Privacy Policy

 

1. Purpose 

Aurora Cannabis Inc., Aurora Cannabis Enterprises Inc. and affiliated companies (the “Company”) are committed to safeguarding the Personal Information of our employees, patients, physicians, customers and other stakeholders (the “Users”).  This Privacy Policy describes the different types of Personal Information the Company handles and the Company’s privacy practices with respect to such Personal Information.  

While your Personal Information may be collected by a specific entity affiliated with Aurora Cannabis Inc., that information will be managed collectively with all data collected by each of the affiliated entities. Your Personal Information will be comingled with the information collected by other entities into a single aggregate database. For the purposes of this Privacy Policy, thcomingling of data collected by Aurora Cannabis Inc. and its affiliates shall not be deemed to be a disclosure of Personal Information to a third party. While your Personal Information may be transferred to affiliated entities, your Personal Information will at all times be held on the same conditions of confidentiality and with the same level of security consistent with this Policy. 

The primary purposes of this Privacy Policy are to: 

  1. explain what Personal Information we collect and why we collect it; 
  2. explain the choices you can make about how your information is collected and used; 
  3. explain how we use Personal Information that we collect; 
  4. implement methods to protect Personal Information; and 
  5. establish methods to receive and respond to complaints and inquiries. 

This Privacy Policy establishes the Company’s policies and procedures with respect to all Personal Information collected, used and disclosed by the Company.  This Privacy Policy applies to all employees of the Company, anyone that utilizes any of the services provided by the Company, and anyone that accesses any of the websites linked to this Privacy Policy and operated by the Company. 

The Company’s websites may contain links to third party websites, applications and services.  The information practices or the content of such other websites are governed by the privacy statements and policies of those websites.  The Company encourages you to review the privacy statements and policies of those websites to understand their information practices. 

Your privacy matters to the Company.  Please take the time to get to know our practices, and if you have any questions, contact our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772.  

2. What is Personal Information or Personal Data?  

Personal Information or Personal Data refers to any information about an identified or identifiable individual.  

The term “personal information” has the same meaning as set out in the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which means any information about an identifiable individual including contact information, name, address, phone number, email address, gender, date of birth, and any other data about yourself that you choose to provide electronically through the Website or otherwise, i.e. through the Patient Registration Application Form. 

The term “personal health information” has the same meaning as set out in Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and includes information relating to your physical or mental health, as well as your health history, medical records, prescriptions and your health card number. 

For the purposes of this Privacy Policy, the term “personal information” also encompasses “personal health information” where applicable.  

Any data that has been collected in which all personal identifiers have been removed, such that the information could not reasonably be used to identify the individual, is not considered personal information or personal health information.  This type of anonymized information may be used for research purposes. 

We may use or disclose your collected personal information without your knowledge or further consent in limited circumstances where we are required to do so by law.  In certain limited circumstances, we may be required to release your personal information in response to a court order, subpoena, search warrant, law or regulation.  We will cooperate in responding to such requests, taking appropriate measures to ensure that the requester understands the sensitive nature of the personal information they may receive.

3. How do we obtain your consent to collect your Personal Information?  

By using this website or by otherwise providing personal information to the Company, you agree to this Privacy Policy and that we may collect, use and disclose your personal information in accordance with it.  You may withdraw your consent at any time in writing.  Please contact our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772 to find out how to withdraw your consent.  We will obtain your consent before collecting, using or disclosing your personal information for new purposes unrelated to the purposes described in this Privacy Policy.   

Typically, we will seek your consent at the time we collect your personal information.  Your consent may be implied, deemed (using an opt-out mechanism) or express.  Implied consent can be reasonably inferred from your action (e.g. entering into an agreement with us or providing payment) or inaction.  Express consent can be given orally, electronically or in writing. 

The Company will most often collect personal information directly from you.  In cases where personal information is held by a third party, we will obtain your consent before seeking this information.  In some cases, consent may be implied by your actions.  Where we obtain your personal information directly from a third party, we will take reasonable steps to ensure that the third party has represented to us that it has the right to disclose your personal information to us. 

Personal data collected on this website may also be combined with information you provide us through other sources such as other Company websites, product registration, call centres, or in conjunction with events such as trade shows, training seminars and conferences.  Information that you supply will relate to the relationship that the Company has with you or your organization.  

4. What Personal Information do we collect?  

The Company only collects the amount and type of Personal Information that is necessary for the purposes for which the Personal Information is collected.  What follows is the type of Personal Information that we may collect, depending on your relationship with the Company and how you use our services.  

a. Personal Information of Employees 

The following list includes, but is not limited to, the Personal Information that may be collected by the Company respecting employees: 

  • contact information, including name, home address, telephone number, email address; 
  • criminal background check(s); 
  • employment information, including resume (which may include educational background, work history, and references), reference information and interview notes, letters of offer and acceptance of employment, policy acknowledgment forms, background verification information, workplace performance evaluations, emergency contacts; 
  • benefit information, including forms relating to applications or changes to health and insurance benefits including medical and dental care, life insurance, short and long- term disability; and 
  • financial information, including pay cheque deposit information and tax-related information, and Social Insurance Number or other required government issued identification.  

b. Personal Information of Patients 

The following list includes the type of Personal Information that may be collected respecting users that register with the Company as patients (“Patients”) and utilize the Company’s services for medical cannabis in accordance with the Cannabis Act and its regulations (the “Legislation”): 

  • name, date of birth, gender, home address, telephone number, email address; 
  • credit card or other financial information; 
  • health care information, including health card number, any relevant diagnosis or primary condition, information respecting the health care services provided to you, and information about your health status; 
  • insurance coverage and payment information, if applicable; 
  • information in connection with the products or services you inquire about or purchase from us; and 
  • usage data respecting use of the Company’s website(s) through the website(s) (or through third-party services employed by the website(s)) which can include the IP addresses or domain names of the computers utilized by the User; the URL addresses; the time of the request; the method utilized to submit the request to the server; the size of the file received in response; the numerical code indicating the status of the server's answer (successful outcome, error, etc.); the country of origin; the features of the browser and the operating system utilized by the User; the various time details per visit (e.g., the time spent on each page within the website(s)); and the details about the path followed within the website(s) with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment. 

c. Personal Information of Physicians 

The following list includes the type of Personal Information that may be collected respecting individuals that register with the Company as physicians that prescribe medical cannabis (“Physicians”): 

  • contact information, including name, email address, and phone number; and 
  • usage data respecting use of the Company’s website(s) through the website(s) (or through third-party services employed by the website(s) which can include the IP addresses or domain names of the computers utilized by the User; the URL addresses; the time of the request; the method utilized to submit the request to the server; the size of the file received in response; the numerical code indicating the status of the server's answer (successful outcome, error, etc.); the country of origin; the features of the browser and the operating system utilized by the User; the various time details per visit (e.g., the time spent on each page within the website(s)); and the details about the path followed within the website(s) with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment. 

d. Personal Information of All Users (Including Patients and Physicians)  

The following list includes the type of Personal Information that may be collected from users that utilize services provided by the Company, which may include a Patient or Physician (“Users”): 

  • contact information, including name, date of birth, gender, home address, telephone number, email address; 
  • credit card or other financial information; 
  • usage data respecting use of the Company’s website(s) through the website(s) (or through third-party services employed by the website(s)) which can include the IP addresses or domain names of the computers utilized by the Users; the URL addresses; the time of the request; the method utilized to submit the request to the server; the size of the file received in response; the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the website(s)) and the details about the path followed within the website(s) with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment; and 
  • other information as necessary to maintain our business relationship with you, such as information related to your preferences, feedback and information requested or provided by you. 

Unless specified otherwise, all Personal Information requested by the Company is mandatory in order for the Company to provide its services to the User.  As such, failure to provide this Personal Information may affect the ability for a User to utilize the Company’s services.  In cases where we have stated that the Personal Information is not mandatory to utilize the service, Users are free to not communicate this Personal Information without any impact on the User’s ability to use the Company’s services.  Any questions respecting what information is mandatory can be directed to our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772.  

The Company may also collect Personal Information for the purpose of evaluating market trends and other activities relating to our business.  To provide you with timely, valuable information, we may also ask you to provide us with information regarding your professional interests and experiences with our products or services.  Providing us with this information is optional. 

5. How do we use your Personal Information? 

We collect your Personal Information to operate, maintain, enhance and provide all features of the Company’s services to send you marketing communications, to respond to comments and questions, to provide support to Users of the Company’s services and, from time to time, in medical and academic research.  We use information collected from cookies and other technologies to improve your experience and the overall quality of our services and website. 

What is a Cookie? 

Cookies are small amounts of text or software code, which is often a unique and anonymous identifier that is stored on your computer and only with your permission. Cookies help facilitate your experience on the Sites by updating things like your date and time of visit and general interaction on the Sites. 

(Still not sure what Cookies are? click here) 

How do I consent to or block Cookies? 

When you access Aurora’s Sites you will be asked to consent to Aurora’s use of the Cookies described in this Cookie Policy. 

If you wish to block Cookies you may activate the relevant settings in your browser. If you are unsure how to do this please visit here. 

Should you not consent to Aurora’s use of Cookies you may find that the Sites may not work as intended or your access of the Sites is limited. 

What Cookies does Aurora Use? 

  • _ga 
  • _gat_<Tracking ID> 
  • _gat_gtag_<Tracking ID> 
  • _gid 

These cookies are used to distinguish users and expedite user experience on the Sites. The information from these Cookies is only stored as long as necessary and not longer than 30 days. 

You will be notified of one or more specific purposes of collection at the time of providing your Personal Information, and asked for your consent to the collection and use of your Personal Information for those purposes.  If your Personal Information is to be utilized for any purpose besides that outlined at the time of collection, you will be notified of that new purpose and asked for consent prior to the Company using your Personal Information for that new purpose, except as otherwise permitted by the applicable legislation and this Privacy Policy.   

For example, when a User registers as a Patient with the Company, the Company collects and retains Personal Information such as the individual’s name and contact information. The Company will use this information to:  

  • confirm the individual’s registration status and to maintain the individual’s account; 
  • fill orders made online and provide other information requested by you; 
  • establish, maintain and manage our relationship with you so we can provide you with products and services as requested and in line with your needs and preferences; 
  • distribute medical cannabis to you; 
  • provide you with information about our products and services, including the latest news on Company activities and initiatives, information about new products and services, product updates, technical support issues, events and special offers; 
  • recommend products, services or programs on our Website(s) by providing customized content on our Website(s) or otherwise; 
  • obtain and process payments for medical cannabis dispensed to you, which includes providing necessary information to our third party service providers (please see Third Party Service Providers section below); 
  • seek reimbursement from your insurer; 
  • enable us to comply with applicable laws and specifically the requirements of the federal Cannabis Act and Regulations. 

At the time of collection, the Company will document the purposes for which the information was collected.  Upon request, the Company will explain the purposes for which the information is being collected, or refer the User requesting the purposes to a designated person within the Company who will explain the purposes of collection.  

6. How do we collect your Personal Information? 

We collect information in the following ways: 

  1. Information you give us:  Some of our services require you to sign up for an account.  When you do, we will ask for Personal Information, including your name, birth date, email addressphone number and other applicable information to create your account.  Some of our services will also require you to provide us with your Personal Information in order to obtain a product or receive information from us, such as newsletters or other email messages containing information of a commercial or promotional nature. 
  2. Information from Physicians about Patients: If you are registered as a Patient with the Company, your Personal Information, including your name, date of birth, gender, email address, phone number and health information may be collected directly from a Physician who provides the Company with a complete Medical Document on your behalf.  This information will not be collected from your Physician without your consent. 
  3. Cookies and similar technologies:  The Company uses cookies or other tracking tools to provide services required by the User, if consented to by the User.
  4. Google Analytics:  Google Analytics is a web analysis service provided by Google Inc. (“Google”) that is used on the Company’s website(s).  Google utilizes the data collected to track and examine the use of the Company’s website(s), to prepare reports on the Company’s website(s) activities and to provide the Company with other services related to website and Internet use.  Google may use the data collected to contextualize and personalize the advertisements of its own advertising network. 
  5. Google Analytics processes information in the USA.  The Personal Information collected by Google includes cookies and usage data.  We encourage you to review the Privacy Policy for Google Analytics if you would like any further details regarding how they process Personal Information.    
  1. Who has access to your Personal Information within the Company? 

Only those employees and contracted individuals of the Company who require access for business reasons or whose duties reasonably so require shall be granted access to Personal Information about Users. 

  1. Disclosure of your Personal Information Outside of the Company 

The Company may disclose your Personal Information with third party companies, organizations and individuals outside of the Company if: 

  1. You have provided your consent:  We will share Personal Information with companies, organizations or individuals outside of the Company when we have your consent to do so.
  2. For external data processing: We may provide Personal Information to certain third party agents or service providers to process for us, in order to carry out the requested services or as necessary for otherwise lawfully processing Personal Information.  For example, the Company may share your Personal Information with payment processors so that these payment processors can provide services on our behalf.  The Company shall ensure that any such parties accessing Personal Information do so in compliance with our Privacy Policy and any other appropriate confidentiality and security measures to reasonably ensure the protection of Personal Information. 
  3. To comply with a legal obligation: The Company may disclose Personal Information if required to do so pursuant to any applicable law, regulation, legal process or enforceable governmental request.  For example, it may be necessary for the Company to disclose Personal Information to law enforcement officials, regulatory bodies, or government agencies for the purposes of investigating or preventing drug, fraud, or other offences as may be required or permitted by applicable laws.  Additionally, under the Legislation and other applicable laws, the Company may be required to disclose some of a User’s Personal Information to government officials, law enforcement personnel, or competent authorities of foreign governments. This information includes:
    1. an individual’s given name, surname, date of birth and gender;  
    2. contact information including the individual’s mailing address, phone number, and email address; 
    3. the given name, surname, date of birth and gender of one or more persons who are responsible for the individual, as well as contact information for such persons; 
    4. a valid prescription or other medical document issued by an authorized medical practitioner;  
    5. the given name, surname, professional status and address of the health care practitioner who issued a prescription or other medical document on behalf of the Individual;  
    6. if applicable, the consent of the health care practitioner to receive shipments on the individual’s behalf; order details about the product sold or provided, including the quantity ordered; and the address to which the product is to be shipped. 
    7. For Legal Reasons: The Company may also disclose Personal Information to establish or exercise our legal rights or defend against legal claims or in connection with an emergency that warrants use or disclosure of the information. 
    8. For Purposes of Contracts: The Company may disclose Personal Information for executing a contract to which a User is part or to take steps at the request of the User prior to entering into a contract. 
    9. For other reasons authorized by law:  We will share Personal Information with companies, organizations or individuals outside of the Company if disclosure of the information is reasonably necessary for other reasons authorized by law. 

      We may share non-personally identifiable (anonymized) information publicly and with our partners.  For example, we may share anonymized information publicly to show trends about the general use of our services. 

      The Company shall not otherwise disclose Personal Information to third parties for commercial or other reasons, except as may be specifically required to comply with applicable laws or where you have provided your consent. 

      In any case, the Company will gladly help to clarify the specific legal basis that applies to the disclosure of Personal Information, and in particular whether the provision of Personal Information is a statutory or contractual requirement or a requirement necessary to enter into a contract.  

      9. How is your Personal Information secured?  

      The Company is committed to protecting the confidentially and security of all Personal Information against loss and unauthorized access, disclosure, modification or destruction, and therefore has security safeguards appropriate to the sensitivity level of the information in place.

      The Company will ensure that all employees and third party service providers with access to information of individuals shall be required as a condition of employment or provision of services to respect the confidentiality of such information and that all employees and third party service providers are aware of the importance of maintaining the confidentiality of such information as part of training requirements.   

      10. Your rights respecting your Personal Information 

      Users may exercise certain rights regarding their Personal Information processed by the Company.  In particular, Users have a right to: 

      a. Withdraw their consent at any time:  Users have the right to withdraw consent where they have previously given their consent to the collection, use, disclosure or other processing of their Personal Information.  Users may withdraw their consent by contacting our Privacy Officer at privacy@auroramj.com.

      b. Access their Personal Information:  Individuals are entitled, with certain legal restrictions, to access and review their Personal Information held by the Company.  The Company will make the following information available upon request: 

      • The name or title, and the address of the person accountable for the Company’s policies and practices and to whom complaints or inquiries can be forwarded; 
      • The means of gaining access to Personal Information held by the Company;  
      • A general description of the type of Personal Information held by the Company, including a general account of its use; 
      • A copy of any information available explaining the Company’s policies, standards or codes; and 
      • What Personal Information is made available to related organizations.

      The Company reserves the right to refuse to provide access to Personal Information in circumstances during which the Company is permitted by law to refuse access, including where providing access would reveal Personal Information about a third party, if the release of the Personal Information could affect the security of an individual, or if the Personal Information is subject to privilege. 

      Requests for access to Personal Information should be made to our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772. 

      c. Request Corrections to Personal Information:  Accurate Personal Information is required for efficient and effective delivery of product and services. Individuals may contact our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772 to modify or correct any Personal Information. Corrections will be made within a reasonable timeframe. 

      d. Object to Processing of their Personal Information:  Users have the right to object to the processing of their Personal Information or Personal Data in certain circumstances where Personal Information is being processed on a basis other than consent.  In particular, Users can object to processing of their Personal Information for purposes of direct marketing at any time. 

      e. Restrict the processing of their Personal Information:  Users have the right, under certain circumstances, to restrict the collection, use, disclosure or other processing of their Personal Information, meaning Users can limit how the Company uses their Personal Information or Personal Data. 

      f. Have their Personal Information deleted or otherwise removed:  Users have the right, under certain circumstances, to obtain the erasure of their Personal Information or Personal Data from the Company.  If required to erase Personal Information or Personal Data, the Company will do so without delay. 

      g. Have their Personal Information transferred to another Controller:  Users have the right to receive their Personal Information or Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another Controller (as defined in GDPR) without any hindrance, under certain circumstances. 

      h. Lodge a complaint: Users have the right to bring a claim before their competent data protection authority. 

      Any requests to exercise User rights can be directed to the Company through the contact details provided in this Privacy Policy. These requests can be exercised free of charge and will be addressed by the Company as early as possible.  

      11. How can you contact us? 

      If you have questions about our Privacy Policy or have a concern or complaint about privacy, confidentiality, or our information handling practices; please contact our Privacy Officer at privacy@auroramj.com or by phone toll free at 1 833 287-0772 for more information.  

      The Company shall maintain procedures for receiving and responding to complaints or inquiries about policies and practices relating to the handling of Personal Information. 

      The Company shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. 

      The Company shall investigate all complaints made through the proper complaint procedure.  Where complaints are justified, the Company will take the necessary steps to remedy the contravention. 

      The individual(s) appointed by the Company as responsible for compliance with this Privacy Policy shall investigate all complaints concerning compliance.  The individual(s) appointed as responsible for compliance may seek external advice where appropriate prior to providing a final response to individual complaints. 

      12. Do we transfer the data internationally? 

      If you are utilizing services or visiting the Company’s website(s) from outside of Canada please be aware that you may be sending information (including Personal Information) to Canada where our servers are located.  That information may then be transferred within Canada or back out of Canada to other countries outside your country of residence, depending on the type of information and how it is stored by us.  These countries may not necessarily have data protection laws as comprehensive or protective as those in your country of residence; however, our collection, use and disclosure of your Personal Information will at all times continue to be governed by this Privacy Policy. 

      13. How Long is Your Personal Data Retained? 

      Personal Information and Personal Data shall be stored for as long as required by the purpose for which it has been collected, used or disclosed. 

      Personal Information or Personal Data which the Company no longer needs to retain shall be destroyed, erased or made anonymous in a secure manner in accordance with the Company’s policies respecting the destruction of records.  The Company shall use care in the disposal or destruction of information so as to prevent unauthorized parties from gaining access to the information.  The right to access, the right to erasure, the right to rectification and the right to portability cannot be enforced after the information has been destroyed.  

      14. Changes to this Privacy Policy 

      If we make a change to this Privacy Policy, we will provide you with notice (for example, by email, a sign-in notification, or some other means) prior to the change becoming effective.  Should the changes affect processing activities performed on the basis of the User’s consent, the Company shall collect new consent from the User, where required.