1. Introduction

• This Privacy Notice explains how HEAL Access LLC (“HEAL Access,” “we,” “us”) collects, uses, stores, and protects information processed througour digital health platform (“Platform”).

• It applies to:

  • Patient Users who access the Platform (MyHealth) through a healthcare provider or clinic (“Organizations”); and

  • Healthcare Organizations and their authorized staff (“Organizations”) that use the Platform (MyCare) to manage care, assessments, and patient communications.

• HEAL Access is committed to privacy, transparency, and compliance with global and Canadian healthcare data-protection standards.

​

​

2. Introduction

• Patient-Originated Data: Information provided directly by the patient, including assessments, wellness data, and AI conversations.

• Organization-Originated Data: Data entered or generated by Organizations, including clinical notes, test results, and care plans.

• Custodian/Controller: The healthcare organization legally responsible for health records.

• Processor/Information Manager: HEAL Access LLC, processing data on behalf of custodians.

• AI Features: Machine learning tools that generate insights but do not replace clinical judgment.

​

​

3. Legal Framework

• HEAL Access operates under a multi-jurisdictional privacy and healthcare compliance model, aligning with:

  • Canada: PIPEDA (federal), PHIPA (Ontario), HIA (Alberta), FIPPA (British Columbia), and Law 25 (Quebec).

  • United States: HIPAA for Protected Health Information (PHI) and applicable state privacy laws.

  • European Union/United Kingdom: GDPR and UK GDPR for personal data processed in or transferred from the EU/UK.

  • Other jurisdictions: Local data-protection requirements where the Platform is used.

• When laws conflict, HEAL Access applies the stricter standard of protection to ensure consistent safeguarding of all users’ personal and health information.

​

​

4. Legal Framework

• The Platform is intended for:

  • Licensed healthcare organizations, and their authorized staff.

  • Patients aged 18 years or older.

• Minors under 18 may use the Platform only with verified parental/guardian consent or as permitted by local healthcare consent laws (generally 12–16 years in Canadian provinces).

• The Platform must not be used for emergencies. If you are experiencing a medical emergency, call 911 or your local emergency service immediately.

• Use of the Platform constitutes acceptance of this Privacy Notice and related Terms of Use.

​

​

5. Roles and Responsibilities

• Patients: Owners of their personal and AI interaction data, controlling what is shared with their Organization.

• Organizations: Data custodians/controllers for PHI processed through the Platform, responsible for patient consent and lawful processing.

• HEAL Access LLC: Processor/Information Manager/Service Provider on behalf of the custodian, implementing security and privacy controls in accordance with applicable laws.

​

​

6. Information We Collect

• We collect and process only the data necessary for Platform functionality and compliance:

  • Patient-Originated Data: demographic details, clinical assessments, wellness entries, self-reported symptoms, and AI interactions.

  • Organization-Originated Data: staff account credentials, permissions, audit logs, billing, and administrative records.

  • AI Interaction Data: patient prompts, system responses, and performance metadata (only when AI features are enabled).

  • Technical Information: device type, IP address, browser, operating system, and activity logs.

  • Analytics Data: anonymized metrics for system reliability and improvement.

• We do not use identifiable PHI/PII for marketing, advertising, or unrelated analytics.

​

​

7. How We Use the Information

• We process collected data only for the following purposes:

  • Delivering and supporting Platform functionality

  • Support clinical workflows, care coordination, and secure messaging.

  • Generate AI-based summaries and insights for informational support.

  • Maintain security monitoring, auditability, and incident response.

  • Manage billing, subscription, and administrative operations.

  • Managing user accounts and authentication

  • Maintaining system performance and security

  • Complying with legal, contractual, and regulatory obligations

• We do not sell, lease, or use personal information for marketing purposes.

​

​

8. Data Storage, Residency & Cross-Border Transfers

• Data is stored in secure cloud infrastructure hosted by Amazon Web Services (AWS) in the geographic region selected by the Organization (e.g., Canada Central, U.S. East, or another supported region). No persistent storage of identifiable personal or health data occurs outside the selected region without written authorization from the Organization.

• Occasionally, authorized HEAL Access technical personnel outside the region may access data temporarily for support, maintenance, or emergency troubleshooting. Such access is:

  • Strictly controlled, encrypted, and logged for audit;

  • Limited to the minimum data necessary;

  • Conducted under contractual confidentiality and data protection obligations.

• For Canadian users, all cross-border access and processing comply with PIPEDA, and applicable provincial health privacy laws such as PHIPA (Ontario), HIA (Alberta), FIPPA (BC), and Law 25 (Quebec), ensuring equivalent protection regardless of data location.

• For EU and UK users, transfers of personal data outside their region are governed by Standard Contractual Clauses (SCCs) or other recognized transfer mechanisms providing an equivalent level of protection.

• For U.S. users, processing and safeguards align with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state privacy laws.

• For all other international users, HEAL Access applies comparable administrative, technical, and contractual safeguards to ensure that personal and health data receives a level of protection consistent with internationally accepted privacy standards.

​

​

9. AI Features and Consent

• HEAL Access integrates Artificial Intelligence (AI) within both the Patient (MyHealth) Platform and the Organization (MyCare) Platform to support, but never replace, clinical judgment. AI features operate under strict privacy, security, and ethical safeguards.
   

​9.1. Purpose of AI Use

• AI assists with:

  • Generating health insights and educational content;

  • Summarizing assessments and documentation for providers;

  • Supporting communication and workflow efficiency.

  • AI outputs are advisory only and must always be reviewed by qualified healthcare professionals.

​

​9.2. AI Use for Patients

• Patients may use AI to understand symptoms, access wellness information, or receive personalized insights.

• When the Personal Data Access toggle is ON, AI may process patient data to generate tailored responses. When OFF, only generic responses are provided.

• AI chats and self-entered information are private and not shared with the Organization unless the patient explicitly chooses to share them.

• Any shared AI generated summaries become part of the patient’s medical record and fall under the Organization’s custody.

​

​9.3. AI Use for Organizations

• The Organizations Platform includes AI tools to support clinical documentation and workflow automation.

• Organizations remain fully responsible for reviewing and validating all AI outputs before using them for clinical purposes.

• Role-based controls determine staff access to AI features.

• If a patient limits consent for AI processing, HEAL Access will make reasonable efforts to exclude identifiable data from AI responses, though this may limit AI functionality or related service commitments.

​

​9.4. Data Protection and Safeguards

• Identifiable data is never used to train or improve AI models without explicit written consent from patients and Organizations.

• All AI interactions are encrypted, logged, and retained according to compliance and audit requirements.

• De-identified and aggregated AI usage data may be analyzed to improve system safety and performance.

• AI systems undergo internal testing and bias monitoring to maintain accuracy and fairness.

​

​9.5. Limitations

• AI may not account for complete medical context and can contain errors or bias.

• All users (patients and organizations) must rely on clinical expertise, not AI outputs, for medical decisions.

• HEAL Access is not responsible for outcomes based solely on AI recommendations.

​

​

10. Data Sharing and Ownership

• Patients own their personal and AI interaction data.

• Organizations own or control the medical records and assessments they create.

• Once patient data is shared with an Organization, it becomes part of the medical record and follows that Organization’s retention and access policies.

• HEAL Access never sells or commercially distributes user data.

​

​

11. Your Rights (Patients & Organizations)

• Users have the right to:

  • Access, review, and correct their information.

  • Request account deletion (completed within 30 days; irreversible).

  • Obtain data in structured formats (e.g., FHIR, JSON, PDF).

  • File privacy complaints with regulatory authorities.

​

• Data retention:

  • Organization records are retained per healthcare laws (typically 1–2 years minimum).

  • De-identified analytics and audit logs may be kept for compliance verification.

​

​

12. Breach Notification

• If a confirmed data breach occurs:

  • HEAL Access will notify affected Organizations and users within 48 hours of confirmation.

  • Notifications include the nature of the breach, data involved, mitigation steps, and recommended user actions.

  • Organizations remain responsible for any additional regulatory and patient notifications required by law.

​

​

13. Subprocessors and Third Parties

• HEAL Access relies on trusted subprocessors for completing the service provision.

• All subprocessors are contractually bound to equivalent data-protection obligations.

•  Organizations are notified before new subprocessors are added.

​

​

14. Cookies and Tracking Technologies

• HEAL Access uses essential cookies for authentication, security, and performance analytics.

• No advertising or cross-site tracking cookies are used.

• Organizations and Patients can manage cookie settings in their browsers

​

​

15. Security Practices

• Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).

• Multi-factor authentication and least-privilege access controls are applied.

• Continuous logging is provisioned via AWS CloudTrail.

• Backups are taken every 24 hours (4-hour RPO; 24-hour RTO).

• Third party security testing aligned with ISO 27001 / SOC 2 standards are conducted annually.

​