PoetMD

Privacy Policy

Last updated: 2025-07-21

1. Introduction

Versor Technology Inc. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our medical school application assistance service ("Service").

This Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. By using our Service, you consent to the practices described in this Policy.

2. Our Privacy Principles

We follow PIPEDA's ten fair information principles:

1. Accountability - We are responsible for personal information under our control
2. Identifying Purposes - We identify why we collect personal information
3. Consent - We obtain your consent for collection, use, and disclosure
4. Limiting Collection - We collect only what is necessary
5. Limiting Use, Disclosure, and Retention - We use information only for stated purposes
6. Accuracy - We keep personal information accurate and up-to-date
7. Safeguards - We protect personal information with appropriate security
8. Openness - We are transparent about our privacy practices
9. Individual Access - You can access and correct your personal information
10. Challenging Compliance - You can challenge our compliance with these principles

3. Information We Collect

3.1 Information You Provide

For Email-Based Accounts:

• Name and email address
• Password (encrypted)
• Profile information you choose to provide
• Payment information (processed by third parties)

For Anonymous Accounts:

• Device fingerprint data only (no email or name required)
• Payment information if you make purchases

Content and Usage:

• Essays, prompts, and application materials you create or upload
• Questions and inputs you provide to our AI system
• Communications with our support team
• Feedback and suggestions

3.2 Information We Collect Automatically

• Device Information: Browser type, operating system, IP address
• Device Fingerprinting (Anonymous Accounts): Through Stytch, we collect:
  • Browser configuration and version
  • Screen resolution and color depth
  • Operating system and version
  • Timezone and language settings
  • Hardware specifications
  • Network information
• Usage Data: Features used, credits consumed, session duration
• Analytics Data: Through PostHog, we collect:
  • Session recordings showing how you interact with our Service
  • Click patterns, scrolling behavior, and navigation paths
  • Performance metrics and page load times
  • Console logs and errors for debugging
  • Device and browser information
• Log Data: Access times, pages viewed, errors encountered
• Cookies: Session management, functionality, and analytics cookies

3.3 Information from Third Parties

• Stripe provides payment processing and transaction confirmations
• Google provides authentication when you sign in with Google SSO
• Google AI processes your inputs to generate AI responses according to their policies

4. How We Use Your Information

We use your personal information to:

4.1 Provide Our Service

• Enable AI-powered application assistance
• Process your payments and manage credits
• Maintain your account and preferences
• Generate personalized AI responses
• Provide customer support

4.2 Improve Our Service

• Analyze usage patterns (aggregated and anonymized)
• Develop new features
• Fix bugs and technical issues
• Enhance AI performance

4.3 Communicate With You

• Send technical notices and updates
• Respond to your inquiries
• Provide customer support
• Send important service announcements
• Contact you about your usage to improve our Service (email accounts only)
• Follow up on technical issues or user experience feedback

4.4 Legal and Security Purposes

• Comply with legal obligations
• Enforce our Terms and Conditions
• Protect against fraud and abuse
• Investigate security incidents
• Cooperate with educational institutions when required by law

4.5 Anonymous Account Management

• Enable device-based authentication through Stytch
• Maintain session continuity
• Note: We cannot recover anonymous accounts if device fingerprint changes

5. Legal Basis for Processing

We process your personal information based on:

• Consent: You consent by creating an account and using our Service
• Contract: Processing necessary to provide our Service under our Terms
• Legal Obligations: When required by law
• Legitimate Interests: For fraud prevention and security

6. Information Sharing and Disclosure

We do not sell your personal information. We share information only in these circumstances:

6.1 Service Providers

We share data with trusted third parties who assist in operating our Service:

• Stytch - Device fingerprinting for anonymous accounts
  • Data processed in: United States
  • Security: SOC 2 Type II certified
• Stripe - Payment processing and billing
  • Data processed in: Multiple regions based on transaction origin
  • Security: PCI DSS Level 1, SOC 1/2/3 certified
• Google AI - AI-powered content generation and assistance
  • Data processed in: Global data centers
  • Security: ISO 27001/27017/27018, SOC 2/3 certified
• Google - Authentication services (SSO)
  • Data processed in: Global data centers
  • Security: ISO 27001/27017/27018, SOC 2/3 certified
• Fly.io - Server hosting and infrastructure
  • Data processed in: North America (primary), with global edge locations
  • Security: SOC 2 Type II certified
• NeonDB - Database hosting and storage
  • Data processed in: United States (primary region)
  • Security: SOC 2 Type II certified, encrypted at rest and in transit
• Axiom - Log aggregation and monitoring
  • Data processed in: United States
  • Security: SOC 2 Type II certified
• Cloudflare - Content delivery network and security
  • Data processed in: Global network (200+ cities)
  • Security: ISO 27001, SOC 2 Type II, PCI DSS certified
• PostHog - Analytics, session replay, and user behavior analysis
  • Data processed in: United States (US cloud) or European Union (EU cloud)
  • Security: SOC 2 Type II certified, GDPR compliant

6.2 Legal Requirements

We may disclose information when required by:

• Court orders or subpoenas
• Government requests
• Legal proceedings
• Law enforcement investigations

6.3 Educational Institutions

We may cooperate with institutions investigating:

• Academic integrity violations
• Misuse of our Service
• Violations of institutional policies Note: We will only share information when legally required or permitted

6.4 Business Transfers

If we merge with or are acquired by another company, your information may be transferred to the new entity.

6.5 Aggregated Data

We may share aggregated, non-identifiable data for research or business purposes.

7. Data Security

7.1 Security Measures

We implement reasonable security measures including:

• Encryption: TLS 1.3+ for data in transit, AES-256 for data at rest
• Infrastructure Security:
  • Servers (Fly.io): Isolated containers, automatic security updates
  • Database (NeonDB): Encrypted storage, automated backups, point-in-time recovery
  • CDN (Cloudflare): Enterprise-grade DDoS protection, Web Application Firewall
• Access Controls:
  • Multi-factor authentication for administrative access
  • Role-based access control (RBAC)
  • API key rotation and secure storage
• Monitoring and Compliance:
  • Real-time security monitoring (Axiom)
  • Automated vulnerability scanning
  • Regular third-party security assessments
  • Compliance with SOC 2 standards through our providers
• Employee Security:
  • Background checks where permitted by law
  • Security training and awareness programs
  • Confidentiality agreements

7.2 Your Responsibilities

• Keep your password secure (email accounts)
• Use strong, unique passwords
• Notify us immediately of unauthorized access
• Understand anonymous account risks (see Section 8)

7.3 No Absolute Security

Despite our efforts, no system is completely secure. We cannot guarantee absolute security of your information.

8. Anonymous Accounts and Device Fingerprinting

8.1 How It Works

• We use Stytch Device Fingerprinting to identify your browser/device
• This creates a unique identifier without requiring personal information
• The technology uses tamper-resistant methods with encryption

8.2 Data Collected by Stytch

• Browser type and version
• Operating system
• Screen resolution
• Timezone and language
• IP address and approximate location
• Hardware configuration

8.3 Critical Risks and Limitations

WARNING: Anonymous accounts have significant limitations:

• Permanent Loss Risk: You will lose access if:
  • You switch browsers or devices
  • You update your browser or OS
  • You clear browser data
  • Privacy settings change
  • Stytch's algorithm changes
• No Recovery: We cannot recover lost anonymous accounts
• No Data Export: Without access, you cannot export your data
• Credits Lost: Purchased credits cannot be retrieved

8.4 Recommendation

We strongly recommend email-based accounts for reliable access and full privacy rights.

9. Data Retention and Deletion

9.1 Active Accounts

We retain your information while your account is active and as needed to provide our Service.

9.2 Inactive Accounts

• Accounts inactive for 2 years may be deleted
• We'll attempt to notify email-based accounts before deletion
• Anonymous accounts cannot be notified

9.3 Post-Termination

• Personal data deleted within 90 days of account termination
• Some data may be retained for legal compliance
• Aggregated, anonymized data may be retained indefinitely

9.4 Backup Systems

Deleted data may persist in backup systems for up to 90 days.

10. Payment Processing and Financial Data

10.1 Payment Processor

We use Stripe as our exclusive payment processor. We do not directly handle or store your payment card information.

10.2 Information Shared with Stripe

When you make a purchase, we share with Stripe:

• Your email address (for receipts)
• Billing name and address
• Credit card or payment method details (transmitted directly to Stripe)
• Purchase amount and currency
• Your IP address (for fraud prevention)

10.3 Payment Security

• PCI Compliance: Stripe is PCI DSS Level 1 certified (highest level)
• Tokenization: Your card details are tokenized and never touch our servers
• Encryption: All payment data is encrypted using TLS 1.3+
• 3D Secure: Additional authentication may be required for certain transactions

10.4 What We Store

We only store:

• Stripe customer ID (a unique identifier)
• Last 4 digits of your card
• Card brand (e.g., Visa, Mastercard)
• Transaction history (amounts, dates, credit purchases)
• Billing address for tax purposes

10.5 Recurring Payments

We do not currently offer subscriptions, but if you authorize future purchases:

• Authorization can be revoked anytime
• You'll be notified before any charges
• Payment methods can be updated through Stripe

10.6 Refunds and Disputes

• Refund requests are processed through Stripe
• Refunds typically take 5-10 business days
• Disputes are handled according to Stripe's policies and your card issuer's rules
• We maintain transaction records for 7 years for tax compliance

10.7 Regional Considerations

• Canadian transactions: Processed in accordance with Canadian payment regulations
• US transactions: May be processed in the United States
• Currency conversion: Handled by Stripe at current exchange rates

11. Your Privacy Rights

Under PIPEDA, you have the right to:

10.1 Access Your Information

• Request a copy of personal information we hold about you
• Understand how we use your information
• See who we've shared it with

10.2 Correct Your Information

• Update inaccurate or incomplete information
• Request corrections to your personal data

10.3 Withdraw Consent

• Withdraw consent for certain uses of your information
• Note: This may limit Service functionality

10.4 Data Portability

• Request your data in a portable format
• Transfer your content to another service

10.5 Deletion

• Request deletion of your personal information
• Subject to legal retention requirements

10.6 How to Exercise Rights

• Email: [email protected]
• Include proof of identity with requests
• We respond within 30 days
• Anonymous accounts must have active session to exercise rights

12. Cookies and Tracking Technologies

12.1 Essential Cookies

We use essential cookies for:

• Maintaining your session
• Security purposes
• Basic Service functionality

12.2 Analytics and Session Replay

We use PostHog for analytics and session replay to:

• Record and replay user sessions to improve our Service
• Identify and fix user experience issues
• Understand feature usage and user behavior
• Monitor performance and errors Session recordings may include your interactions, but sensitive data is masked.

12.3 Your Choices

• Browser settings control cookie acceptance
• Disabling cookies may affect Service functionality
• You can opt out of session recording by contacting support
• We don't use advertising or tracking cookies
• Analytics data helps us improve the Service for all users

13. International Data Transfers

Your information may be processed in countries other than Canada:

• Primary Infrastructure:
  • Application servers (Fly.io): United States, with CDN edge locations globally
  • Database (NeonDB): United States (primary), with backups in secure cloud storage
• Payment Processing:
  • Stripe: Processes in the region closest to the transaction, data may be stored in US/EU
• AI and Authentication:
  • Google: Global infrastructure, data routed to nearest data center
• Analytics and Monitoring:
  • PostHog: US cloud (we can configure EU cloud on request)
  • Axiom: United States
• Security and Performance:
  • Cloudflare: Global edge network, data cached temporarily worldwide

All international transfers are protected by:

• Standard contractual clauses where required
• Adequacy decisions where applicable
• Technical safeguards including encryption
• Compliance with PIPEDA requirements for international transfers

By using our Service, you consent to these transfers.

14. Children's Privacy

Our Service is not intended for individuals under 18. We do not knowingly collect information from children. If you believe we have collected information from someone under 18, please contact us immediately.

15. AI-Specific Considerations

15.1 AI Processing

• Your inputs are processed by Google AI models to generate responses
• Google AI services are subject to Google's privacy policies and terms
• AI processing may occur in Google's global data centers
• We do not have control over Google's AI model training or updates

15.2 Training Data

• We do not use your personal content to train external AI models
• Aggregated, anonymized patterns may improve our internal systems
• You retain ownership of your original content

15.3 Generated Content

• AI outputs are non-exclusive and may not be unique
• Similar outputs may be generated for other users
• Quality and accuracy are not guaranteed

16. Session Recording and Real-Time Monitoring

16.1 What We Record

Through PostHog, we may record your sessions to understand how you use our Service:

• Screen recordings: Visual replay of your interactions with our interface
• Mouse movements: Clicks, scrolls, and cursor movements
• Form interactions: Text input is masked for privacy
• Navigation patterns: Pages visited and time spent
• Technical data: Console logs, errors, and network requests
• Performance metrics: Load times and responsiveness

16.2 Purpose of Recording

We use session recordings to:

• Identify and fix bugs or technical issues
• Improve user interface and experience
• Understand feature adoption and usage patterns
• Provide better customer support when you report issues
• Ensure Service quality and performance

16.3 Privacy Protections

• Sensitive data masking: Passwords, credit card numbers, and other sensitive fields are automatically masked
• No audio recording: We do not record audio or video from your device
• No keystroke logging: We do not capture individual keystrokes
• CSS-based blocking: Certain elements can be excluded from recordings

16.4 Your Controls

• Opt-out: Contact [email protected] to opt out of session recording
• Anonymous accounts: Session recordings are tied to your device fingerprint
• Deletion requests: You can request deletion of your recorded sessions
• Do Not Track: We respect browser Do Not Track settings where technically feasible

16.5 Data Retention for Recordings

• Session recordings are retained for 30 days
• Recordings linked to reported issues may be retained longer for resolution
• Aggregated insights from recordings may be retained indefinitely

16.6 Third-Party Processing

• PostHog processes session recordings according to their privacy policy (SOC 2 compliant)
• Axiom may process debugging data from session recordings for error tracking
• Both services follow industry security standards for data protection

17. Third-Party Links and Services

Our Service may contain links to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

18. Updates to This Policy

We may update this Policy to reflect changes in:

• Our practices
• Legal requirements
• Service features

We'll notify you of material changes by:

• Email (for email-based accounts)
• Service notifications
• Posting the updated Policy with a new date

Your continued use after changes constitutes acceptance.

19. Accessibility

We are committed to making our Privacy Policy accessible to all users. For accessible formats or assistance understanding this Policy, contact [email protected].

20. Privacy Officer

We have designated a Privacy Officer responsible for our compliance with PIPEDA and this Policy.

For privacy-related inquiries or complaints:

Privacy Officer Versor Technology Inc. Email: [email protected]

Please allow 30 days for a response to privacy inquiries.

21. Regulatory Complaints

If you're not satisfied with our response to your privacy concern, you may file a complaint with:

Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 Website: https://www.priv.gc.ca

22. Language

This Policy is written in English. Any translations are provided for convenience only. In case of conflicts, the English version prevails.

---

Version: 2.0