Privacy Policy

Who we are

Anatomy of a Clinician: Built to Practice (“AoC,” “we,” “us”) is a clinical reasoning and certification preparation platform operated by Courtney LaSumner Bass, MSN, APRN, AGPCNP-BC. This site is located at anatomyofaclinician.com. This Privacy Policy describes what personal information we collect, how we use it, with whom we share it, and the rights you have over it.

What information we collect

Information you provide directly

Contact form submissions. When you use the contact form at /contact/, we collect the name and email address you provide and the content of your message. This information is used only to respond to your inquiry. It is not used for marketing.

Account and purchase data. When commerce features are active and you create an account or complete a purchase, WooCommerce records the information needed to process your transaction and maintain your account: name, email address, billing and shipping addresses if applicable, and a tokenized reference to your payment method issued by the payment processor. We do not see or store payment card numbers.

Newsletter subscriptions. If you subscribe to email updates, we collect the email address you provide. It is used only to send the content you have signed up for. You can unsubscribe at any time using the link in any email we send.

Information from authentication services

Sign in with Google. The site supports Sign in with Google as an authentication option, provided through the Site Kit by Google plugin. If you choose to sign in using your Google account, Google shares the following information with us: your Google account email address, your name as configured on your Google account, your profile picture, your Google account ID (a numeric identifier used to recognize returning visits), and the verification status of your email. We use this information to identify you across visits, restore your account state, and contact you about your account or your activity on the site.

Authenticating with Google does not give us access to your Gmail, Google Drive, Google Calendar, or any other Google service. The data flow is one-way: from Google to AoC, limited to the fields above, and only at the moment you sign in. You can revoke our access to your Google account at any time at myaccount.google.com/permissions; doing so disables Sign in with Google for AoC but does not delete any account or activity data we already hold. To delete that data, see “Your rights” sections below.

As of the date of this policy, public account creation on this site is disabled. Sign in with Google currently authenticates existing administrators and authorized users only. When public account creation is enabled, this section will continue to govern the data flow.

Information collected automatically

Server logs. WordPress.com, the platform that hosts the site, automatically logs standard request data including IP address, browser type and version, the page you requested, the page that referred you, and the date and time of the request. This is used by Automattic (WordPress.com’s operator) for security, fraud prevention, and infrastructure operations.

Platform analytics. Jetpack and WordPress.com analytics record aggregated, non-personally-identifying information about site usage — page views, referring sources, approximate geographic region (typically country level), and session engagement signals. This helps us understand which content is reaching readers.

Google Analytics 4. The site uses Google Analytics 4 (GA4), provided by Google LLC and integrated through the Site Kit by Google plugin. When you visit the site and consent to analytics cookies, GA4 records pseudonymous information about your visit — page views, session duration, referring source, approximate geographic location (city level, derived from IP address), device type, browser, screen size, and engagement events such as scrolls, clicks, and page transitions. GA4 assigns your browser a pseudonymous client identifier stored in cookies (see “Cookies and tracking technologies” below). We have configured GA4 with IP anonymization. We have not enabled Google’s advertising-features extensions that personalize ad targeting based on analytics data. Google retains GA4 data for a configurable period; we have set the shortest reasonable retention window described in “Data retention” below.

Search Console and PageSpeed Insights. The site is connected to Google Search Console and PageSpeed Insights through Site Kit. These services do not place cookies on your browser and do not track individual visitors. Search Console reports aggregate search-query data for the site; PageSpeed Insights analyzes site performance from synthetic test runs initiated by us.

Meta Pixel (forthcoming). AoC operates a private Facebook group as part of the community offering. To support attribution between the website and the Facebook group, we plan to activate Meta Pixel — a tracking script provided by Meta Platforms. Meta Pixel is not currently active. When activated, it will be wired through our cookie consent mechanism so that it loads only with your consent. See “Cookies and tracking technologies” below for what Meta Pixel will collect when activated.

Cookies. See “Cookies and tracking technologies” below.

How we use your information

• To respond to inquiries you send through the contact form
• To authenticate sign-ins and maintain account access (when authentication is used)
• To process orders, deliver purchased content, and maintain account access (when commerce features are active)
• To deliver email updates you have opted into
• To understand how the site is used so we can improve content and navigation
• To understand which search queries reach the site so we can improve discoverability
• To monitor site performance and detect operational issues
• To support attribution between the website and the AoC Facebook group (when Meta Pixel is active and you have consented to advertising/audience tracking)
• To protect the site against fraud, abuse, and security threats
• To comply with applicable legal obligations

We do not sell your personal information. We do not run our own advertising network and we do not use your information for our own behavioral targeting.

When Google Analytics is active and you have consented, aggregated site-usage data is shared with Google. Google acts as a service provider for this data under Google’s standard data processing terms; this is not “selling” or “sharing” of personal information under California law. When Meta Pixel becomes active, page-view and event data will be shared with Meta Platforms; under California law, that activity does constitute “sharing for cross-context behavioral advertising” and is subject to your opt-out rights described in the California section below.

Cookies and tracking technologies

This site uses cookies — small text files stored in your browser — for several purposes. Categories below reflect what is currently active and what is forthcoming.

• Strictly necessary cookies. Currently active. Required for core site functionality (session management, security, load balancing) and for the cookie consent mechanism itself to remember your preferences. Set by WordPress.com platform infrastructure and by the CookieYes consent platform. Disabling these will prevent the site from functioning.
• Functional cookies. Currently active when applicable. Set when you log in, place an order, or change site preferences. Used only for signed-in interactions and for remembering settings such as authentication state.
• Platform analytics cookies. Currently active. Set by Jetpack and WordPress.com analytics to record aggregated usage patterns. These do not personally identify you.
• Google Analytics cookies. Currently active when you consent. Google Analytics 4 sets several first-party cookies in your browser, primarily _ga (a pseudonymous client identifier with a default lifetime of two years) and _ga_<ID> (a property-specific session identifier with a default lifetime of two years). These cookies are loaded only after you accept analytics cookies through our consent banner. If you decline, GA4 either does not load or operates in a cookieless measurement mode that does not store identifiers in your browser.
• Advertising and audience cookies. Forthcoming. When Meta Pixel is activated, it will set cookies that allow Meta Platforms to track page views and certain interactions, attribute them to a Meta-hosted user identifier where one exists, and use them for ad targeting, audience building, and ad measurement on Meta-operated services. Meta Pixel will be wired through our cookie consent mechanism and will load only after you accept advertising cookies.

Cookie consent

The site uses CookieYes, a third-party cookie consent management platform, to give you control over non-essential cookies. On your first visit, the consent banner asks for explicit opt-in consent before any non-essential cookies are loaded. Strictly necessary cookies do not require consent and are loaded automatically. You can revisit your consent choices at any time through the cookie preferences link in the site footer.

CookieYes uses Google Consent Mode v2 to communicate your consent state to Google Analytics in real time. If you decline analytics cookies, Google Analytics either does not load or operates in a cookieless mode where no identifiers are stored in your browser. CookieYes also stores a record of your consent decision, which we retain as evidence of compliance with applicable consent laws. Consent records include a timestamp, a hashed identifier, the consent state per category, and the policy version in effect at the time. They are retained per CookieYes platform policy.

You can also manage or block cookies through your browser settings. Blocking strictly necessary cookies will prevent the site from functioning correctly.

The site does not respond to “Do Not Track” browser signals because there is no industry-standard interpretation of that signal. We do respect the Global Privacy Control (GPC) browser signal as an opt-out from the “sharing” of personal information under California law; when Meta Pixel becomes active, GPC will function as an automatic opt-out from advertising cookies for users whose browsers send the signal.

Third-party services and processors

The site relies on the third-party services listed below. Each has its own privacy policy governing data they process. Linking out to those policies is provided for transparency.

• Automattic / WordPress.com — site hosting, security, and core platform infrastructure. automattic.com/privacy
• Jetpack (an Automattic product) — contact form processing, security, analytics, email subscriptions. Covered by the Automattic privacy policy linked above.
• Akismet (an Automattic product) — comment spam filtering. When comments are enabled and submitted, Akismet receives the comment content, the submitter’s name, email, IP address, and user agent for spam analysis. Covered by the Automattic privacy policy linked above.
• WooCommerce (an Automattic product) — commerce platform and order records, used when commerce features are active. Covered by the Automattic privacy policy linked above.
• WooPayments (an Automattic product, powered by Stripe) — payment processing for orders, used when commerce features are active. Card details are submitted directly to the processor through their secure form; we do not see or store card numbers. WooPayments privacy policy
• Sensei LMS (an Automattic product) — course delivery and learner progress, used when course content is published. Covered by the Automattic privacy policy linked above.
• CookieYes — cookie consent management platform. Stores a record of your consent decision (timestamp, hashed identifier, per-category state, policy version) as evidence of compliance with consent laws. cookieyes.com/privacy-policy
• Google LLC — provides several services to the site through the Site Kit by Google plugin and through font delivery.
  • Google Analytics 4 (currently active when you consent). Collects pseudonymous site usage data and transmits it to Google’s servers. Configured with IP anonymization; Google’s advertising-features extensions are not enabled. Google acts as a service provider under its standard data processing terms.
  • Sign in with Google (currently active for authorized users). Provides authentication. Google shares basic profile information with us when you sign in (see “Information from authentication services” above).
  • Google Search Console (currently active). Server-to-server integration for search-traffic reporting. Does not place cookies on your browser.
  • Google PageSpeed Insights (currently active). Synthetic site-performance analysis initiated by us. Does not track individual visitors.
  • Google for WooCommerce / Google Merchant Center (installed; will activate when commerce products are published). Sends product catalog data to Google Merchant Center. Does not track individual site visitors directly.
  • Google Fonts CDN (currently active). Delivers typography assets. Loading fonts from Google’s servers may transmit your IP address to Google.
  • Google’s privacy policy: policies.google.com/privacy
• Meta Platforms — provides Meta Pixel for the website (forthcoming) and hosts the AoC Facebook group.
  • Meta Pixel (forthcoming). When active, will record page views and certain interactions on the website and transmit them to Meta. Meta may use this data for ad targeting, audience building, and ad measurement on Facebook, Instagram, and other Meta-operated services. We use Meta Pixel to support attribution between the website and the AoC Facebook group; we do not currently run paid Meta advertising.
  • AoC Facebook group. We operate a private Facebook group as part of the AoC community. Membership in the group is governed by Meta’s terms and privacy policy, not this Privacy Policy. While moderating the group, AoC team members can see members’ Facebook display names and profiles via Meta’s interface, but we do not export or store member data from the group outside of Facebook.
  • Meta’s privacy policy: www.facebook.com/privacy/policy

Data retention

We retain personal information only as long as needed for the purpose it was collected, or as required by applicable law:

• Contact form submissions. Retained until the inquiry is resolved and for a reasonable period afterward to address follow-up questions, then deleted on request or routine cleanup.
• Account data. Retained while your account is active and for a reasonable period after you stop using it. Deleted on request, subject to legal retention requirements.
• Authentication tokens. Session tokens issued during Sign in with Google authentication expire on schedule per the relevant security standard; persistent identifiers (your Google account ID, used to recognize returning sign-ins) are retained for the lifetime of your account.
• Purchase and order records. Retained as required by tax, accounting, and consumer-protection laws (typically up to seven years in the United States).
• Newsletter subscriber emails. Retained until you unsubscribe.
• Platform analytics data. Aggregated and retained on a rolling basis through Jetpack / WordPress.com platform retention periods.
• Google Analytics 4 data. Retained per Google Analytics platform retention settings; we have configured the property to the shortest retention window available (currently 14 months for event-level data).
• Cookie consent records. Retained per CookieYes platform policy as evidence of compliance.
• Meta Pixel data. When active. Retained per Meta’s standard retention policies, documented in Meta’s privacy policy.
• Server logs. Retained per WordPress.com infrastructure operations — typically days to weeks.

Data security

We use commercially reasonable measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS), platform-level access controls, password hashing on stored credentials, and hosting on WordPress.com infrastructure. No system is perfectly secure, and we cannot guarantee that information transmitted over the internet will not be intercepted.

Data breach notification

If a security incident affects your personal information, we will notify affected users without undue delay, and within any window required by applicable law. For visitors in the European Economic Area or the United Kingdom, this means within 72 hours of becoming aware of the breach where required under GDPR.

Children’s privacy

This site is intended for licensed clinicians, advanced practice nurses, and other healthcare professionals preparing for board certification. It is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information through this site, please contact us at privacy@anatomyofaclinician.com and we will delete it.

International data transfers

This site is operated in the United States. If you access the site from outside the United States, your information may be transferred to, stored in, and processed in the United States by Automattic, Google, and other service providers. Automattic and Google operate global infrastructure and process data across multiple regions. By using the site, you consent to that transfer where lawful. Where required, we rely on standard contractual clauses or other lawful transfer mechanisms maintained by these providers.

California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you specific rights regarding your personal information.

Categories of personal information collected. In the past 12 months, we have collected the following categories of personal information from California residents:

• Identifiers (name, email address, IP address, Google account ID for users who sign in with Google, Google Analytics pseudonymous client identifier)
• Customer records (billing/shipping address, account credentials, when commerce features are active)
• Commercial information (order history, when commerce features are active)
• Internet activity (server logs, page views, referring sources, session engagement, search-query data through Google Search Console)
• Geolocation data (approximate; country level from server logs, city level from Google Analytics)
• Audience and advertising identifiers (when Meta Pixel is active — pseudonymous user identifiers used by Meta for attribution and audience building)
• Inferences (none drawn for advertising by us; aggregated content-engagement patterns only)

Sensitive personal information. We do not collect, use, or sell sensitive personal information as defined by California law.

Sale or sharing of personal information. We do not sell your personal information. As of the date of this policy, we have not shared your personal information for cross-context behavioral advertising in the past 12 months. Google Analytics 4 data is processed by Google as a service provider under Google’s standard data processing terms and is not “sharing” under California law.

Forthcoming Meta Pixel integration will share page-view and event data with Meta Platforms, which Meta may use for cross-context behavioral advertising and audience building. Once active, this data sharing will constitute “sharing” under the California Privacy Rights Act, and the opt-out mechanisms below will apply.

Your right to opt out of sharing. When Meta Pixel is active, you can opt out of this sharing in any of the following ways:

• Through our cookie consent banner, by declining advertising cookies on first visit or by opening the cookie preferences link in the footer.
• By configuring your browser to send a Global Privacy Control (GPC) signal, which we treat as an automatic opt-out of “sharing” — including from advertising cookies once Meta Pixel is active.
• By contacting us at privacy@anatomyofaclinician.com.
• Once Meta Pixel is active, a “Do Not Sell or Share My Personal Information” link will be available in the site footer in addition to the cookie preferences link.

Your other California rights. You also have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell or share
• Access the specific pieces of personal information we have about you
• Delete personal information we have collected from you, subject to legal exceptions
• Correct inaccurate personal information
• Limit our use and disclosure of sensitive personal information (not applicable; we do not collect any)
• Not receive discriminatory treatment for exercising any of these rights
• Designate an authorized agent to make a request on your behalf

To exercise any of these rights, email privacy@anatomyofaclinician.com with the request and enough information to verify your identity.

EU and UK residents (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation gives you specific rights regarding your personal data.

Data controller. Anatomy of a Clinician: Built to Practice is the data controller for personal data collected through this site. Contact us at privacy@anatomyofaclinician.com.

Lawful bases for processing. We rely on the following lawful bases:

• Consent — for newsletter subscriptions, non-essential cookies, third-party analytics (Google Analytics 4), and advertising/audience tracking (Meta Pixel, when active). Consent is requested through our cookie consent banner and through the email subscription form, and can be withdrawn at any time through the cookie preferences link in the footer or by unsubscribing.
• Contract — to authenticate sign-ins, process orders, and deliver purchased content (when those features are active and you have requested them).
• Legitimate interest — for site security, fraud prevention, platform-level aggregated analytics (Jetpack / WordPress.com), and responding to inquiries you send.
• Legal obligation — for tax records, breach notification, consent records, and other legal-compliance retention.

Your rights under GDPR. You have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data (the “right to be forgotten”)
• Restrict processing in certain circumstances
• Receive your data in a portable format
• Object to processing based on legitimate interest
• Withdraw consent at any time, where consent is the lawful basis (this includes withdrawing consent for analytics or advertising cookies through the cookie preferences link in the footer)
• Lodge a complaint with your local supervisory authority

To exercise any of these rights, email privacy@anatomyofaclinician.com.

Business transfer

If AoC is acquired, sold, merged with another organization, or undergoes a similar business change, personal information may transfer as part of that transaction. Affected users will be notified before their information becomes subject to a materially different privacy policy.

Updates to this policy

We may update this policy as the platform evolves. The “Last updated” date at the top of the page reflects the most recent revision. For material changes — for example, new categories of data collected, new third-party processors, or changes to your rights — we will provide reasonable advance notice and, where required by law, request fresh consent.

Contact

For privacy-related questions, requests, or concerns, contact us at privacy@anatomyofaclinician.com. For general inquiries, please use the Contact page.

Related

• Educational Disclaimer — content scope, certification claims, sourcing
• Medical Disclaimer — no medical advice, no provider-patient relationship
• Terms of Use — agreement to use this site
• Refund and Cancellation Policy — refunds, cancellations, subscription terms
• Accessibility Statement — our commitment to accessible design