1. Introduction and Commitment
CareNucleus Inc. is committed to protecting the privacy and security of personal information and personal health information entrusted to us. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information in accordance with Canadian federal and provincial privacy laws.
We recognize that privacy is a fundamental right. As a healthcare technology provider, we hold ourselves to the highest standards of privacy protection, understanding that the information we process is among the most sensitive types of personal information.
Scope of This Policy
This Privacy Policy applies to:
- All personal information and personal health information we collect, use, or disclose
- Healthcare providers, practitioners, and their staff who use our platform
- Patients whose health information is processed through our platform
- All users of the CareNucleus platform, website, and services
- Information collected online, offline, and through any electronic means
Our Privacy Principles
We adhere to the ten (10) fair information principles established in Schedule 1 of PIPEDA:
- Accountability: We are responsible for personal information under our control
- Identifying Purposes: We identify why we collect information at or before collection
- Consent: We obtain meaningful consent for collection, use, and disclosure
- Limiting Collection: We collect only what is necessary for identified purposes
- Limiting Use & Disclosure: We use, disclose, and retain only as necessary
- Accuracy: We keep personal information accurate, complete, and up-to-date
- Safeguards: We protect information with appropriate security measures
- Openness: We make our privacy policies and practices readily available
- Individual Access: We provide individuals access to their personal information
- Challenging Compliance: We provide a process for privacy complaints
2. Definitions
| Term | Definition |
|---|---|
| Personal Information | Information about an identifiable individual, as defined in section 2(1) of PIPEDA. |
| Personal Health Information (PHI) | Information that identifies an individual and relates to their physical or mental health, health care history, or payments for health care. |
| Health Information Custodian | A healthcare provider or organization who has custody or control of personal health information (PHIPA s. 3). |
| Agent | A person authorized by a Health Information Custodian to perform services in respect of personal health information. |
| Consent | Voluntary agreement with what is being done or proposed, which is knowledgeable and specific to the collection, use, or disclosure at issue. |
| Breach of Security Safeguards | Loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of security safeguards (PIPEDA s. 10.1). |
3. Accountability
Designated Privacy Officer
CareNucleus has designated a Privacy Officer who is accountable for our compliance with this Privacy Policy and applicable privacy legislation.
Privacy Officer Contact
Title: Privacy Officer, CareNucleus Inc.
Email: privacy@carenucleus.ca
Response Time: We acknowledge receipt of all privacy inquiries within 5 business days.
Accountability for Third Parties
When we transfer personal information to third parties for processing, we remain accountable for that information. We require all third parties to:
- Enter into written agreements containing privacy and security obligations
- Provide a comparable level of protection while information is being processed
- Use the information only for the purposes for which it was transferred
- Implement appropriate technical and organizational security measures
- Notify us immediately of any breach of security safeguards
4. Information We Collect
A. Healthcare Provider Information
- Name, professional designation, and license number
- Business contact information (address, phone, email)
- Billing and payment information
- Login credentials and authentication information
- Professional affiliations and specialty information
- Usage data and platform activity logs
B. Patient Personal Health Information
On behalf of Healthcare Custodians, we may process:
- Patient identification information (name, date of birth, health card number)
- Contact information (address, phone number, email)
- Medical history and clinical notes
- Diagnosis and treatment information
- Prescription and medication information
- Laboratory and diagnostic test results
- Audio recordings of clinical encounters (with consent)
- AI-generated clinical documentation
C. Technical and Usage Information
- IP addresses and device identifiers
- Browser type and operating system
- Access times and referring URLs
- Platform usage patterns and feature utilization
- Error logs and diagnostic information
5. Consent
Meaningful Consent
We obtain meaningful consent for the collection, use, and disclosure of personal information except where permitted or required by law. For consent to be meaningful, individuals must understand:
Forms of Consent
| Information Type | Form of Consent |
|---|---|
| Personal Health Information | Express Consent — Clear, affirmative action required |
| AI Processing of Health Data | Express Consent — Specific informed consent required |
| Audio Recording of Encounters | Express Consent — Explicit verbal or written consent |
| Basic Account Information | Implied Consent — Where collection is obvious |
| Cookies and Analytics | Opt-out Consent — With clear notice |
Withdrawal of Consent
Individuals may withdraw consent at any time by contacting our Privacy Officer. We will process withdrawal requests within thirty (30) days.
6. Use, Disclosure, and Retention
Data Residency Commitment
All patient personal health information processed by CareNucleus is stored and processed exclusively within Canada, in data centers located in Canadian territory (Azure Canada Central and Azure Canada East regions).
Retention Periods
| Information Type | Retention Period | Legal Basis |
|---|---|---|
| Patient Health Records | Minimum 10 years from last entry | PHIPA; Provincial requirements |
| Audit Logs (PHI Access) | Minimum 10 years | Healthcare accountability |
| Account Information | Duration of account + 7 years | Tax and business records |
| Billing Records | 7 years from transaction | CRA requirements |
7. Accuracy
We strive to ensure that personal information is as accurate, complete, and up-to-date as necessary for the purposes for which it is used.
Individuals may request correction of their personal information by contacting our Privacy Officer. We will respond to correction requests within thirty (30) days.
8. Security Safeguards
Administrative Safeguards
- Designated Privacy Officer
- Written policies & procedures
- Employee background checks
- Regular privacy training
Technical Safeguards
- AES-256 encryption at rest
- TLS 1.2+ in transit
- Role-based access control
- Multi-factor authentication
Physical Safeguards
- Secure Azure Canada data centers
- Physical access controls
- Environmental monitoring
- Redundancy systems
9. Your Privacy Rights
- Right of Access: Request access to your personal information
- Right to Correction: Request correction of inaccurate information
- Right to Know: Request info about our use and disclosure
- Right to Withdraw: Withdraw consent for non-essential processing
- Right to Complain: File a complaint with us or regulators
Response Timeline
We will respond to access requests within thirty (30) days of receipt. If an extension is required, we will notify you within the initial 30-day period.
10. Privacy Breach Notification
In accordance with PIPEDA section 10.1 and provincial health privacy legislation, we maintain procedures for responding to and reporting breaches of security safeguards.
- Contain: Take immediate steps to contain the breach and limit impact
- Assess: Investigate to determine scope and assess risk of harm
- Notify: Provide required notifications if there is real risk of significant harm
- Prevent: Implement measures to prevent similar breaches
11. Complaints and Challenging Compliance
If you believe we have not handled your personal information in accordance with this Privacy Policy or applicable law, you may file a complaint.
Internal Complaint Process
- Contact our Privacy Officer at privacy@carenucleus.ca
- Describe your complaint with relevant details
- We acknowledge within 5 business days
- Substantive response within 30 days
External Complaint Options
Office of the Privacy Commissioner of Canada
1-800-282-1376 | priv.gc.ca
IPC Ontario
1-800-387-0073 | ipc.on.ca
12. Artificial Intelligence and Automated Processing
CareNucleus uses artificial intelligence technology to assist Healthcare Custodians with clinical documentation, including transcription, note generation, and summarization.
- Human Oversight: All AI content is reviewed and approved by Healthcare Custodians
- Transparency: We clearly identify when AI has been used to generate content
- Data Minimization: We process only the minimum data necessary
- Canadian Processing: AI processing occurs within secure Canadian infrastructure
- No Secondary Use: Patient data is not used to train AI models
- Explicit Consent: Use of AI features requires explicit consent
14. Children's Privacy
CareNucleus services are intended for use by healthcare professionals. We do not knowingly collect personal information directly from children under 13. Where our platform processes health information about minors, such processing is performed on behalf of Healthcare Custodians with appropriate consents.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date
- For material changes, we will provide notice through our platform or email
- We will obtain new consent where required by law
- Previous versions will be available upon request
16. Contact Us
Governing Law: Province of Ontario and federal laws of Canada
CareNucleus Inc. | Privacy Policy Version 1.0 | © 2026 CareNucleus Inc.