Privacy Policy

Last updated: December 1st, 2025

Purpose

VITR.AI develops orientation software, data visualization, and application programming interfaces (APIs), including patient orientation tools and clinical relevance filters.

By accessing its software (including NAVIG), you are bound by the user license agreement that your employer has entered into with VITR.AI or by your employment contract with VITR.AI, if applicable, and/or by the terms of use of the VITR.AI website and software, as well as by this privacy policy.

The purpose of this privacy policy is to inform users, patients, clients, employees, and consultants of VITR.AI about the practices implemented by VITR.AI to protect personal information obtained through the provision of services, the use of its websites and software, and its business management.

If you do not agree to this privacy policy and to VITR.AI obtaining your personal information, please do not provide us with your personal information.

Application of this privacy policy

This privacy policy applies to three situations:

  • The use of NAVIG, during which no personal information is collected;

  • The use of a VITR.AI API, which involves the collection of personal information from patients and/or users;

  • The collection of personal information from employees and consultants;

The following sections outline our personal information management practices for each of these situations.

Personal information collected

Personal information is defined as information that can be used to identify a given individual. Please note the professional contact details of an individual are not considered personal information.

1. NAVIG

When using NAVIG, VITR.AI does not collect any personal information from its clients (medical clinics and call centers), nor from their patients, employees, or users, since no personal information is required to use the patient orientation and data visualization software. In fact, according to the terms of use and license agreements signed with the institutions, no personal information should be entered into the orientation software.

2. API

In contrast to NAVIG, the use of a VITR.AI API involves the collection of personal information that is strictly necessary for processing a request.

Therefore, the following personal information may be collected when using a VITR.AI API:

  • Postal code: to identify the region where you are located;

  • Health insurance number: to verify whether you have a primary care physician;

  • Answers to health questions: to provide a better understanding of the patient's needs;

These data are necessary to enable VITR.AI to offer patients services adapted to their needs, in particular for the scheduling of appointments and care management via the platform.

Using a VITR.AI API requires your consent for the collection and processing of personal information necessary for its operation. You must also give your express consent for these data to be used, when anonymized, in the training and improvement of artificial intelligence models. Personal information is stored for a limited period of time before being irreversibly anonymized, thereby eliminating any possibility of direct or indirect identification. A detailed description of the anonymization process is provided below.

3. Employees and consultants

At VITR.AI, we collect the following personal information about our employees and consultants:

  • Name;

  • Contact details;

  • Phone number;

  • Social Security number (for employees only);

  • Specimen check (bank details);

  • Hourly rate/salary;

  • Information on professional performance;

  • Emergency contact;

Children's privacy

At VITR.AI, we do not intentionally collect or solicit personal information from individuals under the age of thirteen (13) without parental consent. If you are a parent or guardian and you know that your child has provided us with personal information, please contact our privacy and data protection officer, whose contact details are provided in the following section of this policy.

All data collected without verified parental consent will be immediately deleted from our servers.

Purposes for which personal information is collected

The personal information of our employees, as well as that of users of a VITR.AI API, is collected solely for the following purposes:

  • Conducting our business activities;

  • Proper human resources management;

  • Payroll and accounting services;

  • Legal obligations;

  • Provision of services to patients via the VITR.AI API;

Consent and legal basis

To limit any risk of harm caused by a privacy incident, we only collect and retain personal information that is necessary for the purposes listed above.

If you provide us with personal information about other individuals, it is your responsibility to inform them and obtain their consent before providing us with their personal information.

If we wish to use your personal information for purposes other than those originally stated, we will request your consent beforehand, except in cases permitted by law or if the new use is compatible with the original purpose for which we collected your personal information.

Disclosure of your personal information

Only the following individuals may receive communications from our employees that may contain your personal information:

  • You;

  • VITR.AI employees who require it for their job and have signed a personal information confidentiality agreement (e.g., management and accounting);

  • A VITR.AI service provider who needs your personal information in order to provide services and who has signed a personal information confidentiality agreement or has equivalent ethically based obligations;

  • The police or other competent authority, if required by law;

Non-disclosure to third parties

VITR.AI does not rent, sell, or exchange the personal information of its employees or users (such as name, address, phone number, or email address) or financial information (such as hourly rates/salaries).

VITR.AI undertakes to not disclose personal information, except where required by law, at the request of a court, or in the context of the performance of a contract assigned to an external service provider. When we use an external service provider, we take all necessary measures to ensure that your personal information is protected by law and is collected, used, stored, and deleted in accordance with this policy.

Personal information hosting

VITR.AI hosts your personal information using servers located in Quebec.

Security measures

At VITR.AI, we apply high standards and use high-performance security systems for the design, implementation, and daily operation of our platforms (websites and applications) as well as our underlying servers and networks. We also aim to detect and block any intrusion on our platforms.

We have implemented various measures to protect your personal information from loss, theft, and unauthorized access, disclosure, reproduction, use, modification, or destruction. These measures include physical, administrative, and technological security measures that we deem appropriate based on the sensitivity, amount, and format of the personal information collected.

In addition to these security measures, our employees, consultants, and suppliers sign confidentiality agreements ensuring the protection of all personal information collected, as well as our customers' business information.

Access control to your personal information

Access to information is restricted to authorized employees and consultants who are properly trained and bound by contractual confidentiality obligations. All access to personal information is logged to ensure complete traceability and to detect any unauthorized access attempts. Information is encrypted in transit and at rest, and hosted exclusively on servers located in Quebec.

Your rights regarding your personal information

The Act to modernize legislative provisions as regards the protection of personal information (hereinafter referred to as « Act 25 ») and the Act respecting health and social services information (hereinafter referred to as « Act 5 ») provide you with various rights with respect to your personal information. These rights include the following :

  • Access: the right to ask whether we hold personal information about you and, if so, to request access to that personal information;

  • Rectification: the right to request that any incomplete or inaccurate personal information we hold be rectified;

  • Withdrawal of consent: the right to withdraw your consent to the disclosure or use of any personal information we may hold;

  • Restriction or refusal of access: the right to request that a specific individual or category of individuals not be allowed access to one or more specific elements of information that you have identified;

  • Portability: You have the right to request that your personal information be disclosed to you or transferred to another organization in a structured and commonly used technological format;

  • Complaint: You have the right to file a complaint with our privacy and data protection officer or, if you believe there has been a breach of the Privacy Act;

If you wish to exercise any of these rights, please contact our privacy and data protection officer, whose contact details can be found in the following section of this policy.

Please note that VITR.AI may refuse any request for rectification, portability, or withdrawal of consent if it is contrary to applicable laws and regulations, or in the case of portability, if it causes serious practical difficulties. We will then provide you with full justification for the refusal.

Risks

In recognition of the importance of protecting your personal information, VITR.AI has implemented the necessary measures to comply with applicable laws as well as professional and ethical obligations. We respect the security standards specific to our sector of activity to ensure the protection of the information we collect and receive.

Notwithstanding the foregoing, the management of the collection, storage, consultation, and communication of personal information via technology involves a number of risks that cannot be attributed to or imputed to VITR.AI. If you have reason to believe that personal information has been compromised, please contact our privacy and data protection officer, whose contact details can be found in the following section of this policy.

Incident management involving confidentiality, cybersecurity, and technical abnormalities

In the event of inadvertent access to personal information, whether it belongs to patients of our clients (medical clinics and call centers), employees, or any other API user, we proceed as follows:

  • The patient, employee, client, or any other affected user is immediately informed;

  • Personal information obtained by mistake is destroyed as soon as possible;

  • The incident is documented to ensure traceability and prevent recurrence;

In the event of cybersecurity incidents or technical anomalies that could compromise security and/or personal information, VITR.AI has an incident response plan that will be implemented by our privacy and data protection officer. This plan includes, among other things:

  • Immediate notification to all relevant parties;

  • Assessment of the nature and impact of the incident;

  • Corrective measures to limit the consequences;

  • Complete documentation of the incident and actions taken;

Therefore, if an incident occurs, you must notify our privacy and data protection officer as soon as possible using the contact information provided at the bottom of this policy.

Anonymization, retention period, and destruction

As mentioned above, prior to using a VITR.AI API, you will be asked to give your express consent so that your personal information, once anonymized, can be used for training our artificial intelligence.

Anonymization involves permanently transforming data so that no individual can be identified, either directly or indirectly. At VITR.AI, this process follows a rigorous method that complies with the Act respecting health and social services information (LRSSS, known as “Act 5”), which includes:

  • The destruction of direct identification data (name, telephone number, address, etc.);

  • The modification or generalization of indirect information that could be used to trace an identity (date of birth, place of birth, unique codes, etc.);

Only anonymized data are used to train artificial intelligence models, ensuring user privacy while enabling the continuous improvement of our technologies.

You may withdraw your consent at any time. In this case, non-anonymized personal information will be destroyed within 120 days of collection.

Any non-required personal information must not be provided by you unless it is necessary for the provision of services or employment.

VITR.AI undertakes to destroy the personal information of API users after a maximum period of six (6) years. For employees and consultants, data is retained for six (6) years after the end of employment or service provision, in accordance with the legal obligations of the Canada Revenue Agency.

Our commitment to protecting your privacy

At VITR.AI, protecting your personal information is a priority. We ensure that our privacy and security policies and practices are clearly communicated to all our employees and consultants, and we implement rigorous measures to ensure their enforcement. We are committed to maintaining high standards of information security and promoting an organizational culture focused on the protection of personal information.

Training and awareness

At VITR.AI, we regularly train our employees and consultants to ensure they understand how to protect personal information and secure our systems. This enables them to take the right actions, identify risks, and follow our security rules on a daily basis. By doing so, we ensure that your personal information is well protected and that our practices comply with information security standards.

Revision and update of the policy

We reserve the right to revise and update our privacy policy at any time to reflect changes in our practices, activities, or applicable legal and regulatory requirements. When an update is made, we will update the date of the last modification at the beginning of this policy and publish the revised version on our website or any other relevant platform. If the changes are significant, we will post a clear and visible notice to inform you accordingly.

We encourage you to review this policy regularly to stay informed about how we process your personal information. By continuing to use our website, software, or services after a revised version has been published, you are deemed to have accepted the changes. If you do not agree with the updated terms and conditions, we invite you to stop using our services.

Appointment of the privacy and data protection officer

VITR.AI has appointed Arianne Patenaude as its privacy and protection officer.

Contact details:
Me Arianne Patenaude, Legal and Compliance Counsel
VITR.AI 126, rue Principale (suite 100) Granby (Québec) J2G 2V2
[email protected]

Please feel free to contact our privacy and data protection officer if you have any questions about this privacy policy.