RXTUTEUR PRIVACY POLICY

Last updated: March 9, 2026

This Privacy Policy describes how RxTuteur Inc. ("RxTuteur", "we", "our" or "us") collects, uses, shares and protects personal information through our training platform at app.rxtuteur.com (the "Platform").

We are committed to protecting your privacy in accordance with Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable laws.

This Policy is written in clear, straightforward language as required by law. If anything is unclear, please contact our Privacy Officer.

1. PRIVACY OFFICER

Our designated Privacy Officer is responsible for overseeing the protection of personal information within our organization and for handling any questions, comments or complaints.

Name: Doria Boukheroufa
Email: rxtuteur@gmail.com
Address: 472 Monmouth Ave, Mont-Royal, QC, H3P 2B4, Canada

We will respond to all requests within 30 calendar days of receipt.

2. PERSONAL INFORMATION WE COLLECT

2.1 Information you provide

Account information: your name, email address and language preference.
Training activity: your responses to surveys and quizzes, scores, completion records and any content you submit on the Platform.
Payment information: collected and processed directly by our payment processor, Stripe. We do not store your credit card number or banking details on our servers.
Support communications: messages you send us through the Platform, live chat or email.

2.2 Information collected automatically

When you use the Platform, we may automatically collect:

Device information: device type, operating system, browser type and version, screen resolution and language settings.
IP address: including an approximate geographic location (city or region).
Activity information: pages viewed, session duration, navigation between pages, time of access and the website you visited before reaching the Platform.
Email interactions: whether you opened an email or clicked a link, collected through tracking pixels (small invisible images embedded in emails) for statistical purposes.

2.3 Information from third parties

Workspace administrators: your employer or pharmacy administrator may add you to a workspace and provide your name and email address.
Stripe: payment confirmation and subscription status.

3. WHY WE COLLECT YOUR INFORMATION

We collect and use your personal information for the following purposes:

Provide and operate the training platform.
Track and report training completion to your workspace administrator.
Manage your account and authenticate your identity.
Process billing and payments.
Send transactional communications (task reminders, announcements, security alerts).
Provide customer support via live chat and email.
Improve platform performance and user experience through analytics.
Ensure the security and integrity of the Platform.
Comply with legal obligations.

We do not sell your personal information.

4. CONSENT

We rely on the following bases for processing your personal information:

Contract performance: processing necessary to provide the Platform and its services (account management, training delivery, billing).
Consent: for non-essential processing such as analytics cookies and communication tools. You may withdraw consent at any time through the privacy settings in your account menu.
Legal obligation: where we are required to process information to comply with applicable laws.
Legitimate interest: for platform security monitoring and error tracking, where such interests do not override your rights.

During your first visit, a consent banner allows you to choose which categories of cookies and technologies you accept. Only strictly necessary cookies are activated by default. You may change your preferences at any time through the privacy settings accessible in your account menu.

5. DATA RETENTION AND DESTRUCTION

5.1 Retention periods

Data Category	Retention Period
Active user accounts	Retained for the duration of the business relationship
Inactive user accounts	Anonymized after 36 months of inactivity
Training results and completion records	Retained for the duration of the workspace subscription (may be preserved in anonymized form after account anonymization)
Audit and security logs	90 days (application logs), up to 7 years (compliance logs)
Cookie consent records	Retained as long as your account is active, deleted upon anonymization
Email queue	Deleted after processing

5.2 Anonymization

When your information is no longer needed, we anonymize it through an irreversible process. Anonymized data cannot be linked back to you. Aggregate training statistics may be preserved for reporting purposes, but they will not identify you in any way.

5.3 Workspace-level data

Workspace data is retained while the workspace subscription is active. When a workspace is deleted, all associated data (surveys, responses, user memberships) is permanently removed.

6. YOUR RIGHTS

Under Quebec law, you have the following rights regarding your personal information:

Right of access: request a copy of the personal information we hold about you. We can provide your data in a structured format (JSON).
Right to rectification: request correction of inaccurate or incomplete information. You may also update your account information directly through the Platform.
Right to deletion (anonymization): request that your personal information be permanently anonymized.
Right to data portability: receive your personal information in a structured, commonly used, machine-readable format (JSON).
Right to withdraw consent: withdraw your consent for non-essential processing (such as analytics cookies or communication tools) at any time through your account menu.
Right to de-indexation: request that your personal information linked to your name be removed from search engine indexing.
Right regarding automated decisions: RxTuteur does not make decisions based solely on automated processing that produce legal or significant effects on you.

How to exercise your rights

Contact our Privacy Officer at rxtuteur@gmail.com. We will respond within 30 calendar days. We may need to verify your identity before processing your request. If we are unable to fulfill your request, we will provide written reasons.

Note for workspace employees: If your account was created by a workspace administrator (your employer), certain requests related to your training data may need to be directed to your administrator first, as they are the data controller for your employment-related training records.

7. SHARING AND THIRD PARTIES

We do not sell, rent or trade your personal information to any third party.

We may share your information in the following circumstances:

7.1 Workspace administrators

Training completion data, quiz scores and survey responses are shared with the administrators of your workspace (employer or pharmacy). This is necessary to operate the training platform.

7.2 Service providers (sub-processors)

We work with the following service providers who may process personal information on our behalf. Written data processing agreements are in place with each provider.

Provider	Purpose	Data Shared	Location
Google Cloud Platform	Infrastructure hosting and database	All platform data (stored on GCP servers)	Canada
Stripe	Payment processing	Email address, payment method details (collected directly by Stripe)	United States
SendGrid	Transactional email delivery	Email address, email content	United States
Intercom	Live chat and customer support	Name, email address, workspace name (only if you accept communication cookies)	United States
Google Analytics	Website usage analytics	Anonymized usage data (only if you accept analytics cookies)	United States
Sentry	Error monitoring and platform stability	Technical error data, request context (no direct personal identifiers)	United States

7.3 Legal obligations

We may disclose personal information when required by law, court order or government request.

7.4 Business transactions

In the event of a merger, acquisition or sale of all or part of RxTuteur, personal information may be transferred to the acquiring party. We will notify you before your information becomes subject to a different privacy policy.

8. COOKIES AND TRACKING TECHNOLOGIES

When you use the Platform, we use cookies and similar technologies to ensure its proper functioning, improve performance and analyze usage. A cookie is a small text file stored on your device by your browser.

Click on each category below to see the specific technologies used.

These cookies are strictly necessary for the Platform to function. They cannot be disabled.

Technology	Purpose	Duration
`ci_session` (cookie)	Session management — keeps you logged in and remembers your state	2 hours
`csrf_cookie_name` (cookie)	Security — protects against cross-site request forgery attacks	Session
`cookie_consent` (cookie)	Stores your cookie consent preferences	1 year
`localStorage` (browser storage)	Stores application state (e.g., task list cache, version tracking)	Persistent until cleared

These cookies help us understand how the Platform is used so we can improve it. They are only activated if you give your consent.

Technology	Provider	Purpose	Duration
`_ga`	Google Analytics	Distinguishes unique visitors	2 years
`_ga_*`	Google Analytics	Maintains session state	2 years
`_gat_*`	Google Analytics	Throttles request rate	1 minute
Google Tag Manager	Google	Manages analytics script loading	Session

These cookies enable the live chat feature for customer support. They are only activated if you give your consent.

Technology	Provider	Purpose	Duration
`intercom-id-*`	Intercom	Identifies your live chat session	9 months
`intercom-session-*`	Intercom	Maintains your chat session state	1 week
`intercom-device-id-*`	Intercom	Identifies your device for support continuity	9 months

Our transactional emails may contain the following technologies for delivery and performance monitoring:

Technology	Purpose
Tracking pixels (invisible images)	Detect whether an email was opened, for delivery statistics
Link tracking	Detect whether links in emails were clicked, for engagement statistics

You can manage cookies at any time through the privacy settings in your account menu or through your browser settings. If you revoke consent for a category, the corresponding cookies are deleted from your device.

9. SECURITY MEASURES

We implement technical, organizational and physical security measures to protect the personal information we collect against unauthorized access, loss, misuse, alteration or disclosure. Our measures include:

Role-based access control following the principle of least privilege.
Two-factor authentication available for all user accounts.
Encrypted connections (TLS/HTTPS) for all data transmitted between your device and our servers.
Secure, HTTP-only session cookies that cannot be accessed by scripts.
System monitoring, structured logging and error tracking.
Automated blocking of known attack patterns and vulnerability probes.
Internal procedures for the management of confidentiality incidents.
Ongoing awareness of our personnel regarding the protection of personal information.

10. CONFIDENTIALITY INCIDENTS

In the event of a confidentiality incident involving your personal information that presents a risk of serious harm, we will:

Notify the Commission d'accès à l'information du Québec (CAI) promptly.
Notify you and any other affected individuals without undue delay.
Record the incident in our internal incident register.

We maintain an incident register as required by law.

11. CHILDREN'S PRIVACY

The Platform is intended for professional use and is not directed at individuals under the age of 14. We do not knowingly collect personal information from children under 14. If you believe a child under 14 has provided us with personal information, please contact our Privacy Officer so we can take appropriate steps.

12. OTHER SITES AND SERVICES

The Platform may contain links to websites or services operated by third parties. We do not control and are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

13. COMPLAINTS AND DISPUTE RESOLUTION

13.1 Internal complaint

If you have a complaint about how we handle your personal information, please contact our Privacy Officer at rxtuteur@gmail.com. We will respond within 30 calendar days.

13.2 External complaint

If you are not satisfied with our response, you have the right to file a complaint with the:

Commission d'accès à l'information du Québec (CAI)
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the date at the top of this page and, where appropriate, by other means (such as a notice on the Platform or an email). Your continued use of the Platform after the effective date of any changes indicates your acceptance of the updated Policy.

15. GOVERNING LAW

This Privacy Policy is governed by and construed in accordance with the laws of the Province of Quebec and the federal laws of Canada applicable therein, without regard to conflict of law principles.

16. CONTACT US

For any questions about this Privacy Policy or to exercise your rights, please contact our Privacy Officer:

Doria Boukheroufa
Email: rxtuteur@gmail.com
Address: 472 Monmouth Ave, Mont-Royal, QC, H3P 2B4, Canada