Privacy Policy
Last Updated: March 8, 2026
Your Privacy Matters. Care& Family Health is committed to protecting the privacy and security of your personal health information. This Privacy Policy describes how we collect, use, disclose, and protect your personal information in accordance with the Personal Health Information Protection Act, 2004 (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as other applicable provincial and federal regulations.
1. Introduction
By using our services, whether in person at our Yorkville or Lawrence Park locations or through our digital health platforms, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.
This Privacy Policy applies to:
- All healthcare services provided by Care&
- The use of our websites, mobile applications, and patient portals
- Communications with our administrative and clinical teams
- Any other interactions with our organization
Careand Family Health Inc. is a health information custodian as defined under PHIPA. Care& Health Tech Inc. acts as an agent of Care& Family Health for the purposes of electronic health record management, and is bound by the same privacy obligations.
This Privacy Policy should be read together with our Terms of Use, which govern your use of our services.
2. Information We Collect
2.1 Personal and Demographic Information
- Full name, date of birth, gender identity
- Contact information (phone, email, address)
- Government-issued identification (health card numbers)
- Emergency contact information
- Payment information (credit card details, banking information)
- Family relationships (for linked accounts, including parent-child relationships)
- Referral information and referral codes
2.2 Health Information
- Medical history and family health history
- Current health conditions and symptoms
- Allergies and adverse reactions
- Medications and treatment plans
- Consultation notes and clinical observations
- Diagnostic and laboratory results
- Immunization records
- Sexual health information
- Maternal health and lactation information
- Mental health assessments and treatment records
2.3 Technical and Usage Information
- IP address and device information when using our digital platforms
- Appointment scheduling history
- Service utilization patterns
- Mobile app and web portal usage statistics
- Location data (limited to verifying Ontario residency for telehealth services)
- Integration data with third-party health platforms (such as Apple Health)
3. How We Collect Information
3.1 Direct Collection
- In-person consultations at our Yorkville and Lawrence Park locations
- Telehealth appointments (phone or video consultations)
- Patient registration and intake forms
- Electronic communications (email, secure messaging)
- Payment processing systems
3.2 Indirect Collection
- From family members or caregivers with appropriate authorization
- From other healthcare providers with your consent
- From third-party diagnostic and laboratory services
- Through our mobile applications and web portal
3.3 Automated Collection
- Cookies and similar technologies on our websites
- Usage tracking within our mobile applications
- Technical logs and analytics tools
- Appointment scheduling and reminder systems
4. Audio Recording and Transcription Process
Care& employs a medical scribe system that records patient-practitioner encounters to ensure accurate clinical documentation through the following process:
- Audio Recording: With your explicit consent, clinical encounters are recorded solely for the purpose of creating accurate medical records.
- Transcription: Audio recordings are transcribed into text format by authorized transcription services.
- Automated Deletion: All audio recordings are automatically and permanently deleted immediately following successful transcription.
- Transcript Retention: Transcribed text is maintained as part of your confidential medical record in accordance with regulatory requirements for health information retention.
- Clinical Documentation: Transcripts may be processed by artificial intelligence systems to generate structured clinical documentation (e.g., SOAP notes) to be reviewed and approved by healthcare practitioners.
You may withdraw your consent for audio recording at any time before or at the start of your appointment by notifying your healthcare provider, in which case alternative documentation methods will be used.
All audio recording, transcription, and AI processing occur within Canada on Canadian-hosted servers. No personal health information is transferred outside of Canada for these purposes.
5. How We Use Your Information
5.1 Primary Uses
- Providing and coordinating your healthcare services
- Maintaining an accurate and up-to-date health record
- Communicating with you about appointments and care plans
- Processing payments for services rendered
- Facilitating prescription management and medication orders
- Enabling healthcare providers to make informed clinical decisions
- Coordinating lab work and diagnostic services
5.2 Administrative and Operational Uses
- Scheduling and managing appointments
- Processing billing and supporting patient insurance reimbursement requests
- Verifying identity and eligibility for services
- Maintaining and improving our operations
- Training and quality assurance activities
- Conducting internal audits and evaluations
- Managing the referral program and associated credits
5.3 Communications
- Sending appointment reminders and follow-up communications
- Distributing health education materials
- Notifying you about service updates or changes
- Responding to your inquiries and requests
- Providing information about additional services that may benefit your health
5.4 Electronic Marketing Communications (CASL)
Care& complies with Canada's Anti-Spam Legislation (CASL) for all commercial electronic messages. We distinguish between:
- Transactional Messages (no consent required): Appointment confirmations and reminders, lab result notifications, prescription updates, account and billing notices, and messages directly related to your ongoing care.
- Commercial Messages (express consent required): Promotional offers for new services, referral program invitations, health education newsletters, and information about programs you are not enrolled in.
For commercial messages, we obtain your express opt-in consent before sending. Every commercial message includes our name and contact information, a clear and functioning unsubscribe mechanism, and a description of the consent obtained. You may unsubscribe from commercial messages at any time. Unsubscribing from commercial messages does not affect transactional messages related to your care.
5.5 Mobile App and Digital Platform Uses
- Enabling appointment booking and management
- Facilitating prescription refills through the app
- Providing access to health records and test results
- Supporting secure messaging with healthcare providers
- Managing linked accounts for family members
- Processing referrals and managing referral program credits
6. Legal Basis for Collection and Use
Care& collects and uses your personal health information primarily on the basis of:
- Your explicit consent
- Implied consent in emergency situations
- Legal obligations under Ontario healthcare regulations
- Purposes permitted by PHIPA without consent, including planning and managing the health system, risk management, and as otherwise authorized by law
7. Consent
7.1 Express Consent
We obtain your express consent for:
- Initial collection of your health information
- Audio recording of clinical encounters
- Sharing information with third parties not directly involved in your care
- Using your information for research or quality improvement initiatives
- Creating linked accounts for children or dependents
- Processing payments through our digital platforms
7.2 Implied Consent
Your consent may be implied when:
- You seek healthcare services from Care&
- You participate in a healthcare appointment
- Information sharing is necessary for continuity of care
- You use our mobile app or web portal for healthcare-related functions, subject to express consent obtained at account registration
7.3 Withdrawal of Consent
You may withdraw or limit your consent at any time by contacting our Privacy Officer, with the understanding that this may impact our ability to provide certain services.
7.4 Consent for Minors and Dependents
- Parents or legal guardians provide consent for children under 16 years of age
- As minors mature, we involve them in consent decisions appropriate to their capacity
- When a minor reaches the age of majority, consent authority transfers to them
- Special protocols are in place for shared custody situations
8. Information Sharing and Disclosure
8.1 Healthcare Team
Your information is shared among your Care& healthcare team to facilitate coordinated care, including:
- Nurse Practitioners
- Administrative staff
- Laboratory technicians and phlebotomists
- Other healthcare professionals within our organization
8.2 External Healthcare Providers
With your consent, we may share information with:
- Specialists
- Diagnostic and laboratory services
- Pharmacies for prescription fulfillment
- Other healthcare institutions
8.3 Third-Party Service Providers
We may disclose information to trusted service providers who assist us in:
- Electronic health record management
- Data storage and security
- Payment processing
- Transcription services
- Technical support for our digital platforms
- Translation services
All third-party service providers operating as agents of Care& have executed written agreements in compliance with PHIPA s. 17, restricting the use of personal health information to the purposes specified by Care& and requiring compliance with all applicable privacy legislation.
8.4 Linked Family Accounts
When accounts are linked (such as parent-child relationships), parents/guardians can access their children's health information, subject to the following:
- Access is controlled based on legal custody arrangements
- Special security measures protect sensitive information
- Access permissions evolve as children mature
8.5 Legal and Regulatory Disclosures
We may disclose information without consent in the following circumstances:
- When required by law, court order, or regulatory authority
- When necessary to prevent serious harm
- As mandated for public health reporting
- As required for health professional regulatory investigations
9. Referral Program Privacy Protections
Care& operates a referral program that allows Family Practice members to refer friends and earn credits. Both the referrer and the referred person receive a $50 credit when the referred person subscribes. Regarding privacy within this program:
- Only minimal contact information is used in referral communications
- Referral status is only shared with the referrer and the referred person
- Credit balances and tracking information are maintained securely within your account
- Referral information is never sold or shared with external parties
- Referral codes contain no personally identifiable information
- Both parties must consent to participate in the referral process
10. Mobile App and Digital Platform Privacy
The Care& mobile application (iOS/Android) and web portal (app.careand.ca) implement the following privacy measures:
- End-to-end encryption for all sensitive communications
- Secure storage of health information on mobile devices
- Automatic session timeouts to prevent unauthorized access
- Biometric authentication options for enhanced security
- Strict access controls for linked accounts
- Transparent data synchronization with electronic health records
- Option to control push notification privacy settings
- Ability to manage third-party health platform integrations (e.g., Apple Health)
11. Data Security
Care& implements strong technical, administrative, and physical safeguards to protect your information, including:
- Technical Safeguards:
  - Encryption of electronic health records and communications
  - Secure access controls and authentication procedures
  - Regular security assessments and vulnerability testing
  - Continuous monitoring for unauthorized access attempts
- Administrative Safeguards:
  - Staff training on privacy and security protocols
  - Confidentiality agreements
  - Access limited to authorized personnel on a need-to-know basis
- Physical Safeguards:
  - Physical security measures at our Yorkville and Lawrence Park facilities
  - Secure data backup and disaster recovery protocols
  - Strict protocols for mobile device security
All patient data, including personal health information, electronic health records, and payment information, is stored and processed on servers located in Canada. Care& does not transfer patient data outside of Canada.
12. Data Retention
We retain your health information for the period required by Ontario healthcare regulations and professional standards:
- Adult Records: Minimum 10 years from the last patient encounter
- Minor Records: 10 years after the patient reaches the age of majority
- Transcripts: Retained as part of your permanent health record
- Payment Information: 7 years for financial record-keeping requirements
- Audio Recordings: Deleted immediately after successful transcription
- Mobile App Usage Data: Retained for up to 2 years
After the retention period, records are securely destroyed in compliance with applicable regulations.
13. Laboratory and Diagnostic Information
For laboratory and diagnostic services:
- Specimen collection follows strict chain of custody procedures
- Results are securely transmitted to our electronic health record system
- Test requisitions contain only the minimum necessary information
- External laboratory partners are bound by strict data protection agreements
- Results are maintained according to our standard retention policies
- OHIP-covered diagnostic services follow Ministry of Health privacy standards
14. Telehealth Privacy Considerations
For telehealth services (phone or video consultations):
- Services are only available to patients physically located in Ontario
- We use secure, encrypted telehealth platforms
- Multiple participants may join video consultations with patient consent
- Recording of telehealth sessions by patients is strictly prohibited
- Sessions are conducted in private environments to protect confidentiality
- Practitioners verify patient identity prior to each telehealth encounter
15. Business Healthcare Solutions
For our business healthcare clients:
- Employee health information is never shared with employers without explicit consent
- Aggregate, de-identified utilization reports may be provided to business clients
- Strict data segregation between individual and employer-sponsored accounts
- Workplace consultations maintain the same privacy standards as clinic visits
- Clear boundaries between employer access and employee privacy
- Special consent protocols for workplace health initiatives
16. Your Privacy Rights
Under PHIPA and applicable legislation, you have the right to:
- Access your personal health information
- Request corrections to inaccurate or incomplete information
- Withdraw consent for certain uses and disclosures
- Be informed about how your information is collected, used, and disclosed
- Know who has accessed your information and why
- File a complaint regarding privacy practices
- Set specific restrictions on certain uses of your information
- Receive your information in a portable format
17. Language and Translation Services
Care& primarily offers services in English but recognizes the importance of clear communication in healthcare:
- Translation services are available upon request
- Translators are bound by confidentiality agreements
- Documentation indicates when translation was used during a consultation
- Translated materials maintain the same privacy protections as English materials
- Only qualified medical translators are used for healthcare communications
- Family members are not used as translators for clinical discussions unless requested
18. Accessing and Correcting Your Information
To request access to or correction of your personal health information:
- Submit a written request to our Privacy Officer
- Provide sufficient detail to identify the information you seek
- Specify whether you want to view the record, obtain a copy, or request corrections
We will respond to access and correction requests within 30 days of receiving your request. If additional time is needed, we may extend this period by up to 30 additional days with written notice to you explaining the reason for the extension, as permitted by PHIPA s. 54(7).
For parents/guardians requesting access to a child's information:
- Verification of legal custody may be required
- Access may be limited based on the mature minor doctrine
- Special protocols apply in shared custody situations
19. Privacy Breaches
In the event of a privacy breach involving your personal health information, we will take the following steps at the first reasonable opportunity:
- Contain the breach and mitigate potential harm
- Notify affected individuals as required by law
- Conduct a thorough investigation
- Implement corrective measures to prevent recurrence
- Report to the Information and Privacy Commissioner of Ontario as required
Breach notifications will include:
- A description of what happened and when
- What personal health information was involved
- What Care& is doing to address the breach and prevent recurrence
- What steps you can take to protect yourself
We will provide notification at the first reasonable opportunity, and in any event no later than 30 days after confirming a breach has occurred.
20. Cookies and Website Analytics
Our website uses cookies and similar technologies to analyze website traffic and usage patterns, improve website functionality, and remember your preferences. We use the following analytics tools:
- Google Analytics 4 (GA4) — tracks page views, session data, and general usage patterns
- Google Tag Manager (GTM) — manages analytics and marketing tags
- Google Ads — used for advertising measurement
- Matomo — self-hosted analytics for privacy-focused usage tracking
Cross-Border Data Transfers: Google Analytics, GTM, and Google Ads transmit usage data to Google LLC servers located in the United States. This data does not include personal health information or information entered through the Care& patient portal. By using our website, you acknowledge that your non-health browsing data may be processed on servers outside of Canada. Google's data processing is governed by Google's Privacy Policy and, where applicable, the EU Standard Contractual Clauses.
Matomo analytics data is processed on Canadian servers and does not leave Canada. Website analytics data does not include personal health information.
You can control cookies through your browser settings. Disabling cookies may affect website functionality. For more information about the cookies we use, refer to your browser's developer tools or contact us at privacy@careand.ca.
21. Changes to This Privacy Policy
Care& reserves the right to modify this Privacy Policy at any time. Any changes will be posted on our website and mobile application, available in print at our clinic locations, and communicated through appropriate channels when material changes occur. The "Last Updated" date at the top indicates when it was most recently revised.
22. Contact Us
Privacy Officer
Michael Blitz serves as Privacy Officer for Care& Family Health. If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a privacy concern, please contact:
Care& Family Health
Attention: Privacy Officer
162 Cumberland Street, Suite 200
Toronto, ON M5R 3N5
Phone: (647) 951-4770
Fax: (647) 951-4771
Email: privacy@careand.ca
For general inquiries or to book appointments:
Email: helpdesk@careand.ca
Phone: (647) 951-4770
Lawrence Park Location:
3080 Yonge Street, Suite 6010
Toronto, ON M4N 3N1
Fax: (647) 715-2335
Information and Privacy Commissioner of Ontario
If you are not satisfied with our response to your privacy concern, you may contact:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Phone: 1-800-387-0073
Website: www.ipc.on.ca
23. Applicable Laws
This Privacy Policy is governed by the laws of Ontario and the federal laws of Canada applicable therein, including:
- Personal Health Information Protection Act, 2004 (PHIPA). Ontario legislation governing the collection, use, and disclosure of personal health information by health information custodians.
- Personal Information Protection and Electronic Documents Act (PIPEDA). Federal legislation governing the collection, use, and disclosure of personal information in commercial activities.
This Privacy Policy was originally effective March 1, 2025, and was last updated on March 8, 2026. The current version supersedes all previous versions. This Privacy Policy should be read together with our Terms of Use.
