← Home

Privacy Policy

Effective 15 May 2026 · Version 1

Template — not legal advice.

This document is a starting template intended for legal review before you go live with paying clients. Placeholders are shown in square brackets like [LEGAL ENTITY TO BE CONFIRMED]. Replace those, then have a lawyer in your jurisdiction sign it off.

ResponseCore (operated by [LEGAL ENTITY TO BE CONFIRMED], “we”, “us”) provides medication inventory software to emergency medical services and adjacent healthcare organisations. This policy explains what personal information we handle when your organisation uses our service, why we handle it, how long we keep it, and what your rights are under Canadian privacy law.

1. Plain English summary

  • We process information about your organisation's staff (name, work email, role) so they can sign in and so the system can record who did what.
  • We do not handle patient health information.
  • We do not sell your data, share it with advertisers, or use it to train AI.
  • We store your data in Canada/the EU through our sub-processors (Supabase, Vercel) and apply industry-standard security.
  • You can request a copy, correction, or deletion of your information at any time.

2. Who is responsible for your data

When your employer uses ResponseCore, your employer is the “controller” of your personal information — they decide what gets entered and why. We are the “processor” — we run the software on their behalf under a written Data Processing Agreement. Contact your employer's designated privacy contact first for access, correction, or deletion requests about information your employer has entered.

For questions about how we operate the platform, contact us at [SUPPORT EMAIL TO BE CONFIRMED].

3. What we collect

We handle the following categories of personal information:

  • Account information. Name, work email, username, role, organisation, and account status.
  • Authentication credentials. Hashed passwords (we never see your password in clear text), passkey public keys, and sign-in tokens stored on NFC tags.
  • Audit records. Which user created, moved, used, or signed off on stock items, with timestamps. This is essential for controlled-drug accountability.
  • Device information. Browser type, approximate device type, sign-in IP address, and idle/active timestamps used by the session lock.

We do not collect special-category data such as health, biometric (other than the on-device biometric used to unlock a passkey, which never leaves your device), or financial information.

4. Why we use it

  • To authenticate users and operate the service.
  • To produce the audit trails that your organisation needs for regulatory and operational purposes.
  • To investigate security incidents and prevent unauthorised access.
  • To debug problems and improve reliability (anonymous logs only).

We do not use your information for marketing, advertising, or training machine-learning models.

5. Sub-processors

We use a small number of trusted infrastructure providers to operate the service. They are bound to confidentiality and equivalent security commitments under contract:

  • Supabase (database, authentication, file storage) — data residency: [CANADIAN OR EU REGION TO BE CONFIRMED].
  • Vercel (application hosting and content delivery) — data residency: global edge with primary in [REGION TO BE CONFIRMED].
  • Resend / SMTP provider (transactional email such as password resets) — if applicable.

An up-to-date list of sub-processors is available at /legal/dpa.

6. How long we keep it

By default we keep account information for as long as the organisation's subscription is active, plus 90 days. Audit records may be retained longer where law or contract requires it (for example, controlled-drug movement records are typically retained for [RETENTION PERIOD TO BE CONFIRMED] years). On account closure or organisation termination, we delete or anonymise personal information within 90 days unless we are required to retain it.

7. Your rights under Canadian law

Under Canadian federal (PIPEDA) and Alberta provincial (PIPA) law, you have the right to:

  • Know what personal information we hold about you, and obtain a copy.
  • Have inaccurate information corrected.
  • Withdraw consent (subject to reasonable notice and operational constraints).
  • Complain to your employer's privacy contact, to our team at [SUPPORT EMAIL], or to the Office of the Information and Privacy Commissioner of Alberta or the federal Privacy Commissioner of Canada.

8. Security

We apply industry-standard security controls including encryption in transit (TLS 1.2+), encryption at rest, row-level security in the database, audited authentication (including optional passkey/WebAuthn second factors), session idle timeouts, and least-privilege access for our own personnel.

9. Changes to this policy

We'll bump the version number above and prompt every user to re-accept the new policy on next sign-in when we change anything material.

10. Contact

[SUPPORT EMAIL TO BE CONFIRMED]
[POSTAL ADDRESS TO BE CONFIRMED]