top of page
Nurse-Matrix-Systems-logo
Contact Us

Privacy Policy

1. Introduction

Nurse Matrix Systems Inc. ("Company", "we", "us", "our") is committed to protecting the privacy and confidentiality of personal information entrusted to us. We operate the NurseMatrix platform, a nursing competency and credential management application designed for Canadian healthcare professionals and organizations which is operated and delivered via a website, online software application, and other channels (the "Platform" or "Service").

 

This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use the Platform. It applies to all users, including nurses, healthcare organization administrators, managers, instructors, and other individuals who interact with the Service.

 

This Privacy Policy supplements our Terms of Use and should be read together with those Terms. In the event of a conflict between this Privacy Policy and the Terms of Use regarding the treatment of personal information, this Privacy Policy shall prevail.

2. Definitions

For the purposes of this Privacy Policy:

 

  • "Personal Information" (PI) means information about an identifiable individual, as defined under PIPEDA, PIPA, and other applicable legislation. This includes, but is not limited to, name, email address, phone number, address, date of birth, and professional identifiers.

 

  • "Aggregate Data" means statistical, de-identified, and anonymized data derived from user activity and content on the Platform that does not identify, and cannot reasonably be used to identify, any individual.

 

  • "Consent Grant" means the explicit permission given by a nurse user to a specific organization to access defined categories of the nurse's professional information through the Platform.

 

  • "Third-Party Processor" means any external service provider that processes personal information on our behalf under contractual obligations.

3. Applicable Privacy Legislation

The Platform is designed to comply with all applicable Canadian federal and provincial privacy legislation, including:

PIPEDA (Personal Information Protection and Electronic Documents Act)

Federal - Applies as the federal baseline for private-sector collection, use, and disclosure of personal information in the course of commercial activity. Governs cross-border data considerations.

PIPA (Personal Information Protection Act)

Alberta - Applies as the primary provincial privacy law for operations in Alberta (initial launch province). Recognized as substantially similar to PIPEDA. Covers employee personal information.

Other Provincial Legislation - Applicable as per Platform availability.

We adhere to the ten fair information principles articulated in Schedule 1 of PIPEDA: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use/Disclosure/Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.

 

Québec Exclusion. The Platform is not intended for use by, and is not made available to, individuals or organizations located in or resident in the Province of Québec. Use of the Platform by Québec-based individuals or organizations is expressly prohibited. Accordingly, the Act respecting the protection of personal information in the private sector (Québec), as amended by An Act to modernize legislative provisions as regards the protection of personal information ("Law 25"), and any regulations thereunder, do not apply to the Platform or to the collection, use, or disclosure of personal information through the Platform. The Company disclaims any and all obligations, liability, or compliance requirements arising under Québec privacy legislation in connection with the Platform. Any individual or organization that accesses or uses the Platform in contravention of this exclusion does so at their own risk and may not assert rights or remedies under Québec privacy legislation against the Company.

4. Information We Collect

We limit our collection of personal information to what is necessary for the purposes identified in this Privacy Policy, in accordance with the Limiting Collection principle under PIPEDA and PIPA. We do not collect personal information indiscriminately and will only collect information by fair and lawful means.

4.1 Information You Provide Directly

Account and Identity Information:

Email address - Account authentication, communications

First and last name - Profile identification

Preferred name - Display preferences

Password - Managed by Auth0 (identity provider); not stored on our servers

Sensitive Personal Information (encrypted at application level):

Phone number - Contact, MFA recovery

Professional and Health-Adjacent Information:

Nursing license numbers - Regulatory identification, credential verification

Nursing category (NP, RN, RPN, LPN,) - Professional classification

Specializations - Clinical specialty tracking

Years of experience - Career profiling

Certifications and credentials (BLS, ACLS, etc.) - Competency management, recertification tracking

Credential documents (scanned licenses, transcripts) - Document verification

Skills and proficiency levels - Competency assessment

Employment status - Career tracking

Organizational Information (for organization accounts):

Organization name and legal name - Account identification

Business number - Regulatory identification

Facility ID - Health facility identification

Contact information (email, phone) - Communications

Address - Correspondence

Member employment details - Membership management

4.2 Information Collected Automatically

IP address - Security, audit logging, fraud prevention

Browser and device information (user agent) - Security monitoring, compatibility

Access timestamps - Audit trail, session management

Pages and features accessed - Service improvement, security monitoring

Request identifiers - Debugging, incident response

4.3 Information from Third Parties

  • Auth0 (identity provider): Authentication events, login history, MFA status, breach detection alerts.

  • Stripe (payment processor): Payment status, subscription status. We do not receive or store your full credit card number.

4.4 Information from Surveys and Feedback

We may collect information you voluntarily provide when responding to surveys, feedback requests, or promotional activities conducted by or on behalf of Nurse Matrix Systems Inc. This information is used for service improvement, product development, and the purposes identified at the time of collection.

5. How We Use Your Information

We collect and use your personal information for the following purposes:

5.1 Providing and Operating the Service

  • Creating and managing your user account.

  • Authenticating your identity and verifying your access permissions.

  • Storing, displaying, and managing your professional credentials, and skills.

  • Enabling consent-based sharing of your professional information with organizations.

  • Processing subscription payments and managing billing.

  • Sending transactional communications (account verification, password resets, consent notifications, credential expiry reminders).

5.2 Security and Compliance

  • Enforcing role-based access controls (RBAC) and consent-based data access.

  • Maintaining comprehensive audit trails of all data access and modification events as required by applicable legislation.

  • Detecting, investigating, and preventing fraudulent activity, unauthorized access, or other security incidents.

  • Complying with applicable legal obligations, regulatory requirements, and law enforcement requests.

5.3 Service Improvement

  • Analyzing usage patterns (in aggregate and de-identified form) to improve Platform features and user experience.

  • Diagnosing and resolving technical issues.

  • Developing new features and services.

5.4 Research and Analytics (Aggregate Data Only)

  • Generating anonymized, de-identified, aggregate data sets for internal analysis, workforce planning insights, and healthcare competency research.

  • See Section 6 for full details on our use of Aggregate Data.

5.5 Communications

  • Sending service-related notifications (e.g., credential expiry warnings, consent requests, system updates).

  • Responding to your inquiries, support requests, and feedback.

  • With your consent, sending promotional or informational communications about Platform features (you may opt out at any time).

6. Aggregate Data and Research

6.1 Data Ownership

As set out in our Terms of Use, data within the Platform is subject to the following ownership and rights framework:

  • Individual Personal Information: You retain all rights granted to you under applicable privacy legislation with respect to your personal information, including rights of access, correction, and consent withdrawal, regardless of where that information is stored.

  • Platform-Generated Operational Data: System logs, performance data, security records, and other data generated by the Platform’s operation are owned by Nurse Matrix Systems Inc.

  • Aggregate and De-Identified Data: All aggregate, statistical, de-identified, and anonymized data derived from Platform activity is owned by Nurse Matrix Systems Inc., which retains full rights to use, analyze, publish, license, and share such data as described in this Section 6.

6.2 What Is Aggregate Data

Aggregate Data is statistical, de-identified, and anonymized data derived from user activity and content on the Platform. It does not identify any individual user and cannot reasonably be used to re-identify any individual. Examples include:

 

  • Workforce distribution statistics (e.g., number of nurses per province, specialization breakdowns).

  • Training completion rates and learning pathway effectiveness metrics.

  • Employment and career mobility trends across the healthcare sector.

6.3 How We Use Aggregate Data

Nurse Matrix Systems Inc. may use, analyze, publish, license, and share Aggregate Data for:

 

  1. Internal research and development — To improve the Platform, develop new features, benchmark performance, and enhance service quality.

  2. Academic and industry research — To contribute to the advancement of nursing competency frameworks, healthcare workforce planning, education research, and related fields.

  3. Third-party access for research purposes — Aggregate Data may be made available to qualified third parties, including:

    • Academic institutions and university researchers.

    • Healthcare policy organizations and government agencies.

    • Industry research partners and healthcare standards bodies.

    • Non-profit organizations working in healthcare workforce development.

6.4 Safeguards for Research Data Sharing

When sharing Aggregate Data with third parties for research purposes, we apply the following safeguards:

 

  • No PI is included. All Aggregate Data shared externally is fully de-identified and anonymized. No names, email addresses, or any other personally identifiable information is ever included.

  • Re-identification prohibition. Third-party recipients are contractually prohibited from attempting to re-identify any individual from Aggregate Data.

  • Contractual controls. All third parties receiving Aggregate Data must execute a data use agreement specifying the permitted research purposes, security requirements, and restrictions on further disclosure.

  • Privacy legislation compliance. All de-identification processes comply with PIPEDA, PIPA, and other applicable Canadian privacy legislation.

  • Minimum necessary principle. Only the minimum Aggregate Data necessary for the stated research purpose is shared.

6.5 What We Will Never Do

  • We will never sell, trade, or disclose individual PI to third parties for research, marketing, or commercial purposes without your explicit, informed consent.

  • We will never provide third parties with access to identifiable personal data for research purposes.

 

We will never use your personal information for automated decision-making that produces legal effects or similarly significant effects concerning you, without your explicit consent and an opportunity to contest the decision.
 

7. Consent

7.1 Meaningful Consent

We are committed to obtaining meaningful consent for the collection, use, and disclosure of your personal information in accordance with PIPEDA, PIPA, and other provincial legislation.

 

At or before the time we collect personal information from you, we will identify the purposes for which it is being collected. We will not use or disclose your personal information for purposes other than those for which it was collected, except with your consent or as required or permitted by law.

7.2 Types of Consent

  • Express consent: We obtain express consent for the collection and use of sensitive personal information through clear, affirmative actions such as checking consent boxes during registration or account setup.

  • Implied consent: Consent is implied where the purpose is obvious and you voluntarily provide the information (e.g., providing your email address to create an account implies consent to use it for account-related communications).

  • Consent for organization data sharing: Access by organizations to your professional information requires a separate, explicit Consent Grant through the Platform's consent management system (see Section 15).

7.3 Withdrawing Consent

You may withdraw your consent at any time by:

 

  • Revoking specific Consent Grants through the Platform's "Your Data, Your Control" interface.

  • Contacting our Privacy Officer (see Section 20).

 

Consequences of withdrawal: If you withdraw consent for certain uses of your information, we may no longer be able to provide some or all of the Service's features. We will inform you of the implications of withdrawing consent at the time of your request.

7.4 Consent Records

We maintain records of all consent grants, modifications, and withdrawals, including timestamps, scope, and the identity of the consenting party, as required by applicable legislation.
 

8. Disclosure and Sharing of Information

We do not sell your personal information. We disclose personal information only in the following circumstances:

8.1 With Your Consent

  • To healthcare organizations to whom you have granted explicit consent through the Platform's consent management system (see Section 15).

  • To any third party with your express, informed consent.

8.2 Service Providers (Third-Party Processors)

We share personal information with third-party service providers who process data on our behalf to operate the Platform. All third-party processors are bound by contractual obligations to protect personal information to a standard substantially similar to our own. See Section 9 for details.

8.3 Legal Requirements

We may disclose personal information without your consent where required or permitted by law, including:

 

  • In response to a valid court order, subpoena, or warrant.

  • To comply with applicable Canadian federal or provincial legislation.

  • To a government institution that has requested the information, identified its lawful authority, and indicates that disclosure is for the purpose of enforcing or administering any law, or carrying out a lawful investigation.

  • To an investigative body listed in the regulations of PIPEDA or applicable provincial legislation.

  • Where disclosure is necessary to address an emergency that threatens the life, health, or security of an individual.

8.4 Business Transactions

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred to the acquiring entity, provided that the acquiring entity agrees to protect your personal information in accordance with this Privacy Policy and applicable law. We will provide notice to affected individuals before their personal information is transferred or becomes subject to a different privacy policy.

8.5 Aggregate Data

We may share Aggregate Data (as defined in Section 6) with third parties for research and analytical purposes. Aggregate Data does not identify any individual. See Section 6 for full details.

8.6 Mandatory Reporting and Suspected Abuse

Notwithstanding any other provision of this Privacy Policy, we reserve the right to disclose personal information without your consent where we reasonably suspect that the information involves a person who may be the victim of abuse, neglect, or domestic violence, including but not limited to child abuse, elder abuse, or abuse of a dependent adult. Disclosure may be made to appropriate authorities, including law enforcement agencies, child protection agencies, or other bodies as required or permitted by applicable mandatory reporting legislation, including the Child, Youth and Family Enhancement Act (Alberta), the Protection for Persons in Care Act (Alberta), and analogous legislation in other provinces and territories.

8.7 Affiliates and Related Entities

We may share your personal information with our affiliates, subsidiaries, or related entities, provided that such entities agree to protect your personal information in accordance with this Privacy Policy and applicable privacy legislation. “Affiliates” includes any entity that controls, is controlled by, or is under common control with Nurse Matrix Systems Inc.

9. Third-Party Service Providers

We engage the following categories of third-party service providers to operate the Platform:

Service Provider - Auth0 (Okta)

Data Shared - Email address, password hash, MFA configuration, login timestamps, IP addresses, user agent, breach detection data

Purpose - Identity authentication, multi-factor authentication, account security

Data Residency - Auth0 cloud infrastructure (see Section 10)

Contractual Safeguards - Data Processing Agreement (DPA)

Service Provider - Google Cloud Platform

Data Shared - All application data (database, documents, logs)

Purpose - Cloud infrastructure — compute, database (Cloud SQL), document storage (GCS), logging, secrets management

Data Residency - Canada — northamerica-northeast1 (Montréal, Québec)

Contractual Safeguards - GCP Data Processing Terms (PIPEDA-aligned)

Service Provider - Stripe

Data Shared - Payment method tokens, billing details, subscription status

Purpose - Payment processing, subscription management

Data Residency - PCI-DSS compliant infrastructure

Contractual Safeguards - Stripe DPA; PCI-DSS Level 1 certified

Service Provider - SendGrid (Twilio)

Data Shared - Recipient email address, sender address, email content (may include names and invite/notification details)

Purpose - Transactional email delivery (password resets, invitations, notifications)

Data Residency - US-based infrastructure (see Section 10)

Contractual Safeguards - Data Processing Agreement (DPA)

 

We require all third-party processors to:

 

  • Process personal information only on our documented instructions.

  • Implement appropriate technical and organizational security measures.

  • Not sub-process personal information without our prior authorization.

  • Assist us in meeting our obligations under applicable privacy legislation, including responding to individual access/correction requests and data breach notifications.

  • Return or delete personal information upon termination of the service relationship.

10. Cross-Boarder Data Transfers

The majority of your personal information is stored and processed entirely within Canada (see Section 11). However, certain third-party service providers may process limited personal information outside of Canada:

Service - Auth0 (Okta)

Data Transferred - Authentication data (email, password hash, MFA data, login events, IP addresses)

Destination - Auth0 cloud infrastructure — verify regional settings for .ca.auth0.com tenant

Justification - Necessary for identity authentication service; Auth0 DPA in place

Service - SendGrid (Twilio)

Data Transferred - Email addresses, names, notification content

Destination - United States

Justification - Necessary for transactional email delivery; SendGrid DPA in place

Safeguards for cross-border transfers:

 

  • All cross-border transfers are governed by Data Processing Agreements with the receiving parties.

  • Receiving parties are contractually required to protect personal information to a standard comparable to Canadian privacy legislation.

  • We limit the personal information transferred cross-border to the minimum necessary for the specific service purpose.

  • We monitor third-party compliance with their contractual obligations.

 

Disclosure under PIPA s 13.1: By accepting the Terms of Use and this Privacy Policy, you confirm that you have been advised that limited personal information (as described above) may be stored or processed outside of Canada by the identified third-party service providers for the stated purposes, and you accept this as a condition of using the Platform. If you have concerns about cross-border transfers, please contact our Privacy Officer.

11. Data Residency

All primary personal information and personal health information processed by the Platform is stored on infrastructure located within Canada:

Data Component - Application servers

Infrastructure - Google Cloud Run

Location - northamerica-northeast1 (Montréal, Québec)

Data Component - Database (PostgreSQL)

Infrastructure - Google Cloud SQL

Location - northamerica-northeast1 (Montréal, Québec)

Data Component - Document storage

Infrastructure - Google Cloud Storage

Location - northamerica-northeast1 (Montréal, Québec)

Data Component - Container images

Infrastructure - Google Artifact Registry

Location - northamerica-northeast1 (Montréal, Québec)

Data Component - Secrets management

Infrastructure - Google Secret Manager

Location - Canadian region

Data Component - Application logs

Infrastructure - Google Cloud Logging

Location - Canadian data residency configuration

This Canadian data residency architecture satisfies the requirements of PIPEDA and PIPA regarding the storage and processing of personal information within Canada.

12. Data Security

We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, destruction, or loss:

12.1 Encryption

  • In transit: All data transmitted between your device and the Platform, and between Platform components, is encrypted using TLS 1.2 or higher.

  • At rest (platform level): All data stored in Google Cloud SQL, Google Cloud Storage, and Google Secret Manager is encrypted at rest using AES-256 encryption.

12.2 Access Controls

  • Authentication: Multi-factor authentication (MFA) is enforced for all user accounts through Auth0, with brute-force protection, breached password detection, and suspicious IP throttling.

  • Role-based access control (RBAC): The Platform enforces granular role-based permissions, ensuring that users can only access data and features appropriate to their assigned role(s).

  • Consent-based data access: Organizations may only access nurse professional information through explicit, revocable Consent Grants.

  • Signed URLs: Document access is controlled through time-limited signed URLs (15-minute expiry for reads) to prevent unauthorized direct access to stored files.

12.3 Infrastructure Security

  • Dedicated service accounts following the principle of least privilege.

  • Non-root containers with hardened Docker configurations.

  • Secrets stored in Google Secret Manager — not in environment variables or code.

  • Encrypted database connections through Cloud SQL Auth Proxy.

12.4 Audit and Monitoring

  • Comprehensive audit logging of all data access, modification, and deletion events, including actor identity, IP address, user agent, timestamp, and before/after state.

  • Dedicated consent access logging tracking which organizations access which nurse data, when, and from where.

  • Request-level tracing for incident investigation.

  • Application and infrastructure log retention for security monitoring.

12.5 File Upload Security

  • MIME type and file extension validation against an allowed whitelist.

  • File size limits (10 MB maximum) enforced at the application level.

  • Upload integrity verification using CRC32C checksums.

  • Path isolation ensuring user files are stored in user-specific directories.

12.6 No Guarantee of Absolute Security

While we have implemented the security measures described above to protect your personal information, please be aware that no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your personal information transmitted to or stored on the Platform. Any transmission of personal information is at your own risk.

13. Data Retention and Disposal

13.1 Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

PIPEDA s.4.5; PIPA s.35

Data Category - User account data

Retention Period - For the duration of the account plus a reasonable wind-down period, or until deletion is requested

 

Data Category - Professional credentials and skills

Retention Period - For the duration of the account plus a reasonable wind-down period, or until deletion is requested

 

Data Category - Uploaded documents

Retention Period - For the duration of the account plus any legally required retention period

 

Data Category - Audit logs

Retention Period - Minimum 2 years

 

PIPEDA s.4.3; PIPA s.8

Data Category - Consent records

Retention Period - Duration of consent plus a reasonable proof period (minimum 2 years after revocation)

 

Canada Revenue Agency requirements

Data Category - Payment records

Retention Period - As required by tax and financial reporting legislation (typically 7 years)

Operational necessity

Data Category - Operational logs

Retention Period - 14–90 days depending on log type

Data Category - Backup data

Retention Period - Same retention periods as production data

13.2 Disposal

When personal information is no longer required for the identified purposes or by law:

 

  • Database records: Securely deleted using cascade deletion, ensuring all related records across all tables are removed.

  • Uploaded documents: Deleted from Google Cloud Storage and all associated database metadata removed.

  • Backups: Expired from backup systems in accordance with backup lifecycle policies.

  • Aggregate Data: De-identified data that cannot identify individuals is retained indefinitely for research and analytical purposes.

13.3 Account Deletion

Upon account deletion:

 

  • All personal information associated with your account is deleted or anonymized.

  • All uploaded documents are removed from storage.

  • All active Consent Grants are revoked.

  • Audit log entries are retained as required by law (see retention periods above) but are anonymized where possible.

  • Aggregate Data derived from your use of the Platform is retained, as it does not identify you.

14. Your Privacy Rights

Under applicable Canadian privacy legislation, you have the following rights:

14.1 Right of Access

You have the right to request access to the personal information we hold about you. You can access much of your personal information directly through the Platform (via your profile, credentials, skills, and related features). For a comprehensive data access request, contact our Privacy Officer.

 

We will use best commercial efforts to respond to access requests within 30 days, and in all cases within the timelines required by applicable legislation. A reasonable fee may be charged for unusually extensive or complex requests, with advance notice.

14.2 Right of Correction

You have the right to request correction of inaccurate or incomplete personal information. You can correct most of your information directly through the Platform. If you believe information held by us is inaccurate and cannot be corrected through the Platform, contact our Privacy Officer.

14.3 Right to Withdraw Consent

You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. See Section 7.3 for details.

14.4 Right to Deletion

You may request the deletion of your personal information by emailing our privacy officer or by using any account deletion feature which may be available on the Platform from time to time. Subject to legal retention requirements (see Section 13), we will use best commercial efforts to complete deletion or anonymization of your personal information within 60 days of verifying your request, subject to statutory retention requirements in effect from time to time. Note that some data may be retained as required by law (e.g., audit logs and financial records).

14.5 Right to Data Portability

Upon request, we will use reasonable commercial efforts to provide a copy of your personal information in a structured, commonly used, machine-readable format, unless we are expressly required by applicable legislation to provide such access in a specific format or within a specific timeframe, in which case we will comply with such requirements. Contact our Privacy Officer to request a data export.

14.6 Right to Challenge Compliance

You have the right to challenge our compliance with this Privacy Policy and applicable privacy legislation. See Section 21 for our complaints process.

14.7 Exercising Your Rights

To exercise any of these rights:

 

  • Self-service: Access, correct, and manage much of your data directly through the Platform.

  • Contact us: Email our Privacy Officer at the address in Section 20 with your specific request.

 

We may require verification of your identity before processing a request, to protect against unauthorized disclosure. We will not require you to pay a fee for exercising your rights, except in cases of manifestly unfounded, excessive, or repetitive requests.

15. Consent-Based Data Sharing Between Users

15.1 How Organization Access Works

Healthcare organizations using the Platform may only access your professional information (credentials, skills, etc.) if you have provided explicit consent through the Platform's consent management system.

15.2 Consent Grant Features

The Platform's consent system provides you with the following controls:

 

  • Scope: You choose which categories of information to share (e.g., profile, credentials, skills, documents, training records, goals, or full access).

  • Purpose: Each consent grant includes a stated purpose for the data access.

  • Duration: Once provided, consent is ongoing until revoked by you.

  • Revocation: You may revoke any consent grant at any time, immediately terminating the organization's access.

  • Transparency: You can view which organizations have access and what scope they were granted.

15.3 Access Logging

Every access by an organization to your data through a Consent Grant is logged, including:

 

  • The identity of the organization and individual who accessed the data.

  • The timestamp of access.

  • The specific data categories accessed.

  • The IP address from which access occurred.

 

15.4 Organization Obligations

Organizations that receive Consent Grants are required to:

 

  • Use your information only for the stated purpose.

  • Comply with all applicable privacy legislation in their handling of your data.

  • Not further disclose your information to third parties without your independent consent.

15.5 Visibility of Your Information

When you grant an organization access to your professional information through a Consent Grant, authorized personnel within that organization (including administrators, managers, and designated staff) may view the categories of information within the scope of the Consent Grant. Your activity on the Platform is not visible to other individual users unless you have granted a Consent Grant or the information is shared through Platform features. We reserve the right to expand Platform features that may affect information visibility, and will update this section accordingly.

16. Cookies and Tracking Technologies

16.1 Cookies Used

The Platform uses a limited number of cookies, strictly for functional purposes:

Session/authentication cookies

Purpose - Maintaining your authenticated session

Type - Essential / Functional

Duration - Session duration

Sidebar state

Purpose - Remembering your sidebar UI preference

Type - Functional

Duration - 7 days

16.2 What We Do Not Use

  • We do not use advertising or marketing cookies.

  • We do not use third-party tracking pixels or analytics cookies that share data with advertising networks.

  • We do not engage in cross-site tracking.

16.3 Browser Settings

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.

16.4 Do-Not-Track Signals

The Platform does not currently respond to Do-Not-Track (“DNT”) browser signals or similar mechanisms, including the Global Privacy Control (“GPC”) signal. If a standard for responding to such signals is adopted that we are required to follow, we will disclose our practices in a revised version of this Privacy Policy.

17. Children's Privacy

The Platform is not intended for use by individuals under the age of majority in their province or territory of residence (18 in Alberta, Saskatchewan, Manitoba, Ontario, Prince Edward Island, and Québec; 19 in all other provinces and territories). We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from an individual who has not reached the age of majority in their jurisdiction of residence, we will take steps to delete such information promptly. If you believe a minor has provided us with personal information, please contact our Privacy Officer.

18. Data Breach Notification

18.1 Our Commitment

We maintain an incident response plan for the detection, investigation, containment, and remediation of data breaches involving personal information.

18.2 Notification to Individuals

In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm to affected individuals, we will:

 

  • Notify affected individuals as soon as feasible (and without unreasonable delay under PIPA) describing:

    • The nature of the breach.

    • The personal information involved.

    • Steps we have taken to reduce risk of harm.

    • Steps individuals can take to reduce their own risk.

    • Our contact information for further inquiries.

18.3 Notification to Authorities

Where required by applicable legislation, we will report the breach to:

 

  • The Office of the Privacy Commissioner of Canada (under PIPEDA).

  • The Office of the Information and Privacy Commissioner of Alberta (under PIPA).

  • The Information and Privacy Commissioner of any other applicable Canadian province or territory where required.

18.4 Record-Keeping

We maintain a record of all breaches of security safeguards, regardless of whether they meet the notification threshold, in accordance with PIPEDA and PIPA requirements.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes:

 

  • We will post the updated Privacy Policy on the Platform with a revised "Last Updated" date.

  • We will notify you of material changes through in-app notification or email to your registered email address at least 30 days before the changes take effect, unless a shorter notice period is necessitated by changes in applicable law, regulatory requirements, or exceptional business circumstances.

  • Where required by law, we will obtain your consent to material changes that affect how your personal information is collected, used, or disclosed.

 

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

20. Third-Party Websites and Services

The Platform may contain links to third-party websites, applications, or services that are not operated or controlled by Nurse Matrix Systems Inc., including but not limited to authentication services, payment processors, regulatory body websites, and educational resources. This Privacy Policy does not apply to the privacy practices of any third party. We encourage you to review the privacy policies of any third-party site you visit. We are not responsible for the content, privacy policies, or practices of any third-party websites or services. Any information you provide to a third-party website is governed by that third party’s own privacy policy.

21. Privacy Officer and Contact Information

Nurse Matrix Systems Inc. has appointed a Privacy Officer responsible for overseeing compliance with this Privacy Policy and all applicable privacy legislation.

 

To contact our Privacy Officer:

 

Nurse Matrix Systems Inc. Attention: Privacy Officer Email: privacy@nursematrix.ca Website: https://nursematrix.ca

 

For general inquiries: Email: support@nursematrix.ca

 

We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days or inform you if additional time is required.

22. Complaints

If you believe that we have not handled your personal information in accordance with this Privacy Policy or applicable privacy legislation, you may:

 

  1. Contact our Privacy Officer at the address above. We will investigate your complaint and respond within 30 days.

 

  1. File a complaint with the applicable privacy commissioner:

 

  • Office of the Privacy Commissioner of Canada (OPC) Website: www.priv.gc.ca Phone: 1-800-282-1376

 

  • Office of the Information and Privacy Commissioner of Alberta (OIPC) Website: www.oipc.ab.ca Phone: 780-422-6860

 

 

You are not required to file a complaint with us before contacting a privacy commissioner.

By using NurseMatrix, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact our Privacy Officer at privacy@nursematrix.ca.

Links to PDF:

Privacy Policy

Terms of Use

bottom of page