Last Updated: March 3, 2020
We reserve the right to change this policy from time to time as industry practice, the law, and our procedures in this area may change from time to time. We will post the current version of this policy at https://candrecannabis.com/privacy/.
What is Personal Information?
If the policies and procedures outlined in this document do not address a specific situation, individuals are advised to contact the Privacy Officer at firstname.lastname@example.org for guidance or clarification.
What Personal Information Do We Collect?
The Company collects and uses only the personal information that we need for providing services and operating our business. Generally, the Company collects the following personal information from individuals for the various purposes set out below:
- address, email address (work or home),
- age, date of birth,
- credit card number,
- prescription information,
The Company collects uses and discloses personal information for the following purposes:
- To process prescriptions.
- To manage the Company’s business and operations, including customer relationships and matters.
- To meet legal and regulatory requirements.
- Inform individuals about the Company’s products and services that we believe may be of interest to them.
- Better understand an individual’s interests in our products and services.
- Deliver, develop, enhance or improve products and services.
- Evaluate suitability of candidates.
- Provide warranties for products and services.
- Provide information on future opportunities.
- Verify access rights to our website, account creation and purchases.
- Contact clients about appointments and meetings.
- Meet regulatory requirements.
- Conduct market research.
- To third party service providers to assist in the operation of our business and marketing.
- To our subsidiaries and affiliates.
- To enforce our legal relationship with you.
- As is necessary in contemplation of a business transaction.
We normally collect information directly from our clients. We may collect your information from other persons with your consent or as authorized by law. Before or at the time of collecting personal information, we identify the purposes for which we are collecting the information. We do not provide this notification when personal information is volunteered for an obvious purpose. If we wish to use or disclose your information for a new purpose not included in this policy, we will notify you and seek your consent.
In addition, we also receive and send data from our servers and from your browser when you visit our website, including your IP address, the time and information about the page you requested and the website through which you were linked to our site, if any. We may use tracking technologies in a variety of ways, including the following: keeping count of return visits to our site; accumulating and reporting anonymous, aggregate (data collected in mass), statistical information on website usage; and determining which features users like best. Finally, your Internet browser has a feature called “cookies”, which stores small amounts of data on your computer about your visit to our site. Cookies tell us nothing about who you are, however, unless you specifically give us personal information. You do not need to have cookies turned on to visit www.candrecannabis.com or any other websites operated by us. You may also elect not to allow cookies to be collected by selecting certain options on your browser.
Ordinarily we ask for consent to collect, use or disclose personal information, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law. We may assume your consent in cases where you volunteer information for an obvious purpose.
You may withdraw consent to the use and disclosure of personal information at any time, unless the personal information is necessary for us to fulfil our reasonable business or legal obligations. We will respect your decision, but we may not be able to provide you with certain products and services if we do not have the necessary personal information.
The purpose for collecting personal information is set out in this policy. Any necessary consents shall be obtained before personal information is collected, used or disclosed.
We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, we will normally ask clients to provide their consent orally (in person, by telephone), in writing (by signing a consent form), or electronically (by clicking a button).
In cases that do not involve sensitive personal information, we may rely on “opt-out” consent.
The amount and type of personal information collected by the Company shall be limited to what is necessary to fulfill the identified purpose. Personal information shall only be used or disclosed for the purposes for which it is collected. Exceptions may be made with the consent of the individual or if authorized or required by law.
In certain cases, we may transfer your personal information outside of Canada, including to our service providers who may need to access, process or store your personal information in the United States. When your personal information is used or stored in a jurisdiction outside of Canada, it may be subject to the law of this foreign jurisdiction, including any law permitting or requiring disclosure of the information to the government, government agencies, courts and law enforcement in that jurisdiction.
How do I Access my Personal Information?
Upon request received by the Company in writing, individuals shall be informed of the existence, use, and disclosure of their personal information records and shall be given access to that information. Requests to access personal information held by the Company should be directed to the Privacy Officer.
Requests must be made in writing or by e-mail. Individuals may be required to verify their identity in order to access their personal information. Any such documentation provided shall be used for verification purposes only.
The Company responds to requests for access to personal information within thirty (30) days of receipt of the request, or as may be permitted in accordance with applicable privacy legislation.
A fee for reasonable costs incurred may be charged when responding to more complex requests. The individual will be informed of the applicable fee.
Requested information will be provided in a form that is generally understandable.
The Company will be as specific as possible when describing third parties to whom it has disclosed personal information about an individual. When it is not possible to provide a list of the organizations to which it has actually disclosed information, the Company will provide a list of organizations to which it is likely to have disclosed information.
Individuals are permitted either to view the original record, or to request a copy, subject to limitations as permitted or required by law. To preserve the integrity of the record and ensure that documents are not removed from the Company, individuals wishing to view an original record will do so at the Company’s head office and under the supervision of designated the Company personnel.
Limitations on Access
The Company will only refuse access to information about you in those circumstances permitted or required by applicable privacy legislation.
In the event that the Company refuses to provide access to information, it will provide you with the reasons for its refusal upon request. Exceptions may include information that contains references to or opinions of other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, or information that is subject to solicitor-client or litigation privilege. The Company will respond to your requests for access in accordance with applicable privacy legislation.
How will my Personal Information be Maintained?
Personal information shall be kept as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
Individuals have the right to challenge the accuracy and completeness of the personal information that is maintained by the Company and have it amended as appropriate.
Individuals seeking a correction or amendment to their personal information should direct their requests in writing to the Company’s Privacy Officer.
All formal requests to amend personal information must be accompanied by appropriate supporting documentation. The Company’s Privacy Officer will manage any exceptions. The amended information will be transmitted to third parties, as appropriate.
If the individual is not satisfied with the results of the request, the Company shall internally document the issue, and provide a response. The existence of the unresolved challenge will be transmitted to third parties, as appropriate.
How is my Personal Information Stored and Secured?
Personal information will be retained only as long as necessary and will be disposed of in a manner that is appropriate to the sensitivity of the information. We render client personal information non-identifying, or destroy records containing personal information once the information is no longer needed. We use appropriate security measures when destroying client personal information, including shredding paper records and permanently deleting electronic records.
Personal information will be protected by security safeguards, appropriate to the sensitivity of the personal information.
Please note that we use cloud-based services to store information in the following countries: Canada and the United States. Where personal information is stored or processed outside of Canada, it is subject to the laws of that foreign jurisdiction, and may be accessible to that jurisdiction’s governments, courts, law enforcement, or regulatory agencies.
We will notify all required authorities including the Office of the Information and Privacy Commissioner of Alberta, without delay, of a security breach affecting personal information if it creates a real risk of significant harm to individuals.
If you are not satisfied with the response from our Privacy Officer after making a complaint, you may have recourse to additional remedies under applicable privacy legislation. For further information, please contact the Federal Privacy Commissioner or your provincial Privacy Commissioner, as applicable.
Questions and Complaints
If you have a question or concern about any collection, use or disclosure of personal information by the Company, or would like to request access to your own personal information, please contact:
ATTN: Privacy Officer: email@example.com