NURA Medical Inc. – Privacy Policy
v2.0
Effective Date: September 25, 2025
1. Scope of Application
This Privacy Policy describes how NURA Medical Inc. ("NURA", "we", "us", or "our") collects, uses, discloses, and protects personal information and/or personal health information.
This Policy applies to:
- Individuals who use our clinical decision-support software, NurEx, via our web or mobile applications (collectively, the "Software").
- Patients under the care of healthcare professionals and institutions who themselves use the NurEx Software.
- Visitors to our public-facing website at https://nuramedical.com (the "Website").
- Individuals who interact with NURA via email, contact forms, newsletters, or events, or who provide information to us in connection with our services, communications, or clinical partnerships.
- Healthcare professionals whose contact information NURA has a legitimate interest in collecting and processing.
We are committed to protecting the privacy and personal information of both our end users and the patients they serve. This Policy complies with:
- Law 25 (Quebec’s Act to Modernize Privacy Legislation)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Health Insurance Portability and Accountability Act (HIPAA) (for U.S. healthcare providers and users)
- Other applicable Canadian and U.S. privacy laws.
2. Personal Data We Collect
A. For End Users of NurEx (Healthcare Professionals)
We may collect and process the following personal information:
| Type (Purpose) | Examples | Mandatory? | Retention |
|---|---|---|---|
| Account Data | Unique ID, name, email address | Yes | Account lifetime |
| Authentication Data | Encrypted credentials, access logs | Yes | Account lifetime |
| Usage Analytics | Device & browser type, session duration, feature usage, geographical region | Optional (opt-in) | 30 days |
| Support Logs | Messages and technical reports submitted via support channels | Optional (user submitted) | Account lifetime |
| Contact Information | Name, email address, organization name, job title | Optional (opt-in) | While opted-in |
B. For Website Visitors and Newsletter Subscribers
We may collect and process the following personal information:
| Type (Purpose) | Examples | Mandatory? | Retention |
|---|---|---|---|
| Website Analytics | Device & browser type, referral source, page views | Optional (opt-in) | 90 days |
| Contact Information | Name, email address, organization name, job title | Opt-in only | While consent is active |
| Form Submissions | Contact form messages, event sign-ups | Opt-in | While consent is active |
C. For Patients (Entered by NurEx users)
The NurEx Software may process the following data entered by a licensed healthcare professional using the Software:
| Type | Examples | Purpose |
|---|---|---|
| Demographics | Age, weight, height, gender, date of birth | To calculate dosing recommendations |
| Identifiers | First name, last name, medical record number | For institutional tracking (optional) |
| Clinical Context | Ordered medications, indication | To guide medication preparation and administration |
NURA acts as a Data Processor for patient data. The healthcare provider or institution is the Data Controller.
D. For other Healthcare Professionals
We may collect and process the following information for healthcare professionals who may have an interest in our services, based on our legitimate interest in developing business with them. You may opt out of this at any time by contacting us or by using the relevant link in our communications.
| Type (Purpose) | Examples | Mandatory? | Retention |
|---|---|---|---|
| Website Analytics | Device & browser type, referral source, page views | Optional (opt-in) | 90 days |
| Contact Information | Name, email address, organization name, job title | Opt-in only | While consent is active |
| Form Submissions | Messages or event sign-ups | Opt-in | While consent is active |
3. Legal Basis for Processing
We process your data based on:
- Contractual necessity (e.g., to provide the Software)
- Legal obligations (e.g., to comply with healthcare regulations)
- Legitimate interests (e.g., product improvement, site security)
- Consent, where applicable (e.g., newsletters, optional fields)
4. Purposes of Use
| Purpose | Applies To | Basis |
|---|---|---|
| Account creation & user authentication | End users | Contractual necessity |
| Software functionality & support | End users | Contractual necessity |
| Product improvement & debugging | End users | Legitimate interest |
| Usage analytics | End users, website visitors | Legitimate interest |
| Marketing emails (opt-in only) | Website visitors, end users | Consent |
| Customer support | All | Contractual necessity |
We do not use patient data for research or marketing under any circumstance.
5. Children’s Data
If NurEx is used to calculate medication for a patient under age 14, the User must confirm that they:
- Have obtained appropriate parental or legal guardian consent, and
- Are using the Software solely for the provision of healthcare services to that patient.
NURA does not knowingly collect data directly from children.
6. Data Storage & Transfers
Software Data – Microsoft Azure (Canada or U.S.) – Region configurable.
Website Analytics – Microsoft Azure (U.S.) – Anonymized and aggregated.
Backup & Logging – Microsoft Azure (U.S.).
All transfers outside of Quebec are protected by written contractual agreements with equivalent safeguards under Law 25.
7. Data Retention and Deletion
| Data Type | Retention | Deletion |
|---|---|---|
| User account data | Duration of customer contract | Deleted upon termination or request |
| Patient data | Duration of customer contract | Deleted upon termination or request |
| Support logs | Up to 12 months | On request |
| Website browsing data | 30 days | Automatic deletion |
| Marketing contacts | Until opt-out | Deletion on request or unsubscribe |
End users and institutions may request access, correction, or deletion via email: privacy@nuramedical.com
8. Security Measures
We implement robust administrative, physical, and technical safeguards:
- Encryption at rest and in transit
- Role-Based Access Control (RBAC)
- Multi-Factor Authentication (MFA)
- Vendor management & subprocessor audits
- Audit logs for key actions
- Internal ISMS reviews
- Planned SIEM system within 6 months
No third party may access personal data unless bound by a Data Processing Agreement (DPA).
9. Third-Party Vendors & Subprocessors
We do not use Google, Firebase, or analytics tools that export identifiable data. All Software and Website data is hosted on Microsoft Azure, and only contracted service providers have access (e.g., email delivery, database backup).
Each vendor is required to:
- Sign a DPA,
- Adhere to strict access controls,
- Implement their own privacy and security programs.
A full list of subprocessors is available upon request.
10. Your Rights
Depending on your jurisdiction (Quebec, rest of Canada, U.S.), you have the right to:
- Access a copy of your personal data
- Correct inaccurate data
- Request deletion of your data
- Withdraw consent (for marketing)
- Lodge a complaint with the applicable privacy regulator
To exercise your rights, contact privacy@nuramedical.com.
11. Breach Notification
In the event of a data breach:
- We will notify affected Users and Institutions within required timeframes under Law 25, PIPEDA, and/or HIPAA.
- Notifications will be sent via email to the account holder and/or institutional contact.
12. Cookies & Tracking Technologies (Website Only)
We use minimal first-party cookies for account and session management, to track preferences you selected, or to collect usage data that will help us improve the product experience. None of this information is shared with others.
We do not use third-party cookies, ad pixels, or behavioral tracking.
13. Changes to This Policy
We may update this Policy to reflect operational, legal, or regulatory changes.
- Material changes will be communicated to users via email or app prompt.
- All users will be prompted to review and accept any updated version before continuing to use the Software.
14. Contact Us
Privacy Officer, NURA Medical Inc.
Email: privacy@nuramedical.com
By using NurEx or interacting with our Website, you confirm that you have read and agree to this Privacy Policy.
