Privacy Policy
Effective 2026-06-19 · Version 2026-06-19
Who we are
The controller of your personal information is 1001511837 Ontario Inc. (“Nursio”, “we”, “us”), incorporated in Ontario, Canada.
- Address: 1025 King Street Est, Unit 107, Cambridge, Ontario, N3H 3P5, Canada
- Email: contact@nursio.io
Privacy Officer / Responsable de la protection des renseignements personnels: the Privacy Officer, reachable at contact@nursio.io.
This policy applies to the Nursio app on iOS and Android in Canada (including Quebec), the United States, Europe and Latin America.
Personal information we collect
- Account: your email address (to send a sign-in code and identify your account) and, optionally, your name, avatar and language.
- Learning preferences: country, goal, specialty, exam profile, monthly study time and topic weights set during onboarding.
- Performance data: your case attempts, answers, scores, competency strengths/weaknesses, streaks, points and badges — used to personalize and adapt your learning path. This is your performance on educational cases; you are never asked to enter patient or clinical data about yourself.
- Organization data: if your employer enrolls you, a roster entry (email, optionally name and employee number) provided by your organization.
We do not collect advertising identifiers, and we use no third-party analytics, crash or advertising SDKs.
Why we use it and our legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Create/operate your account, sign-in, deliver the service | Performance of a contract (Art. 6(1)(b)) |
| Personalize and adapt your learning path from performance data | Performance of a contract — this is the core product (Art. 6(1)(b)) |
| Security, fraud prevention, breach handling | Legal obligation / legitimate interests (Art. 6(1)(c)/(f)) |
| Optional product emails | Consent (Art. 6(1)(a)) — withdraw anytime |
Performance data reflects your learning, not your own medical condition, and we process it as ordinary personal data to provide the service you requested.
Automated personalization
We use automated processing of your performance data to adapt which cases and reinforcement you see (e.g. emphasizing topics you found difficult). This is low-stakes personalization with no legal or similarly significant effect on you. You can ask us about the main factors used and request human review or adjustment at contact@nursio.io. (This disclosure also addresses Quebec Law 25 s.12.1 and GDPR Art. 13(2)(f)/22.)
How we use AI
Nursio uses AI to generate an adaptive reinforcement portion of the content and to adapt it to your learning (curated content is human-authored). To personalize reinforcement we send a pseudonymous user identifier and an anonymized weak-topic signal (the competencies and questions you struggled with — never your name, email or country) to our AI processors listed below.
Who we share with (sub-processors) and international transfers
| Processor | Purpose | Location / transfer mechanism |
|---|---|---|
| Supabase | Authentication, database, storage | United States (AWS us-east-1); SCCs where applicable |
| Cloudflare | Content generation, file/object storage | Global edge; SCCs where applicable |
| Anthropic | Generate + verify case content (receives pseudonymous id + weak-topic signal) | United States; SCCs |
| Google (via OpenRouter) | Verify content | United States; SCCs |
| Mistral | OCR of organization-uploaded protocols | European Union |
When your data is stored or processed outside Canada (e.g. the United States), it may be accessible to foreign courts and authorities under that country’s laws. Transfers outside Quebec are assessed as required by Quebec Law 25 (s.17). A copy of the safeguards (e.g. Standard Contractual Clauses) is available on request.
How long we keep your data
| Category | Retention |
|---|---|
| Account & profile | Until you delete your account, plus a short backup window |
| Performance / learning data | For the life of your account |
| Organization roster PII | Until you or the organization remove the entry |
| AI content snapshots | Short retention (audit logs about shared, reusable content; not linked to you personally) |
| AI processor batch records | Governed by the processor’s own retention; we cannot delete these |
Your rights
Subject to your region (Canada PIPEDA, Quebec Law 25, EU/UK GDPR, US state laws), you may: access, correct/rectify, delete/erase, port (receive a structured, machine-readable copy), restrict or object to processing, withdraw consent (without affecting prior lawful processing), and request an account of disclosures. Authorized agents may submit requests with proof. We will not discriminate against you for exercising these rights. To exercise any right, email contact@nursio.io.
You may lodge a complaint with your privacy authority: the Office of the Privacy Commissioner of Canada, Quebec’s Commission d’accès à l’information (CAI), or your EU/UK data protection supervisory authority.
United States — California (CCPA/CPRA)
We do not sell or share your personal information and have not in the preceding 12 months. We do not engage in targeted advertising or cross-context behavioral tracking. We process sensitive personal information (e.g. detailed performance/competency data) only to provide and personalize the service — a permitted purpose — so the “Limit the Use of My Sensitive Personal Information” right does not change how we use it. The free tier never requires extra data in exchange for access (no financial incentive). You have the rights to know, delete, correct and opt out described above.
Other US states (Virginia, Colorado, Connecticut, Texas, and more)
We do not sell personal data, conduct targeted advertising, or profile you for decisions producing legal or similarly significant effects. Sensitive data is processed only to provide the service.
Breach notification
If a confidentiality incident / data breach creates a real risk of significant harm, we notify the relevant authority (OPC, CAI, or your supervisory authority) and affected users as required by law, and we keep a record of incidents.
Local storage
We store only strictly-necessary data on your device (your session token and preferences) to provide the service you requested. We use no tracking or advertising cookies, so no consent banner is required.
Children
Nursio is intended for adult nursing professionals and students (18+). It is not directed to children and we do not knowingly collect data from anyone under 13.
Changes to this policy
We may update this policy; material changes will be notified in the app and/or by email, and the version and effective date above will be updated. The current version is always available in the app and at https://nursio.io.
Contact
Questions or requests: contact@nursio.io.