---
title: Privacy Policy
date: 2026-06-05T15:31:00-07:00
author: rollinadmin
canonical_url: "https://cohenhallowell.com/legal/privacy-policy/"
section: Legal
---
# Privacy Policy

**Effective date: January 1, 2026 Last updated: April 5, 2026**

**A note on the personal information BrainPulse™ handles**

This Privacy Policy explains how CohenHallowell collects, uses, discloses, and protects personal information through the BrainPulse™ platform. Because the Service supports neurodivergent learners and is used by children, families, and schools, it may involve sensitive information, children’s information, and education records, each of which we treat with particular care and additional safeguards as described below.

## 1. Introduction and scope

**1.1 Scope.** This Privacy Policy applies to personal information we handle when you use the BrainPulse™ platform, websites, and applications, and when you interact with us. It should be read together with the Terms and Conditions and the Cookie Policy.

**1.2 Frameworks.** We design our privacy practices to comply with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial laws (such as Quebec’s Law 25 and the personal-information protection acts of Alberta and British Columbia), and with applicable United States privacy laws, including the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”) as it applies to our school customers, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”), and other applicable state privacy and student-data-protection laws.

**1.3 Controller and processor roles.** For personal information about consumer users, CohenHallowell generally determines the purposes and means of processing. Where we process personal information on behalf of an Institutional Customer (for example, a school), we generally act as that customer’s service provider or processor under their instructions and under a separate agreement, and that customer’s own privacy notices also apply.

## 2. Who we are, accountability, and our Privacy Officer

**2.1 Identity.** The organisation responsible for your personal information is CohenHallowell Research Institute Inc., located at 2001 Blvd. Robert Bourassa, Suite 1700, Montreal, Quebec, H3A 2A6.

**2.2 Privacy Officer.** Consistent with PIPEDA, we have designated an individual accountable for our compliance. You may contact our Privacy Officer at legal@cohenhallowell.com. Quebec residents may also contact the person responsible for the protection of personal information at the same address.

**2.3 Accountability.** We are responsible for personal information under our control, including information transferred to service providers for processing, and we use contractual and other means to provide a comparable level of protection while it is processed on our behalf.

## 3. Information we collect

We collect the following categories of personal information, depending on how you use the Service.

### 3.1 Information you provide

- Account and profile information: name, email address, password, role (for example, learner, parent, educator, administrator), age or age band where required, and preferences.
- Billing information: billing name, address, and payment details. Card numbers are processed by our payment processor; we do not store full card numbers on our own systems.
- Uploaded materials: the study or course materials and other User Content you submit for transformation, which may contain personal information depending on what you upload.
- Learning configuration: the neurodivergence profile or profiles you select or are assigned, accessibility and display preferences, and onboarding-questionnaire responses where you choose to complete one.
- Communications: messages, support requests, feedback, and survey responses.

### 3.2 Information we collect automatically

- Usage data: sessions, features used, content nodes generated, Credits consumed, accuracy and progress metrics, time on task, and similar activity data.
- Device and technical data: IP address, device and browser type, operating system, identifiers, and diagnostic and performance data.
- Cookies and similar technologies: as described in the Cookie Policy.

### 3.3 Information from third parties

- From Institutional Customers: where a school, employer, or other organisation provisions your account, we may receive identifiers, roster information, and configuration data from them.
- From service providers: for example, payment-status information from our payment processor, or fraud-prevention signals.
- From integrations: where you connect a third-party platform such as a learning-management system, we may receive information you authorise that platform to share.

## 4. Sensitive information and neurodivergence profile data

**4.1 Sensitive nature.** Information indicating that a learner is associated with a neurodivergence profile, together with related learning-support preferences and onboarding responses, may be considered sensitive personal information. We treat such information with heightened care.

**4.2 Not a diagnosis.** A profile selection within the Service is a configuration choice used to adapt content; it is not a clinical diagnosis and we do not treat it as a medical record. We do not require you to disclose any diagnosis to use the Service.

**4.3 How we limit use.** We use neurodivergence-related and other sensitive information only to provide and personalise the learning experience, to operate and support the Service, and for the other purposes you have consented to or that Applicable Law permits. We do not use sensitive information to make decisions that produce legal or similarly significant effects about you, and we do not sell sensitive information.

**4.4 Consent for sensitive information.** Where Applicable Law requires consent for the collection or use of sensitive information, we obtain it, and for children this consent is obtained from a parent, guardian, or authorised school as described below.

## 5. How we collect information

We collect information directly from you when you register, configure your account, upload materials, communicate with us, or use features; automatically through your use of the Service and through cookies and similar technologies; and from third parties such as Institutional Customers, service providers, and integrations you authorise.

## 6. How and why we use information

We use personal information for the following purposes:

- to provide, operate, maintain, and secure the Service, including transforming your uploaded materials into adapted learning content;
- to personalise the learning experience to the selected neurodivergence profile and your preferences;
- to manage your account, process payments, and administer subscriptions, Credits, and institutional licences;
- to provide customer support and respond to your requests;
- to monitor, analyse, and improve the Service, develop new features, and conduct research and analytics (using de-identified or aggregated data wherever practicable);
- to detect, prevent, and address fraud, abuse, security incidents, and violations of our Terms, including enforcing fair-use limits;
- to send service and transactional communications, and, with consent where required, marketing communications;
- to comply with Applicable Law and respond to lawful requests; and
- to establish, exercise, or defend legal claims, and to carry out corporate transactions such as a merger or asset sale.

**6.1 De-identified and aggregated data.** We may create de-identified or aggregated data that does not identify you and use it for any lawful purpose, including improving the Service and reporting. We maintain de-identified data without attempting to re-identify it except as permitted by law to test our de-identification.

**6.2 Use of content to improve models.** We do not use the personal information in your uploaded materials or your Generated Content to train third parties’ general-purpose AI models. Where we use content to improve our own Service, we seek to use de-identified or aggregated data, and we describe and obtain any consent required by Applicable Law.

## 7. Consent and legal bases for processing

**7.1 Consent.** Under Canadian law, we rely on your consent (express or, where appropriate and permitted, implied) to collect, use, and disclose personal information, except where the law permits or requires us to do so without consent. The form of consent we seek reflects the sensitivity of the information; for sensitive information we seek express consent.

**7.2 Withdrawing consent.** Subject to legal and contractual restrictions and reasonable notice, you may withdraw consent at any time by contacting us; doing so may limit or end your ability to use some or all of the Service.

**7.3 Other bases.** Where other legal frameworks apply, we rely on the bases they recognise, such as performance of a contract with you, our legitimate interests in operating and improving the Service (balanced against your rights), and compliance with legal obligations.

## 8. Artificial intelligence and automated processing

**8.1 Automated transformation.** The core of the Service is an automated pipeline that analyses your uploaded material and generates adapted content using artificial-intelligence models, including third-party models for language processing and text-to-speech. This processing is necessary to provide the Service you request.

**8.2 No significant automated decisions about you.** We do not use automated processing to make decisions that produce legal or similarly significant effects about you (such as eligibility, pricing penalties, or assessment outcomes that determine real-world consequences) without appropriate human involvement or the safeguards required by Applicable Law.

**8.3 Subprocessors.** AI inference, text-to-speech, and image-matching functions involve service providers that process the content needed to perform those functions, under contractual confidentiality and security obligations. See the section on service providers.

**8.4 Accuracy.** Automated output may contain errors. We encourage you to review Generated Content, and you may contact us to correct inaccuracies in personal information we hold about you.

## 9. Children’s privacy

**How we handle children’s information**

We are committed to protecting children’s privacy. We do not knowingly collect personal information from a child under 13 in the United States (or under the equivalent minimum age in other jurisdictions) without verifiable parental consent or the authorisation of a school acting within the scope permitted by law.

**9.1 Parental consent.** Where a parent or guardian establishes an account for a child, we rely on that adult’s consent. Where a child uses the Service through a school, we rely on the school’s authority to consent on behalf of parents for educational purposes to the extent permitted by COPPA and applicable student-data laws.

**9.2 Limited collection.** We collect from children only the information reasonably necessary to provide the Service, and we do not condition a child’s participation on disclosing more than is reasonably necessary. We do not use children’s information for behavioural advertising and do not sell or share it for cross-context behavioural advertising.

**9.3 Parental rights.** A parent, guardian, or authorised school may review the child’s personal information, request its deletion, and refuse further collection or use, by contacting us. We may need to verify identity and authority before acting.

**9.4 Discovery of underage use.** If we learn that we have collected personal information from a child without the required consent, we will take reasonable steps to delete it promptly.

## 10. Students, schools, and education records

**10.1 School official role.** When we provide the Service to a school or district, we may handle student information that constitutes “education records” under FERPA. In that context, we act under the direct control of the educational institution and only for the authorised educational purpose, consistent with the FERPA “school official” exception and the institution’s instructions.

**10.2 Student data protections.** We handle student personal information consistent with applicable student-data-privacy laws (for example, California’s Student Online Personal Information Protection Act and similar state laws). We do not sell student personal information, do not use it to engage in targeted advertising to students, and do not create profiles of students except in furtherance of the school’s educational purposes.

**10.3 Retention and return.** On request or at the end of the relationship, we will, as directed by the school and subject to law, return or delete student personal information in accordance with our agreement with the institution.

**10.4 Canadian institutions.** For Canadian schools and post-secondary institutions, we handle student information consistent with applicable provincial privacy and education legislation and our agreement with the institution.

## 11. How and with whom we disclose information

We do not sell your personal information for money. We disclose personal information only as described here:

- Service providers and sub-processors: vendors who perform functions on our behalf (for example, hosting, AI inference, text-to-speech, image matching, payment processing, analytics, communications, and customer support), under contracts requiring confidentiality and appropriate safeguards and limiting their use to providing services to us.
- Institutional Customers: where you use the Service through an organisation, we may share relevant information with that organisation’s administrators.
- Integrations you authorise: where you connect a third-party platform, we share information as needed for that integration.
- Legal and safety: to comply with law, enforce our Terms, protect the rights, property, or safety of CohenHallowell, our users, or others, and respond to lawful requests by public authorities.
- Corporate transactions: in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate confidentiality and continued protection.
- With your consent or at your direction: for any other purpose disclosed to you at the time.

**11.1 No advertising sale.** We do not disclose your personal information to third parties for their own direct-marketing or cross-context behavioural advertising purposes, and in particular we do not do so for children or students.

## 12. Service providers and sub-processors

**12.1 Categories.** To operate the Service we rely on categories of providers including cloud hosting and storage, large-language-model inference, text-to-speech generation, licensed stock-image matching, payment processing, email and notification delivery, analytics, and security.

**12.2 Safeguards.** We require service providers to protect personal information with security and confidentiality measures comparable to ours and to use it only to provide services to us. We remain accountable for personal information transferred to them for processing.

## 13. Data retention

**13.1 Retention principle.** We retain personal information only as long as necessary to fulfil the purposes for which it was collected, to provide the Service, to comply with legal, accounting, or reporting obligations, to resolve disputes, and to enforce our agreements.

**13.2 Uploaded materials and outputs.** Uploaded materials and Generated Content are retained while your account is active and for a limited period afterwards, and cached transformation outputs may be retained to improve performance. You may delete content where the Service provides that functionality, after which residual copies may remain briefly in backups before being overwritten.

**13.3 Deletion.** When personal information is no longer required, we delete, anonymise, or securely destroy it in accordance with our retention schedule and Applicable Law. Specific retention periods are available on request.

## 14. How we protect information

**14.1 Safeguards.** We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorised access, use, disclosure, copying, or modification. These may include encryption in transit, access controls, content fingerprinting, logical separation, and monitoring.

**14.2 Your role.** No method of transmission or storage is completely secure. You are responsible for keeping your credentials confidential and for using up-to-date, secure devices.

## 15. International transfers and storage

**15.1 Cross-border processing.** Personal information may be stored and processed in Canada, the United States, and other countries where we or our service providers operate. Those countries may have data-protection laws different from those in your jurisdiction, and personal information may be subject to lawful access by courts, law enforcement, and authorities in those countries.

**15.2 Safeguards for transfers.** Where we transfer personal information across borders, we use contractual and other measures to provide a comparable level of protection. Quebec and certain other residents will be informed, where required, before personal information is transferred outside their jurisdiction, and we will conduct any assessment the law requires.

## 16. Your privacy rights and choices

Subject to Applicable Law and verification of your identity, you may have the following rights, which you can exercise by contacting us:

- Access: to ask whether we hold personal information about you and to obtain a copy of it.
- Correction: to ask us to correct inaccurate or incomplete personal information.
- Deletion: to ask us to delete personal information, subject to legal exceptions.
- Withdrawal of consent: to withdraw consent to processing, subject to legal and contractual limits.
- Portability: where the law provides, to receive certain personal information in a structured, commonly used format, or to have it transferred where technically feasible (including under Quebec’s data-portability right).
- Objection or restriction: to object to or restrict certain processing where the law provides.
- Information about automated processing: to obtain information about the use of automated processing where the law provides.

**16.1 How to exercise.** Contact our Privacy Officer using the details below. We will respond within the time required by Applicable Law. We may need to verify your identity and, for requests on behalf of a child, your authority. We will not discriminate against you for exercising your rights.

**16.2 Complaints to a regulator.** If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada, the relevant provincial regulator (such as the Commission d’accès à l’information du Québec), or the applicable authority in your jurisdiction.

## 17. Additional rights for California residents

**17.1 CCPA disclosures.** If you are a California resident, the CCPA provides additional rights regarding personal information we collect. In the past 12 months we have collected the categories of personal information described in the section on information we collect, for the purposes described in this Policy, from the sources described, and we disclose them to the categories of recipients described.

**17.2 No sale or sharing.** We do not sell personal information and do not share it for cross-context behavioural advertising as those terms are defined under the CCPA, and we do not knowingly do so for consumers under 16.

**17.3 Your CCPA rights.** California residents may request to know, access, correct, and delete personal information, and to limit the use of sensitive personal information, subject to exceptions. We use sensitive personal information only for permitted business purposes such as providing the Service. We will not discriminate against you for exercising these rights.

**17.4 Authorised agents and appeals.** You may use an authorised agent to submit requests, subject to verification. Where Applicable Law provides an appeal process, we will describe how to appeal a decision on your request.

## 18. Marketing communications, CASL, and CAN-SPAM

**18.1 Consent and opt-out.** We send commercial electronic messages only in accordance with Canada’s Anti-Spam Legislation (“CASL”) and the United States CAN-SPAM Act. Where required, we obtain consent before sending marketing messages, we identify ourselves, and we include an easy unsubscribe mechanism in each marketing message.

**18.2 Transactional messages.** We may always send you non-marketing service and transactional messages necessary to administer your account and the Service.

## 19. Cookies and similar technologies

We use cookies and similar technologies as described in our Cookie Policy, which forms part of this Privacy Policy. The Cookie Policy explains the categories of cookies we use and how you can manage your preferences.

## 20. Do Not Track and Global Privacy Control

Some browsers offer “Do Not Track” signals; there is no common industry standard for responding to them, and our response is described in the Cookie Policy. Where required by Applicable Law, we honour recognised opt-out preference signals such as the Global Privacy Control for applicable purposes.

## 21. Third-party links and services

The Service may link to or integrate with third-party sites and services that we do not control. This Privacy Policy does not apply to them, and we encourage you to review their privacy notices.

## 22. Data breaches and notification

We maintain procedures to detect, assess, and respond to security incidents. Where a breach of security safeguards creates a real risk of significant harm, or where Applicable Law otherwise requires, we will notify affected individuals and the relevant authorities (such as the Office of the Privacy Commissioner of Canada and applicable state authorities) within the timeframes required, and we will keep records of breaches as the law requires.

## 23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated Policy with a revised “last updated” date and, for material changes, provide additional notice where required by Applicable Law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy to the extent permitted by law; where the law requires fresh consent, we will obtain it.

## 24. How to contact us and make a complaint

To exercise your rights, ask questions, or make a complaint, contact our Privacy Officer at legal@cohenhallowell.com. We will acknowledge and respond within the time required by Applicable Law.

 

 

 

    # Privacy Policy

**Effective date: January 1, 2026 Last updated: April 5, 2026**

**A note on the personal information BrainPulse™ handles**

This Privacy Policy explains how CohenHallowell collects, uses, discloses, and protects personal information through the BrainPulse™ platform. Because the Service supports neurodivergent learners and is used by children, families, and schools, it may involve sensitive information, children’s information, and education records, each of which we treat with particular care and additional safeguards as described below.

## 1. Introduction and scope

**1.1 Scope.** This Privacy Policy applies to personal information we handle when you use the BrainPulse™ platform, websites, and applications, and when you interact with us. It should be read together with the Terms and Conditions and the Cookie Policy.

**1.2 Frameworks.** We design our privacy practices to comply with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial laws (such as Quebec’s Law 25 and the personal-information protection acts of Alberta and British Columbia), and with applicable United States privacy laws, including the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”) as it applies to our school customers, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”), and other applicable state privacy and student-data-protection laws.

**1.3 Controller and processor roles.** For personal information about consumer users, CohenHallowell generally determines the purposes and means of processing. Where we process personal information on behalf of an Institutional Customer (for example, a school), we generally act as that customer’s service provider or processor under their instructions and under a separate agreement, and that customer’s own privacy notices also apply.

## 2. Who we are, accountability, and our Privacy Officer

**2.1 Identity.** The organisation responsible for your personal information is CohenHallowell Research Institute Inc., located at 2001 Blvd. Robert Bourassa, Suite 1700, Montreal, Quebec, H3A 2A6.

**2.2 Privacy Officer.** Consistent with PIPEDA, we have designated an individual accountable for our compliance. You may contact our Privacy Officer at legal@cohenhallowell.com. Quebec residents may also contact the person responsible for the protection of personal information at the same address.

**2.3 Accountability.** We are responsible for personal information under our control, including information transferred to service providers for processing, and we use contractual and other means to provide a comparable level of protection while it is processed on our behalf.

## 3. Information we collect

We collect the following categories of personal information, depending on how you use the Service.

### 3.1 Information you provide

- Account and profile information: name, email address, password, role (for example, learner, parent, educator, administrator), age or age band where required, and preferences.
- Billing information: billing name, address, and payment details. Card numbers are processed by our payment processor; we do not store full card numbers on our own systems.
- Uploaded materials: the study or course materials and other User Content you submit for transformation, which may contain personal information depending on what you upload.
- Learning configuration: the neurodivergence profile or profiles you select or are assigned, accessibility and display preferences, and onboarding-questionnaire responses where you choose to complete one.
- Communications: messages, support requests, feedback, and survey responses.

### 3.2 Information we collect automatically

- Usage data: sessions, features used, content nodes generated, Credits consumed, accuracy and progress metrics, time on task, and similar activity data.
- Device and technical data: IP address, device and browser type, operating system, identifiers, and diagnostic and performance data.
- Cookies and similar technologies: as described in the Cookie Policy.

### 3.3 Information from third parties

- From Institutional Customers: where a school, employer, or other organisation provisions your account, we may receive identifiers, roster information, and configuration data from them.
- From service providers: for example, payment-status information from our payment processor, or fraud-prevention signals.
- From integrations: where you connect a third-party platform such as a learning-management system, we may receive information you authorise that platform to share.

## 4. Sensitive information and neurodivergence profile data

**4.1 Sensitive nature.** Information indicating that a learner is associated with a neurodivergence profile, together with related learning-support preferences and onboarding responses, may be considered sensitive personal information. We treat such information with heightened care.

**4.2 Not a diagnosis.** A profile selection within the Service is a configuration choice used to adapt content; it is not a clinical diagnosis and we do not treat it as a medical record. We do not require you to disclose any diagnosis to use the Service.

**4.3 How we limit use.** We use neurodivergence-related and other sensitive information only to provide and personalise the learning experience, to operate and support the Service, and for the other purposes you have consented to or that Applicable Law permits. We do not use sensitive information to make decisions that produce legal or similarly significant effects about you, and we do not sell sensitive information.

**4.4 Consent for sensitive information.** Where Applicable Law requires consent for the collection or use of sensitive information, we obtain it, and for children this consent is obtained from a parent, guardian, or authorised school as described below.

## 5. How we collect information

We collect information directly from you when you register, configure your account, upload materials, communicate with us, or use features; automatically through your use of the Service and through cookies and similar technologies; and from third parties such as Institutional Customers, service providers, and integrations you authorise.

## 6. How and why we use information

We use personal information for the following purposes:

- to provide, operate, maintain, and secure the Service, including transforming your uploaded materials into adapted learning content;
- to personalise the learning experience to the selected neurodivergence profile and your preferences;
- to manage your account, process payments, and administer subscriptions, Credits, and institutional licences;
- to provide customer support and respond to your requests;
- to monitor, analyse, and improve the Service, develop new features, and conduct research and analytics (using de-identified or aggregated data wherever practicable);
- to detect, prevent, and address fraud, abuse, security incidents, and violations of our Terms, including enforcing fair-use limits;
- to send service and transactional communications, and, with consent where required, marketing communications;
- to comply with Applicable Law and respond to lawful requests; and
- to establish, exercise, or defend legal claims, and to carry out corporate transactions such as a merger or asset sale.

**6.1 De-identified and aggregated data.** We may create de-identified or aggregated data that does not identify you and use it for any lawful purpose, including improving the Service and reporting. We maintain de-identified data without attempting to re-identify it except as permitted by law to test our de-identification.

**6.2 Use of content to improve models.** We do not use the personal information in your uploaded materials or your Generated Content to train third parties’ general-purpose AI models. Where we use content to improve our own Service, we seek to use de-identified or aggregated data, and we describe and obtain any consent required by Applicable Law.

## 7. Consent and legal bases for processing

**7.1 Consent.** Under Canadian law, we rely on your consent (express or, where appropriate and permitted, implied) to collect, use, and disclose personal information, except where the law permits or requires us to do so without consent. The form of consent we seek reflects the sensitivity of the information; for sensitive information we seek express consent.

**7.2 Withdrawing consent.** Subject to legal and contractual restrictions and reasonable notice, you may withdraw consent at any time by contacting us; doing so may limit or end your ability to use some or all of the Service.

**7.3 Other bases.** Where other legal frameworks apply, we rely on the bases they recognise, such as performance of a contract with you, our legitimate interests in operating and improving the Service (balanced against your rights), and compliance with legal obligations.

## 8. Artificial intelligence and automated processing

**8.1 Automated transformation.** The core of the Service is an automated pipeline that analyses your uploaded material and generates adapted content using artificial-intelligence models, including third-party models for language processing and text-to-speech. This processing is necessary to provide the Service you request.

**8.2 No significant automated decisions about you.** We do not use automated processing to make decisions that produce legal or similarly significant effects about you (such as eligibility, pricing penalties, or assessment outcomes that determine real-world consequences) without appropriate human involvement or the safeguards required by Applicable Law.

**8.3 Subprocessors.** AI inference, text-to-speech, and image-matching functions involve service providers that process the content needed to perform those functions, under contractual confidentiality and security obligations. See the section on service providers.

**8.4 Accuracy.** Automated output may contain errors. We encourage you to review Generated Content, and you may contact us to correct inaccuracies in personal information we hold about you.

## 9. Children’s privacy

**How we handle children’s information**

We are committed to protecting children’s privacy. We do not knowingly collect personal information from a child under 13 in the United States (or under the equivalent minimum age in other jurisdictions) without verifiable parental consent or the authorisation of a school acting within the scope permitted by law.

**9.1 Parental consent.** Where a parent or guardian establishes an account for a child, we rely on that adult’s consent. Where a child uses the Service through a school, we rely on the school’s authority to consent on behalf of parents for educational purposes to the extent permitted by COPPA and applicable student-data laws.

**9.2 Limited collection.** We collect from children only the information reasonably necessary to provide the Service, and we do not condition a child’s participation on disclosing more than is reasonably necessary. We do not use children’s information for behavioural advertising and do not sell or share it for cross-context behavioural advertising.

**9.3 Parental rights.** A parent, guardian, or authorised school may review the child’s personal information, request its deletion, and refuse further collection or use, by contacting us. We may need to verify identity and authority before acting.

**9.4 Discovery of underage use.** If we learn that we have collected personal information from a child without the required consent, we will take reasonable steps to delete it promptly.

## 10. Students, schools, and education records

**10.1 School official role.** When we provide the Service to a school or district, we may handle student information that constitutes “education records” under FERPA. In that context, we act under the direct control of the educational institution and only for the authorised educational purpose, consistent with the FERPA “school official” exception and the institution’s instructions.

**10.2 Student data protections.** We handle student personal information consistent with applicable student-data-privacy laws (for example, California’s Student Online Personal Information Protection Act and similar state laws). We do not sell student personal information, do not use it to engage in targeted advertising to students, and do not create profiles of students except in furtherance of the school’s educational purposes.

**10.3 Retention and return.** On request or at the end of the relationship, we will, as directed by the school and subject to law, return or delete student personal information in accordance with our agreement with the institution.

**10.4 Canadian institutions.** For Canadian schools and post-secondary institutions, we handle student information consistent with applicable provincial privacy and education legislation and our agreement with the institution.

## 11. How and with whom we disclose information

We do not sell your personal information for money. We disclose personal information only as described here:

- Service providers and sub-processors: vendors who perform functions on our behalf (for example, hosting, AI inference, text-to-speech, image matching, payment processing, analytics, communications, and customer support), under contracts requiring confidentiality and appropriate safeguards and limiting their use to providing services to us.
- Institutional Customers: where you use the Service through an organisation, we may share relevant information with that organisation’s administrators.
- Integrations you authorise: where you connect a third-party platform, we share information as needed for that integration.
- Legal and safety: to comply with law, enforce our Terms, protect the rights, property, or safety of CohenHallowell, our users, or others, and respond to lawful requests by public authorities.
- Corporate transactions: in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate confidentiality and continued protection.
- With your consent or at your direction: for any other purpose disclosed to you at the time.

**11.1 No advertising sale.** We do not disclose your personal information to third parties for their own direct-marketing or cross-context behavioural advertising purposes, and in particular we do not do so for children or students.

## 12. Service providers and sub-processors

**12.1 Categories.** To operate the Service we rely on categories of providers including cloud hosting and storage, large-language-model inference, text-to-speech generation, licensed stock-image matching, payment processing, email and notification delivery, analytics, and security.

**12.2 Safeguards.** We require service providers to protect personal information with security and confidentiality measures comparable to ours and to use it only to provide services to us. We remain accountable for personal information transferred to them for processing.

## 13. Data retention

**13.1 Retention principle.** We retain personal information only as long as necessary to fulfil the purposes for which it was collected, to provide the Service, to comply with legal, accounting, or reporting obligations, to resolve disputes, and to enforce our agreements.

**13.2 Uploaded materials and outputs.** Uploaded materials and Generated Content are retained while your account is active and for a limited period afterwards, and cached transformation outputs may be retained to improve performance. You may delete content where the Service provides that functionality, after which residual copies may remain briefly in backups before being overwritten.

**13.3 Deletion.** When personal information is no longer required, we delete, anonymise, or securely destroy it in accordance with our retention schedule and Applicable Law. Specific retention periods are available on request.

## 14. How we protect information

**14.1 Safeguards.** We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorised access, use, disclosure, copying, or modification. These may include encryption in transit, access controls, content fingerprinting, logical separation, and monitoring.

**14.2 Your role.** No method of transmission or storage is completely secure. You are responsible for keeping your credentials confidential and for using up-to-date, secure devices.

## 15. International transfers and storage

**15.1 Cross-border processing.** Personal information may be stored and processed in Canada, the United States, and other countries where we or our service providers operate. Those countries may have data-protection laws different from those in your jurisdiction, and personal information may be subject to lawful access by courts, law enforcement, and authorities in those countries.

**15.2 Safeguards for transfers.** Where we transfer personal information across borders, we use contractual and other measures to provide a comparable level of protection. Quebec and certain other residents will be informed, where required, before personal information is transferred outside their jurisdiction, and we will conduct any assessment the law requires.

## 16. Your privacy rights and choices

Subject to Applicable Law and verification of your identity, you may have the following rights, which you can exercise by contacting us:

- Access: to ask whether we hold personal information about you and to obtain a copy of it.
- Correction: to ask us to correct inaccurate or incomplete personal information.
- Deletion: to ask us to delete personal information, subject to legal exceptions.
- Withdrawal of consent: to withdraw consent to processing, subject to legal and contractual limits.
- Portability: where the law provides, to receive certain personal information in a structured, commonly used format, or to have it transferred where technically feasible (including under Quebec’s data-portability right).
- Objection or restriction: to object to or restrict certain processing where the law provides.
- Information about automated processing: to obtain information about the use of automated processing where the law provides.

**16.1 How to exercise.** Contact our Privacy Officer using the details below. We will respond within the time required by Applicable Law. We may need to verify your identity and, for requests on behalf of a child, your authority. We will not discriminate against you for exercising your rights.

**16.2 Complaints to a regulator.** If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada, the relevant provincial regulator (such as the Commission d’accès à l’information du Québec), or the applicable authority in your jurisdiction.

## 17. Additional rights for California residents

**17.1 CCPA disclosures.** If you are a California resident, the CCPA provides additional rights regarding personal information we collect. In the past 12 months we have collected the categories of personal information described in the section on information we collect, for the purposes described in this Policy, from the sources described, and we disclose them to the categories of recipients described.

**17.2 No sale or sharing.** We do not sell personal information and do not share it for cross-context behavioural advertising as those terms are defined under the CCPA, and we do not knowingly do so for consumers under 16.

**17.3 Your CCPA rights.** California residents may request to know, access, correct, and delete personal information, and to limit the use of sensitive personal information, subject to exceptions. We use sensitive personal information only for permitted business purposes such as providing the Service. We will not discriminate against you for exercising these rights.

**17.4 Authorised agents and appeals.** You may use an authorised agent to submit requests, subject to verification. Where Applicable Law provides an appeal process, we will describe how to appeal a decision on your request.

## 18. Marketing communications, CASL, and CAN-SPAM

**18.1 Consent and opt-out.** We send commercial electronic messages only in accordance with Canada’s Anti-Spam Legislation (“CASL”) and the United States CAN-SPAM Act. Where required, we obtain consent before sending marketing messages, we identify ourselves, and we include an easy unsubscribe mechanism in each marketing message.

**18.2 Transactional messages.** We may always send you non-marketing service and transactional messages necessary to administer your account and the Service.

## 19. Cookies and similar technologies

We use cookies and similar technologies as described in our Cookie Policy, which forms part of this Privacy Policy. The Cookie Policy explains the categories of cookies we use and how you can manage your preferences.

## 20. Do Not Track and Global Privacy Control

Some browsers offer “Do Not Track” signals; there is no common industry standard for responding to them, and our response is described in the Cookie Policy. Where required by Applicable Law, we honour recognised opt-out preference signals such as the Global Privacy Control for applicable purposes.

## 21. Third-party links and services

The Service may link to or integrate with third-party sites and services that we do not control. This Privacy Policy does not apply to them, and we encourage you to review their privacy notices.

## 22. Data breaches and notification

We maintain procedures to detect, assess, and respond to security incidents. Where a breach of security safeguards creates a real risk of significant harm, or where Applicable Law otherwise requires, we will notify affected individuals and the relevant authorities (such as the Office of the Privacy Commissioner of Canada and applicable state authorities) within the timeframes required, and we will keep records of breaches as the law requires.

## 23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated Policy with a revised “last updated” date and, for material changes, provide additional notice where required by Applicable Law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy to the extent permitted by law; where the law requires fresh consent, we will obtain it.

## 24. How to contact us and make a complaint

To exercise your rights, ask questions, or make a complaint, contact our Privacy Officer at legal@cohenhallowell.com. We will acknowledge and respond within the time required by Applicable Law.