Privacy Policy

Introduction

At RAN BIOLINKS CANADA LTD, the developers of MAESTRO IMS, we are committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard the information of users of our enterprise inventory management platform and website (collectively, the "Services").

MAESTRO IMS is designed for healthcare organizations, health authorities, and regulated environments where data privacy is paramount. We treat all user data — including inventory records, operational data, and personal information — with the highest level of care.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with our policies and practices, please do not use our Services.

Information We Collect

We collect several types of information from and about users of our Services:

Information You Provide to Us

• Account Information: When you register for an account, we collect your name, email address, organization, job title, role designation, and account login credentials.
• Profile Information: Information you provide in your user profile, including contact information, facility assignments, and professional details.
• Communication Information: When you contact us, we collect information such as your name, email address, phone number, and the content of your communications.
• Payment Information: If you subscribe to our paid services, we collect billing information, though payment card details are processed by our third-party payment processors.
• Inventory and Operational Data: Any inventory records, stock transactions, reorder data, quality control records, audit logs, and other operational information that you upload, input, or generate through the Services.

Information We Collect Automatically

• Usage Information: Information about your interaction with our Services, including features you use, pages you visit, barcode scans performed, and actions you take within the platform.
• Device Information: Information about the device you use to access our Services, including hardware model, operating system, browser type, and barcode scanner hardware identifiers.
• Log Information: Server logs, including IP address, browser type, referring/exit pages, operating system, date/time stamps, and clickstream data.
• Cookies and Similar Technologies: We use cookies and similar technologies to collect information about your browsing activities and to distinguish you from other users of our Services.

Information We Receive From Other Sources

• Integration Partners: If you connect third-party services to our platform (such as PeopleSoft, Azure AD, or Microsoft Outlook), we may receive information from those services as required for integration functionality.
• Service Providers: We may receive information from our service providers, such as analytics providers and cloud infrastructure partners.
• Organizations: If you use our Services through a health authority or organization, we may receive information about you from that organization, including role assignments and facility access permissions.

How We Use Your Information

We use the information we collect for various purposes, including:

Providing and Improving Our Services

• To provide, maintain, and improve our inventory management platform
• To process inventory transactions, generate reorder recommendations, and manage stock transfers
• To generate compliance reports, audit trails, and operational analytics
• To develop new features and improve existing capabilities
• To respond to your requests, comments, and questions
• To provide customer service and technical support

Communication

• To communicate with you about our Services, including updates, security alerts, and support messages
• To send low-stock alerts, reorder notifications, and operational warnings
• To send marketing communications, if you have opted in to receive them

Analytics and Research

• To understand how our Services are used and identify areas for improvement
• To monitor and analyze trends, usage patterns, and activities
• To generate aggregated insights for platform performance optimization

Security and Protection

• To detect, prevent, and address technical issues and security threats
• To maintain immutable audit logs as required for regulatory compliance
• To investigate and prevent unauthorized access and fraudulent activities
• To verify your identity and enforce role-based access controls

Legal Compliance

• To comply with applicable laws, regulations, and legal processes including PIPA, FIPPA, and PIPEDA
• To enforce our terms and conditions and other agreements
• To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others

How We Share Your Information

We may share your information in the following circumstances:

With Your Organization

If you use our Services through a health authority or organization, that organization may have access to your information, activity logs, and content you provide or upload to the Services as part of their administrative oversight responsibilities.

With Service Providers

We share information with third-party service providers who help us provide, maintain, and improve our Services, such as cloud hosting providers (AWS), payment processors, analytics providers, and email service providers. All service providers are bound by contractual obligations to protect your data.

For Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

For Legal Reasons

We may share information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Enforce our agreements, policies, and terms of service
• Protect the security or integrity of our Services
• Protect RAN BIOLINKS CANADA LTD, our users, or the public from harm or illegal activities

With Your Consent

We may share information with third parties when you give us consent to do so.

Aggregated or De-identified Information

We may share aggregated or de-identified information, which cannot reasonably be used to identify you, for various purposes including research, analysis, and improving our Services.

Data Security

We implement rigorous technical and organizational measures to protect your personal information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

• AES-256 encryption of data at rest and TLS 1.3 encryption for data in transit
• Argon2 password hashing with configurable work factors
• Multi-factor authentication (TOTP) and single sign-on via Azure AD
• Role-based access control with location-scoped permissions and separation of duties
• Regular security assessments and penetration testing
• Immutable audit logs with 7-year retention
• Physical security measures at AWS data centers

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security.

For more detailed information about our security practices, please visit our Security page.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Audit Logs: Immutable audit records are retained for a minimum of 7 years to meet healthcare regulatory requirements
• Account Information: Retained for the duration of your account and for a reasonable period thereafter
• Inventory Transaction Data: Retained according to your organization's data retention policies and applicable regulations
• Communication Records: Retained for as long as necessary to resolve your inquiry and for a reasonable period thereafter

When we no longer need to use your personal information, we will either delete it or anonymize it in accordance with applicable data protection laws.

Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. These may include:

Access and Correction

You can access and update certain information about your account through your account settings. You may also contact us to request access to, correction, or deletion of personal information that you have provided to us.

Data Portability

You have the right to receive a copy of certain personal information we process about you in a structured, commonly used, and machine-readable format. MAESTRO IMS supports data export in CSV, Excel, and PDF formats.

Deletion

You can request deletion of your personal information in certain circumstances. Note that we may retain certain information as required by law or for legitimate business purposes, including immutable audit records required for regulatory compliance.

Objection and Restriction

You have the right to object to or request restriction of processing of your personal information in certain circumstances.

Withdraw Consent

Where we rely on your consent to process your personal information, you have the right to withdraw your consent at any time.

Marketing Communications

You can opt out of receiving marketing communications from us by following the unsubscribe instructions included in our marketing communications or by contacting us.

Canadian Privacy Legislation

RAN BIOLINKS CANADA LTD is based in Canada and complies with applicable Canadian privacy legislation, including:

• PIPEDA: Personal Information Protection and Electronic Documents Act — governing our handling of personal information in the course of commercial activities
• PIPA (BC): Personal Information Protection Act — applicable to organizations operating in British Columbia
• FIPPA (BC): Freedom of Information and Protection of Privacy Act — applicable to public bodies in British Columbia

All customer data is stored within Canadian borders (AWS ca-central-1 region) unless explicitly directed otherwise. For more information, please visit our Data Residency page.

International Data Transfers

RAN BIOLINKS CANADA LTD processes and stores information primarily in Canada. If you are located outside Canada, your information may be transferred to, stored, and processed in Canada. Canada's privacy laws have been recognized as providing adequate protection by the European Commission.

If we transfer personal information from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as Standard Contractual Clauses, to protect your personal information.

Children's Privacy

Our Services are not intended for children under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information as quickly as possible.

Changes to Our Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on our website prior to the changes becoming effective. We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.

Contact Us

If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

RAN BIOLINKS CANADA LTD
10212 Yonge Street, 202, Richmond Hill, Ontario, Canada, L4C 3B6
Email: [email protected]