or gift purchases.

6. SALE OR SHARING OF PERSONAL INFORMATION

6.1 Do We "Sell" Personal Information?

Under the CCPA/CPRA definition, "sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to another business or third party for monetary or other valuable consideration.

We do NOT sell personal information for monetary consideration. We do not exchange your personal information with third parties in return for money.

6.2 Do We "Share" Personal Information for Cross-Context Behavioral Advertising?

Under the CPRA, "sharing" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

We MAY share certain personal information for cross-context behavioral advertising purposes. Specifically, we share the following categories of personal information with advertising networks (Google Ads, Facebook Ads) for targeted advertising purposes:

Categories Shared: Identifiers (cookie IDs, device IDs, IP addresses, hashed email addresses), Internet or Other Electronic Network Activity (browsing behavior, page views, interactions with content), Inferences (interests, preferences, propensities).

Third Parties We Share With: Google LLC (Google Ads, Google Analytics with advertising features enabled), Meta Platforms, Inc. (Facebook Ads, Facebook Pixel, Instagram Ads).

Your Right to Opt-Out: You have the right to opt out of the sharing of your personal information for cross-context behavioral advertising purposes as described in Section 8.3 below.

6.3 Categories of Personal Information Sold or Shared (Last 12 Months)

Categories Sold: NONE (We do not sell personal information for money)

Categories Shared for Cross-Context Behavioral Advertising:

Category A: Identifiers (cookie IDs, device IDs, hashed emails)

Category F: Internet/Network Activity (browsing behavior, interactions)

Category K: Inferences (interests, preferences)

We do NOT sell or share Sensitive Personal Information.

7. RETENTION OF PERSONAL INFORMATION

We retain each category of personal information for the following periods (or based on the following criteria):

Identifiers and Contact Information: Retained while account is active, plus 3 years after account closure or last activity.

Commercial Information: Transaction records retained for 7 years (legal, tax, accounting requirements).

Internet Activity Data: Retained for 90 days to 1 year, then deleted or anonymized.

Health and Wellness Information (Sensitive): Deleted within 30 days of account closure or upon request, unless required for legal compliance.

Inferences: Retained while relevant for personalization, typically duration of account relationship plus 1 year.

Payment Information: Payment card data not stored by us (processed by PCI-compliant third parties); transaction records retained 7 years.

Communications: Retained for 3 years for customer service and quality purposes.

After retention periods expire, we securely delete or de-identify personal information in accordance with our data retention policies and legal requirements.

8. YOUR CALIFORNIA PRIVACY RIGHTS

California consumers have the following rights under the CCPA and CPRA:

8.1 Right to Know (Sections 1798.100, 1798.110, 1798.115)

You have the right to request that we disclose to you the following information covering the 12 months preceding your request:

The categories of personal information we collected about you

The categories of sources from which the personal information was collected

The business or commercial purpose for collecting, selling, or sharing personal information

The categories of third parties to whom we disclose personal information

The specific pieces of personal information we collected about you (data portability request)

If we sold or shared your personal information, the categories of personal information sold or shared to each category of third-party recipient

You have the right to request this information up to twice in a 12-month period.

8.2 Right to Delete (Section 1798.105)

You have the right to request that we delete any personal information about you that we collected from you, subject to certain exceptions. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible

Debug to identify and repair errors that impair existing intended functionality

Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law

Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.)

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws

Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us

Comply with a legal obligation

Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information

8.3 Right to Opt-Out of Sale or Sharing (Section 1798.120)

You have the right to opt out of the sale or sharing of your personal information. We do not sell personal information for money, but we may share certain information with advertising partners for cross-context behavioral advertising as described in Section 6.2.

How to Opt-Out:

Click "Do Not Sell or Share My Personal Information" link on our website footer (if available)

Adjust Cookie Preferences through our cookie banner or settings to disable advertising cookies

Enable Global Privacy Control (GPC) in your browser, which we honor as a valid opt-out signal

Email us at [email protected] with subject line "Opt-Out of Sharing"

Opt out directly with advertising platforms: Google: https://adssettings.google.com Facebook: https://www.facebook.com/settings?tab=ads

Once you opt out, we will not share your personal information with advertising networks for targeted advertising purposes. However, you may still see advertising (it will be less personalized).

We do NOT sell or share the personal information of consumers we know are under 16 years of age without affirmative authorization.

8.4 Right to Correct (Section 1798.106) (CPRA Addition)

You have the right to request correction of inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of processing. To request correction, submit a verifiable consumer request specifying which information is inaccurate and providing the correct information.

8.5 Right to Limit Use and Disclosure of Sensitive Personal Information (Section 1798.121) (CPRA Addition)

You have the right to direct us to limit our use and disclosure of your sensitive personal information to only those uses necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, or for certain specified business purposes permitted under CPRA regulations.

Sensitive Personal Information We Collect:

Health and wellness information (voluntarily provided for coaching services)

Account login credentials (encrypted)

Payment card information with security codes (processed by third-party payment processors)

Our Use of Sensitive Personal Information: We use sensitive personal information only for purposes permitted without limitation under CPRA regulations (Section 7027(m)), including: performing services requested by you (delivering wellness coaching based on health information you provide); preventing, detecting, and investigating security incidents and fraudulent or illegal activity; verifying or maintaining quality and safety; short-term, transient use; performing services such as account maintenance, customer service, and order processing; and undertaking activities to verify or maintain the quality or safety of our services.

Because we use sensitive personal information only for permitted purposes, the right to limit does not currently apply. If our uses change, we will update this Notice and provide an opt-out mechanism.

8.6 Right to Non-Discrimination (Section 1798.125)

You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA rights. We will not:

Deny you goods or services

Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties

Provide you a different level or quality of goods or services

Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services

However, we may offer you certain financial incentives permitted by the CCPA/CPRA that can result in different prices, rates, or quality levels, provided that the financial incentive is reasonably related to the value of your personal information. Any CCPA-permitted financial incentive we offer will include written terms that describe the material aspects of the financial incentive program. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

9. HOW TO EXERCISE YOUR CALIFORNIA PRIVACY RIGHTS

9.1 Submitting Requests

To exercise your rights to know, delete, or correct, you may submit a verifiable consumer request by:

Email: [email protected]
Subject Line: "California Privacy Rights Request - [Right Name]"
Include: Your full name, email address, phone number (optional), description of the right you wish to exercise, specific details of your request (e.g., categories or specific pieces for right to know; which information to delete for right to delete; which information is inaccurate for right to correct), proof of California residency (if not already evident).

By Phone: +1 (321) 693-2963 (mention "California Privacy Rights Request")

9.2 Verification Process

We must verify your identity before processing your request. Our verification process may include:

For Right to Know (Categories): We verify to a reasonable degree of certainty by matching at least two data points you provide with data points we maintain.

For Right to Know (Specific Pieces), Right to Delete, Right to Correct: We verify to a reasonably high degree of certainty by matching at least three data points you provide with data points we maintain, and may request additional documentation (e.g., copy of government-issued ID).

If We Cannot Verify: If we cannot verify your identity to the required degree of certainty, we will notify you and explain why we cannot process your request. We may still be able to process a less sensitive request (e.g., categories instead of specific pieces).

9.3 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. Authorized agents must:

Provide proof of authorization (signed written permission from you)

Verify their own identity

Provide proof of California residency for you

We may require you to directly verify your identity and confirm that you provided the authorized agent permission to submit the request. We may deny requests from authorized agents who do not meet these requirements.

9.4 Response Timeframes

We will respond to verifiable consumer requests within forty-five (45) calendar days of receipt. If we require more time (up to an additional 45 days for a total of 90 days), we will inform you of the reason and extension period in writing within the initial 45-day period.

For requests to know specific pieces of personal information, we will separately provide the requested information to you in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another entity without hindrance.

9.5 No Fee for Requests

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

9.6 Request Frequency

You may submit a request to know (categories or specific pieces) up to twice within a 12-month period. There is no limit on the number of deletion or correction requests you may submit.

10. CALIFORNIA "SHINE THE LIGHT" LAW (CIVIL CODE § 1798.83)

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year. We do not share personal information with third parties for their own direct marketing purposes. If this practice changes, we will update this Notice and provide you with the required opt-out mechanism.

11. CALIFORNIA MINORS' PRIVACY RIGHTS (BUSINESS & PROFESSIONS CODE § 22581)

If you are a California resident under 18 years of age, you may request and obtain removal of content or information you have publicly posted on our Services. To make such a request, please contact us at [email protected] with subject line "Minor Content Removal Request" and provide a detailed description of the content you wish to remove. We will make reasonable efforts to remove the content from public view, though please note that removal does not ensure complete or comprehensive removal from all systems, and the content may remain visible if it was reposted or shared by others.

Please note that our Services are not intended for individuals under 18 years of age, and we do not knowingly collect personal information from minors under 18.

12. NOTICE OF FINANCIAL INCENTIVE PROGRAMS

We do not currently offer any financial incentive programs (such as discounts, rewards programs, or other benefits) in exchange for the collection, retention, sale, or sharing of personal information. If we implement such programs in the future, we will provide you with a separate notice describing the material terms of the program, including how to opt in and opt out, and explaining our good-faith estimate of the value of your personal information that forms the basis for the financial incentive. Participation in any financial incentive program will be optional and subject to your prior opt-in consent, which you may revoke at any time.

13. CHANGES TO THIS CALIFORNIA NOTICE

We reserve the right to update or modify this California Privacy Rights Notice at any time to reflect changes in our practices or to comply with changes in California privacy laws. When we make material changes, we will update the "Last Updated" date at the top of this Notice and notify you by posting the revised Notice on our website. For material changes, we may also provide additional notice such as email notification to registered users. We encourage you to review this Notice periodically to stay informed about how we protect your privacy and your California privacy rights.

14. CONTACT INFORMATION

For California Privacy Rights Inquiries:

Dr. Wanda Hill / Dr Hill DM Health
Email: [email protected]
Phone: +1 (321) 693-2963
Subject Line (for emails): "California Privacy Rights Request" or "CCPA/CPRA Inquiry"

For General Privacy Inquiries:

Refer to our main Privacy Policy or contact [email protected]

15. ADDITIONAL CALIFORNIA DISCLOSURES

Notice of Collection at Point of Collection: In accordance with CPRA requirements, we provide notice of the categories of personal information to be collected and the purposes for which they will be used at or before the point of collection through privacy notices on forms, disclosures at checkout, and links to this Notice and our Privacy Policy.

Consumer Request Metrics: In accordance with CPRA Section 1798.130(a)(7), we will maintain records of consumer requests and publish aggregate metrics upon request or as required by the California Privacy Protection Agency regulations.

Sensitive Personal Information Notice: Where we collect sensitive personal information, we provide notice at or before the point of collection and obtain your affirmative authorization where required for uses beyond those permitted under CPRA Section 7027(m).

© 2026 Dr. Wanda Hill / Dr Hill DM Health. All rights reserved.

This California Privacy Rights Notice provides California residents with comprehensive information about their privacy rights under the CCPA and CPRA and is incorporated into our Privacy Policy and Terms of Service.

Last Updated: April 19, 2026