Privacy Policy

Last updated: 2026-04-13

1. Information We Collect

Canadian University of Aesthetic Dermatology (“CUAD”, “we”, “our”) collects personal information that you voluntarily provide when registering for an account, enrolling in courses, purchasing services, or contacting us. This may include your name, email address, date of birth, payment information, and course progress data.

2. How We Use Your Information

We use your information to provide and improve our educational services, process payments via Stripe, communicate with you about your account and courses, issue certificates, and personalize your learning experience.

3. Data Storage and Security

Your data is stored securely using Google Firebase infrastructure. Payment processing is handled by Stripe and we do not store your full credit card details on our servers. We implement appropriate technical and organizational measures to protect your personal data.

4. Third-Party Service Providers

We rely on the following third-party processors to operate the CUAD platform. Each provider receives only the information necessary to perform its function, and each maintains its own privacy policy that governs its independent processing of your data.

  • Google Firebase (Google LLC) — authentication, Firestore database, cloud storage, and analytics. Receives: account credentials, profile data, course progress, device identifiers. Policy: https://policies.google.com/privacy.
  • Stripe, Inc. — payment processing for web purchases. Receives: name, email, billing address, payment card details (handled directly by Stripe; CUAD never stores full card numbers). Policy: https://stripe.com/privacy.
  • Apple Inc. — App Store distribution of the CUAD iOS reader app. CUAD does not sell, subscribe, or otherwise transact through the App Store; the iOS app is a Reader app under Apple’s policy and contains no in-app purchases. Apple may collect Apple ID, device identifiers, and download/usage analytics in connection with App Store distribution; this data is handled directly by Apple and is governed by its own policy: https://www.apple.com/legal/privacy/.
  • Anthropic, PBC — AI tutor chat (model claude-haiku-4-5-20251001). Receives: messages typed by the user during AI tutor conversations, plus anonymized context about the active course and tier. No directly identifying account fields are sent in the prompt. Policy: https://www.anthropic.com/privacy.
  • Resend — transactional email delivery (welcome emails, password resets, course completion notifications). Receives: email address and name. Policy: https://resend.com/legal/privacy-policy.
  • Pinecone — vector database for course-content retrieval (RAG). This integration is currently disabled and may be used in the future to improve AI tutor responses. If enabled, it would receive embedded course-content vectors and anonymized query embeddings. Policy: https://www.pinecone.io/privacy/.

5. Your Rights

Under applicable Canadian privacy legislation including PIPEDA, you have the right to access, correct, or delete your personal information. You may also withdraw consent for data processing at any time by contacting us.

6. Consent

In accordance with PIPEDA Principle 3, we obtain your meaningful consent before collecting, using, or disclosing your personal information. By creating an account and using our services, you consent to the collection and use of information as described in this policy. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us directly.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Course completion records and certificates are retained indefinitely for verification purposes. Account data is deleted within 30 days of an account deletion request. Payment records are retained as required by Canadian tax regulations.

Right to immediate deletion. Notwithstanding the retention periods above, you may request immediate deletion of your personal information at any time via the in-app account deletion flow or by emailing support@cuad.ca. Some records (e.g., financial transactions retained for tax compliance) may be retained in anonymized form where required by law.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party advertising cookies. You may configure your browser to refuse cookies, but this may limit your ability to use certain features of the platform.

9. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm, CUAD will notify affected individuals and the Office of the Privacy Commissioner of Canada as required under PIPEDA’s mandatory breach notification provisions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our platform. Continued use of our services after changes take effect constitutes acceptance of the revised policy.

11. Contact

For privacy-related inquiries, to request access to your personal information, or to file a complaint, please contact CUAD through our support channels at support@cuad.ca. You may also contact the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

12. GDPR (European Union) Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the EU General Data Protection Regulation (GDPR) gives you specific rights regarding your personal data.

Lawful basis for processing. We process your personal data on the following legal bases:

  • Contract performance — providing course access, certificates, and account services you have purchased.
  • Legitimate interest — improving our services, securing the platform, and preventing fraud.
  • Consent — optional features such as marketing communications and non-essential analytics.
  • Legal obligation — tax record retention and responding to lawful regulatory requests.

Your GDPR rights. You have the right to:

  • Access the personal data we hold about you;
  • Request rectification of inaccurate or incomplete data;
  • Request erasure (the “right to be forgotten”);
  • Receive your data in a portable, machine-readable format;
  • Object to processing based on legitimate interest;
  • Request restriction of processing;
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.

How to exercise your rights. Email support@cuad.ca. We will respond within 30 days of verifying your identity.

Data Controller. Canadian University of Aesthetic Dermatology, [ADDRESS TO BE PROVIDED].

EU Representative. [EU Representative not yet appointed].

International data transfers. Your personal data is stored and processed in Canada and the United States. For users located in the EEA, the United Kingdom, or Switzerland, transfers outside your jurisdiction are governed by the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, by Canada’s adequacy decision under GDPR.

13. CCPA / CPRA (California) Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the rights described below.

Categories of personal information collected (last 12 months):

  • Identifiers — name, email address, account ID, device identifiers.
  • Commercial information — course enrollments and one-time purchase history.
  • Internet or other electronic network activity — course progress, quiz/exam responses, AI tutor chat content, in-app navigation events.
  • Inferences — derived data used to recommend courses or adapt the learning experience.
  • Professional or education information — course completions and certificates.

We do not sell or share your personal information for cross-context behavioral advertising or any other purpose. We have not sold or shared personal information in the preceding 12 months, and we have no plans to do so.

Your California rights:

  • Right to know what personal information we collect, use, and disclose;
  • Right to delete personal information we have collected from you;
  • Right to correct inaccurate personal information;
  • Right to opt out of the sale or sharing of personal information (not applicable — we do neither);
  • Right to limit the use and disclosure of sensitive personal information;
  • Right to non-discrimination for exercising any of the above rights.

Do Not Sell or Share My Personal Information. We do not sell or share your personal information. To exercise any other California right, email support@cuad.ca.

14. Quebec Law 25

If you reside in the Province of Quebec, the Act respecting the protection of personal information in the private sector, as modernized by Law 25, applies to our handling of your personal information.

Designated Privacy Officer. [Privacy Officer name TBD]. The Privacy Officer is responsible for ensuring CUAD’s compliance with Quebec privacy law and may be contacted at support@cuad.ca.

Cross-border data transfer notice. Your personal information is processed in Canada and the United States. Several of our processors — including Firebase (Google), Stripe, and Anthropic — are primarily hosted in the United States. Before transferring your information outside Quebec, we conduct a privacy impact assessment of the destination jurisdiction’s legal framework, as required by Law 25.

French-language version. A French version of this Privacy Policy will be made available at /legal/privacy/fr [TODO: French translation pending]. Quebec users may request the French version at any time by emailing support@cuad.ca.

15. Children’s Privacy / COPPA

The CUAD platform delivers professional medical-aesthetic education and is intended for users aged 18 and older.

Users 13-17 (with verified parental consent). Where local law permits and a parent or legal guardian has provided verified consent through our consent flow, we may collect from minor users: email address, name, date of birth, mailing address, course progress, quiz/exam responses, and AI tutor chat content. We use this information solely to provide the educational service and do not use it for advertising or profiling.

Users under 13. We do not knowingly collect personal information from children under the age of 13. Sign-ups by users under 13 are refused. If we discover that we have inadvertently collected information from a child under 13, we will delete it promptly.

Parental rights. Parents or legal guardians may request access to, correction of, or deletion of a minor’s personal information at any time by emailing support@cuad.ca. They may also withdraw their consent, which will result in the deletion of the minor’s account.