Privacy Policy
How clinic.ca collects, uses, protects, and discloses your personal health information under Ontario's Personal Health Information Protection Act (PHIPA, 2004).
1. Who we are
clinic.ca is operated by Capital Z Technologies Inc., a federally incorporated Canadian company based in Mississauga, Ontario. We operate an Ontario async document service where licensed Ontario Nurse Practitioners (CNO-registered, Extended Class) review patient intake submissions and issue lab requisitions, referral letters, prescriptions, and medical notes when clinically appropriate. clinic.ca is a one-way document delivery service — we do not review or interpret lab results, and we do not provide ongoing clinical care.
2. Privacy Officer
Our designated Privacy Officer is responsible for PHIPA compliance, handling access requests, and managing any privacy incidents.
Email: privacy@clinic.ca
Phone: (647) 699-8240
Mail: Capital Z Technologies Inc., Mississauga, Ontario
3. What personal health information we collect
When you use clinic.ca, we may collect the following categories of personal health information (PHI):
- Identity information: full name, date of birth, biological sex, email address, phone number, mailing address
- Health card information: Ontario OHIP card number, version code, and expiry date
- Health information: symptoms, medical history, risk factors, current medications, and clinical notes you provide during intake
- Service information: test or service requested, add-ons selected, OHIP eligibility determination, nurse practitioner review notes
- Payment information: last four digits of your payment card (full card details are processed by Stripe and never stored on our servers)
4. How we use your information
We use your PHI solely for the following purposes:
- Facilitating review of your intake submission by a licensed Ontario nurse practitioner (NP)
- Generating lab requisitions, specialist referral letters, or prescriptions when approved by the reviewing nurse practitioner
- Sharing your requisition with LifeLabs or Dynacare to fulfill your lab test order
- Communicating with you about your order status, results, and follow-up care
- Processing your payment and issuing refunds when applicable
- Complying with legal and regulatory obligations
We do not use your PHI for marketing, advertising, data analytics, research, or any purpose not directly related to your clinical care through clinic.ca.
5. Who we share your information with
We share your PHI only with the following parties, and only to the extent necessary to provide your requested service:
- Reviewing nurse practitioner: a CNO-registered Ontario NP who reviews your intake and exercises independent clinical judgment
- TELUS Health CHR: our clinical health record system where your patient file is created and maintained
- LifeLabs and/or Dynacare: Ontario-based laboratory providers who receive your requisition and perform your lab tests
- Stripe: our payment processor, which handles card transactions under its own PCI-DSS compliant systems
- Fax service provider: used to transmit requisitions to your designated lab or pharmacy
Each vendor handling PHI has signed a Data Processing Agreement confirming PHIPA-compliant handling and Canadian data residency.
We will not disclose your PHI to any other party without your express consent, except where required by law (e.g., court order, mandatory public health reporting).
6. Consent
We obtain your express consent before collecting your PHI. You provide consent through the intake questionnaire consent checkbox before any health data is collected. Your consent covers:
- Collection of PHI for the purpose of nurse practitioner review
- Sharing of your requisition with LifeLabs or Dynacare
- Storage of your patient record in TELUS Health CHR
- Communication about your order and results via the email address you provide
Withdrawing consent
You may withdraw your consent at any time by contacting our Privacy Officer at privacy@clinic.ca. Please note:
- Withdrawal of consent does not affect the legality of processing that occurred before withdrawal
- If you withdraw consent during an active order, we may be unable to complete your service and will process a refund
- Certain records may be retained as required by Ontario medical record retention laws, even after consent withdrawal
7. Data storage and security
Your PHI is stored on Canadian servers. We implement the following safeguards in accordance with PHIPA s.12(1):
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls limiting PHI access to authorized personnel and nurse practitioners
- Audit logging of all PHI access events
- Secure credential management and multi-factor authentication for administrative access
- Regular security assessments and penetration testing
8. Data retention and destruction
We retain your patient records in accordance with Ontario requirements:
- Adult patients: 10 years from the date of last interaction
- Patients under 18: 10 years from the date the patient turns 18
- Payment records: 7 years as required by CRA
When the retention period expires, records are securely destroyed using cryptographic erasure for digital records. No PHI is retained beyond the required period without your express consent.
9. Your rights under PHIPA
As an Ontario patient, you have the following rights under PHIPA:
- Right of access (s.51): You may request a copy of your personal health information held by clinic.ca
- Right of correction (s.55): You may request correction of inaccurate or incomplete PHI
- Right to withdraw consent: You may withdraw consent for future collection, use, or disclosure of your PHI
- Right to complain: You may file a complaint with our Privacy Officer or with the Information and Privacy Commissioner of Ontario
To exercise any of these rights, contact our Privacy Officer at privacy@clinic.ca. We will respond within 30 days.
10. Breach notification
In the event of theft or loss of, or unauthorized access to, your PHI, we will:
- Contain the breach and assess the risk of significant harm
- Notify you at the earliest opportunity if there is a real risk of significant harm
- Report the breach to the Information and Privacy Commissioner of Ontario (IPC)
- Document the incident and remediation steps taken
11. Cookies and analytics
clinic.ca does not use third-party analytics or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any similar tracking technology. No third-party advertising or tracking scripts are loaded on any page.
If we implement analytics in the future, we will use a privacy-first tool with Canadian data residency and obtain your consent before any tracking occurs.
12. Third-party services
We self-host all fonts and static assets to prevent third-party data collection. No external resources are loaded that would transmit your IP address or browsing behavior to third parties while you use clinic.ca.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active patients and posted on this page with an updated "Last updated" date. Your continued use of clinic.ca after changes constitutes acceptance of the updated policy.
14. Contact and complaints
Privacy Officer: privacy@clinic.ca
General inquiries: info@clinic.ca
Phone: (647) 699-8240
If you are not satisfied with our response to a privacy concern, you have the right to file a complaint with:
Information and Privacy Commissioner of Ontario (IPC)
2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8
Phone: 1-800-387-0073
Website: ipc.on.ca