Privacy Policy

Intoto Inc., and its affiliates or corporate partners, (“Intoto” or “we“/”our”), collect, use, and disclose Personal Information in compliance with Canadian and applicable laws when providing services to our users or individuals who reach out to us (together, “you” or “your”).  Along with our Terms of Service, this privacy policy (“Policy”) serves to let you know how we collect, use, and disclose your personal information when you visit, access, log-in to, or use our mobile application, our website or our social media accounts (the mobile application, website and social media accounts are collectively referred to as the “Platform”).

Any capitalized terms not defined in this Privacy Policy are defined in our Terms of Use which is available for review here: [www.intoto.ca]

WHAT IS PERSONAL INFORMATION

Within this policy, Personal Information is defined as any factual or subjective information, recorded or not, about an identifiable individual or which may allow an individual to be identified.  For instance, personal information includes age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, and medical records.

We are responsible for the personal information that we possess or control. We maintain internal practices to protect personal information and have appointed a Privacy Officer to oversee privacy matters.

WHY WE COLLECT, USE AND DISCLOSE PERSONAL INFORMATION

We collect, use, and disclose necessary personal information for the primary purpose of providing our Platform. To provide the Platform, we use personal information:

• to maintain our relationship with you and other third parties, such as Universities who have registered to use the Platform;
• to provide and enhance our Platform;
• to provide you with suggestions based on your use of the Platform;
• to answer your inquiries or questions;
• to collect and process payments;
• to update you on changes to our practices and procedures;
• to send updates to our mailing list subscribers;
• to develop and manage our operations;
• to detect and protect against error, fraud, theft and other illegal activity;
• to authenticate you when you contact us;
• to communicate with you in the context of providing technical support;
• to communicate with you respecting the use of the Platform and other matters including but not limited to regulatory compliance, subscription and payment information, software or application functionality and updates, security and breaches;
• to track and improve our services, software, applications, security, and evaluate how we are doing;
• to fulfill our contractual obligations; and
• as permitted by, and to comply with, applicable laws and local rules and regulations related to COVID-19 vaccinations.

For people who contact us regarding a job at Intoto, we would also use your personal information to communicate with you about the job.

WHAT PERSONAL INFORMATION DO WE COLLECT

When you use our Platform as an educational institution (an “Institutional User”), the types of personal information we collect about you or have access to include:

• your IP Address;
• the geolocation of your device;
• your name and the name of the institution you represent;
• your E-mail address associated with your institution, which may contain personal information;
• your business phone number; and
• your institution’s payment information.

When you use our Platform as a student (a “Student User”), the types of personal information we collect about you or have access to include:

• your IP Address;
• the geolocation of your device;
• your name and/or screen name;
• your photograph and/or likeness, if you choose to upload it to the Platform;
• your E-mail address;
• your phone number;
• your payment information;
• your gender;
• your date of birth;
• your current and/or permanent addresses including country, state/province, and postal code;
• your travel details, including port of departure and arrival, flight number and carrier (if applicable), and travel itinerary; and
• your COVID-19 vaccination status.

Some of the information that we collect about you, including your COVID-19 vaccination status may be considered by applicable law to be “personal health data.” We only collect, process, and disclose this information from you in order to comply with applicable laws, local regulations, and policies related to vaccination against COVID-19, including the policies of our Institutional Users. We will only ever collect, use, and disclose this information in accordance with our obligations under applicable law.

If you have reached out to us for employment opportunities, we collect personal information including your name, address, telephone number, date of birth, social insurance number, banking information, benefit information, emergency contact information, resume, reference letters, and/or police record or RCMP record checks.

We also collect information through e-mail communications and your use of our website located at [www.intoto.ca] (“Website”). We collect this information to adjust our content, verify your credentials or authenticate you, and understand your preferences and online activities when interacting with our Platform.

We may also collect information about you, or use information that has been collected about you, if you have interacted with our social media pages, or that you have posted publicly on third party sites such as:

• Instagram;
• Facebook;
• LinkedIn; and
• YouTube

Personal Information We DO NOT Collect

We do not collect any personal data related to:

• Financial information except as necessary to process payments; or
• Medical or personal health information, other than your COVID-19 vaccination status through our COVID-19 Vaccination Reporting tool. This information is only collected to comply with applicable laws, regulations, and the vaccination policies of our Institutional Users.

If we determine that you or another Customer has provided the above information to our Platform, we will t  ake immediate steps to delete or otherwise destroy that information.

How do we store and retain your Personal Information?

Storage

The Platform is hosted by Amazon Web Services, and all information uploaded to the Platform or sent to Intoto in connection with the Platform is held on our Amazon AWS servers located in the United States of America. We do not keep any hard copies of personal information, and in the event that we have or have received hard copy documents containing personal information, we will destroy hard copies as soon as is feasible, subject to our legal obligations. We do not currently have physical offices and do not retain physical copies of data.

Retention

We retain personal information only for as long as we need to for the purposes outlined in this Policy, unless otherwise required by law or you request that we delete your personal information.  For instance, under Canadian law, we must retain financial information for at least 6 years.  Once we no longer need the information for the purpose for which it was collected, we securely dispose of or de-identify any Personal Information, subject to our legal requirements and any written requests from you. We do not sell your personal information.

Types of Data We Collect

The data we collect from you consists of:

• Text (i.e. your e-mail address);
• Images (i.e. images that you upload to the Platform);
• Metadata (i.e. the date you visited the Platform);
• Raw data (i.e. transaction data provided by Stripe, or payment provider); and
• Aggregate data (i.e. data related to the use of our website.

Location of your Personal Information

Personal Information collected from you will be transferred to, stored, and processed at the Amazon Web Services servers located in the United States of America.

Our Websites

Cookies

We collect personal information using cookies on our Platform. Cookies are small files placed on your devices to track how you use our website. This helps us improve your user experience and save your preferences.  We use essential, functionality, analytics and performance cookies.

Essential Cookies. These Cookies are essential to provide you with services available through our Platform and to enable you to use some of its features. For example, they allow you to log in to secure areas of our Platform and help the content of the pages you request load quickly. Without these Cookies, the services that you have asked for cannot be provided, and we only use these Cookies to provide you with those services.

Functionality Cookies. These Cookies allow our Platform to remember choices you make when you use our Services, such as remembering your language preferences, remembering your login details and remembering the changes you make to other parts of Services which you can customize. The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Services.

We use functional cookies that are required for you to use the Platform including, but not limited to:

• third-party cookies to ensure safety and security;
• Google RECAPTCHA;
• Stripe

Analytics and Performance Cookies. These Cookies are used to collect information about traffic to Services and how users use our Services. The information gathered does not identify any individual visitor. The information is aggregated and anonymous. It includes the number of visitors to our Platform, the websites that referred them to our Platform, the pages they visited on our Services, what time of day they visited our Platform, whether they have visited our Services before, and other similar information. We use this information to help operate our Services more efficiently, to gather broad demographic information and to monitor the level of activity on our Services.

We also use optional cookies activated upon consent like Google Analytics (see our Third-Party Service Providers).

Some browsers can block cookies through your browser settings. Blocking cookies may affect the way our Websites works on your device. You can set up your browser to disable cookies at any time. For instructions on how to disable cookies, please visit the links below:

• Internet Explorer
• Mozilla Firefox
• Microsoft Edge
• Google Chrome

Online Communications

Our Website allows you to submit information to us through our “Contact us” form. We use the personal information you provide only to address your question or inquiry.

We also send e-mails to the people in our contact database regarding updates to our services or practices.  Our e-mails contain opt-out features and instructions on how to unsubscribe.  You can also send us an email to [info@intoto.ca ] to be removed from our contact list.  You acknowledge that in some cases, we will need to authenticate you before processing the request.

Electronic Marketing Communications

We may send you information about our Product or other promotions that we think might interest you. Unless we already have a business relationship with you, or you have offered your contact information to us (i.e. your business card), we will always obtain your consent to receive sales and marketing information before sending you any  commercial electronic communications.

You have the ability to withdraw your consent and opt-out of our sales and marketing communications at any time. If you wish to do so, please contact our Privacy Officer at inderpreet@intoto.ca  or select the unsubscribe link in an e-mail that you receive. If you choose to unsubscribe and request that you be placed on a “do not contact” list, you acknowledge and agree that we will retain your information on our “do not contact” list, and we will retain your personal information to ensure that we do not send you unsolicited communications

Third Party Links

Our Websites contains links to other websites. Those other websites may also collect your personal information. We are not responsible for how those other websites collect, use or disclose your personal information. We strongly encourage you to review their privacy policies before providing them with your personal information.

Do Not Track Signals

As there is not yet a common understanding of how to interpret Do Not Track (“DNT”) signals, we do not currently respond to such browser DNT signals.

Our Third-Party Service Providers

To the extent we engage third-party service providers, we try to ensure that those providers maintain comparable privacy protections and practices if they process your personal information. Some of our third-party service providers include:

• Amazon Web Services (for website hosting services).
• Google Analytics (for analytical purposes); and
• Stripe (to process payments).

AUTOMATED DECISION MAKING

We do not use systems that make autonomous decisions with your Personal Information.

YOUR CONSENT

We will obtain your express consent to collect, use and disclose your personal information wherever possible and where required by law. If you provide personal information directly to us, we assume you consented to the processing of your information for the reason you provided your information. This applies where you have signed up as a Student or University User, agreed to our Terms, or an authorized representative has done so on your behalf. 

We do not collect, use or disclose personal information without consent unless authorized or required by law to do so, such as in the following circumstances:

• when the information is publicly available, such as in public directories, registries or published information;
• if we are required to disclose personal information to a lawful authority;
• in an emergency that threatens someone’s life, health or personal security;
• for security reasons; or
• as otherwise authorized by law.

We obtain electronic or oral consent from those who subscribe to our Website for updates on the launch of our Product or who express an interest in receiving communications from us.

PROVIDING YOUR PERSONAL DATA TO OTHERS OR RECEIPT FROM OTHERS

From time to time we may need to provide your personal information to other parties to provide the Platform and process your transactions, or as required by applicable law. We provide only what is necessary to complete the service and/or fulfil our obligations. We may also receive information about you from another party, such as our payment processor. When we receive information from another we do so because it is for a legitimate business purpose or it is necessary to complete the service or would negatively impact you to be required to obtain the information from you first. For example, we may be required to provide or receive information to a payment processing company such as Stripe.

YOUR RIGHTS TO THE PERSONAL INFORMATION WE POSSES ABOUT YOU

Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at the address located below. You acknowledge and agree that by contacting Intoto to exercise any of these rights, you consent to the collection by Intoto of certain Personal Information for the purposes of verifying your identity.

SECURITY AND ACCURACY

We protect personal information in our files from loss, misuse, unauthorized access, and alteration using technical, physical and administrative methods.  We frequently monitor our systems to ensure we have implemented up-to-date and effective security measures. Only senior employees with a need-to-know and authorized back-end access to the website have access to your Personal Information. Access is only provided upon an employee or sub-contractor obtaining approval from a director of Intoto. We ensure that all our employees and/or sub-contractors have entered into agreements related to the protection and security of your Personal Information containing terms no less restrictive than the terms outlined in this Privacy Policy.

We have implemented the following security measures :

• Our database is encrypted and managed by Mongo Atlas;
• We use security groups in our Amazon Virtual Private Cloud (VPC) to act as a firewall and control inbound and outbound traffic. These are configured on specific ports for Tomcat secure servers;
• Production environments are configured with security built into our infrastructure based on the “privacy by design” principle;
• All logins are completed through secure JSON Web Tokens (JWT).

However, you acknowledge that no one security system is impenetrable.  By sharing your personal information with us, your personal information may be at risk if someone breaches our systems or the systems of our third-party service providers.  In such cases, we will notify you as soon as is feasible if it is reasonable to believe that the breach created a real risk of significant harm to you.

We try to ensure that personal information we have on file is accurate.  We encourage you to contact us to update your personal information where you are aware our records are incorrect.

For more information on our security measures or records, please contact us at [info@intoto.ca ]

CONTACT US

If you would like to review or correct your personal information we have on file, or have any other concerns regarding your privacy rights, please send a written request to:

Privacy Officer

[Inderpreet Singh] [inderpreet@intoto.ca}

We will respond within 30 days. If more time is required we will advise you, and provide the reasons.

You acknowledge that when you request to exercise your privacy rights, you are consenting to our collection of your basic contact information so that we can authenticate you and communicate with you regarding your request.

CHALLENGING COMPLIANCE

Intoto will respond to questions we receive about this Policy and our legal compliance. We will investigate all challenges and attempt to resolve all complaints. If you feel we have not met our legal obligations under this Policy or applicable laws, please contact our Privacy Officer at [inderpreet@intoto.ca ]. Following our investigation, we will decide whether to update our policies and practices as necessary.

If you are unsatisfied with our responses, you may at anytime consult the relevant government privacy office based in your province, state or country.

In Canada you may contact:

• If you are in Ontario: https://www.priv.gc.ca/
• If you are in Quebec: https://www.cai.gouv.qc.ca

UPDATES

We review and revise this Policy regularly.  We reserve the right to change our Policy at any time by posting a new Policy on our Websites.

This Policy was last updated on [2021-11-04].