PRIVACY POLICY

Effective Date: Mar 26, 2026



INTRODUCTION

We at 1854320 Ontario Inc., operating as Med-Ai-Doc (together with our affiliates, "Med-Ai-Doc," "Med-Ai-Doctor website," "Med-Ai-Doctor App," "we," "our," or "us"), respect your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to Personal Information and Protected Health Information ("PHI") we collect from or about you when you use our website located at www.medaidoctor.com, our mobile applications, and our healthcare artificial intelligence services (collectively, the "Services").


This Privacy Policy is designed to comply with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable Canadian provincial privacy legislation, as well as the United States Health Insurance Portability and Accountability Act ("HIPAA") where applicable to the processing of PHI. We have developed this comprehensive policy to ensure transparency about our data practices and to inform you of your rights regarding your personal and health information.


It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Information about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and is not intended to override them. We encourage you to review this Policy carefully and contact us if you have any questions or concerns about our privacy practices.


For questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer at privacy@medaidoctor.com.



TABLE OF CONTENTS


  • Definitions
  • Purpose of this Privacy Policy
  • Controller and Contact Details
  • Types of Information We Collect
  • How We Collect Information
  • Purposes for Which We Use Your Information
  • Legal Bases for Processing
  • Disclosure of Your Information
  • International Data Transfers
  • Data Retention
  • Security of Your Information
  • Your Privacy Rights Under PIPEDA
  • Your Privacy Rights Under HIPAA
  • Additional U.S. State Privacy Disclosures
  • Cookies and Tracking Technologies
  • Third-Party Websites and Services
  • Children's Privacy
  • Changes to This Privacy Policy
  • How to Contact Us
  • Appendix A: Examples of Information Collected
  • Appendix B: HIPAA Notice of Privacy Practices



1. DEFINITIONS

For the purposes of this Privacy Policy, the following definitions apply throughout this document and govern the interpretation of terms used herein.

"Anonymous Data" means data that is not associated with or linked to your Personal Information or PHI. Anonymous Data does not permit the identification of individual persons and is therefore not subject to the same restrictions as identifiable information. We may create Anonymous Data from Personal Information by removing identifiers that would allow the data to be linked back to you.

"Business Associate" means a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI, as defined under HIPAA. When Med-Ai-Doc acts as a Business Associate, we enter into Business Associate Agreements that establish the permitted and required uses and disclosures of PHI.

"Covered Entity" means a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. Med-Ai-Doc may act as a Covered Entity or Business Associate depending on the nature of the services provided and the relationship with users and healthcare organizations.

"Personal Information" means information about an identifiable individual, as defined under PIPEDA. This includes identifiers such as your real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, date of birth, or other similar identifiers. It also includes commercial information such as records of products or services purchased, obtained, or considered, Internet or other electronic network activity information, geolocation data, professional or employment-related information, and inferences drawn from any of the foregoing categories of information.

"Protected Health Information" or "PHI" means individually identifiable health information, including demographic information, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, as defined under HIPAA. PHI includes information maintained in any form or medium, including electronic, paper, and oral communications.

"Processing" means any operation or set of operations performed on Personal Information or PHI, whether or not by automated means. Processing includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of information.

"Services" means our website, mobile applications, healthcare AI platform, and any other products or services we provide. This includes our AI-powered medical document analysis tools, symptom assessment features, medication information analysis services, and any other healthcare-related technology solutions offered by Med-Ai-Doc.

"Special Categories of Personal Information" means Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. These categories of information are subject to additional protections due to their sensitive nature.


2. PURPOSE OF THIS PRIVACY POLICY

Med-Ai-Doc is committed to protecting your privacy and maintaining the confidentiality of your personal and health information. We have prepared this Privacy Policy to describe to you our practices regarding the Personal Information and PHI we collect from users of our Services. This Policy explains what information we collect, how we use it, with whom we share it, and what rights you have regarding your information. In addition, this Privacy Policy tells you about your privacy rights under applicable laws and how those laws protect you.

This Privacy Policy applies to information collected through our website and mobile applications, information collected in connection with our healthcare AI Services, information collected when you communicate with us through any channel, and information collected from healthcare providers, patients, and other users of our Services. The Policy covers all interactions you may have with Med-Ai-Doc, whether as a patient using our consumer-facing applications, a healthcare provider using our professional tools, or a business partner integrating our services into your systems.

This Privacy Policy does not apply to information processed on behalf of our enterprise customers where we act as a data processor or Business Associate, which is governed by our customer agreements and Business Associate Agreements. It also does not apply to information collected by third-party websites or services that may be linked to or integrated with our Services, as those third parties maintain their own privacy policies. Finally, this Policy does not apply to Anonymous or de-identified data that cannot reasonably be used to identify you, as such data falls outside the scope of privacy regulations.


3. CONTROLLER AND CONTACT DETAILS

1854320 Ontario Inc., operating as Med-Ai-Doc, is the controller of Personal Information submitted in accordance with this Privacy Policy and is responsible for that Personal Information. Our principal place of business is located at 2233 Argentia Road, Mississauga, Ontario L5N 2X7, Canada. As the data controller, we determine the purposes and means of processing your Personal Information and PHI, and we are accountable for ensuring that such processing complies with applicable privacy laws.

We have appointed a Privacy Officer who is responsible for overseeing questions in relation to this Privacy Policy, including any requests to exercise your legal rights. The Privacy Officer ensures that Med-Ai-Doc complies with applicable privacy legislation, responds to privacy-related inquiries and complaints, and oversees our privacy program and practices. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our Privacy Officer by email at privacy@medaidoctor.com, or by mail at Privacy Officer, 1854320 Ontario Inc. (Med-Ai-Doc), 2233 Argentia Road, Mississauga, Ontario L5N 2X7, Canada.

For questions specifically related to HIPAA and the processing of PHI from the United States, we have designated a HIPAA Privacy Officer who can be reached by email at hipaa@medaidoctor.com. The HIPAA Privacy Officer is responsible for the development and implementation of our HIPAA compliance program, including policies and procedures for the use and disclosure of PHI, individual rights under HIPAA, and breach notification procedures.

You or your authorized agent may also submit requests to exercise your legal rights by submitting the web form available at www.medaidoctor.com/privacy or by email at privacy@medaidoctor.com. We have established these multiple channels to ensure that you can easily reach us with privacy-related questions or requests.


4. TYPES OF INFORMATION WE COLLECT

We collect Personal Information and PHI from you when you visit our website, when you send us information or communications, when you engage with us through online chat applications, when you download and use our Services, when you register for events hosted by us, and when you use our healthcare AI Services. The types of information we collect depend on how you interact with our Services and the features you use.

4.1 Identifiers

We collect various identifiers that help us identify you and provide our Services. These identifiers include your full name, alias or username, postal address, email address, phone number, and date of birth. We may also collect your Social Insurance Number where legally required for tax reporting or identity verification purposes. When you create an account, we collect account credentials including your username and password. Additionally, we collect unique personal identifiers, online identifiers, Internet Protocol (IP) addresses, and device identifiers that help us recognize your devices and provide a consistent experience across sessions.

4.2 Health Information and Protected Health Information

Given the healthcare focus of our Services, we collect various categories of health information and PHI. This includes your medical history, current health conditions and diagnoses, symptoms and complaints, medications and prescriptions, and allergies. We collect laboratory test results and diagnostic imaging results such as X-rays, MRIs, CT scans, and ultrasounds that you upload or that are shared with us through healthcare provider integrations. We also collect clinical notes and assessments, treatment plans and recommendations, immunization records, and mental health information where relevant to the Services you use. Where you provide genetic information, we treat such information with the highest level of protection. We also collect health insurance information and healthcare provider information necessary to coordinate your care and process payments.

4.3 Financial and Commercial Information

To process transactions and provide our Services, we collect financial and commercial information. This includes payment card information such as credit and debit card numbers, billing addresses, and transaction history. We maintain records of Services purchased or considered, which helps us understand your needs and improve our offerings. Where applicable, we collect insurance information necessary to verify coverage and process claims.

4.4 Professional or Employment-Related Information

For healthcare providers and business users of our Services, we collect professional and employment-related information. This includes your employer’s name, job title, professional credentials, professional license numbers, and work contact information. This information helps us verify your professional status, provide appropriate access to professional features, and comply with regulatory requirements.

4.5 Internet or Electronic Network Activity Information

We collect information about your interactions with our Services, including your browsing history on our Services, search history within our Services, and information regarding your interaction with our website or applications. This includes log data such as browser type, access times, pages viewed, and referring URLs. We also collect usage data including features used, actions taken, and time spent on various parts of our Services.

4.6 Geolocation Data

We may collect information about your location to provide location-relevant services and comply with legal requirements. This includes approximate location based on your IP address and, with your consent where applicable, precise geolocation from your mobile device. We also collect time zone information to display times correctly and schedule communications appropriately.

4.7 Audio, Visual, and Similar Information

We collect audio, visual, and similar information in connection with our Services. This includes photographs or images you upload; medical images such as X-rays, scans, prescriptions, and lab reports that you submit for analysis; and voice recordings if you contact us by phone or use voice or scribe features within our applications. We also maintain chat transcripts from your interactions with our customer support team and AI-powered chat features.

4.8 Inferences

We may draw inferences from the information we collect to create a profile about you. These inferences may reflect your preferences, characteristics, health trends, or predispositions. We use such inferences to personalize your experience, provide relevant recommendations, and improve our Services. Any inferences related to your health are treated as PHI and protected accordingly.

4.9 Special Categories of Personal Information

We generally do not collect Special Categories of Personal Information except for health-related information necessary to provide our Services. We do not collect information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, or trade union membership unless you voluntarily provide such information to us in the context of your healthcare needs. When we do collect health-related Special Categories of Personal Information, we apply enhanced protections and obtain appropriate consent.

4.10 Sensitive Personal Information Under HIPAA

When we process PHI subject to HIPAA, we treat all such information as sensitive and apply the protections required by HIPAA, including the Privacy Rule and Security Rule. This includes implementing administrative, physical, and technical safeguards to protect PHI, limiting uses and disclosures to the minimum necessary, and providing you with rights to access, amend, and receive an accounting of disclosures of your PHI.


5. HOW WE COLLECT INFORMATION

5.1 Information You Provide to Us

We collect Personal Information and PHI that you provide directly to us through various interactions with our Services. When you create an account or register for our Services, we collect your name, email address, password, and contact information necessary to establish and manage your account. When you use our healthcare AI Services to analyze medical documents, lab reports, or imaging, we collect the documents, images, and health information you upload or input for analysis.

You provide information when you input symptoms, health questions, or medical history into our assessment tools, when you upload medical documents, images, or files for analysis, and when you complete forms, questionnaires, or surveys. We collect information when you subscribe to our newsletters or marketing communications, when you communicate with us via email, phone, chat, or other channels, and when you participate in webinars, events, or research studies. If you apply for employment opportunities with 1854320 Ontario Inc. (Med-Ai-Doc), we collect the information you provide in your application. We also collect information when you provide feedback or submit support requests.

5.2 Information Collected Automatically

When you visit, use, or interact with our Services, we automatically collect certain information about your visit, use, or interactions. This technical information helps us understand how our Services are used, diagnose technical problems, and improve user experience.

We automatically collect Log Data, which is information that your browser or device automatically sends when you use our Services. Log Data includes your Internet Protocol (IP) address, browser type and version, browser settings and preferences, operating system, date and time of your request, referring website or source, pages viewed and features used, and how you interact with our Services.

We also automatically collect Usage Data about your use of the Services. This includes the types of content you view or engage with, features you use and actions you take, your time zone and country, dates and times of access, duration of visits, user agent and version, type of computer or mobile device, and computer connection information.

Device Information is collected automatically and includes your device name and model, operating system and version, device identifiers such as UDID, IDFA, or Android ID, browser type and version, screen resolution, and language settings. This information helps us optimize our Services for different devices and troubleshoot device-specific issues.

We may collect Location Information automatically, including approximate location based on your IP address, precise geolocation with your consent, and time zone information. Location information helps us provide location-relevant services, comply with geographic restrictions, and understand our user base.

5.3 Information Collected Through Cookies and Similar Technologies

We use cookies, pixels, web beacons, and similar technologies (collectively, "Cookies") to collect information about your use of our Services. Cookies are small pieces of information that a website sends to your computer's hard drive while you are viewing a website. We may use both session Cookies, which expire once you close your web browser, and persistent Cookies, which stay on your computer until you delete them, to provide you with a more personal and interactive experience on our Services. Please see Section 15 (Cookies and Tracking Technologies) for more detailed information about our use of these technologies and your choices.

5.4 Information from Third Parties

We may receive Personal Information and PHI about you from third-party sources to supplement the information we collect directly from you. Healthcare Providers and Organizations may share information with us, including referring physicians or healthcare providers, hospitals, clinics, and healthcare facilities, health information exchanges, laboratories and diagnostic imaging centers, and pharmacies. This information helps us coordinate your care and provide comprehensive services.

Health Insurance Plans may provide us with insurance eligibility and coverage information, as well as claims and payment information, to facilitate billing and payment processing. Business Partners, including companies that provide our Services through co-branded or private-labeled arrangements and integration partners whose services you connect to our platform, may share information with us to enable seamless service delivery.

We may receive information from Data Providers, including identity verification services and fraud prevention services, to help us verify your identity and protect against fraudulent activity. Business data providers may provide us with professional information about healthcare provider users. When you interact with our social media pages on platforms like LinkedIn, Twitter, Facebook, or Instagram, we may collect information you elect to provide, such as your contact details.

Other Users may provide information about you, including healthcare providers who input information about you as a patient and family members or caregivers who provide information on your behalf with appropriate authorization. We require that anyone providing information about another person has the authority to do so.

5.5 Information About Others

If you provide us with Personal Information about another individual, such as a family member, dependent, or patient, you represent that you have the authority to do so and have provided them with appropriate notice about how their information will be used. For healthcare providers entering patient information, you represent that you have obtained any necessary patient authorizations and are complying with applicable privacy laws. We rely on these representations and expect all users to respect the privacy rights of others when using our Services.


6. PURPOSES FOR WHICH WE USE YOUR INFORMATION

6.1 Providing and Maintaining Our Services

We use your Personal Information and PHI to provide, operate, and maintain our Services. This includes creating and managing your account, authenticating your identity, and maintaining your preferences and settings. We use your information to provide our healthcare AI Services, including analysis of medical documents, lab reports, and imaging that you submit. We process and respond to your health-related queries, generate health insights and recommendations based on the information you provide, and facilitate communication between you and healthcare providers where applicable. We also use your information to process transactions and send related information, including purchase confirmations and invoices, and to provide customer support and respond to your requests, comments, and questions.

6.2 Treatment, Payment, and Healthcare Operations Under HIPAA

Where we act as a Covered Entity or Business Associate under HIPAA, we use PHI for treatment, payment, and healthcare operations as permitted by HIPAA. For treatment purposes, we use PHI to provide, coordinate, or manage healthcare and related services, including consultation between healthcare providers regarding a patient and referral of a patient from one provider to another. For payment purposes, we use PHI to obtain payment for healthcare services, including billing, claims management, collection activities, medical data processing, and utilization review. For healthcare operations, we use PHI to support our business activities, including quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, training programs, accreditation, licensing, credentialing, and business planning and development.

6.3 Improving and Developing Our Services

We use information to understand how users interact with our Services, identify trends and usage patterns, and improve user experience. We conduct research and analysis to improve our AI models and algorithms, using de-identified or aggregated data where possible to minimize privacy risks. We develop new products, features, and services based on user needs and feedback. We train and improve our machine learning models using de-identified or aggregated data to enhance the accuracy and usefulness of our healthcare AI tools. We also conduct quality assurance and testing to ensure our Services function correctly and meet user expectations.

6.4 Communication

We use your information to communicate with you about your account and our Services. This includes sending you information about your account status, changes to our Services, and updates to our policies. We respond to your comments, questions, and requests and provide customer service and support. We send you technical notices, updates, security alerts, and support and administrative messages to keep you informed about important developments. With your consent where required, we send you marketing communications about products, services, and events offered by Med-Ai-Doc and our partners. We also invite you to participate in surveys, research studies, or events that may be of interest to you.

6.5 Safety and Security

We use your information to protect against fraud, unauthorized transactions, and other illegal activities. We detect, prevent, and address technical issues, security vulnerabilities, and potential threats to our Services. We protect the security of our IT systems, architecture, and networks through monitoring, logging, and analysis of system activities. We verify your identity through our password and account authentication requirements and work to prevent unauthorized access to accounts and sensitive personal medical information. We investigate and respond to security incidents, including potential breaches of Personal Information or PHI, and take appropriate remedial action.

6.6 Legal and Compliance

We use your information to comply with applicable laws, regulations, and legal processes, including privacy laws, healthcare regulations, and financial reporting requirements. We respond to lawful requests from public authorities, including law enforcement, regulatory agencies, and courts.

We use your information to protect our rights, privacy, safety, or property, and that of our affiliates, users, or others. We enforce our terms of service, acceptable use policies, and other agreements to which you are bound. We use information to establish, exercise, or defend legal claims in litigation, arbitration, or other legal proceedings. We also conduct audits and maintain records as required by law or as necessary for our business operations.

6.7 Business Operations

We use your information to carry out business transfers, including mergers, acquisitions, reorganizations, sales of assets, or bankruptcy proceedings, where your information may be transferred as a business asset. We manage our business relationships with partners, vendors, and other third parties. We conduct audits and maintain records for financial, tax, and regulatory compliance purposes. We administer and protect our business and website, including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data.

6.8 Use of PHI Under HIPAA

When we process PHI subject to HIPAA, we limit our use and disclosure to uses and disclosures permitted or required by HIPAA without authorization, such as treatment, payment, healthcare operations, public health activities, health oversight activities, judicial and administrative proceedings, law enforcement purposes, and other purposes specified in the HIPAA Privacy Rule. We also use and disclose PHI for purposes for which you have provided written authorization in accordance with HIPAA requirements. Additionally, we may use and disclose de-identified information that meets HIPAA de-identification standards, as such information is no longer considered PHI.

We apply the "minimum necessary" standard to uses and disclosures of PHI, meaning we limit PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This standard applies to most uses and disclosures, with certain exceptions for treatment purposes, disclosures to the individual, disclosures pursuant to an authorization, disclosures required by law, disclosures to the Department of Health and Human Services, and uses or disclosures required for HIPAA compliance.

6.9 De-Identification and Aggregation

We may de-identify Personal Information and PHI so that it can no longer be used to identify you. De-identification is performed in accordance with applicable legal standards, including the HIPAA de-identification requirements where applicable. We use de-identified and aggregated information to analyze the effectiveness of our Services and identify areas for improvement. We improve and add features to our Services based on aggregate usage patterns and trends. We conduct research and publish findings that contribute to medical knowledge and healthcare improvement. We train and improve our AI models to provide more accurate and helpful results. We generate industry insights and benchmarks that help healthcare organizations understand trends and best practices.

We maintain and use de-identified information in de-identified form and will not attempt to re-identify the information, except as permitted by law or for purposes of assessing our de-identification methods. We require any third parties who receive de-identified information from us to agree not to attempt to re-identify individuals from such information.


7. LEGAL BASES FOR PROCESSING

7.1 Legal Bases Under PIPEDA

Under PIPEDA, we process your Personal Information based on one or more legal bases that justify our collection, use, and disclosure of your information. The primary legal basis for processing under PIPEDA is consent, and we obtain your meaningful consent for the collection, use, and disclosure of your Personal Information. Consent may be express, such as written or oral consent, or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. For sensitive Personal Information, including health information, we obtain express consent unless an exception applies under PIPEDA.

Meaningful consent requires that you understand what you are consenting to and that your consent is voluntary. We provide clear and understandable information about our privacy practices so that you can make informed decisions about your Personal Information. We do not use deceptive or misleading practices to obtain consent, and we do not make consent a condition of providing a product or service beyond what is necessary to provide that product or service.

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw your consent, you may contact us using the contact information provided in this Privacy Policy. Withdrawal of consent may affect our ability to provide certain Services to you, and we will inform you of the consequences of withdrawing consent when you make such a request.

PIPEDA permits the collection, use, or disclosure of Personal Information without consent in limited circumstances. These exceptions include situations where collection is clearly in the interests of the individual and consent cannot be obtained in a timely way, where collection is for journalistic, artistic, or literary purposes, where information is publicly available as specified in regulations, where required to comply with a subpoena, warrant, or court order, for the investigation of a breach of an agreement or contravention of law, in an emergency that threatens life, health, or security, and for statistical or scholarly research where consent is impracticable and certain conditions are met.

7.2 Legal Bases Under HIPAA

When we process PHI subject to HIPAA, our legal bases for processing are established by the HIPAA Privacy Rule. The primary legal bases include treatment, payment, and healthcare operations, which permit us to use and disclose PHI without authorization for these fundamental healthcare purposes. Treatment includes the provision, coordination, or management of healthcare and related services by one or more healthcare providers. Payment includes activities undertaken to obtain or provide reimbursement for healthcare services. Healthcare operations include quality assessment, training, accreditation, licensing, business planning, and other activities specified in the Privacy Rule.

For uses and disclosures not permitted without authorization, we obtain your written HIPAA authorization. A valid HIPAA authorization must contain specific elements, including a description of the information to be used or disclosed, identification of the persons authorized to make the use or disclosure, identification of the persons to whom the disclosure may be made, a description of the purpose of the use or disclosure, an expiration date or event, and your signature and date. You have the right to revoke your authorization at any time, except to the extent that we have already acted in reliance on the authorization.

HIPAA also permits certain uses and disclosures without authorization for specified public-interest purposes, including uses and disclosures required by law, public health activities, health oversight activities, judicial and administrative proceedings, law enforcement purposes, disclosures about decedents, organ donation, research subject to certain conditions, serious threats to health or safety, specialized government functions, and workers' compensation. When we make such disclosures, we comply with the specific requirements and limitations set forth in the HIPAA Privacy Rule.


8. DISCLOSURE OF YOUR INFORMATION

8.1 Disclosure to Affiliates

We may share your Personal Information with other companies under our common control, which we refer to as our Affiliates. Our Affiliates are required to honor this Privacy Policy and to implement appropriate safeguards for your Personal Information and PHI. We share information with Affiliates for purposes consistent with this Privacy Policy, including to provide and improve our Services, to conduct business operations, and to comply with legal obligations. When we share PHI with Affiliates, we do so in accordance with HIPAA requirements and applicable Business Associate Agreements.

8.2 Disclosure to Service Providers and Business Associates

We engage third-party companies and individuals to perform functions on our behalf and to assist us in providing, analyzing, and improving our Services. These service providers may have access to your Personal Information and PHI as necessary to perform their functions but are contractually obligated not to use it for other purposes. We require our service providers to implement appropriate security measures and to comply with applicable privacy laws.

Our service providers include cloud hosting and infrastructure providers who store and process data on our behalf, payment processors who handle payment transactions securely, customer support providers who assist us in responding to your inquiries, email and communication service providers who help us send notifications and marketing communications, analytics providers who help us understand how our Services are used, and security and fraud prevention services who help us protect against unauthorized access and fraudulent activity. We also engage professional advisors, including lawyers, accountants, and consultants, who provide professional services to us.

When service providers process PHI on our behalf, we enter into Business Associate Agreements as required by HIPAA. These agreements establish the permitted and required uses and disclosures of PHI, require the Business Associate to implement appropriate safeguards, require reporting of security incidents and breaches, and ensure that the Business Associate complies with applicable HIPAA requirements.

8.3 Disclosure to Healthcare Providers and Organizations

We may disclose your Personal Information and PHI to healthcare providers and organizations involved in your care. This includes referring physicians and healthcare providers who need information to provide treatment, hospitals, clinics, and healthcare facilities where you receive care, laboratories and diagnostic imaging centers that perform tests and procedures, pharmacies that fill your prescriptions, and health information exchanges that facilitate the secure sharing of health information among authorized participants. These disclosures are made for treatment, payment, and healthcare operations purposes and in accordance with applicable privacy laws.

8.4 Disclosure to Health Insurance Plans

We may disclose your Personal Information and PHI to health insurance plans for purposes of verifying coverage, obtaining prior authorization, processing claims, and coordinating benefits. These disclosures are made for payment purposes and in accordance with applicable privacy laws, including HIPAA where applicable.

8.5 Disclosure for Legal and Compliance Purposes

We may disclose your Personal Information and PHI when required by law or when we believe in good faith that disclosure is necessary to comply with applicable laws, regulations, or legal processes, such as subpoenas, court orders, or government requests. We may also disclose information to respond to lawful requests from public authorities, including law enforcement, regulatory agencies, national security agencies, and other government bodies. We disclose information to protect our rights, privacy, safety, or property, and that of our affiliates, users, or others, and to enforce our terms of service and other agreements. We may also disclose information to establish, exercise, or defend legal claims in litigation, arbitration, or other legal proceedings.

When we receive legal requests for information, we review them carefully to ensure they are valid and lawful. Where permitted by law, we may notify you of such requests so that you have an opportunity to object or seek protective measures. We limit our disclosures to the information specifically requested and required by law.

8.6 Disclosure in Business Transfers

We may disclose your Personal Information and PHI in connection with business transfers, including mergers, acquisitions, reorganizations, sales of assets, or bankruptcy proceedings. In such transactions, your information may be transferred as a business asset to the acquiring entity or successor organization. We will require the acquiring entity or successor to honor this Privacy Policy or to provide you with notice of any changes to privacy practices and an opportunity to opt out where required by law. If a business transfer results in a material change to the use of your PHI, we will obtain your authorization as required by HIPAA.

8.7 Disclosure with Your Consent

We may disclose your Personal Information and PHI to third parties when you have given us your consent to do so. For example, you may authorize us to share your health information with family members, caregivers, or other individuals involved in your care. You may also authorize us to share information with third-party applications or services that you choose to connect to our platform. When we seek your consent for disclosure, we will provide you with clear information about what information will be shared, with whom it will be shared, and for what purpose.

8.8 Disclosure of De-Identified and Aggregated Information

We may disclose de-identified and aggregated information to third parties for research, analytics, industry benchmarking, and other purposes. De-identified information is information that has been processed to remove or obscure identifiers so that the information cannot reasonably be used to identify an individual. Aggregated information is information that has been combined with information from other individuals so that it does not identify any particular individual. Because de-identified and aggregated information does not identify you, it is not subject to the same restrictions as Personal Information or PHI.


9. INTERNATIONAL DATA TRANSFERS

9.1 Storage and Processing Locations

Your Personal Information and PHI may be stored and processed in Canada and in other jurisdictions where Med-Ai-Doc, our Affiliates, or our service providers maintain facilities. These jurisdictions may include the United States and other countries. When your information is transferred to another jurisdiction, it may be subject to the laws of that jurisdiction, which may differ from the laws of your country of residence.

9.2 Safeguards for International Transfers

When we transfer Personal Information and PHI to other jurisdictions, we apply appropriate safeguards to protect your information and ensure compliance with applicable privacy laws. These safeguards include entering into data transfer agreements with recipients that include standard contractual clauses or other approved transfer mechanisms, ensuring that recipients are subject to laws that provide adequate protection for Personal Information, implementing technical and organizational measures to protect information during transfer and storage, and conducting due diligence on recipients to ensure they have appropriate privacy and security practices.

9.3 Transfers to the United States

If you are located outside the United States and your information is transferred to the United States, please be aware that the United States may not have privacy laws that are equivalent to those in your country. By using our Services and providing your information, you acknowledge that your information may be transferred to and processed in the United States. We implement appropriate safeguards to protect your information when it is transferred to the United States, including contractual protections and security measures.

9.4 Your Rights Regarding International Transfers

You have the right to obtain information about the safeguards we use for international transfers of your Personal Information. You may contact us using the contact information provided in this Privacy Policy to request such information. If you have concerns about international transfers of your information, please contact us and we will work with you to address your concerns.


10. DATA RETENTION

10.1 Retention Principles

We retain Personal Information and PHI only as long as necessary to fulfill the purposes for which it was collected, as disclosed in this Privacy Policy. We consider several factors in determining appropriate retention periods, including the nature and sensitivity of the information, the purposes for which we process the information, applicable legal and regulatory requirements, contractual obligations, and the potential risk of harm from unauthorized use or disclosure.

10.2 Retention Periods

Retention periods vary by data category and legal requirement. Account information is retained for as long as your account is active and for a reasonable period thereafter to allow you to reactivate your account or to comply with legal obligations. Health information and PHI are retained in accordance with applicable medical record retention requirements, which may require retention for a minimum period of years after the last date of service or, for minors, until a specified age plus a minimum number of years. Financial and transaction records are retained in accordance with tax and accounting requirements, typically for a minimum of seven years. Communications and support records are retained for a reasonable period to allow us to respond to inquiries and improve our services. Technical and usage data are retained for a limited period for analytics and security purposes, after which they are deleted or anonymized.

10.3 Retention of PHI Under HIPAA

When we retain PHI subject to HIPAA, we comply with HIPAA's documentation retention requirements, which require us to retain certain documents for six (6) years from the date of creation or the date when the document was last in effect, whichever is later. These documents include privacy policies and procedures, privacy notices, authorizations, and other documentation required by the HIPAA Privacy Rule. We also comply with state medical record retention requirements, which may require longer retention periods.

10.4 Secure Destruction

When Personal Information and PHI are no longer needed for the purposes for which they were collected and retention is no longer required by law or contract, we securely destroy or de-identify the information. Secure destruction methods include shredding paper records containing Personal Information or PHI, using secure deletion methods for electronic records that render the information unreadable and unrecoverable, and de-identifying information in accordance with applicable standards so that it can no longer be used to identify individuals. We require our service providers to implement similar secure destruction practices for information they process on our behalf.


11. SECURITY OF YOUR INFORMATION

11.1 Our Commitment to Security

We are committed to protecting your Personal Information and PHI from unauthorized access, use, disclosure, alteration, and destruction. We implement and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the nature and sensitivity of the information we process. Our security program is designed to comply with applicable legal requirements, including PIPEDA and HIPAA, and to meet industry best practices for healthcare information security.

11.2 Administrative Safeguards

We implement administrative safeguards to manage the selection, development, implementation, and maintenance of security measures. These safeguards include designating a Security Officer responsible for the development and implementation of our security program and a Privacy Officer responsible for our privacy program. We conduct regular risk assessments to identify potential threats and vulnerabilities to Personal Information and PHI and implement measures to address identified risks. We develop and maintain written security policies and procedures that govern the handling of Personal Information and PHI. We implement workforce security measures, including background checks for employees with access to sensitive information, role-based access controls that limit access to Personal Information and PHI based on job responsibilities, and confidentiality agreements that require employees to protect the confidentiality of information. We provide regular security awareness training to employees on their responsibilities for protecting Personal Information and PHI. We implement incident response procedures for detecting, responding to, and recovering from security incidents. We conduct due diligence on service providers and require them to implement appropriate security measures through contractual agreements.

11.3 Technical Safeguards

We implement technical safeguards to protect Personal Information and PHI and control access to systems that store or process such information. These safeguards include encryption of Personal Information and PHI at rest and in transit using industry-standard encryption protocols such as TLS for data in transit and AES-256 for data at rest. We implement access controls, including unique user identification, strong password requirements, and multi-factor authentication for privileged access. We maintain audit controls that record and examine activity in systems that contain Personal Information or PHI. We implement integrity controls to ensure that Personal Information and PHI have not been improperly altered or destroyed. We implement transmission security measures to protect Personal Information and PHI during electronic transmission. We conduct regular vulnerability assessments and penetration testing to identify and address security weaknesses. We implement malware protection and intrusion detection systems to detect and prevent unauthorized access. We maintain secure system development practices, including security testing and code review.

11.4 Physical Safeguards

We implement physical safeguards to protect our facilities, equipment, and systems from unauthorized physical access, tampering, and theft. These safeguards include facility access controls that limit physical access to facilities where Personal Information and PHI are stored or processed. We implement workstation security measures that govern the use and positioning of workstations that access Personal Information or PHI. We implement device and media controls that govern the receipt, removal, and disposal of hardware and electronic media that contain Personal Information or PHI. We maintain secure data center facilities with environmental controls, fire suppression, and backup power systems.

11.5 Ongoing Security Monitoring and Improvement

We continuously monitor our security program and implement improvements to address new threats and vulnerabilities. We conduct regular audits of our security practices and controls. We monitor systems for security events and anomalies. We stay informed about emerging threats and security best practices. We update our security measures as necessary to address new risks.

11.6 Limitations of Security

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your Personal Information or PHI. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately using the contact information provided in this Privacy Policy.


12. YOUR PRIVACY RIGHTS UNDER PIPEDA

12.1 Right to Access

You have the right to request access to the Personal Information we hold about you. Upon request, we will inform you of the existence, use, and disclosure of your Personal Information and provide you with access to that information, subject to certain exceptions permitted by law. Exceptions to the right of access include information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client privilege.

To exercise your right to access, you may submit a request using the contact information provided in this Privacy Policy. We may require you to verify your identity before responding to your request. We will respond to your request within 30 days, or we will notify you if we require an extension of time. If we refuse your request for access, we will provide you with the reasons for the refusal and inform you of your right to challenge the refusal.

12.2 Right to Correction

You have the right to request correction of Personal Information that is inaccurate or incomplete. If you believe that the Personal Information we hold about you is incorrect, you may request that we correct the information. We will correct the information if we are satisfied that the information is inaccurate or incomplete.

If we do not agree that the Personal Information requires correction, we will note your request and the correction you requested in our files so that anyone accessing the information will be aware of your request. If we have disclosed inaccurate or incomplete information to third parties, we will notify those third parties of the correction where appropriate.

12.3 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, you may contact us using the contact information provided in this Privacy Policy. We will inform you of the consequences of withdrawing consent, which may include our inability to provide certain Services to you.

12.4 Right to Request Deletion

You have the right to request that we delete your Personal Information in certain circumstances, such as when the information is no longer necessary for the purposes for which it was collected, when you withdraw your consent and there is no other legal basis for processing, or when the information was unlawfully collected. We will delete your Personal Information unless we are required to retain it by law, we need it to complete a transaction or provide a service you requested, it is necessary for our legitimate business purposes such as fraud prevention or security, or deletion would impair our ability to conduct lawful research or comply with legal obligations.

When you request deletion of your Personal Information, we will take reasonable steps to delete the information from our active systems and instruct our service providers to do the same. However, please note that some information may remain in backup systems for a limited period, and we may retain de-identified or aggregated information that does not identify you.

12.5 Right to Challenge Compliance

You have the right to challenge our compliance with PIPEDA by filing a complaint with our Privacy Officer. If you are not satisfied with our response to your complaint, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. The Privacy Commissioner has the authority to investigate complaints, make recommendations, and pursue legal remedies in certain circumstances.

To file a complaint with our Privacy Officer, please contact us using the contact information provided in this Privacy Policy. We will investigate your complaint and respond within 30 days. If you wish to file a complaint with the Office of the Privacy Commissioner of Canada, you may do so by visiting their website at www.priv.gc.ca or by contacting them by mail at 30 Victoria Street, Gatineau, Quebec K1A 1H3, Canada.

12.6 Exercising Your Rights

To exercise any of your privacy rights under PIPEDA, you may contact us using the contact information provided in Section 3 of this Privacy Policy. You may submit requests by email to privacy@medaidoctor.com, by mail to our Privacy Officer at the address provided, or through the web form available at www.medaidoctor.com/privacy.

When you submit a request, we may require you to verify your identity to protect your privacy and prevent unauthorized access to your information. Verification methods may include confirming information we have on file about you, providing government-issued identification, or other reasonable verification methods. We do not charge a fee for responding to access requests, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act on the request.


13. YOUR PRIVACY RIGHTS UNDER HIPAA

13.1 Applicability of HIPAA Rights

The rights described in this section apply when we act as a Covered Entity under HIPAA or when we maintain PHI on behalf of a Covered Entity as a Business Associate. If you are unsure whether your information is subject to HIPAA, please contact us using the contact information provided in this Privacy Policy.

13.2 Right to Access PHI

You have the right to access and obtain a copy of your PHI that we maintain in a designated record set. A designated record set includes medical records, billing records, charting records and other records used to make decisions about you. Upon your written request, we will provide you with access to your PHI, except for certain limited exceptions permitted by HIPAA, such as psychotherapy notes, information compiled in reasonable anticipation of or for use in legal proceedings, and information subject to the Clinical Laboratory Improvement Amendments (CLIA).

You may request that we provide your PHI in a specific format, and we will comply with your request if the format is readily producible. If you request electronic access to PHI that we maintain electronically, we will provide the information in the electronic form and format you request if readily producible, or in a readable electronic format agreed upon by you and us. We may charge a reasonable, cost-based fee for providing copies of your PHI, which may include the cost of labor for copying, supplies, postage, and preparing an explanation or summary if you request one.

To request access to your PHI, please submit a written request to our HIPAA Privacy Officer using the contact information provided in Section 3 of this Privacy Policy. We will respond to your request within 30 days. If we are unable to provide access within 30 days, we may extend the response period by up to 30 additional days if we provide you with a written statement of the reasons for the delay and the date by which we will complete action on your request.

13.3 Right to Request Amendment

You have the right to request that we amend your PHI if you believe the information is incorrect or incomplete. We will consider your request and may deny the request if we determine that the PHI was not created by us, is not part of the designated record set, is not available for inspection under HIPAA, or is accurate and complete.

If we approve your request for amendment, we will make the amendment to your PHI, inform you that the amendment has been made, and make reasonable efforts to inform others who have received the PHI and who may have relied on the information to their detriment. If we deny your request for amendment, we will provide you with a written denial that explains the basis for the denial, your right to submit a written statement disagreeing with the denial, and how to file a complaint with us or with the Secretary of Health and Human Services.

To request an amendment to your PHI, please submit a written request to our HIPAA Privacy Officer that includes the specific information you wish to amend and the reason for the amendment.

13.4 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI that we have made. The accounting will include disclosures made during the six years prior to your request, except that we are not required to account for disclosures made before our HIPAA compliance date, disclosures made more than six years before the date of your request, or disclosures for which an accounting is not required under HIPAA.

Disclosures that are not required to be included in an accounting include disclosures for treatment, payment, and healthcare operations, disclosures to you or pursuant to your authorization, disclosures for national security or intelligence purposes, disclosures to correctional institutions or law enforcement officials, disclosures that are part of a limited data set, and disclosures made before our HIPAA compliance date.

The accounting will include the date of each disclosure, the name and address of the person or entity who received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure or a copy of the request for disclosure. We will provide the first accounting in any 12-month period without charge. For additional requests within the same 12-month period, we may charge a reasonable, cost-based fee if we inform you of the fee in advance and provide you with an opportunity to withdraw or modify your request.

To request an accounting of disclosures, please submit a written request to our HIPAA Privacy Officer.

13.5 Right to Request Restrictions

You have the right to request that we restrict our use or disclosure of your PHI for treatment, payment, or healthcare operations. You may also request that we restrict disclosures to family members, friends, or others involved in your care or payment for your care. We are not required to agree to your request for restrictions, except that we must agree to a request to restrict disclosure of PHI to a health plan for payment or healthcare operations purposes if the disclosure is not otherwise required by law and the PHI pertains solely to a healthcare item or service for which you, or someone on your behalf, have paid out of pocket in full.

If we agree to a restriction, we will comply with the restriction except in emergency treatment situations. If we disclose PHI to a healthcare provider for emergency treatment, we will request that the provider not further use or disclose the information. A restriction may be terminated by you at any time, either orally or in writing. We may also terminate a restriction if we inform you that we are terminating the restriction, although the termination will only apply to PHI created or received after we inform you. To request a restriction, please submit a written request to our HIPAA Privacy Officer that describes the specific restriction you are requesting and to whom the restriction applies.

13.6 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only at your work address or only by mail. We will accommodate reasonable requests for confidential communications. We will not require you to explain the reason for your request, and we will not condition treatment, payment, or eligibility for benefits on your request.

To request confidential communications, please submit a written request to our HIPAA Privacy Officer that specifies how or where you wish to be contacted.

13.7 Right to a Paper Copy of the Notice of Privacy Practices

You have the right to obtain a paper copy of our Notice of Privacy Practices at any time, even if you previously agreed to receive the notice electronically. To obtain a paper copy, please contact our HIPAA Privacy Officer using the contact information provided in this Privacy Policy.

13.8 Right to File a Complaint

If you believe that your privacy rights have been violated, you have the right to file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with us, please contact our HIPAA Privacy Officer using the contact information provided in this Privacy Policy. To file a complaint with the Secretary, you may submit a complaint to the Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201, or by visiting www.hhs.gov/ocr/privacy/hipaa/complaints.

We will not retaliate against you for filing a complaint. You will not be penalized or otherwise discriminated against for exercising your rights under HIPAA.

13.9 Personal Representatives

You may exercise your HIPAA rights through a personal representative. A personal representative is a person who has authority under applicable law to make healthcare decisions on your behalf. For adults, a personal representative may include a person with healthcare power of attorney, a court-appointed guardian, or an executor or administrator of a deceased individual's estate. For minors, a personal representative is typically a parent or legal guardian, subject to certain exceptions under state law.

We may require documentation of a personal representative's authority before disclosing PHI or allowing the representative to exercise rights on your behalf. We may refuse to treat a person as a personal representative if we reasonably believe that doing so would endanger the individual.


14. ADDITIONAL U.S. STATE PRIVACY DISCLOSURES

14.1 California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). However, please note that the CCPA does not apply to PHI that is subject to HIPAA or to clinical trial data. To the extent that we process Personal Information about California residents that is not subject to these exemptions, the following disclosures apply.

You have the right to know what Personal Information we collect, use, disclose, and sell or share. You may request that we disclose to you the categories of Personal Information we have collected about you, the categories of sources from which the Personal Information was collected, the business or commercial purposes for collecting, selling, or sharing the Personal Information, the categories of third parties to whom we disclose the Personal Information, and the specific pieces of Personal Information we have collected about you.

You have the right to request deletion of your Personal Information, subject to certain exceptions. You have the right to request correction of inaccurate Personal Information. You have the right to opt out of the sale or sharing of your Personal Information. We do not sell Personal Information for monetary consideration. However, certain disclosures of Personal Information for targeted advertising purposes may constitute "sharing" under the CCPA. You may opt out of such sharing by contacting us using the contact information provided in this Privacy Policy.

You have the right to limit the use and disclosure of your sensitive Personal Information. Sensitive Personal Information under the CCPA includes Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail, email, or text messages, genetic data, biometric information, health information, and information about sex life or sexual orientation. You may request that we limit our use of your sensitive Personal Information to uses that are necessary to provide the Services you requested.

You have the right not to be discriminated against for exercising your CCPA rights. We will not deny you goods or services, charge you different prices, provide you with a different level or quality of goods or services, or suggest that you will receive a different price or quality of goods or services because you exercised your CCPA rights.

To exercise your California privacy rights, you or your authorized agent may submit a request by contacting us using the contact information provided in this Privacy Policy. We will verify your identity before responding to your request by matching information you provide with information we have on file. If you use an authorized agent, we may require the agent to provide proof of authorization and we may require you to verify your identity directly with us.

14.2 Virginia, Colorado, Connecticut, and Utah Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you may have additional rights under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), or Utah Consumer Privacy Act (UCPA). These laws provide rights similar to those under the CCPA, including the right to access, correct, and delete your Personal Information, the right to obtain a copy of your Personal Information in a portable format, and the right to opt out of targeted advertising, the sale of Personal Information, and profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise your rights under these laws, please contact us using the contact information provided in this Privacy Policy. If we decline to act on your request, you may appeal our decision by contacting us and requesting an appeal. We will respond to your appeal within the time required by applicable law.

14.3 Nevada Privacy Rights

If you are a Nevada resident, you have the right to opt out of the sale of your Personal Information. We do not currently sell Personal Information as defined under Nevada law. If we change our practices in the future, we will update this Privacy Policy and provide you with an opportunity to opt out.

14.4 Other State Privacy Rights

Privacy laws are evolving, and additional states may enact comprehensive privacy legislation. We are committed to complying with applicable state privacy laws and will update this Privacy Policy as necessary to reflect new legal requirements. If you have questions about your rights under the privacy laws of your state, please contact us using the contact information provided in this Privacy Policy.


15. COOKIES AND TRACKING TECHNOLOGIES

15.1 What Are Cookies

Cookies are small text files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website operators to make their websites work more efficiently, to provide a better user experience, and to collect information about user behavior. Cookies may be set by the website you are visiting (first-party cookies) or by third parties whose content or services are embedded on the website (third-party cookies).

In addition to cookies, we may use other tracking technologies such as pixel tags (also known as web beacons or clear GIFs), which are small graphic images that may be included in our website, emails, or advertisements. Pixel tags allow us to track whether emails have been opened and links have been clicked, and to collect information about your interaction with our content. We may also use software development kits (SDKs) in our mobile applications that function similarly to cookies and pixel tags.

15.2 Types of Cookies We Use

We use several types of cookies on our Services. Strictly necessary cookies are essential for the operation of our website and enable you to navigate our website and use its features. These cookies cannot be disabled because they are necessary for the website to function properly. They include cookies that enable you to log into secure areas of our website, use a shopping cart, or make use of e-billing services.

Performance cookies collect information about how visitors use our website, such as which pages visitors go to most often and whether they receive error messages from web pages. These cookies do not collect information that identifies a visitor. All information collected by these cookies is aggregated and therefore anonymous. We use this information to improve how our website works.

Functionality cookies allow our website to remember choices you make, such as your username, language preference, or the region you are in, and provide enhanced, more personalized features. These cookies can also be used to remember changes you have made to text size, fonts, and other customizable parts of web pages. The information collected by these cookies may be anonymized and cannot track your browsing activity on other websites.

Targeting cookies are used to deliver advertisements that are more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of advertising campaigns. These cookies are usually placed by advertising networks with our permission. They remember that you have visited a website, and this information is shared with other organizations such as advertisers.

15.3 Third-Party Cookies

Some cookies on our website are placed by third parties on our behalf. These third parties may include analytics providers such as Google Analytics, which helps us understand how visitors use our website. Advertising networks may place cookies to deliver targeted advertisements and measure the effectiveness of advertising campaigns. Social media platforms may place cookies when you interact with social media features on our website, such as "Like" or "Share" buttons.

We do not control third-party cookies and recommend that you review the privacy policies of these third parties to understand their practices. You can opt out of certain third-party cookies by visiting the Network Advertising Initiative opt-out page at www.networkadvertising.org/choices or the Digital Advertising Alliance opt-out page at www.aboutads.info/choices.

15.4 Your Cookie Choices

You have several options for managing cookies. Most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse all cookies, to accept only first-party cookies, or to alert you when cookies are being sent. However, if you disable or refuse cookies, some parts of our website may become inaccessible or not function properly.

You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout. You can manage your preferences for targeted advertising by visiting the opt-out pages mentioned above or by using the privacy settings on your mobile device.


When you first visit our website, we may display a cookie banner that allows you to accept or decline non-essential cookies. You can change your cookie preferences at any time by accessing the cookie settings on our website. Please note that if you delete your cookies or use a different browser or device, you may need to set your preferences again.

15.5 Do Not Track Signals

Some web browsers transmit "Do Not Track" signals to websites. Because there is no common understanding of how to interpret Do Not Track signals, our website does not currently respond to such signals. However, you can manage your cookie preferences as described above.


16. THIRD-PARTY WEBSITES AND SERVICES

16.1 Links to Third-Party Websites

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Med-Ai-Doc. These links are provided for your convenience and information. When you click on a link to a third-party website, you will leave our website and be subject to the privacy practices of that third party. We are not responsible for the privacy practices or content of third-party websites.

We encourage you to review the privacy policies of any third-party websites you visit before providing any Personal Information. The inclusion of a link to a third-party website does not imply endorsement of the website or its content by Med-Ai-Doc.

16.2 Third-Party Integrations

Our Services may integrate with third-party applications, services, or platforms that you choose to connect. For example, you may choose to connect your Med-Ai-Doc account with electronic health record systems, health tracking devices, or other healthcare applications. When you enable these integrations, you may be authorizing the exchange of information between Med-Ai-Doc and the third-party service.

The information shared through integrations is subject to the privacy practices of the third-party service as well as this Privacy Policy. We recommend that you review the privacy policies of any third-party services you connect to understand how they collect, use, and share your information. You can manage your integrations and disconnect third-party services at any time through your account settings.

16.3 Social Media Features

Our Services may include social media features, such as the Facebook "Like" button, Twitter "Tweet" button, or LinkedIn "Share" button. These features may collect your IP address, which page you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features are either hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy policy of the company providing the feature.


17. CHILDREN'S PRIVACY

17.1 Age Restrictions

Our Services are not directed to children under the age of 18, and we do not knowingly collect Personal Information from children under 18. If you are under 18, please do not use our Services or provide any Personal Information to us. If you are a parent or guardian and believe that your child has provided Personal Information to us without your consent, please contact us using the contact information provided in this Privacy Policy, and we will take steps to delete such information.

17.2 Parental Consent for Minors

In certain circumstances, healthcare providers or parents may use our Services on behalf of minor patients. When a healthcare provider uses our Services to process PHI of a minor patient, the healthcare provider is responsible for obtaining any necessary parental consent and for ensuring compliance with applicable laws governing the privacy of minors' health information. When a parent or guardian uses our Services on behalf of a minor child, the parent or guardian represents that they have the authority to provide consent on behalf of the child.

17.3 Special Protections for Minors' Health Information

We recognize that minors' health information may be entitled to special protections under applicable law. In the United States, HIPAA generally treats a minor's parent or guardian as the minor's personal representative with authority to act on behalf of the minor with respect to PHI. However, there are important exceptions where the minor may control access to their own PHI, including when the minor consents to healthcare and parental consent is not required under state law, when the minor may lawfully obtain healthcare without parental consent and has done so, when a parent agrees that the minor and the healthcare provider may have a confidential relationship, and when a court or other legal authority authorizes someone other than the parent to make healthcare decisions for the minor.

We comply with applicable federal and state laws governing the privacy of minors' health information and defer to healthcare providers regarding the appropriate handling of minors' PHI in their care. If you have questions about how we handle minors' health information, please contact our Privacy Officer.


18. CHANGES TO THIS PRIVACY POLICY

18.1 Updates and Modifications

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes to this Privacy Policy, we will revise the "Effective Date" at the top of this Privacy Policy and post the updated Privacy Policy on our website. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

18.2 Notification of Material Changes

If we make material changes to this Privacy Policy that affect your rights or how we use your Personal Information or PHI, we will provide you with prominent notice prior to the change becoming effective. Prominent notice may include posting a notice on our website, sending you an email notification, displaying a notice within our applications, or other methods reasonably designed to inform you of the changes.

Material changes include changes that expand the categories of Personal Information or PHI we collect, changes that expand the purposes for which we use or disclose Personal Information or PHI, changes that reduce your privacy rights or protections, changes to our data retention practices that result in longer retention periods, and changes to the categories of third parties with whom we share Personal Information or PHI.

18.3 Your Continued Use

Your continued use of our Services after we post changes to this Privacy Policy or provide you with notice of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you should stop using our Services and contact us to request deletion of your Personal Information. For changes that require your consent under applicable law, we will obtain your consent before implementing the changes.

18.4 Prior Versions

You may request a copy of prior versions of this Privacy Policy by contacting us using the contact information provided in this Privacy Policy. We maintain records of prior versions for a reasonable period to demonstrate our compliance with applicable privacy laws.


19. HOW TO CONTACT US

19.1 General Privacy Inquiries

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact our Privacy Officer using the following contact information:

Privacy Officer
1854320 Ontario Inc. (Med-Ai-Doc)
2233 Argentia Road, Mississauga, Ontario, L5N 2X7, Canada

Email: privacy@medaidoctor.com

19.2 HIPAA-Related Inquiries

For questions specifically related to HIPAA and the processing of PHI from the United States, please contact our HIPAA Privacy Officer:

Email: hipaa@medaidoctor.com

19.3 Privacy Rights Requests

To exercise your privacy rights under PIPEDA, HIPAA, or applicable state privacy laws, you may submit a request using any of the following methods:

    Online: Submit a request through our web form at www.medaidoctor.com/privacy

    Email: Send your request to privacy@medaidoctor.com

    Mail: Send your request to our Privacy Officer at the address above

When submitting a request, please provide sufficient information to allow us to verify your identity and process your request. We may contact you for additional information if necessary to verify your identity or clarify your request.

19.4 Complaints

If you have a complaint about our privacy practices, please contact our Privacy Officer using the contact information above. We take all complaints seriously and will investigate and respond to your complaint within a reasonable time. If you are not satisfied with our response, you may have the right to file a complaint with the applicable regulatory authority:


For Canadian residents:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376


For U.S. residents (HIPAA complaints):
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Website: www.hhs.gov/ocr/privacy/hipaa/complaints
Phone: 1-800-368-1019



20. APPENDIX A: SUMMARY EXAMPLES OF INFORMATION COLLECTED

This appendix provides, for convenience, summary examples of the types of information we collect, organized by category. This list is illustrative and not exhaustive; see the full policy document above for more information.


A.1 Identifiers

Examples of identifiers we collect include:

    Full legal name and any aliases or nicknames

    Home address, mailing address, and billing address

    Email addresses (personal and work)

    Phone numbers (home, mobile, and work)

    Date of birth and age

    Gender and sex assigned at birth

    Social Insurance Number (where legally required)

    Driver's license number or government-issued ID number

    Passport number (for identity verification)

    Account username and password

    IP address and device identifiers

    Cookie identifiers and advertising identifiers

    Health insurance member ID

    Medical record numbers

    Unique patient identifiers


A.2 Health Information and PHI

Examples of health information and PHI we collect include:

    Medical history, including past illnesses, surgeries, and hospitalizations

    Current health conditions, diagnoses, and symptoms

    Vital signs such as blood pressure, heart rate, temperature, and weight

    Medications, dosages, and prescriptions

    Allergies and adverse reactions

    Immunization records and vaccination history

    Laboratory test results, including blood tests, urine tests, and pathology reports

    Diagnostic imaging results, including X-rays, MRIs, CT scans, ultrasounds, and mammograms

    Clinical notes, assessments, and progress notes

    Treatment plans, care plans, and discharge summaries

    Mental health information, including psychiatric evaluations and therapy notes

    Substance use history and treatment

    Reproductive health information

    Genetic test results and family health history

    Dental records and vision records

    Physical therapy and rehabilitation records

    Home health and hospice records

    Health insurance information, including plan details, coverage, and claims

    Healthcare provider information, including names, specialties, and contact information


A.3 Financial and Commercial Information

Examples of financial and commercial information we collect include:

    Credit card and debit card numbers

    Bank account information

    Billing address and billing contact information

    Transaction history and purchase records

    Payment history and outstanding balances

    Insurance claim information

    Records of Services purchased, obtained, or considered

    Subscription and membership information

    Promotional codes and discount information


A.4 Professional or Employment-Related Information

Examples of professional or employment-related information we collect include:

    Employer name and address

    Job title and department

    Professional credentials and certifications

    Professional license numbers and expiration dates

    National Provider Identifier (NPI) for healthcare providers

    DEA registration number for prescribers

    Medical school and residency information

    Board certifications and specialty information

    Work email address and phone number

    Professional biography and curriculum vitae

    Professional affiliations and memberships


A.5 Internet or Electronic Network Activity Information

Examples of internet or electronic network activity information we collect include:

    Browsing history on our Services

    Search queries within our Services

    Pages viewed and features used

    Links clicked and content accessed

    Time spent on pages and features

    Referring website or source

    Exit pages

    Interactions with advertisements

    App usage data, including features used and actions taken

    Error logs and crash reports

    Session recordings and heatmaps (on an anonymized basis)


A.6 Geolocation Data

Examples of geolocation data we collect include:

    Approximate location based on IP address

    Precise geolocation from mobile devices (with consent)

    City, state/province, and country

    Time zone information

    Location history (with consent)


A.7 Audio, Visual, and Similar Information

Examples of audio, visual, and similar information we collect include:

    Profile photographs

    Medical images uploaded for analysis

    Voice recordings from phone calls or voice features

    Video recordings from video consultations (where applicable)

    Chat transcripts and messaging history

    Voicemail messages

    Screen recordings for customer support purposes (with consent)


A.8 Inferences

Examples of inferences we may draw include:

    Health risk assessments based on symptoms and medical history

    Preferences for types of content or features

    Likelihood of interest in certain Services or features

    Communication preferences

    Engagement patterns and usage trends



21. APPENDIX B: HIPAA NOTICE OF PRIVACY PRACTICES


NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


Effective Date: March 26, 2026

B.1 Our Commitment to Your Privacy

We are committed to protecting the privacy of your health information. This Notice of Privacy Practices describes how we may use and disclose your Protected Health Information (PHI) and your rights regarding your PHI. PHI is information that identifies you and relates to your past, present, or future physical or mental health condition, healthcare services you receive, or payment for those services.


We are required by law to maintain the privacy of your PHI, provide you with this Notice of our legal duties and privacy practices, notify you following a breach of unsecured PHI, and follow the terms of the Notice currently in effect.


B.2 How We May Use and Disclose Your PHI

We may use and disclose your PHI for the following purposes without your authorization:

Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. For example, we may use your PHI to analyze medical documents you submit, provide health insights and recommendations, and share information with healthcare providers involved in your care.

Payment: We may use and disclose your PHI to obtain payment for healthcare services. This includes billing and collection activities, verification of insurance coverage, and submission of claims to health plans.

Healthcare Operations: We may use and disclose your PHI for our healthcare operations, which include quality assessment and improvement activities, reviewing the competence of healthcare professionals, training programs, accreditation activities, business planning and development, and customer service.

As Required by Law: We may use and disclose your PHI when required by federal, state, or local law.

Public Health Activities: We may disclose your PHI for public health activities, including reporting disease, injury, vital events, and conducting public health surveillance, investigations, and interventions.

Health Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, and licensure.

Judicial and Administrative Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.

Law Enforcement: We may disclose your PHI to law enforcement officials for law enforcement purposes as permitted by HIPAA.

Coroners, Medical Examiners, and Funeral Directors: We may disclose your PHI to coroners, medical examiners, and funeral directors for purposes related to their duties.

Organ and Tissue Donation: We may disclose your PHI to organizations involved in organ, eye, or tissue procurement, banking, or transplantation.

Research: We may use and disclose your PHI for research purposes subject to certain conditions and safeguards.

Serious Threats to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

Specialized Government Functions: We may disclose your PHI for specialized government functions, including military and veterans' activities, national security and intelligence activities, and protective services for the President.

Workers' Compensation: We may disclose your PHI as authorized by workers' compensation laws.

Inmates and Persons in Custody: We may disclose your PHI to correctional institutions or law enforcement officials if you are an inmate or in custody.

De-Identified Information: We may use and disclose information that has been de-identified in accordance with HIPAA standards.


B.3 Uses and Disclosures Requiring Your Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above. Uses and disclosures requiring authorization include most uses and disclosures of psychotherapy notes, uses and disclosures for marketing purposes, and disclosures that constitute a sale of PHI.

You may revoke your authorization at any time by submitting a written revocation to our HIPAA Privacy Officer. Revocation will not affect any uses or disclosures made in reliance on your authorization before we received your revocation.


B.4 Your Rights Regarding Your PHI

You have the following rights regarding your PHI:

Right to Access: You have the right to inspect and obtain a copy of your PHI in a designated record set. We may charge a reasonable, cost-based fee for copies.

Right to Amendment: You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request in certain circumstances.

Right to an Accounting of Disclosures: You have the right to receive an accounting of certain disclosures of your PHI made during the six years prior to your request.

Right to Request Restrictions: You have the right to request restrictions on our use or disclosure of your PHI. We are not required to agree to your request except in limited circumstances.

Right to Request Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location.

Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this Notice at any time.

Right to File a Complaint: You have the right to file a complaint with us or with the Secretary of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

B.5 How to Exercise Your Rights

To exercise any of your rights, please submit a written request to our HIPAA Privacy Officer at:

HIPAA Privacy Officer
1854320 Ontario Inc. (Med-Ai-Doc)
2233 Argentia Road, Mississauga, Ontario, L5N 2X7, Canada

Email: hipaa@medaidoctor.com


B.6 Changes to This Notice

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you as well as any PHI we receive in the future. We will post the current Notice on our website and make copies available upon request.


B.7 Contact Information

If you have any questions about this Notice or our privacy practices, please contact our HIPAA Privacy Officer using the contact information above.


END OF PRIVACY POLICY


This Privacy Policy was last updated on March 26, 2026.


© 2026 1854320 Ontario Inc. (Med-Ai-Doc). All rights reserved.