Alan - Privacy Policy

In the course of its activity as a health insurer and as a health management services provider, Alan is required to process sensitive personal data. We attach the utmost importance to the security and confidentiality of the data of Alan's services’ users, whether on the alan.com website or on the mobile application made available to them.

The purpose of this privacy policy is to help you understand how we treat the personal data you provide us with, in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and, where applicable, provincial privacy laws.

This privacy policy may be updated regularly, to enrich it, according to Alan's needs, circumstances or if required by law. We therefore invite you to check for updates on a regular basis, although we will always notify you of any significant changes affecting the way your data is processed.

Version dated February 18th 2026

Above all, we have set ourselves two key principles which are also included in our contracts:

• Alan will never sell the data collected about its members in connection with the services offered. We make our living by building and managing insurance products and services around health, not by reselling our users' data. Users remain in control of their data.
• As a health insurer, Alan will never use health data to apply differentiated rates based on a member's situation or history. We strongly believe in the strength of solidarity and risk sharing between insured members.

Furthermore, in accordance with the regulations and particularly the PIPEDA and GDPR, we undertake to collect and process only the data that is strictly necessary for their purpose. Similarly, we undertake to ensure that the data collected is kept in a form that allows your identification for a period that does not exceed the time required for the purposes for which the data is collected and processed.

Alan, including all of its affiliates (Alan Insurance, Alan Services, Alan Tech, Marmot Belgium, Marmot Iberia, and Alan CA Inc.) is responsible for collecting your personal data.

Alan requires your consent to collect, use, or disclose your personal data, except under the exceptions permitted by law. Please note that your consent may be either expressed (verbal or written) or implied (inferred from your actions).

You have the right to withdraw your consent at any time, subject to our legal, regulatory, or contractual obligations. However, this may limit your access to some of our services and products. To withdraw your consent, please contact our Data Protection Officer (DPO), the contact details are in the section below.

If you have any questions regarding security and personal data, or to exercise your rights of access, correction, deletion, withdrawal of consent, limitation of processing, opposition to processing or portability, you may contact us and our Data Protection Officer (DPO) at [email protected]. Alan will ensure that you receive a response promptly.

For any complaint concerning your personal data, you can either contact our DPO or contact:

For Canadian residents: the Office of the Privacy Commissioner of Canada directly at:
Office of the Privacy Commissioner of Canada

• 30 Victoria Street
• Gatineau, Québec
• K1A 1H3
• Telephone: 1-819-994-5444
• Toll Free: 1-800-282-1376
• Website: www.priv.gc.ca

For Ontario residents, you can also contact the Information and Privacy Commissioner of Ontario at:

• ‍Information and Privacy Commissioner of Ontario
• 2 Bloor Street East, Suite 1400
• Toronto, Ontario M4W 1A8
• Telephone: 1-416-326-3333
• Toll Free: 1-800-387-0073
• Website:www.ipc.on.ca

For Québec residents, you can also contact the Commission d’accès à l’information du Québec at:

• Commission d’accès à l’information du Québec 525 René-Lévesque Blvd East, Suite 2.36 Québec, Quebec G1R 5S9 Phone: 418-528-7741 Toll-free: 1-888-528-7741 Website: www.cai.gouv.qc.ca

Insurance Services

• Management of company contracts
• Health and life and disability insurance
• Dependent data
• Fraud fighting
• Travel Assistance (Xodus)

Care and support

• Messages and chat

Health Services

• To speak to therapist or social worker by video or phone
• To speak to the Alan health team by private message within the Alan Clinic

Statistics and Performances

• Measuring our members’ satisfaction
• Audience measurement (analytics) and technical data
• Marketing and Ad targeting
• Statistics and scientific research

Insurance Services

Management of company contracts

Administrators

When registering for a company contract, we collect the following personal data for each administrator:

• Name and surname
• Professional email address
• Messages to our customer service department

Employees

The company contract administrators are led to send us data concerning their employees, including those who have left the company for less than a year ( as part of the portability of health insurance rights):

• Name, surname and social security number
• Employees' professional email address
• Personal e-mail address of former employees
• Dates of arrival and departure from the company
• Birth date
• Gender
• Salary and occupation where applicable

This is a legal obligation of the employer from which employees cannot escape, even when they do not wish to benefit from health coverage (exemption mechanism).

Health and life and disability insurance

Personal data is transmitted to us directly by or on behalf of the insured members with their explicit consent (e.g. to automate the retrieval of receipts from a third party site), in particular :

• Name and surname
• Personal email address
• Birth date
• Postal address
• Name, surname, birth date and gender of the spouse and/or children where applicable
• Bank details (for payments and reimbursements)
• Documents required for reimbursement of care acts
• Messages to our customer service department
• Data necessary for the reimbursement (date of treatment, act code, amount paid, recognized rights, prescription, Drug Identification Number, etc.)
• Other insurance plan information (if any, for coordination of benefits)
• Proof of good health, if applicable
• Proof of exemption where applicable
• Life insurance beneficiary information (including names, relationship to insured, date of birth, and contact information)

We also generate individual policy numbers.

Dependent data

I have been added as a dependent

When the possibility is offered to him/her and an insured member declares a dependent (spouse or child) to his/her contract, he/she vouches that the beneficiary agrees to become a party to its insurance contract (or gives consent as a parent of a minor). Alan treats the personal data of the dependent in the same way as those of any other user insured member in this capacity.

Account sharing

Our insured members and their dependents share a single Alan account. By default, both the insured members and the dependents (if they are of legal age and choose to access Alan's online insurance or management services themselves) will be able to view all account information related to the insurance services, without separation. Members with an Alan account can also choose to restrict visibility of their care acts to other members covered under the same policy.

How can I have access to this privacy setting?

Through the "Privacy and security" section on your member profile.

Fraud fighting

We use personal data you provide us with in the context of our health insurance (including your health data) in order to detect and fight insurance fraud. We may also use the following connexion data to identify fraudulent behavior:

• IP address and service provider,
• information about your equipment, for example: type of internet connection, type of device used, browser used and version, etc.

Travel Assistance (Xodus)

In order to provide travel assistance and allow you to be covered in case of problems while traveling abroad, we transmit the following information to our partner Xodus:

• First name, last name
• e-mail address, date of birth,
• Policy start date with Alan and membership card number

Care and support

Messages and chat

In order to answer questions or resolve problems raised by our members, admins or prospects when they contact Alan we collect the following information:

• Messages and attachments sent to our customer service;
• Voice notes;
• Any data related to your insurance contract required to answer your question or resolve your problem;
• Customer satisfaction surveys.

We may thus collect the following personal data:

• identification data,
• financial or payment data,
• health data.

Health Services

To speak to therapist or social worker by video or phone

When you book or attend a session, we collect information needed to schedule, deliver, and administer the service, such as:

• your first and last name,
• the date, time, and duration of the session,
• your time zone,
• your province/territory and language preference,
• the practitioner’s name and professional details.

In some cases, we may also collect intake information you provide (for example, questionnaire responses) to support your care.

We do not record your calls. However, during your care, the practitioner may create clinical notes (for example, session notes or care summaries).

Depending on how the practitioner works, notes may be:

• entered into Alan’s platform,
• written separately by the practitioner.

Where clinical notes and intake forms are stored in Alan’s platform:

• access is restricted to authorized clinicians involved in your care,
• Alan applies technical and organizational safeguards, including encryption and access controls, designed to protect confidentiality,
• this information is not used for insurance administration or reimbursement decisions.

For orientation call, if the member accepts, orientation psychologist will share the reason for consultation and situation with the psychologist booked. This information is deleted once shared.

Note that the Alan attributed e-mail address of the Practitioner is solely for communicating on administrative matters with you and/or your employer. This emailing address shall not contain any health related information.

To facilitate scheduling and coordination, we also process the practitioner’s identifying and professional data, as well as their calendar availability.

To speak to the Alan health team by private message within the Alan Clinic

When you exchange messages with Alan health team members for a question relating to your health (excluding video consultation), we use the following data:

• first name, surname, date of birth, and gender (that we deduce from your insurance profile),
• phone number for emergency situation,
• messages and attachments exchanged with the health team member.

To delivered more personalized and contextualized care to members, health team members will also have access to:

• your company's vertical, the number of employees, and your start date with the company,
• the gender and age of your children beneficiaries,
• your city of residence,
• some usage data of our health services.

Your messages and clinical information are accessible only to health professional of the Clinic involved in providing care, and to a limited set of authorized personnel as needed to operate and secure the Clinic (for example, to maintain the platform). We use role‑based access controls and other safeguards to protect confidentiality. Your health information is not used for insurance purposes.

Statistics and Performances

Measuring our members’ satisfaction

Because it is important for us to build a tailored service for our members, we measure their satisfaction over time through a rating system that our members can choose to enter in the application. This is the "Net Promoter Score" or "NPS".

Audience measurement (analytics) and technical data

Certain data is collected automatically when you visit alan.com (including other websites published by Alan such as blog.alan.com and map.alan.com) and when you use our mobile app. The data collected includes :

• IP address and service provider;
• user ID;
• information about your equipment, for example: type of internet connection, type of device used, browser used and version, etc;
• time stamp information and length of visit;
• pages visited;
• clicks and other interactions on individual pages;
• possible errors (on the browser, the mobile application or our servers).

Marketing and Ad targeting

To build our audience and client basis, Alan may reach out to prospects by emails and organize online advertising campaigns before sending them mails or emails. In this context, Alan handles email addresses available online (such as on Linkedin) but also from providers already used by Alan (Societeinfo.com, Kaspr) for audience-building purposes on social networks.

Statistics and scientific research

Data collected by Alan in the performance of our services, may be further used in a way compatible with the original purpose for which it was collected. Only aggregated and/or anonymized data may become subject to scientific research and/or for statistical studies, including for statistical learning. It could for instance be used in the selection and creation of relevant health stories to improve our services and Members' health, create aggregated usage reports or to streamline and improve the management of exchanges with Alan medical team.

Data security is an extremely important issue for Alan: we do our utmost to be worthy of the trust you place in us. Here are a few examples of the measures we have taken. If you have any questions on a specific point, we will be happy to answer them at [email protected].

In order to protect your data on your computer or mobile phone, you can take a few simple measures:

• apply regular system updates to benefit from security patches;
• use antivirus software to detect the presence of malware or spyware, or to disable security features;
• protect your passwords well (your Alan account password, your mailbox password...);
• enable Privacy mode in the mobile application. You will then be prompted for biometric authentication (Face ID/TouchID) or a PIN every time you open the application;
• enable two-step authentication in the mobile application. After entering your email and password at login, you will receive an email with a unique code to enter the application.

You can also consult the official recommendations on good IT security practices.

Who else besides Alan has access to my data?

The data collected may be communicated as required to Alan's partners, reinsurers, subcontractors, legal and financial advisors, and service providers. These data transfers are carried out solely within the framework of the operations mentioned above and to the extent necessary for the performance of the tasks we entrust to third parties. These third parties are fully informed by Alan of the confidentiality of the data communicated to them in this context, and these partners have an obligation to ensure the protection of this data. They are also bound by their own confidentiality and privacy policies, which can be consulted on their websites. When the nature of the operation carried out allows it, the data is subject to prior anonymisation before being communicated to third parties.

The main persons and tools that receive the data in the context of our processing operations include:

Insurance data

Amazon Web Services (hosting and storage) Stripe.com (payment) Revolut.com (refunds) Intercom.com (online chat and customer service) Google Vision (document recognition) Sendgrid.com (emails) Sentry (error management) Linear (ticket management) Customer.Io (emails) Hubspot (CRM) Outreach (CRM) Salesforce (CRM) Snowflake Datadog Scale Studio (document annotation) Microsoft Azure (Azure OpenAI for document parsing) Xodus (travel insurance partner) OmbudService for Life & Health Insurance or the Financial Services Regulatory Authority of Ontario (external review of complaints) Telus (claims processing) Northbridge (travel insurance) Programmed Insurance Brokers (life & disability insurance) RWAM Insurance Inc. (life & disability insurance)

Audience and usage measurement data

Segment.com (audience analysis) Amplitude.com (audience analysis) Google Ads (targeted advertising) Google Optimize (AB testing) Google Speech-To-Text (voice recognition) Google Calendar (calendar) Meta Pixel (audience analysis and targeted advertising) X Ads (targeted advertising) LinkedIn Insights (targeted advertising) Customer.io (e-mails) Bing (audience analysis and targeted advertising) Datadog App Security (security) Cloudflare.com (network, security and audience analysis) Hubspot (Audience analysis and CRM) Piwik (audience analysis) Hotjar (user survey and navigation analysis) Calendly (scheduling tool for meetings)

Furthermore, in order to meet legal and regulatory obligations, we may be required to communicate personal information to administrative or judicial authorities at their request. In this case, we ensure that only the data strictly required by the authorities is transmitted.

In order to fulfill all the purposes for which we collect your data, we may transfer some of your data to third parties, who host them in data centers located in:

• the European Union (Alan AWS infrastructure in Germany)
• other Canadian provinces (partners and service providers)
• the United States (certain service providers)

In this case, we ensure that the hosting is subject to applicable data protection standards:

• Before communicating your personal data outside your province, Alan carries out a privacy impact assessment and takes protective measures.
• All these transfers are governed by contracts including personal data protection clauses as well as appropriate security measures for the communicated data.

To obtain more information about our data transfer practices, please contact our data protection officer at [email protected].

What's a cookie?

In addition to being a delicious biscuit, a cookie is a file on your device that contains data. We obtain your consent before using cookies where it is required. You can delete or limit the storage of these files at any time in the settings of your internet browser (see below).

What's it for?

• First of all to identify yourself once you are connected to the application.
• Technical cookies ensure the proper functioning of our website by managing essential features like security and remembering your preferences (such as language settings).
• Functional cookies help us personalize your experience, save information you've entered, remember your navigation choices, and maintain your session data so you don't have to re-enter information as you move through our website.
• Some cookies also allow us to reply to you in the online chat, in the window that opens at the bottom of your screen when you visit our website.
• Performance cookies help us detect and resolve technical issues to ensure our website runs smoothly.
• Audience measurement cookies enable us to know the use and performance of our website, to establish statistics, traffic volumes and use of the various elements of our website (content visited, paths) enabling us to improve the interest and ergonomics of our services. The data collected is analysed solely by Alan and its subcontractors, and used solely by Alan.
• Cookies linked to targeted advertising operations enable us to measure the effectiveness of our advertising campaigns and to limit the number of times an advertisement for Alan is offered to you. None of these advertising cookies are used by Alan when members are authenticated.
• Consent management cookies remember your cookie preferences so we don't repeatedly ask for your consent during subsequent visits to our website.

What are the third-party cookies used on our website?

Third-party cookies used only on our public website based on user choice:

• Google Ads (targeted advertising) - you can find more information about Google's data processing through this link.
• Meta Pixel (audience measurement and targeted advertising)
• X Ads (targeted advertising)
• LinkedIn Insights (targeted advertising)
• Bing (audience measurement and targeted advertising)
• Hubspot (audience measurement and CRM)
• Piwik (audience measurement)
• Hotjar (user surveys and browsing analysis)
• Posthog (audience measurement, user survey, A/B tests)
• Affilae (affiliate program)
• Tally (technical cookie forms)

Third-party cookies used on our public website and dashboard (member and administrator) based on user choice:

• Segment.com (audience measurement)
• Amplitude.com (audience measurement)
• Snowflake (audience measurement)

Can I refuse?

Of course you can! During your first visit (or if you use your browser's private or incognito browsing), a banner (called a cookie banner) will be displayed asking you for permission to use cookies. Simply refuse and no cookies (other than those we need to operate the site and allow you to use our online chat) will be set. If you accept, your consent will be valid for 13 months from the date of registration.

You can change your mind and manage your cookie preferences at any time via this link.

Simply put, no.

You will receive emails from us, but in the vast majority of cases it will be in the context of the execution of our contract, for example to invite you to register, to ask you for additional information to enable a refund or to inform you of contractual modifications or changes related to your account. There is no escaping this, but it is for your own good.

A small minority of emails are not directly related to our contract with you or your employer, but are still for a legitimate interest (e.g. to offer to sponsor a relative with a financial reward, to send you a quote, or to announce new services similar to those you currently enjoy).

If you are an administrator, you may also receive commercial offers from us. In these cases, you always have the possibility of unsubscribing from this type of message by following the link in each of our emails (opt-out).

You can also choose to subscribe to our newsletter or to our waiting lists to be notified of the availability of our new services (opt-in).

As for push notifications, we will ask for your permission directly in the mobile application and you will be able to deactivate or reactivate them from your phone.