Privacy policy

LAST UPDATED: January 12, 2024

Protecting your privacy is important to Clinia Health Inc. and its affiliates (collectively, "Clinia" or "we"), and that is why we take the privacy of our users' personal information and compliance with applicable laws very seriously.

The purpose of this privacy policy (the "Policy") is to explain and describe how we collect, use, process, store and disclose your personal information. The Policy is designed to comply with Quebec and Canadian privacy laws and, where applicable, the General Data Protection Regulation ("GDPR") applicable to individuals in the European Union "EU").

In addition to this Policy, we have established multiple other internal policies, procedures, and security practices to ensure the adequate protection of your personal information.

1. Scope of Policy

The Policy applies to personal information in our possession or control, including information collected when an authorized user or customer utilizes Clinia’s software solutions and products or browses the Clinia website (collectively, the "Services"), or submits a job application through Clinia’s job board. The Policy also applies to information we receive from third parties about you while providing our Services.

Please note that this Policy does not apply to information collected about you by third parties through websites or third-party services that you may access via our Services. We encourage you to review the privacy policy of these third-party sites or services before accessing or using them.

Further, this Policy does not apply to information collected by Clinia from employees, directors, and other representatives of Clinia; we encourage these individuals to review the internal privacy policy of Clinia applicable to such information.

2. Acceptance

By accessing our Services, you agree to be bound by the terms and conditions contained in the Policy. If you do not agree to be bound by these terms and conditions, please do not access, or use our Services.

For the sake of clarity, your use of our Services or our website constitutes implicit consent to Clinia collecting, using, and disclosing your personal information in accordance with the terms of this Policy. If you do not consent to Clinia collecting, using, and disclosing your personal information as set out in this Policy, your choice is to not use our Services.

3. Modifications to the Policy

We occasionally update this Policy and reserve the right to change the content of this Policy at any time. Any changes made will be communicated to you through our website or our application. Notice of changes may also be given to you by email, if you have provided us this information as part of our business relationship. Clinia also reserves itself the right to make administrative or clerical modifications to this Policy that do not affect your rights or obligations without sending you any communication or notice. The date of the latest version of this Policy appears at the bottom of the page. We recommend that you print a copy of this Policy for your records and review this section of our Services periodically. You are considered to have accepted any modifications to this Policy if you continue to use our Services following a modification.

4. Consent

Clinia acknowledges that your consent to the collection, use and disclosure of your personal information must be manifest, free and informed. Your consent must be given for specific purposes. Depending on the nature and sensitivity of the personal information, your consent may be express (such consent may be given in writing or electronically) or implied (for example, when you voluntarily provide us with personal information). Generally, Clinia will seek your consent at the time of collection, except where we are required or otherwise permitted by law.

Your consent can be withdrawn at any time, subject to applicable legal restrictions and reasonable notice. Please note that if you choose to withdraw your consent to the collection, use or disclosure of your personal information, our Services may no longer be available to you and Clinia may no longer be able to provide certain services to you. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.

5. What type of personal information do we collect?

Clinia collects only the personal information about you that is necessary for the purposes of establishing, managing, and maintaining its relationship with you.

For example, and without limitation, personal information may be collected when you use our Services, submit information via our Services, communicate with our team, sign up to receive our newsletter, or participate in other interactive activities with Clinia. Section 6 of this Policy provides further details on how we collect personal information about you.

Personal information collected may include, but is not limited to:

• Identification Information: to ensure we can reliably and efficiently communicate with you, we collect information such as your first name and last name. Furthermore, when using our Services, we will collect your email so you can use it as a unique identifier for authentication and authorization purposes;

• Professional and Business Information: we may collect information about your professional qualifications and affiliations as part of our Service offering. This includes place of employment, professional qualifications, areas of expertise, professional affiliations, and certifications.

• Technical Information: when you use our Services, we may collect certain technical and business information about your equipment, your use of our Services and your browsing habits.

• Other Information provided to Clinia: we collect information concerning your interactions with us, such as when you send us emails, make service requests, or contact customer service through phone calls, etc.

• Infrastructure, network, and account/application log data: Our network, infrastructure and account/application logs may contain your personal information such as your email address and IP (Internet Protocol) addresses. This log data is used for security monitoring and to provide a verifiable trail of transactions and activity occurring on our systems.

• Information concerning your application: when you apply for a job on our website, we collect the information that you provide to us, including your first name, last name, address, email address, phone number, academic background, past employment history, skills, languages spoken, and any other information you may include in your resume or in an application form on our website.

Please note that we have no control over the content that you or any authorized user of our Services may input or publish through our Services, or that you may provide to us as part of our business relationship. Therefore, it is possible that other types of personal information, including sensitive personal information, may be processed by Clinia due to usage of our Services or as part of our business relationship, even if they are not listed above.

6. How do we collect personal information?

Generally, we obtain information directly from you. However, we may also collect personal information about you from outside sources, with your consent or without your consent, if permitted by law.

Among others, here are certain ways we use to collect personal information about you:

• Direct Interactions with You: We obtain personal information directly from you when you contact Clinia, when you schedule time with our sales team, when you add information to our software in the course of using our Services, when you apply for a position with us either directly through our website, indirectly through a job listing website or otherwise, when you subscribe to our newsletter, etc.

• Automated Collection Methods: When you use our Services, we may collect certain technical and business information about your equipment, your use of our Services, your browsing habits, etc. You can find more information about automated collection methods in Sections 5 and 13 of this Policy.

• Third-Party and Public Information: We may obtain information from third-parties that are authorized to disclose this information or that make this information generally available to the public on their website or in publicly available databases, including, for example, background check providers, advertising networks, analytics providers, or social media (such as LinkedIn, Facebook, and others).

• Authorized Users: We may obtain information concerning you when an authorized user adds this information to our platform using our Services, without our implication. We always ask our users and clients to strictly restrain from adding any personal information on our platform for which they have not due authorization. Please refer to Section 9 for further details concerning personal information communicated to Clinia by its customers and authorized users.

• Governmental Entities: We may obtain, in limited circumstances, information about you from governmental bodies, agencies and registries.

7. Use of your personal information

The purposes for which Clinia collects your personal information are determined before or at the time of collection. Clinia may use your personal information for the following purposes:

• provide our Services;

• establish and maintain our business relationship;

• improve our service offerings, including the use of Services or any other online service, and to support our research and development;

• resolve technical issues with our Services;

• communicate with you when you submit questions, comments and suggestions;

• provide you with information about our technological services and products that may be of interest to you;

• prevent and detect error and fraud;

• ensure the security of all interested parties of our enterprise;

• evaluate your suitability for employment at Clinia, including performance of background checks when you apply for a position with us;

• meet legal requirements; and

• any other use that is clearly for your benefit.

Clinia may also use your personal information to compile statistics, for example to detect trends in the use of its Services and to improve them. However, these statistics do not identify you and have been anonymized. Clinia may also create anonymized datasets from the personal information, for which it will remain sole owner. Information is considered anonymized when it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows for your direct or indirect identification.

Where authorized by law, your personal information may also be used for another purpose than those set out above without your consent, but only if (i) it is used for purposes consistent with the purposes for which it was collected; (ii) it is clearly used for your benefit; (iii) its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures; (iv) its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or (v) its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified. For a purpose to be consistent within the meaning of point (i) above, it must have a direct and relevant connection with the purposes for which the information was collected.

Your personal information will not be used for purposes other than those described above, except with your consent, or as required or permitted by law.

8. Sensitive Personal Information

Clinia will never ask you to share sensitive personal information to access and use its Services or as part of its relationship with you. For reference, sensitive personal information is personal information that, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, entails a high level of reasonable expectation of privacy. Examples of sensitive information may include health information, sexual orientation, morphological, behavioral, or biological characteristics, philosophical or religious beliefs, or financial status.

You or your users may however share sensitive personal information with Clinia in using our Services, for example in using our health navigation infrastructure or our directory. If you or your users do share sensitive personal information with Clinia as part of using our Services, you acknowledge that this sharing constitutes your consent for Clinia to use and communicate this sensitive personal information strictly for the purposes outlined in this Policy. This also constitutes your consent to Clinia disclosing this sensitive personal information about you outside of your province or state, where strictly required by Clinia to provide its Services as detailed in this Policy.

9. Clinia as a processor of personal information

Customers of Clinia may also collect and manage personal information about third parties when using our Services, for example when they use our Services to build provider databases. We refer herein to personal information that our customers or authorized users submit or collect via our Services as “Customer PI”.

We do not control the content or the types of Customer PI that our customers may choose to collect or manage using our Services. Should you have questions concerning the collection, use and disclosure of your personal information that consists of Customer PI, including requests for access or rectification, we invite you to contact our concerned customer directly.

As concerns Customer PI, Clinia’s role is specifically limited to that of a processor. Clinia’s customers control and are responsible for correcting, deleting, or updating the Customer PI they process using our Services and for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the Customer PI to Clinia for processing purposes. Customers represent and warrant to Clinia that they have obtained all required consent prior to collecting and communicating Customer PI on Clinia’s Services.

Clinia implements and maintains appropriate technical and organizational measures to protect Customer PI, as set out in Section 14 of this Policy. Clinia processes Customer PI strictly in accordance with the instructions of its customers as provided in the contractual agreement between them.

10. Automated decision making

Your personal information may be used by Clinia to make automated decisions about (i) services that may be of interest or relevance to you, (ii) detection and prevention of fraud, and (iii) personalization in our search engine and algorithms. This automated decision making will have no legal or juridical effect on you. Upon request, Clinia will provide you with information on the functioning of this automated system.

11. Communication of your personal information to third parties

Clinia recognizes that, except as described below or as permitted by law, the communication of your personal information to third parties requires your consent.

Access to your personal information within our corporate group does not require your consent but is strictly limited to those individuals for whom such information is necessary to carry out their duties and responsibilities.

Clinia may share your personal information, without your consent, with its agents, service providers, suppliers, consultants, or other partners who require such information in connection with Clinia's business or to assist Clinia in administering and delivering its Services. Such agents, service providers, suppliers, consultants, and other partners will contractually guarantee that they will use your personal information exclusively for specific services and that they will keep it confidential in accordance with this Policy.

To give you examples, we communicate personal information to critical service providers of Clinia for the following functions, among others:

• Application Infrastructure: We utilize reputable Infrastructure as a Service (IaaS) providers for hosting our core platforms and supporting databases, utilities, and services, as well as services of other third-party providers for database services, network and systems monitoring and support, security administration and software development and release services.

• Customer Support: We utilize reputable Software as a Service (SaaS) providers for providing our users with customer support, as well as managing external service requests and communication.

• Human Resources: We utilize reputable SaaS providers to conduct all our human resources-related activities such as maintaining employment records, track career progression objectives and conducting team feedback activities.

• Accounting and Finance: We utilize reputable financial institutions and SaaS providers to do payroll and produce documents required by law for tax and other purposes.

Clinia may also, without your consent, disclose your personal information where permitted or required by law, for example:

• to prevent fraud or serious physical harm to any person;

• to comply with any court order, law, or judicial proceeding, including to respond to any governmental or regulatory request, in accordance with applicable laws, including in cases of alleged or actual breach of privacy; or

• to enforce our terms of use and other agreements or legal rights, including for billing and collection purposes.

Whenever Clinia is required to disclose your personal information, Clinia will endeavor to disclose no more information than is required under the circumstances.

Finally, Clinia may share your personal information when it enters into or negotiates a business transaction involving the sale or transfer of all or part of its business or assets. This could include, for example, a merger, financing, acquisition, transaction, or bankruptcy proceeding implicating the enterprise of Clinia.

12. Disclosure of your personal information outside the jurisdiction in which you ordinarily reside

Clinia may from time to time disclose your information outside of the province, state, or country in which you normally reside as part of the performance of a service or business contract, such as to the critical service providers identified in Section 11 above. Where applicable, we will take all appropriate measures to ensure that the third-party service provider or other partner will protect your personal information with the same standards of protection as Clinia and that your personal information will not be used for purposes other than those permitted by the collection or by law.

Subject to Section 8 above, if we disclose sensitive personal information about you outside of your province or state, we will obtain your express consent.

You have the right to know, upon request, to whom your personal information is disclosed and the circumstances leading up to the disclosure and contact information for making such a request is provided in section 15 of the Policy.

13. Cookies

Our Services uses cookies, which are small data files that are stored on your computer when you visit it. These cookies are used to provide you with a good experience while browsing our website or using our software solutions and products. The personal information collected through cookies allows Clinia and its service providers to manage and tailor the Services to your preferences, compile statistics and information to improve such Services, analyze trends, and gather demographic information about our user base as a whole.

We may use cookies to record anonymous and non-personal information about your visits to our website and use of our Services, and to gather information about your browsing activities. The information we may compile through cookies may include your computer's Internet Protocol (IP) address, the operating system you are using, your Internet service provider's identity, the date and time you accessed the Services, and the content viewed and downloaded from our Services.

We may use the following types of cookies:

• Necessary Cookies: These cookies help make our website and software solutions and products usable by enabling basic functions like page navigation and access to secure areas of the Services. Our Services cannot function properly without these cookies.

• Preferences Cookies: These cookies help us retain information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

• Statistical Cookies: These cookies help us understand how you interact with our website by collecting and reporting information anonymously.

To adjust your cookie preferences, you can refer to the white and blue icon in the bottom left corner of your screen when you are on our website. As with most web browsers, you can also delete cookies from your computer's hard drive, block the creation of cookies, or receive a warning before a cookie is stored. However, doing so may affect your use of our Services, and you may no longer have access to all its features. We encourage you to visit your browser's instructions or help section for more information on cookies.

Cookies on our software solutions and products (other than our Website) are not configurable, but they are strictly limited to cookies that are necessary to their proper functioning. By using our software solutions and products, you consent to the use of these necessary cookies.

14. Security safeguards

Clinia put in place a series of security safeguards to protect your personal information against loss or theft, as well as unauthorized access, disclosure, copying, use and modification, considering, amongst other things, the sensitivity of the information and the purposes for which it is used.

These physical, electronic, and administrative measures include:

• Secure Storage: Clinia protects its systems and your data within accredited data centers managed by reputable, industry-leading service providers.

• End-to-End Encryption: Your data is encrypted at rest and in transit using strong encryption and communication protocols such as AES-256 and TLS 1.3.

• Zero-Trust Security: Clinia’s systems are built on the zero-trust security model and internal systems are segregated from publicly accessible systems.

• Access Control: Access to information systems is limited to trusted employees and contractors, and is provided only when strictly necessary while following the principle of least privilege.

• Contractual Security and Confidentiality: Clinia includes security and confidentiality obligations in all contractual agreements with its customers, vendors, employees and other third-parties, ensuring roles and responsibilities are communicated to everyone and contractually binding.

• Security and Privacy Awareness Training: All Clinia team members undergo mandatory security and privacy awareness training annually so that they safeguard personal information held by the organisation and mitigate operational risks.

• Information Security Program: Clinia has developed an extensive information security program that include security, confidentiality, availability, and privacy controls. This program is audited by a reputable third-party auditing body annually under the SOC 2 framework.

Clinia also adopts necessary measures to ensure that all of its employees and other representatives are informed about the contents of the Policy and are aware of its privacy practices.

However, since no mechanism provides flawless security, there is always some degree of risk. The safety and security of your information also depends on you. Where you have chosen a password for access to certain parts of our Services, you are responsible for keeping this password confidential and to change it regularly.

If a security incident involving personal information occurs, Clinia will, where required by law, disclose to the affected individuals and to the relevant governmental authority (such as the Commission d’accès à l’information du Québec, the Office of the Privacy Commissioner of Canada, or the appropriate regulatory authority within the European Union) the occurrence of such incident and take steps to minimize the impact of the security incident on affected individuals. Clinia will also investigate the security incident and adopt methods to reduce the risk of a same nature or similar type of security incident occurring again. Clinia maintains a record of all security incidents involving personal information and, upon request and where required by law, will make such record available to the appropriate privacy authorities.

15. Accuracy

Clinia recognizes that it is important to keep personal information accurate, complete, and up-to-date, and takes reasonable steps to ensure the accuracy and completeness of the information it uses or discloses. However, you are responsible to inform Clinia of any significant changes to your personal information that may occur and to ensure that all personal information in your account is accurate.

Clinia retains your personal information only as long as necessary to fulfill the purpose for which it was collected, to meet legal retention requirements and as long as necessary to protect its legitimate business interests in compliance with its data retention schedule. After that period is over, we will either destroy your personal information or anonymize it for serious and legitimate purposes in compliance with Clinia internal data retention and disposal policy.

16. Children Under 14 years of Age

Our Services are not intended for children under 14 years of age. Children under age 14 may provide any personal information on our Services, only with the consent of his or her legal guardian. Once the consent of the legal guardian is received, we will collect, use, and process such personal information in accordance with this Policy.

17. Processing of personal information of persons within the European Economic Area (EEA) and/or EU

Clinia complies with the provisions of the GDPR, where applicable. Section 17 of the Policy applies in addition to the other dispositions of this Policy, but exclusively as it relates to the processing of personal information in connection with the EEA and the EU, insofar as such processing takes place while the people involved are in the EU or EEA and where the processing activities relate to the provision of goods or services or the monitoring of a person’s conduct, insofar as it involves conduct occurring within the EEA or EU. In case of conflict between this section 17 and the rest of the Policy, the provisions of this section shall prevail, only where the processing takes place while the people involved are in the EU or EEA or where the processing activities relate to the provision of goods or services or the monitoring of the behaviour of those persons, to the extent that it is conduct taking place within the EEA or EU.

17.1 Consent - If your consent is provided in a written statement that addresses other matters, Clinia will ensure that the request for consent to process your personal information is clearly separated.

17.2 Collection, Retention and Use of Personal Information - Clinia will not retain personal information longer than is necessary to fulfill the purposes for which it was collected and Clinia will take reasonable steps to indicate in advance the duration for which that personal information may be retained or the criteria for determining said-duration.

17.3 Automated Individual Decision Making - Clinia recognizes that you have the right to know whether your personal information is processed by an automated decision-making system. Upon request, Clinia will provide you with information on the functioning of this automated system. Unless required or permitted by law, you have the right to refuse to allow that a decision based solely on an automated system be made about you, where that decision has legal consequences for you.

17.4 Privacy Impact Assessment - Clinia will conduct a privacy impact analysis before implementing new technologies that are highly likely to infringe on your rights and freedoms, including your right to privacy.

17.5 Right to Erasure - Where permitted by law, you have the right to request Clinia to remove and erase personal information without unreasonable delay.

17.6 Right to Data Portability – You have the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format that allows you to transmit the data to another controller without hindrance. You also have the right to request that we transmit this data directly to another controller.

17.7 Accuracy and protection - Clinia will implement appropriate technical and organizational measures to protect personal information prior to its collection. Clinia will only share personal information with outside agents, mandataries, consultants, data processors or service providers when they assure Clinia that appropriate measures are in place to protect personal information.

17.8 Liability - Clinia acknowledges that it is responsible for the protection of personal information and can demonstrate its compliance with the GDPR when processing personal information.

17.9 Complaint procedure, right of access or rectification - Clinia takes all necessary measures to facilitate the exercise of your right to access, your right to rectification or your right to obtain your personal information. You can always obtain confirmation from us that personal information is being processed. Any rectification or deletion of your personal information will be communicated to third parties to whom the information has been disclosed.

17.10 Legal Bases for Processing Personal Information - We may process your personal information where you have consented to such processing. We may also process your personal information when we have one of the below valid legal basis to do so:

• Contractual Necessity. We may process your personal information where contractually required to provide you with our Services.

• Compliance with Legal Obligations. We may process your personal information where we have a legal obligation to do so.

• Vital interests. We may process your personal information when there is a vital interest to you, such as in the case of an emergency or to protect you.

• Legitimate Interests. We may process your personal information where we or a third party have a legitimate interest in processing your personal information.

18. Access and rectification requests

All questions or concerns regarding this Policy or about the collection, use and disclosure of your personal information, including requests for access or rectification, should be made in writing to the following person in charge of the protection of personal information at Clinia:

Title : Responsable GRC Adress : 221, de la Commune Ouest, bureau 210, Montreal, H2Y 2C9 Email : privacy@clinia.com

You have the right to request access to your personal information held by Clinia. You also have the right to obtain confirmation that we hold personal information about you. We will provide you with your personal information, when collected electronically, in a structured, commonly used technological format. You may also request that your personal information be corrected if it is inaccurate, incomplete or misleading, or if its collection, disclosure or retention is not permitted by law.

Clinia will respond to any request for access or correction within 30 days of receiving the written request. In the event of a refusal to provide or correct information, Clinia will inform you of the reasons for the refusal and the sections of the applicable law that support the refusal, subject to the limitations of the law, and inform you of your potential recourses.

If Clinia refuses to correct your personal information, we will allow you to provide written comments to your file regarding the personal information that was refused correction. Clinia will also retain the personal information that has been the subject of an access request for as long as necessary to allow you to exhaust any recourse provided by law.

For more information about your privacy and your rights, you may contact the following law enforcement authorities:

In Quebec: Commission d’accès à l’information du Québec https://www.cai.gouv.qc.ca/

In Canada: Office of the Privacy Commissioner of Canada https://www.priv.gc.ca

In the European Union: National Commission on Informatics and Liberty https://www.cnil.fr