• Stripe, Inc.: transaction and subscription status data returned from the Stripe API following payment events.
• Google: basic profile information (name, email address, profile picture if available) returned on Google OAuth authentication, if you choose that login method.
• Mux, Inc.: video playback analytics (play rate, watch duration, quality metrics) associated with your lesson activity.

• Creating and managing your account and authenticated sessions
• Delivering NCLEX-RN preparation, IELTS preparation, credential filing support, and immigration pathway guidance
• Processing and displaying your learning progress, quiz scores, and analytics summaries
• Providing your assigned tutor or advisor with the information necessary to support you
• Scheduling and facilitating live classes, office hours, and filing calls
• Processing subscriptions, invoices, and payment history
• Sending transactional communications: account confirmations, payment receipts, filing status updates, schedule reminders, and platform notices

• Calculating engagement scores, risk flags, and category performance to enable educator and advisor intervention
• Running nightly analytics functions to identify students who may require additional support
• Improving the accuracy and effectiveness of the platform’s content, quiz items, and scheduling features
• Conducting aggregate, de-identified analyses of student outcomes (e.g., cohort-level NCLEX pass rates) for product development and reporting purposes

• Verifying the integrity and provenance of credential documents submitted for filing
• Maintaining audit trails of administrative actions (user role changes, document reviews, payment overrides)
• Complying with lawful requests from regulatory authorities or courts having competent jurisdiction
• Detecting and preventing fraud, unauthorized access, and abuse of the platform

With your express or implied consent in accordance with CASL, we may send you commercial electronic messages about new services, cohort intake dates, and educational resources. You may withdraw consent at any time by using the unsubscribe mechanism in any such message or by contacting our Privacy Officer.

The Comprehensive Ranking System (CRS) estimator and immigration pathway information we provide are for orientation and informational purposes only. This content does not constitute legal immigration advice and does not create a solicitor-client relationship. Users requiring formal immigration advice must consult a Regulated Canadian Immigration Consultant (RCIC) or a licensed immigration lawyer. We connect users to RCICs as a referral, not as their representative. Information collected through the CRS estimator is used solely to generate the in-session score estimate and is not retained beyond the session unless the user has an authenticated account.

We disclose personal information to third-party service providers who process data on our behalf, strictly pursuant to written agreements that impose obligations at least as protective as those in this Policy:

If you are enrolled in a course, your assigned tutor or educator has access to your learning progress, quiz performance, engagement scores, category weakness data, and schedule participation. This access is technically scoped by database-level controls — educators can only access records for students in their assigned courses. Educators are bound by confidentiality obligations in their agreements with us.

Filing advisors and immigration advisors assigned to your case have access to the documents and case information you upload or share within your filing workspace. Access is logged and audited. Advisors are not authorized to disclose your documents to any third party without your express prior consent, except to the applicable regulatory body or government institution as part of the filing process you have authorized.

We may disclose personal information without your consent to the extent permitted or required by law, including:

• In response to a lawful subpoena, court order, or demand from a law enforcement agency or regulatory authority with competent jurisdiction
• Where we have reason to believe that an individual’s life, health, or safety is at risk
• In connection with the investigation or prevention of fraud, cybercrime, or unauthorized access to the platform
• To our legal counsel for the purpose of obtaining legal advice (under solicitor-client privilege)

We will, where legally permissible, notify affected users before disclosing their information in response to legal process.

In the event of a merger, acquisition, sale of assets, reorganization, or insolvency proceeding involving the Company, personal information held by the Company may be transferred to a successor organization. We will provide notice on the platform and by email no fewer than 30 days before any such transfer occurs and will ensure that the successor is bound by equivalent privacy obligations. You will have the right to withdraw consent and request deletion of your information before the transfer is completed.

• All data transmitted between your browser and our platform is encrypted using Transport Layer Security (TLS 1.2 or higher)
• All data stored in our database and file storage infrastructure is encrypted at rest
• Credential and filing documents are stored in a private storage bucket with no public URL access; all access requires a short-lived signed URL (valid for 5 minutes) generated for authenticated and authorized users only
• Passwords are hashed using industry-standard algorithms; we do not store plaintext passwords
• Database-level Row-Level Security (RLS) policies enforce access boundaries between user roles at the data layer, independent of application-level controls
• Authentication sessions are managed through Supabase’s secure session infrastructure

• Access to personal information is restricted to personnel and service providers who require it to perform their functions
• All administrative actions (role changes, document reviews, payment overrides) are logged in an immutable audit trail
• Staff and contractors with access to personal information are bound by confidentiality obligations
• We conduct periodic reviews of access permissions

The platform’s data model includes a file scan state for uploaded credential documents. Integration with a virus and malicious content scanning service is a required operational dependency that must be confirmed as active and tested before credential document uploads are accepted from users. Until such integration is verified in production, uploaded files are not subject to automated malicious content scanning, and users will be notified of this limitation at the point of upload.

In the event of a security incident involving unauthorized access to, disclosure of, or loss of personal information that poses a real risk of significant harm to one or more individuals, we will:

• Notify the Commission d’accès à l’information du Québec (CAI) and the Office of the Privacy Commissioner of Canada (OPC) within the time limits prescribed by applicable law
• Notify affected individuals as soon as reasonably possible, with sufficient information to enable them to take protective measures
• Maintain a register of security incidents as required under Quebec Law 25
• Take immediate steps to contain and remediate the incident

You have the right to request access to the personal information we hold about you, to be informed of the sources from which it was collected, the purposes for which it is used, the categories of third parties to whom it has been disclosed, and the retention period applicable to it (Quebec Law 25, s. 37; PIPEDA Principle 9).

We will respond to a verified access request within 30 days (extendable by an additional 30 days in complex cases, with notice). We will provide information in a structured, commonly used format. If we hold the information in a technological form, we will provide it in a structured, technological format (portability right under Quebec Law 25, effective September 2023).

You have the right to request correction of any personal information that is inaccurate, incomplete, ambiguous, or outdated. We will update your information within 30 days of a verified correction request and, where the information has been disclosed to a third party, inform that third party of the correction.

Where our processing is based on your consent, you may withdraw that consent at any time, subject to legal or contractual restrictions. Withdrawal of consent will not affect the lawfulness of processing carried out before its withdrawal. However, withdrawal may limit or prevent our ability to provide certain Services to you. We will advise you of the consequences before withdrawal takes effect.

You have the right to request the deletion of personal information where: (a) the information is no longer necessary for the purposes for which it was collected; (b) you have withdrawn consent and there is no other legal basis for processing; or (c) the information was collected from a minor without valid parental consent.

We may decline an erasure request where retention is required by law (e.g., tax records, regulatory compliance), where the information is necessary for the establishment or defence of legal claims, or where there is an overriding public interest.

Under Quebec Law 25 (effective September 2023), you have the right to receive your personal information held in a technological form in a structured, commonly used, and technology-neutral format, and to request that it be transmitted directly to another organization where technically feasible. This right applies to information you have directly provided and that is processed by automated means.

We use automated analytics to calculate engagement scores, identify risk flags, and generate learning recommendations. These automated assessments are used to support — not replace — human educator and advisor judgment. No consequential decision about your access to the Services or your candidacy for registration is made solely by automated means without human review. If you believe an automated assessment has incorrectly characterized your learning status, you may request a human review by contacting your assigned advisor or the Privacy Officer.

If you believe your rights under applicable privacy law have not been respected, you may first contact our Privacy Officer to seek resolution. If you are not satisfied with our response, you have the right to file a complaint with:

• Commission d’accès à l’information du Québec (CAI): www.cai.gouv.qc.ca
• Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca