PRIVACY NOTICE EFFECTIVE DATE
This Privacy Notice is effective as of December 2, 2019.
BY INTERACTING WITH THE WEBSITE AT HTTPS://WWW.PHOENIX.CA (THE “SITE”) AND ITS WEB APPLICATION (“WEBAPP”) AVAILABLE THROUGH THE SITE, EITHER AS A VISITOR OR AS A USER, YOU AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY NOTICE AND TO OUR TERMS AND CONDITIONS.
This Privacy Notice applies to Personally Identifiable Information and Personal Health Information that Phoenix Digital Health Inc. (“Phoenix DH”), located at 110 Bond St. Toronto, Ontario M5G 1L5 Canada, collects through its Site and WebApp in providing its Services.
Below are highlights of our Personally Identifiable Information and Personal Health Information handling practices.
Privacy Notice Highlights
The terms “we”, “our” and “us” mean Phoenix DH and the terms “you” and “your” mean the visitors or Users of the Site and the Users of the WebApp.
Capitalized words in these Privacy Notice Highlights are defined in the Detailed Privacy Notice or our Terms of Service.
1 Information We Collect
We collect your Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) from the following sources:
- information you give us when you contact us through the Contact Us Page on our Site, open an Account or subscribe for Services, or engage with us to provide Services, when you submit customer service inquiries, or when you submit customer feedback or reviews; and
- information we collect automatically when you visit our Site or WebApp, such as information about your browser settings, operating system, and other information collected through cookies.
2 How We Use and Disclose Your Information
- We use your PII and PHI that we or our service providers collect from you to provide the Services on our WebApp and to manage our business operations, such as to authenticate you when you sign into your Account, to prevent loss of data and fraud, process your subscription payment, and to monitor and improve the performance of our Site and WebApp;
- We and our service providers may combine or aggregate your de-identified and pseudonymized PII and PHI, so that it will be unlikely to re-identify you from it, to monitor trends and provide and improve our respective products and services;
- We may share with or transfer your PII and PHI that we collect from you to our service providers or Affiliates who may be outside of Canada, so that information may be subject to privacy laws that are different from Canada’s privacy laws.
- We may also disclose your PII and/or PHI if a court order requires us to do so.
- With your consent, we may use your PII to contact you for marketing, promotional, or other purposes.
3 Your Choices and Consent
- You can change your communication preferences for marketing and advertising e-mails, participation in surveys, and to provide or withdraw consent for specific requests we or our service providers may make to collect and use your PII and PHI in the Settings tab of your Account.
- You may withdraw your consent from our further use of your PII or PHI and you may close your Account. If you do so, we may still use your PII and PHI for the purposes to which you consented before you withdrew consent and we may keep information about you and your previous transactions with us for audit purposes, to ensure the integrity of our data, and to fulfill legal requirements.
4 How to Contact Us
If you have a privacy question or concern, please contact us at: email@example.com.
Please review our Detailed Privacy Notice for more information about our data handling practices.
DETAILED PRIVACY NOTICE:
- LIMITING COLLECTION: WHAT INFORMATION DO WE COLLECT?
- LIMITING USE: HOW DO WE USE YOUR PERSONAL INFORMATION?
- DISCLOSURE: WHEN DO WE DISCLOSE YOUR PII AND PHI TO OTHERS?
- SAFEGUARDS: HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
- DATA BREACH
- DATA RETENTION: HOW LONG DO WE KEEP YOUR PII AND PHI?
- DATA STORAGE AND TRANSFER
- AGE AND CONSENT
- THIRD-PARTY SERVICES AND LINKS
- ACCURACY: HOW DO YOU MODIFY YOUR INFORMATION?
- ACCESS: RIGHT TO YOUR DATA
- ACCOUNT CLOSURE: DATA DELETION
- CHALLENGE COMPLIANCE
- CHANGES TO THIS PRIVACY NOTICE
The website https://www.phoenix.ca (the “Site”) and its web application (“WebApp”) available through the Site are owned and operated by Phoenix Digital Health Inc. (“Phoenix DH”).
Phoenix DH provides a secure prescription platform through our WebApp (the “Platform”) that connects individuals seeking prescriptions for erectile dysfunction medication with licensed medical doctors who Evaluate those individuals and issue such prescriptions when clinically warranted (together the “Services”).
As used in this Privacy Notice, capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions; otherwise, the following terms have the following meanings:
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, the number of any government issued identification, medical record number, health card number, professional licensee number, e-mail address, home mailing address, home telephone number, personal cellphone number, your Internet Protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site and the WebApp, if we can associate that PII with you. If you interact with our Site or our WebApp on behalf of an entity, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers (including with our Doctors as part of the Services).
“we”, “us” or “our” means Phoenix Digital Health Inc. and any of our Affiliates.
“you” or “your” means an individual Using the Site, the WebApp, or the Content as a visitor, a prospective or current Client, or a prospective or current Doctor.
This Privacy Notice helps visitors to our Site and Users of the WebApp to better understand how we collect, use, and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We and our service providers comply with privacy and data security legislation including:
- (a) the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), Personal Information Protection Act (“PIPA”) (Alberta and British Columbia), the Health Information Act (“HIA”) (Alberta); E-Health Act (British Columbia); An Act Respecting the Protection of Personal Information in the Private Sector (Quebec); Personal Health Information Privacy and Access Act (New Brunswick); Personal Health Information Act (Newfoundland and Labrador); all including their Regulations and as updated from time to time;
- (b) any other provincial or federal laws and regulations that govern the security of data and the privacy of individuals, if not pre-empted by PIPEDA and as applicable to the subject matter of this Agreement; and
- (c) Compliance with ISO/IEC 27002:2013 Code of practice for information security controls: 15.1: Information security in supplier relationships for both Canadian and American service providers.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at firstname.lastname@example.org.
4. Limiting Collection: What Information Do We Collect?
The ways we collect PII and PHI can be broadly categorized into:
Information you provide to us directly: When you visit or use parts of our Site or the WebApp, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there.
We collect your PII and PHI when you open an Account and when you interact with a Doctor on our Platform. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, and demographic information to be able to properly identify you, to contact you, and to process a credit card payment for your subscription to our Services. We will also collect PHI that you disclose to a Doctor on our Platform, such as your medical conditions, treatment information, surgeries, allergies, and other information that a Doctor may need to determine if you are eligible to receive the Services.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot receive our Services.
Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined.
5. Limiting Use: How Do We Use Your Personal Information?
We collect and use PII, PHI and non-personal information for the following purposes:
- b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the WebApp, the Content, our Services, and our business.
- c) To improve our Site, WebApp, and Services and develop new ones: We monitor how you use the Site, the WebApp and the Services so we can improve our offerings, user experience, and design new features.
- d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, WebApp, Content, and Services are used fairly and according to our Terms of Service.
- e) With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us;
- f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
- g) To comply with any laws and regulations.
6. Disclosure: When Do We Disclose Your PII and PHI to Others?
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who help us with marketing and promotional services.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
We may share your PII or PHI, as applicable, without your explicit consent and without notice to you:
- a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
- b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, this Privacy Notice, or as otherwise required by law.
- c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
- d) To an actual or potential buyer of Phoenix DH (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
- e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
- f) To protect the security of the Site, the WebApp, our Services, and the security of your Account.
7. Safeguards: How Do We Protect Your Personal Information?
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, WebApp, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address the handling of PII and PHI, and we train our staff on them. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS), and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that we share with them or that they collect from you directly.
8. Data Breach
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS OCCURS, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
9. Data Retention: How Long Do We Keep Your PII and PHI?
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit purposes, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII collected by our direct payment gateway provider to process a transaction on the WebApp is stored only during your subscription period with us, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage and Transfer
The PII and PHI we or our service providers collect from you will be stored in Canada; however, some of your PII may be used or stored by our service providers in the United States.
If your PII is used or stored outside Canada, these data will be subject to the laws of the country in which they are used or stored, which may differ from and be less protective of PII than the privacy laws of Canada.
11. Age and Consent
Only individuals 18 years of age or older may subscribe to our Services and access the WebApp.
When you provide PII or PHI to open an Account, interact with a Doctor to be evaluated for receiving the Services, or to provide PII to complete a transaction by credit card, you consent to our collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Please visit the Settings tab in your Account or contact us at email@example.com if you wish to withdraw your consent for our use of your PII and/or PHI.
12. Third-Party Services and Links
You may access third-party websites through links available on our Site or the WebApp. These links are provided for convenience only. Once you leave our Site or WebApp and you are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms of Service.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third-parties that may operate outside of Canada. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
13. Accuracy: How Do You Modify Your Information?
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and we will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
We use reasonable means to ensure that the information in your Account record is accurate. You may update certain PII directly in your Account and you may also request access to your Account Record.
If you have questions or identify any errors in your Account Record, please contact us at firstname.lastname@example.org. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
14. Access: Right to Your Data
You may access your Account Record and port the information from us to another entity. If you request a copy of your Account Record, we will provide it to you at no charge. You can request access to your Account Record by contacting us at email@example.com.
Before we grant you access to your Account Records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws. We will provide you the legends for any special codes, acronyms or other similar information in the disclosed material, so your right of access is meaningful.
15. Account Closure: Data Deletion
To close your Account or to request that the PII or PHI we have about you be deleted, please email us at firstname.lastname@example.org. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII or PHI handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them.
Please notify our Chief Privacy Officer of your complaint by emailing us at email@example.com. You can also reach us at:
Phoenix Digital Health Inc.
110 Bond St.
M5G 1L5 Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue.
17. Changes to This Privacy Notice
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site and the WebApp will display a notice prompting you to review the changes.
If we make substantive changes to this Privacy Notice, then in addition to displaying a notice on the Site and the WebApp, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
By continuing to use the Site, the WebApp, or the Services after you receive the notice you IMPLICITLY CONSENT TO BE BOUND BY THE PRIVACY NOTICE TERMS IN EFFECT ON THAT DATE ON WHICH YOU VISIT THE SITE OR THE WEBAPP.
LAST UPDATED on December 2, 2019. CHANGE LOG: