Privacy Policy

ARCH PGOL TECHNOLOGIES INC. (“PGOL”, “we”, “us” or “our”) is a corporation incorporated pursuant to the Ontario Business Corporations Act. PGOL operates a dental lab management platform (the “Platform”) that enables dental laboratories to manage the full case lifecycle, including prescription intake, case tracking, production management, quality control, shipping, billing, and client communication. The Platform is accessible at app.archforlabs.com, and various subdomains. PGOL also operates a website at www.archforlabs.com (the “Website”) which provides general information about PGOL and the Platform. Further to our Terms of Use, available at www.archforlabs.com/terms (the “Terms”) and the Enterprise Subscription Agreement entered into between PGOL and the organization that subscribes to the Platform on behalf of end-users (the “Enterprise Agreement”), this Privacy Policy sets out how we collect, store, use, and disclose personal information, personal health information, and other data in connection with the Platform and the Website. Unless otherwise indicated, any capitalized terms in this Privacy Policy have the same meaning attributed to them in our Terms or Enterprise Agreement.

By agreeing to our Terms, or by accessing or using the Platform or Website, you consent to the collection, use, and disclosure of personal information and health data in accordance with this Privacy Policy. Your organization’s Enterprise Agreement may contain additional terms governing PGOL’s handling of data, and in the event of a conflict between this Privacy Policy and the Enterprise Agreement, the Enterprise Agreement shall prevail.

As the Platform and Website continue to evolve, we may, at any time, revise this Privacy Policy by updating this page. The date of the last version of this Privacy Policy is posted above. We will provide you with no less than thirty (30) days’ prior written notice of any material amendments to this Privacy Policy by sending an email to the address associated with your account and/or by displaying a prominent notice within the Platform. Material amendments include, without limitation, changes to the types of personal information collected, the purposes for which personal information is used or disclosed, data handling practices, third-party sharing arrangements, or any other provision that materially affects your privacy rights or obligations under this Privacy Policy. Non-material amendments (such as corrections of typographical errors or minor clarifications that do not affect your rights or obligations) may be made by updating this page without prior notice. Where a material amendment requires your affirmative acceptance, we may present you with an in-Platform prompt requiring you to review and accept the updated Privacy Policy before continuing to use the Platform. Your continued use of the Platform or Website following the effective date of any other amendment constitutes your acceptance of the amended Privacy Policy. If you do not agree with a material amendment, you may terminate your account within the thirty (30) day notice period without penalty. For clarity, termination of your individual account does not terminate any Enterprise Agreement between PGOL and your organization, and your organization’s obligations under the Enterprise Agreement shall continue in accordance with its terms.

Visitors to the Website are not required to create an account or provide any personal information. However, if you visit the Website without signing in to the Platform, we may still collect certain information automatically, such as your IP address, browser type, referring URL, pages visited and session duration, through the use of cookies and similar technologies as described in Part IV below. If you voluntarily provide personal information through the Website (for example, by completing a contact form or sending us an email), you consent to our collection and use of that information in accordance with this Privacy Policy.

For the purposes of this Privacy Policy, the following terms have the meanings set out below: “Derived Data” means any de-identified, aggregated, anonymized or otherwise non-personally-identifiable data derived from personal information, Health Data or other data collected through the Platform; “Health Data” means personal health information as defined under the Personal Health Information Protection Act, 2004 (Ontario), S.O. 2004, c. 3, Sched. A (“PHIPA”) and personal information relating to health as governed by the Personal Information Protection and Electronic Documents Act (Canada), S.C. 2000, c. 5 (“PIPEDA”); “AI Features” means the artificial intelligence and machine learning features available on the Platform, including automated prescription reading, case routing, quality control evaluation and remake pattern detection; “AI Service Providers” means third-party artificial intelligence service providers engaged by PGOL (or you or your enterprise directly) in connection with the provision of AI Features; and “Platform Infrastructure Providers” means third-party providers of hosting, cloud computing, database management and content delivery services engaged and managed by PGOL in the ordinary course of operating the Platform and the Website.

If you believe that we have not adhered to this Privacy Policy or would like to request an amendment to personal information being held by us, please contact our Privacy Officer by e-mail sent to privacy@archforlabs.com.

PART I: COLLECTION OF PERSONAL INFORMATION

The Personal Information of Other Individuals

To the extent you (or your organization’s end users) provide us with, or upload data to the Platform that includes the personal information or Health Data of another individual, including patient information associated with dental cases, you represent and warrant that you (or your organization) have obtained all necessary consents and authorizations required by applicable law to provide us with such information and to permit our use of it in accordance with this Privacy Policy, the Terms and the Enterprise Agreement, including for the purposes of de-identification, aggregation, generation of Derived Data, and training and improvement of AI Features. If the required consents and authorizations have not been obtained, you agree not to upload or provide us with any such information.

In certain cases, the Platform may be accessed by end users who are not employees of the subscribing dental laboratory but are instead dental professionals (such as dentists or their staff) who access the Platform under the laboratory’s subscription to submit cases, upload prescriptions and scans, and track case status. Where such end users upload or input personal information or Health Data to the Platform, that information is collected and processed by PGOL in accordance with this Privacy Policy, the Terms and the Enterprise Agreement between PGOL and the subscribing laboratory. If you are a dental professional or other health information custodian accessing the Platform as an end user, you are solely responsible for ensuring that you have an appropriate legal basis under applicable privacy legislation, including PHIPA, to disclose personal health information through the Platform. PGOL does not independently verify whether such end users have obtained the necessary consents or authorizations required by applicable law.

To establish an account with us or use our Platform, we may collect the following personal information:

• Full name;
• Business name(s);
• Mailing address;
• Billing Address;
• Email address;
• Phone number;
• Banking and/or credit card information;
• Comments, feedback, reviews and other information you upload or provide to the Website and Platform;
• IP address and associated location data, including geo-location data;
• Website statistics and analytics data regarding your use of the Website and Platform;
• Other types of raw data relating to how you interact with the Website and Platform, for example, your browser information and session duration;
• Profile photos (where you elect to upload them);
• All other information you provide on or through the Platform and Website, including but not limited to dental case data, including prescriptions, case types, specifications, digital impressions and scan files received via integrated scanner systems (such as 3Shape and iTero), patient names and identifiers associated with dental cases, to the extent provided by you or your organization, production data, including case routing, quality control results, technician assignments, and turnaround metrics, data generated by or in connection with your use of AI Features on the Platform.

Payment Processing

We may also collect credit card and payment information from you via a third-party payment processor. As of the last date this Privacy Policy was updated, we use Stripe, Inc. and its affiliates, with their privacy policy available at https://stripe.com/en-ca/privacy.

Although we may display or link to their forms on our Website or Platform, when you provide your payment details in connection with a subscription to our Platform, you are providing them to the applicable payment processor. You acknowledge that our third-party payment processors may have their own agreements which apply to you. While we will not have access to your entire credit card number, we will be able to bill your credit card and may have access to certain card and payment details such as the name on your card, billing address and card expiration date. If you have questions regarding our payment processor, please contact us.

PART II: THE USE OF PERSONAL INFORMATION

We do not sell personal information or personal health information to third parties. However, we may use personal information and personal health information to:

• Facilitate the operation of the Website and Platform, including sharing or providing access to personal information to Third-Party Providers, see below for details;
• Bill and collect money owed to us;
• Verify your contact information;
• Provide user support or to support and improve our Website and Platform;
• Communicate with you about your account or the Platform and related services;
• Send or display informational and promotional materials and communications from us to you. You may unsubscribe from such communications at any time;
• Pursue available legal remedies to us and to prosecute or defend a court, arbitration or similar proceeding;
• Meet legal requirements or seek legal advice from a lawyer in connection with your use of our Website and Platform;
• De-identify, aggregate and anonymize data to generate Derived Data, which PGOL may use for any lawful business purpose, as further described in the Enterprise Agreement;
• Train, improve and operate AI Features on the Platform, including automated prescription reading, case routing, quality control evaluation and remake pattern detection;
• Provide data to third-party AI service providers engaged by PGOL to power AI Features, subject to the terms of this Privacy Policy and the Enterprise Agreement; and
• To enforce compliance with our Terms and applicable laws, rules and regulations.

PART III: THE DISCLOSURE OF PERSONAL INFORMATION

Sharing Personal Information and Content if Required by Law

We may share personal information and any content collected, uploaded or provided to us if required by law, such as in response to a subpoena, court order or other legal process in any jurisdiction. If we are required by law to make any disclosure of your personal information or content, we may, but are not obligated to, provide you with written notice of such disclosure, if permitted by law.

Sharing Personal Information to Cooperate with Investigations and Law Enforcement

Absent a court order, subpoena or other legal requirement to disclose personal information or content in our possession or control, you agree that we may also share personal information and content you upload or which is associated with your account to cooperate with law enforcement authorities in the investigation of any criminal matter if we reasonably believe doing so is necessary or beneficial in protecting your safety, or the safety of any third party.

Sharing Personal Information with Third-Party Providers

Our suppliers, partners, independent contractors (collectively “Third-Party Providers”) and/or employees, may have access to, or be shared personal information to use in connection with one or more of the purposes for which the information was collected.

Our Third-Party Providers may have access to personal information in providing services to us, or providing you with access to the Website and Platform. We may use a variety of Third-Party Providers in order to host our Website and Platform and facilitate their ordinary use, including for example, hosting servers which store personal information.

As of the last revision date of this Privacy Policy, among others, we use the following Third-Party Providers (and/or their affiliated or related entities) who may have access to, or store your personal information, by virtue of our use of their services:

• Vercel Inc. (application hosting) — https://vercel.com/legal/privacy-policy;
• Supabase, Inc. (database, authentication and file storage) — https://supabase.com/privacy;
• Amazon Web Services, Inc. (AI inference via AWS Bedrock, email via Amazon SES) — https://aws.amazon.com/privacy/;
• Pinecone Systems, Inc. (vector search and AI infrastructure) — https://www.pinecone.io/privacy/;
• Inngest, Inc. (background job processing) — https://www.inngest.com/privacy;
• Twilio Inc. (SMS communications) — https://www.twilio.com/legal/privacy;
• Functional Software, Inc. d/b/a Sentry (error tracking) — https://sentry.io/privacy/;
• PostHog, Inc. (product analytics and session replay) — https://posthog.com/privacy;
• Axiom, Inc. (log management) — https://axiom.co/privacy;
• 3Shape A/S (digital impression scanner integration) — https://www.3shape.com/en/privacy-policy;
• Anthropic, PBC (AI model provider accessed via AWS Bedrock) — https://www.anthropic.com/privacy;
• Align Technology, Inc. d/b/a iTero (digital impression scanner integration) — https://www.aligntech.com/privacy_policy;
• Simpler Postage, Inc. (d/b/a EasyPost) (shipping label generation and tracking) — https://www.easypost.com/privacy;
• Intuit Inc. d/b/a QuickBooks Online (accounting integration) — https://www.intuit.com/privacy/;
• Xero Limited (accounting integration) — https://www.xero.com/legal/privacy/.

We may update the above list of Third-Party Providers from time to time as our Website and Platform continue to evolve. Third-Party Providers may have their own agreements and privacy policies on the collection and use of personal information which either we or you provide them.

Data Residency and Cross-Border Transfers

The Platform is hosted on servers that may be located in Canada and the United States. Personal information and Health Data may be processed and stored in jurisdictions outside of your province or country of residence, including the United States. By using the Platform, you acknowledge and consent to the transfer of your personal information and Health Data to jurisdictions outside of Canada, including to our Platform Infrastructure Providers and AI Service Providers, which may have servers in the United States or other jurisdictions. PGOL takes reasonable measures to ensure that your personal information and Health Data receive an equivalent level of protection regardless of where they are processed or stored. If you have questions about our data storage practices, please contact our Privacy Officer.

As of the date of this Privacy Policy, the Platform is designed for use by dental laboratories operating in Canada and the United States. Our data collection and processing practices were not designed to meet the requirements of the General Data Protection Regulation of the European Union (“GDPR”). If you are located in the European Economic Area, you should not use the Platform or provide us with personal information unless you have confirmed with your organization that such use is permissible.

Sharing Personal Information if Our Business, Website or Platform is Acquired

We may share personal information with our successors (if our business, the Website or Platform is acquired by another legal entity) or any assignee of our assets relating to the Website and Platform. Disclosure in such circumstances is governed by PIPEDA.

Security Safeguards

PGOL implements security safeguards appropriate to the sensitivity of the personal information and Health Data in its custody or control. These safeguards include encryption of data in transit and at rest, role-based access controls that limit access to personal information and Health Data to authorized personnel on a need-to-know basis, audit logging and monitoring of access to systems that store personal information and Health Data, secure authentication mechanisms including multi-factor authentication for administrative access, and regular review of security practices and procedures. While no method of electronic storage or transmission is completely secure, PGOL is committed to protecting your personal information and Health Data using commercially reasonable and industry-standard measures. If you have questions about the security of your personal information, please contact our Privacy Officer.

Retention of Your Personal Information

We keep your personal information and Health Data for as long as it is required for the purpose for which it was collected. There is no single retention period applicable to the various types of personal information or Health Data collected. Please contact us if you would like to delete any personal information we hold about you following the termination of your account or your use of the Platform. Enterprise organizations that are party to an Enterprise Agreement are responsible for maintaining their own privacy policies governing the personal information and Health Data of their patients and other persons that they collect and store in connection with the Platform, including policies on the retention of such information.

PART IV: Our Use of Cookies

By using our Website and Platform, you consent to our use of cookies. This cookies policy explains what cookies are, how we use them, and how Third-Party Providers may also use cookies on, or in connection with our Website and Platform.

What are Cookies?

Cookies are small text files sent to and automatically downloaded by your web browser (assuming you have cookies enabled) when you visit our Website or Platform. A cookie file is stored in your web browser and allows our Website and Third-Party Providers we use to recognize you, track your activity across this and other websites and is usually used in conjunction with logging your internet protocol (“IP”) address.

Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your computer (in your browser files) or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.

Can you block the use of Cookies?

Most web browsers allow you to disable the use of cookies. However, our Website and Platform or certain components of each may not operate properly, and you may not be able to access and use our Website or Platform if you disable cookies.

Can you delete Cookies once downloaded?

Most web browsers also permit you to delete cookies. This is typically done via your web browser’s settings, which vary depending on which web browser you use.

How we use Cookies

Our use of cookies is primarily to analyze how you use our Website and Platform, for instance which pages you visit most often and where you found our Website or Platform online. This helps us better understand your user experience and other statistics which we may use to provide a better user experience. We use PostHog, Inc. for product analytics and session replay. For more information on how PostHog uses cookies, see PostHog’s privacy policy at https://posthog.com/privacy.

We, or Third-Party Providers we use to enable cookies, may also use cookies on our Website to:

• Remembering choices you have made on the Website, such as your language of preference or region;
• Remembering your username;
• Authenticating your identity and maintaining your session when you are signed in to the Platform;
• Protecting the security of your account and our Platform;
• Collecting analytics data through PostHog, Inc., including page views, session recordings, feature usage and performance metrics, to help us improve the Platform.

PART V: YOUR PRIVACY RIGHTS AND HOW TO CONTACT US

Privacy Officer

PGOL has designated a Privacy Officer who is responsible for overseeing compliance with this Privacy Policy and applicable privacy legislation. You may contact our Privacy Officer by email at privacy@archforlabs.com or by mail at: ARCH PGOL TECHNOLOGIES INC., Attn: Privacy Officer, 320 Bay Street, Suite 101, Toronto, ON M5H 4A6.

Your Rights

Subject to applicable law, you have the right to: (a) request access to the personal information we hold about you; (b) request correction of any personal information that is inaccurate or incomplete; (c) withdraw your consent to the collection, use or disclosure of your personal information, subject to legal or contractual restrictions (noting that withdrawal of consent may affect your ability to use the Platform); and (d) request deletion of your personal information, subject to any legal obligations that require us to retain it. To exercise any of these rights, please contact our Privacy Officer using the contact information provided above.

Complaints

If you are not satisfied with our response to a privacy-related inquiry or complaint, you have the right to file a complaint with the applicable privacy regulator. For matters governed by PIPEDA, you may contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca). For matters governed by PHIPA or other Ontario privacy legislation, you may contact the Information and Privacy Commissioner of Ontario (www.ipc.on.ca). We encourage you to contact our Privacy Officer first so that we have an opportunity to address your concern directly.