Privacy Policy

This Privacy Policy applies to CareClinic Software Inc. and all its subsidiaries, affiliates, platforms, websites, and mobile applications (collectively “CareClinic,” “we,” “our,” or “us”). It explains how we collect, use, disclose, and protect personal information obtained through our products and services. By using any CareClinic platform, you agree to this policy and consent to the processing of your information as described.

Scope

This policy covers all CareClinic-operated digital products, websites, and services. It does not apply to third-party sites, platforms, or services that may link to or integrate with CareClinic, which are governed by their own privacy policies.

What is Personal Information

Personal information is data that can identify an individual directly or indirectly, such as name, email address, home address, IP address, or health-related data linked to an identifiable person. Aggregated or de-identified data that cannot be used to identify an individual is not personal information.

How We Collect Information

We collect personal information in several ways:

  • When you create or manage an account
  • When you input data into our applications
  • When you communicate with our support or clinical partners
  • When you make a purchase or manage a subscription
  • When you consent to optional analytics or feedback tools

We also collect limited technical data automatically, such as device type, IP address, and browser version, to maintain service integrity and security.

Legal Basis for Processing

CareClinic processes data under lawful grounds that may include:

  • Consent provided by the user
  • Contractual necessity to deliver services
  • Legitimate interests such as analytics, product improvement, and research for public health or wellness
  • Compliance with applicable laws and regulatory requirements
  • Public interest or research activities permitted under privacy legislation

Security and Encryption

We use administrative, physical, and technical safeguards to protect personal information. Data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted using AES-256. Keys are managed and rotated securely. Access is restricted to authorized personnel using multifactor authentication and audit logging. Systems are hosted on secure cloud infrastructure with continuous monitoring and periodic penetration testing.

Quality and Performance Assurance

CareClinic platforms undergo verification and validation to confirm accuracy, reliability, and performance across supported devices. We maintain continuous uptime monitoring with a target greater than 99 percent and perform regression and functionality testing before each release. Issues are tracked in a formal ticketing system and addressed through a documented bug fix cycle.

Vendor and Third-Party Processors

We work with trusted vendors for hosting, analytics, communications, and technical support. These partners act as processors under our instruction and are contractually bound to maintain confidentiality and comply with relevant laws. They may not use personal information for independent purposes.

Cookies, Analytics, and Tracking

CareClinic uses cookies and analytics tools to support essential site functions, improve usability, and measure engagement. These tools may collect anonymous usage information such as IP address and device type. You can manage cookies in your browser settings. Disabling cookies may affect functionality. CareClinic does not use personal data for behavioral advertising or AI model training without explicit consent. Automated decision-making is not performed using identifiable health data.

Aggregated and De-Identified Data

CareClinic may combine or transform collected information into aggregated or de-identified formats that do not identify individual users. This information may be used to monitor platform performance, enhance product safety and usability, generate statistical summaries, or support health-related analytics and reporting. Such insights are created and used in compliance with applicable privacy and data protection laws and cannot be traced back to any person.

Platform and Integrations

CareClinic services may integrate with third-party platforms such as Apple Health, Google Fit, or similar APIs to enable secure data synchronization, backup, and functionality improvements. Any data exchanged through these integrations occurs only after user authorization and follows the privacy controls of the respective platform.

Transactional data such as purchase confirmations or entitlement verification may be shared with Apple or Google solely to complete billing, refund, or subscription management processes. Health or identifiable personal data is not shared for these purposes.

When permissions are granted, CareClinic may access limited data through connected APIs to display insights or generate reports for user benefit. This access is read-only unless otherwise stated at the time of authorization, and data is processed in accordance with this policy and the relevant platform terms.

CareClinic complies with the Apple App Store, Google Play, and Google API Services User Data Policy, including restrictions on advertising, AI model training, and data resale. Users can revoke integration access at any time from their device settings or platform account.

Verifiable Health Records (Apple Health)

CareClinic allows users to optionally import verifiable clinical records from Apple Health using the Verifiable Health Records APIs. This may include laboratory results, medications, allergies, immunizations, diagnoses, procedures, and encounter information supplied by participating healthcare institutions. Access to these records occurs only when a user explicitly initiates import and grants permission.

Imported verifiable health records are used solely for the user’s personal health tracking, care coordination, and self-management within the CareClinic app. They may be used to update the user’s profile, populate trackers, generate insights, or prepare summaries for real-world medical appointments. CareClinic does not use verifiable health records data for advertising, marketing or intervention.

Users may revoke access to Apple Health at any time from their device settings and may delete imported data directly within the app or by requesting account deletion. All verifiable health records data is encrypted in transit and at rest and stored with the same technical and organizational safeguards applied to sensitive health information throughout the platform.

Global Privacy Rights

CareClinic upholds global data rights (including those under GDPR, HIPAA, and PIPEDA). Users may:

  • Access their data and obtain a copy
  • Request correction or deletion
  • Withdraw consent at any time
  • Request portability of their data
  • Object to processing under legitimate interest

Requests can be submitted to support@careclinic.io. All requests are verified, logged, and fulfilled within 30 days unless extended by law.

Data Processing and Account Deletion

You may delete your account at any time through User Settings or by contacting support@careclinic.io. Once deleted, your data is removed from active systems and securely deleted from backups after a short retention period for disaster recovery verification.

Data Retention

We retain data only as long as needed to provide services, meet regulatory or contractual obligations, or ensure system integrity. Aggregated data used for statistical or research purposes may be stored without identifying information. When retention is no longer required, data is securely erased or anonymized.

International Data Transfers

Your data may be processed or stored in Canada, the United States, or other jurisdictions where CareClinic or its service providers operate. These regions may have different data protection laws than your country of residence. To ensure a consistent level of protection, CareClinic implements legal and technical safeguards including Standard Contractual Clauses (SCCs), regional adequacy determinations, and compliance with cross-border frameworks recognized by the OECD and EU.

Transfers are reviewed annually to verify that service providers meet security and privacy expectations equivalent to Canadian, European, and U.S. standards. All cross-border vendors must adhere to encryption, restricted access, and breach notification procedures defined in our Data Protection Agreement. Sensitive health information is never transferred to any third party unless contractually obligated under these conditions.

Where applicable, we maintain data processing agreements and records of all international transfers. Each processor’s location, function, and access level are reviewed during vendor onboarding and reassessed periodically. Users may contact privacy@careclinic.io for a summary of our current data transfer mechanisms.

Data Breach Notification

In the event of unauthorized access, loss, or disclosure of data, CareClinic initiates its Incident Response Plan immediately. This plan includes detection, containment, forensic investigation, and remediation steps. All incidents are logged and reviewed by our security team within 24 hours of discovery.

If a breach presents a material risk to user privacy, we will notify affected individuals and regulatory authorities as required by law, typically within 72 hours. Notifications include the nature of the incident, affected data categories, corrective measures taken, and recommended user actions. We also perform a post-incident review to prevent recurrence and update relevant security controls.

Post-Market Review and Incident Handling

CareClinic maintains a continuous monitoring program that reviews performance data, crash logs, analytics, and user feedback to detect usability or safety issues. Support tickets and incident reports are triaged, risk-rated, and tracked to resolution through our quality management system. Findings from these reviews inform updates, feature adjustments, and documentation improvements.

Quarterly audits are conducted to evaluate product stability, clinical accuracy of symptom tracking modules, and overall user safety. Corrective and preventive actions are documented, verified for effectiveness, and included in subsequent release cycles.

Accessibility and Usability

CareClinic products are designed to promote inclusive use by patients, caregivers, and healthcare professionals. User interfaces undergo iterative testing for readability, contrast, and accessibility across devices. All instructions and health labels are written in plain language, minimizing input errors and cognitive load. Design reviews align with recognized standards such as WCAG 2.1 and ISO 62366 for usability engineering in healthcare software.

Feedback from users with visual, motor, or cognitive challenges is incorporated into design improvements. Regular usability testing ensures that updates do not impair accessibility or comprehension.

Risk Management

CareClinic maintains an active risk management framework integrated with product development and release cycles. Risks are identified, classified, and tracked through a centralized risk register covering data protection, functionality, and user safety. Each identified risk includes mitigation measures, owners, and status.

The register is reviewed quarterly by product and compliance leads and updated following any significant software update or regulatory change. High-risk findings trigger immediate review and corrective action, ensuring continuous improvement and alignment with ISO 14971 risk management principles.

Privacy Governance

CareClinic Software Inc. serves as the data controller for all activities described in this policy. We maintain documented privacy management procedures, perform annual impact assessments, and train all staff handling sensitive data. Internal compliance audits validate that privacy and security controls remain effective.

CareClinic’s Privacy Officer oversees adherence to legal, technical, and ethical standards, ensuring alignment with GDPR, PIPEDA, HIPAA, and other regional laws. Policy revisions and updates are reviewed at least annually or whenever regulations or business practices change.

Privacy Inquiries and Complaints

Questions or complaints may be directed to our Privacy Officer at privacy@careclinic.io. Users may also contact their local data protection authority. For Ontario residents, contact the Information and Privacy Commissioner of Ontario at info@ipc.on.ca or 1-800-387-0073.

Last Modified: Nov 12, 2025