Privacy Policy

1. Accountability

We are responsible for personal information under our control and have designated a Privacy Officer who is accountable for compliance with PIPEDA and applicable privacy laws.

All employees, contractors, and licensed healthcare professionals with access to personal information are bound by confidentiality obligations and receive privacy and security training appropriate to their role.

2. Identifying Purposes

We identify and document the purposes for collecting personal information at or before the time of collection.

Personal information is collected for purposes including:

• Enabling patients to submit health questionnaires and relevant information
• Reviewing submissions by licensed healthcare professionals
• Determining clinical eligibility for issuing sick notes or related documentation
• Generating and delivering medical documentation to patients
• Managing user accounts, identity verification, and authentication
• Processing payments, where applicable
• Ensuring platform security, quality assurance, auditability, and fraud prevention
• Meeting legal, regulatory, and professional obligations

3. Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information, except where permitted or required by law.

• Patients provide express consent through electronic acknowledgement and submission of information
• By using the platform, patients consent to the review of their information by a licensed healthcare professional
• Consent is limited to purposes reasonably necessary to provide the requested service
• Consent may be withdrawn at any time, subject to legal, regulatory, contractual, and clinical record-keeping requirements.

4. Limiting Collection

We collect only the personal information necessary to fulfill the identified purposes.

Information collected may include:

• Identifying information (e.g., name, date of birth, contact details)
• Health information provided through questionnaires or uploads
• Employment-related details strictly required for sick note documentation (e.g., employer name, dates missed)
• Account credentials and authentication information
• Technical information (e.g., IP address, device type, system logs)

We do not collect personal information indiscriminately or beyond what is required to provide the service.

5. Limiting Use, Disclosure, and Retention

Personal information is used and disclosed only for the purposes for which it was collected or as required by law.

Information may be disclosed:

• To licensed healthcare professionals reviewing submissions
• To service providers supporting platform operations (e.g., hosting, payments), under contractual confidentiality and security obligations
• To regulatory bodies or authorities where legally required

Personal information is retained only for as long as necessary to fulfill its purpose and to meet legal, professional, and regulatory retention requirements. Once no longer required, information is securely destroyed or anonymized.

6. Accuracy

We take reasonable steps to ensure personal information is accurate, complete, and up to date.

• Patients are responsible for providing truthful, accurate, and complete information
• Patients may review and update non-clinical account information
• Healthcare professionals are responsible for the clinical assessment and documentation they issue based on the information provided

7. Safeguards

We protect personal information using safeguards appropriate to its sensitivity, including:

• Encryption of data in transit and at rest
• Role-based access controls and least-privilege access
• Secure authentication and activity logging
• Application, network, and infrastructure security controls
• Written policies and incident response procedures

Safeguards apply regardless of the format in which information is stored or transmitted.

8. Openness

We make information about our privacy practices readily available through this Privacy Policy and upon request.

This policy explains:

• What personal information we collect
• How it is used and disclosed
• How it is protected
• How individuals may access their information or raise concerns

9. Individual Access

Upon written request, individuals may:

• Be informed of the existence, use, and disclosure of their personal information
• Access their personal information, subject to legal or clinical limitations
• Request corrections to inaccurate or incomplete information

Requests may be directed to the Privacy Officer using the contact information below and will be handled within reasonable timelines as required by law.

10. Challenging Compliance

Individuals may raise concerns or complaints regarding our privacy practices.

All complaints will be:

• Acknowledged promptly
• Investigated thoroughly
• Responded to in writing

If concerns are not resolved, individuals may contact the Office of the Privacy Commissioner of Canada.

11. Third-Party Services and Data Location

We may use third-party service providers (e.g., cloud hosting, payment processing, communications tools) to support platform operations. These providers act on our behalf and are contractually required to maintain privacy and security safeguards consistent with PIPEDA.

Personal information may be stored or processed in Canada or other jurisdictions. Where information is transferred outside Canada, it remains subject to appropriate safeguards.

12. Breach Notification

In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required under PIPEDA.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be posted on our website or communicated through the platform with an updated effective date.