PRIVACY POLICY

Effective date: October 25, 2025

Last updated: October 25, 2025

1) About this policy

This Privacy Policy describes how Infection control IQ ("Company," "we," "us") collects, uses, discloses, and protects personal information when you visit our website, sign up for an account, or use the Infection Control IQ Service (together, the "Services"). It applies to personal information we handle in Canada and, if we intentionally offer Services to individuals in other jurisdictions, as described below.

We designed this Policy to reflect Canadian privacy laws (including federal PIPEDA) and substantially similar provincial laws where they apply. We also respect Quebec's Law 25 requirements for transparency and accountability when applicable, and CASL for commercial electronic messages.

2) What we do (and what we don't)

  • We index and search public IPAC guidance and return cite‑backed answers.
  • We do not require you to submit personal health information (PHI) or any sensitive personal information to use core features. Please do not include PHI in prompts, uploads, or support tickets.
  • If you inadvertently provide PHI or other sensitive data, contact us. We will delete it where feasible and where we are not required to retain it for security or legal reasons.

3) Personal information we collect

a) Information you provide

  • Account and profile: name, work email, organization, role, password (hashed), and preferences.
  • Communications: support requests, email messages, or call notes.
  • Billing (paid plans): billing contact, company name, plan selections, and transaction metadata via our payment processor (we do not store full payment card numbers on our servers).
  • Content you submit: search queries, feedback, and optional uploads (please exclude PHI).

b) Information collected automatically

  • Usage and device data: pages viewed, features used, links clicked, timestamps, IP address, device/OS/browser, and approximate location derived from IP.
  • Cookies and similar technologies: necessary cookies (e.g., session), functional preferences, and analytics cookies.

c) Information from third parties

  • Single sign‑on (if enabled) may share basic profile attributes (e.g., email, name, org ID).
  • We may receive business contact details from your organization (user provisioning) or from service providers for fraud/security and anti‑abuse.

4) Why we collect and how we use personal information

We use personal information to:

  1. Provide and secure the Services (core functionality, authentication, fraud prevention, service integrity).
  2. Respond to you (support, training, customer success).
  3. Improve the Services (e.g., quality, relevance, and safety of answers; UI/UX), including aggregated or de‑identified analytics.
  4. Communicate: operational notices, updates, security alerts; and marketing emails only with your consent (or as permitted by law).
  5. Compliance: meet legal, regulatory, tax, and audit obligations; enforce our Terms; protect rights, safety, and property.

5) Our legal authority to handle personal information

In Canada, we rely on consent (express or implied) and reasonable purposes under applicable privacy laws to collect, use, and disclose personal information. You can withdraw consent at any time, subject to legal or contractual limits.

If we intentionally offer Services to individuals in the EU/EEA/UK, we rely on an appropriate lawful basis under GDPR/UK GDPR (e.g., contract, legitimate interests, consent) for the limited data we process for website access and account management.

6) Do not submit PHI or other sensitive data

The Services are not intended to process PHI. You agree not to submit PHI or other sensitive data (e.g., health numbers, biometrics, precise geolocation, financial account identifiers, government IDs). If you believe such data was sent to us, contact us so we can remediate.

7) How we share information

We do not sell personal information. We disclose personal information only to:

  • Service providers (cloud hosting, email delivery, analytics, customer support, payments, error monitoring) who are bound by contractual confidentiality and security obligations;
  • Your organization (for enterprise plans) to administer access;
  • Authorities when required by law or to protect rights, safety, and security; and
  • Business transfers: if we undergo a merger, acquisition, or asset sale, data may transfer under appropriate contractual protections.

A list of core service providers is available upon request at support@infectioncontroliq.com.

8) Cookies and analytics

We use strictly necessary cookies for login and security, functional cookies to remember preferences, and analytics cookies (e.g., page performance, crash diagnostics). On your first visit, we may present a cookie consent banner where required. You can manage preferences via your browser settings or the cookie preferences link (if available) in our site footer.

9) Your choices and rights

Subject to applicable law and verification of identity, you may:

  • Access your personal information;
  • Correct inaccuracies or update your information;
  • Withdraw consent for non‑essential processing (e.g., marketing or analytics cookies);
  • Request deletion where we no longer need the data and are not required to keep it;
  • Request a copy of certain information in a commonly used format; and
  • File a complaint with a privacy regulator.

To exercise rights, email support@infectioncontroliq.com.

10) Security

We use reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including encryption in transit, access controls, and audit logging. No system can be guaranteed 100% secure. If we discover a security incident that creates a real risk of significant harm, we will notify you and regulators as required by law.

11) Retention

We retain personal information only as long as necessary to provide the Services and for legitimate business needs (e.g., security, audits), and as required by law. Illustrative defaults:

  • Account data: for your subscription term plus up to 12 months after closure;
  • Support communications: 24 months;
  • Application logs/analytics: 12–18 months in aggregated or de‑identified form;
  • Legal records: as required by statute.

12) Where we store and process data; international transfers

We primarily host in Canada. Some providers may process data in other jurisdictions (e.g., the United States) under contractual safeguards. For transfers from the EU/EEA/UK (if applicable), we rely on recognized mechanisms and implement supplementary measures as needed.

13) How to resolve concerns or file a complaint

If you have a privacy question or complaint, contact us first (see below). If unresolved, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy regulator (e.g., OIPC Alberta/BC; CAI Québec).

14) Contact us (and Law 25 contact)

Privacy Officer: Privacy Officer

Email: support@infectioncontroliq.com

Mailing address: 34 Steepelview Cres, Richmond Hill, Ontario, L4C9R3

(If your organization is subject to Quebec's Law 25, we publish the title and contact information of the person in charge of personal information on this page.)

15) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy with a new "Last updated" date and, where required, obtain your consent.

CASL marketing consent (optional language for signup/newsletter)

By subscribing, you consent to receive commercial electronic messages about Infection Control IQ from Infection control IQ at the email provided. You can withdraw consent at any time via the unsubscribe link or by contacting support@infectioncontroliq.com. We do not send CEMs without consent as required by CASL.