Privacy Policy

September 2, 2025

Your privacy is important to us. Please read this policy carefully to understand how we collect, use, disclose, and protect your personal information, as well as the choices you have.

1. Who We Are

We are Vetted Medical Inc. ("Vetted Medical," "we," "us," or "our"), a consulting and tasking platform that connects licensed physicians with enterprises and healthcare organizations to validate, audit, and publish on medical AI products and models. This Privacy Policy describes how we handle personal information across our website https://vettedmedical.ai/ (the "Site") and any associated web or mobile services, platforms, or applications we make available (collectively, the "Vetted Medical Systems").

Unless otherwise stated, Vetted Medical Inc. is the controller of your personal information for our own business operations (e.g., operating the Site, onboarding physicians, paying contractors, marketing). When we process personal information strictly under a client's instructions (e.g., on a specific engagement), we act as that client's processor/service provider.

Head Office & Contact

Vetted Medical Inc.

3 Pl. Ville-Marie, Suite 400

Montréal (Québec) H3B 2E3, Canada

Privacy Officer: Vincent Dumouchel

privacy@vettedmedical.ai (privacy requests)

physicians@vettedmedical.ai (physician relations)

Hosting Location: Our primary servers/databases are located in Canada; data you provide will be stored in and/or transit through Canada.

2. Scope and Applicability

This Privacy Policy applies when you:

  • Visit or use the Site or Vetted Medical Systems;
  • Register as a physician to perform validation/audit tasks or participate in research/publications;
  • Engage us as a client or enterprise partner;
  • Communicate with us by email, phone, web forms, or other channels;
  • Attend our events or webinars; or
  • Interact with our marketing content.

This Policy does not cover third-party services you access via outbound links, or any processing performed by our clients outside our control.

3. Personal Information We Collect

"Personal information" (or "personal data") means information about an identifiable individual. Depending on your relationship with us (physician, client, visitor), we collect:

A. Information You Provide Directly

Registration (Physicians/Experts).

  • Identification and contact details (e.g., name, email, phone, address, country/province of practice).
  • Professional data (e.g., specialty, medical license number/authority, credentials, CV/resume, years in practice, language(s), affiliations, availability, hourly rate/compensation preferences).
  • Compliance data (e.g., eligibility declarations, conflicts, attestations, sanctions screening results where applicable).
  • Tax and payment data (e.g., banking details, tax numbers/forms for compensation).

Identity and Credential Verification (if required).

Documents or data to verify identity, licensure, or credentials (e.g., government-issued ID, proof of address, license certificates, membership cards).

Biometric/sensitive elements (only if expressly required and lawful): In limited cases, a verification partner may process images/video/selfies of you and/or your ID to validate authenticity or liveness. We do not sell, lease, or profit from biometric data. We will only use such data to verify identity/credentials and protect platform integrity, and we retain it no longer than necessary (see Retention).

Client/Enterprise Contacts.

Business contact details (name, role/title, organization, work email/phone), project requirements, procurement and invoicing information.

Communications, Support & Surveys.

Messages you send us (e.g., support requests, RFPs, feedback, testimonials), survey responses, and preferences.

User Content (Platform Use).

Content you submit within Vetted Medical Systems (e.g., task responses, annotations, ratings, commentary, audit notes). Depending on the project, User Content may include your voice or image if you voluntarily provide them to complete a task. We do not require patient-identifiable health information to perform routine tasks; if a client provides de-identified clinical data, additional contractual safeguards apply.

Health/PHI Notice: Vetted Medical's standard operations are designed not to collect patient-identifying health information. If a client instructs processing of such data, we act as a processor/service provider under a dedicated agreement with heightened safeguards.

B. Information Collected Automatically

When you browse or use the Site or Vetted Medical Systems, we may automatically collect:

  • Technical data: IP address, device/browser type, OS, language, time zone, referring/exit pages, approximate location (derived from IP).
  • Usage data: pages viewed, links clicked, session timestamps, login events, error logs, task completion metrics.
  • Cookies & similar tech: For session management, security, analytics, and preferences. (See Cookies section.)

C. Information from Third Parties

  • Verification partners (identity/licensure checks, sanctions/adverse media screening, where lawful).
  • Payment processors (tax forms, payment confirmations).
  • Business partners/clients (to provision platform access or collaborate on a project).
  • SSO providers (if you log in through a third-party identity provider, we may receive your name, email, and related profile attributes you authorize).

4. How and Why We Use Information (Purposes & Legal Bases)

We process personal information for the purposes below. Where required by law, we identify the relevant legal basis (e.g., Contractual Necessity, Legitimate Interests, Consent, Legal Obligation).

| Purpose | Categories Used | Legal Basis |
| --- | --- | --- |
| Provide and operate Vetted Medical Systems (create/manage accounts, enable tasks/projects, match physicians to engagements, provide support). | Registration, professional, communications, usage, third-party data. | Contractual necessity; Legitimate interests. |
| Identity & credential verification (protect platform integrity, reduce fraud, confirm licensure/scope). | Registration, verification docs, limited biometric/sensitive data if applicable. | Legitimate interests; Legal obligation where applicable; Consent where required for biometrics. |
| Payments & compensation (pay physicians/experts; invoice clients; tax reporting). | Financial/payment, registration, usage, third-party payment data. | Contractual necessity; Legal obligation. |
| Security, integrity & abuse prevention (detect/prevent fraud, spam, misuse; investigate incidents; enforce terms/policies). | Technical, usage, registration, communications, third-party signals. | Legitimate interests; Legal obligation. |
| Personalize experiences & matching (suggest relevant tasks/opportunities; tailor content). | Registration, professional data, usage, analytics. | Legitimate interests; Consent where required. |
| Improve products & research (analyze performance, test new features, quality assurance). | Usage, technical, feedback/surveys, de-identified aggregates. | Legitimate interests. |
| Marketing & events (send updates, newsletters, event/webinar invites). | Contact/registration, preferences, usage. | Consent where required; Legitimate interests. |
| Business operations (audits, reporting, forecasting, planning, training, governance). | Registration, usage, financial, communications, aggregates. | Legitimate interests. |
| Compliance & legal (respond to lawful requests, enforce rights, manage disputes/claims). | Any relevant categories. | Legal obligation; Legitimate interests. |
| De-identification & aggregation (create non-identifying datasets/statistics). | Any relevant non-essential categories. | Legitimate interests (minimization). |

We do not sell or rent your personal information.

5. Information Sharing and Disclosure

We may share personal information as follows, subject to contractual and legal limits:

Clients/Enterprises.

We share physician professional details (e.g., name, specialty, credentials, languages, relevant experiences, geographic availability) to assess fit for specific engagements. We may share User Content produced for a client engagement under the relevant contract.

Service Providers (Processors).

Infrastructure hosting, identity/credential verification, analytics, communications, payment processing, document signing, and security vendors that process data on our behalf under confidentiality and security obligations.

Affiliates.

Where needed to deliver or support the Vetted Medical Systems and operations under this Policy.

Other Users (limited).

For collaboration features (e.g., project workspaces), your name/profile may be visible to authorized collaborators on the same project.

Third-party Networks/Websites (Marketing).

If we run campaigns on third-party platforms, those platforms process data under their own privacy policies. We do not provide them with your sensitive data; we use audience tools consistent with applicable law and your choices.

Law, Safety, and Rights.

We may disclose information if we believe it is reasonably necessary to: (a) comply with applicable law, regulation, legal process, or government request; (b) protect any person from death or serious bodily harm; (c) detect, prevent, or address fraud, abuse, or security issues; or (d) protect our rights, property, safety, or interests (or those of our users or the public).

Corporate Transactions.

In connection with a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred to a successor, subject to this Policy and applicable law.

We do not sell personal information to third parties.

6. Retention and Deletion

We retain personal information only as long as necessary to fulfill the purposes described above, to comply with legal, accounting, and reporting obligations, to resolve disputes, and to enforce agreements.

Retention periods vary by data type and context. We consider: the amount, nature, and sensitivity of the information; the potential risk of harm from unauthorized use or disclosure; the purposes of processing and whether these can be achieved by other means; and legal requirements.

  • Payment/tax records: retained per statutory/accounting timeframes.
  • Identity/credential verification data: retained only for as long as needed to verify and maintain the integrity of the platform or as required by law. If biometric elements are used by a verification provider, they are retained no longer than necessary and deleted per provider obligations and applicable law.
  • User Content & project records: retained per contract and legal requirements.
  • Marketing records: retained until you opt out or until no longer needed.

When retention ends, we delete or de-identify data. If complete deletion is not feasible (e.g., backup systems), we will securely isolate and restrict it from further processing.

7. Security

We employ administrative, technical, and physical safeguards designed to protect personal information (e.g., access controls, encryption in transit/at rest where appropriate, network monitoring, least-privilege access, vendor due diligence). No method of transmission or storage is 100% secure; we continually improve safeguards to mitigate risks.

Incident Response (Law 25). We maintain internal procedures to record and assess confidentiality incidents and, where required, notify affected individuals and regulators.

8. International Transfers

Our primary hosting is in Canada. If you access the Vetted Medical Systems from outside Canada, your information may be transferred to, stored, and processed in Canada (and, where applicable, other jurisdictions where our vetted service providers operate). We implement appropriate contractual and organizational safeguards for cross-border transfers consistent with PIPEDA and Québec Law 25, and, where applicable, EU/UK data protection laws (e.g., Standard Contractual Clauses and supplementary measures).

If you are in the EEA/UK/Switzerland: where required and in the absence of an adequacy decision for a destination country, we rely on appropriate transfer mechanisms (e.g., SCCs) and measures designed to protect your personal information.

9. Your Privacy Rights and Choices

Your rights depend on your jurisdiction. Subject to applicable law, you may have the right to:

  • Access the personal information we hold about you;
  • Rectify inaccurate or incomplete information;
  • Delete your personal information (subject to legal/contractual limitations);
  • Withdraw consent where processing is based on consent;
  • Object to or restrict certain processing;
  • Portability (receive certain information in a portable format); and
  • Manage marketing communications (unsubscribe at any time).

To exercise rights, contact privacy@vettedmedical.ai. We may request information to verify your identity and jurisdiction. If your platform access was provisioned by a business client, we may direct you to that organization for requests related to their administrator-controlled accounts.

Regulators (Canada).

  • Office of the Privacy Commissioner of Canada (OPC)
  • Commission d'accès à l'information du Québec (CAI)

10. Children's Privacy

Vetted Medical Systems are not directed to individuals under 18 (or the age of majority in your jurisdiction). If we learn we have collected personal information from a minor, we will delete it.

11. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to:

  • Keep you signed in and maintain session security;
  • Remember preferences;
  • Analyze traffic and performance;
  • Improve features and content.

You can control cookies through your browser settings. Some cookies are essential to the operation of the Vetted Medical Systems and cannot be disabled without affecting functionality. Where required by law, we obtain consent for non-essential cookies. (A separate Cookies Notice can be provided on request.)

12. Additional Information for Québec (Law 25)

  • Privacy Officer: Identified above, responsible for ensuring compliance and handling requests.
  • Governance: We maintain internal privacy policies, access controls, and incident logging.
  • Automated Decision-Making: If we use automated tools to suggest matches between physicians and projects, humans remain involved in final matching decisions. You can request general information about the logic involved and your rights related to such processing.
  • De-indexing/Portability: We will honor applicable Law 25 rights as they enter into force and are clarified by regulation.
  • Cross-Border Communication: Where cross-border disclosures occur, we conduct an assessment of the sensitivity of the information, the purposes for its use, and applicable legal protections.

13. Changes to This Policy

We may update this Privacy Policy as our services and legal requirements evolve. We will post updates on this page with a new "Last Updated" date. If we make material changes, we will provide additional notice (e.g., email, in-product notice) as required.

14. Contact Us

If you have questions or would like to exercise your privacy rights:

Vetted Medical Inc.

Attn: Privacy Officer - Vincent Dumouchel

3 Pl. Ville-Marie, Suite 400

Montréal (Québec) H3B 2E3, Canada

privacy@vettedmedical.ai