Privacy Policy

Last Update: Dec 18, 2022

1. INTRODUCTION

This privacy policy (the “Privacy Policy”) describes how MAPflow Inc. (“MAPflow”, “Company”, “we”, “us”, or “our”) collects, stores, uses, and distributes personal information, personal health information and data of Health Service Providers who use the Platform, their patients, and any individuals who access MAPflow’s services (“you” or “your”), created in the course of accessing and using the Site, Platform, Materials, and/or Services, defined below.

MAPflow respects your privacy and is committed to keeping personal information and personal health information accurate, confidential and secure. We collect, use, and disclose information about you that is relevant for the purposes as laid out in this Privacy Policy, in accordance with applicable privacy legislation.

2. DEFINITIONS

For the purposes of this Privacy Policy:

• Health Service – any health care related service (as defined by relevant legislation) that is provided to a Patient by a Health Service Provider, irrespective of whether that service is delivered through the MAPflow Platform and Services or by other means
• Health Service Provider – any qualified and authorized provider of Health Services including but not limited to pharmacies and clinics contracting to make use of the Platform to deliver Health Services to patients.
• Materials – any content, materials, questions, options, results, reports, or information found on or provided by the Platform, as a result of any data, including but not limited to Patient Data provided by you.
• Minor – any person under the age of majority in the jurisdiction.
• Non-Personal Information or NPI – means information from which all personally identifiable information is removed, which as a consequence is neither Personal Information or Personal Health Information and does not identify you. In accordance with the Privacy Policy and applicable privacy legislation, information must be de-identified where necessary by MAPflow before it falls under the definition of NPI.
• Patient – any individual who receives Health Services from a Health Service Provider.
• Patient Data – information about an identifiable Patient entered into the Platform by a Health Service Provider.
• Patient Representative – a person authorized to act on the patient’s behalf to manage the patient’s prescriptions and Health Services.
• Personal Health Information or PHI – means information about an identifiable individual that may be collected when you engage a Health Service Provider for a Health Service as such term is defined in applicable legislation such as the Personal Health Information Protection Act (Ontario) (“PHIPA”) and any substantially similar privacy legislation.
• Personal Information or PI means information about an identifiable individual, including any “Personal Information” as such term is defined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any substantially similar privacy legislation.
• Platform – the MAPflow user platform for Health Service Providers.
• Privacy – an individual's right to retain control over the collection, use and disclosure of their personal information.
• Services – all services, except Health Services, made available by or through MAPflow, including but not limited to services access through the Platform or the Site
• Site – means www.mapflow.ca and its related webpages.
• User Generated Content (UGC) – any content whatsoever that you submit, create, upload, transfer, or otherwise make available by access to the Site or through the Services, including but not limited to messages, information, comments, feedback, images, data or in-media screenshots, videos, audio or other content posted in any public or private area within the Site or Platform.

3. RESPONSIBILITIES REGARDING THE PRIVACY OF PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION

The Health Service Provider is responsible for the privacy of Personal Information and Personal Health Information for their patients as the Health Information Custodian, as such term is defined in applicable legislation such as the Personal Health Information Protection Act (Ontario) (“PHIPA”) and any substantially similar privacy legislation. If you have an inquiry about the collection, use and disclosure of information by Health Service Providers, please contact them directly.

In accordance with the MAPflow User Agreement (“Agreement”), Health Service Providers authorize MAPflow to act as an affiliate for the purposes of processing relevant PI and PHI, including Patient Data, in order for Health Service Providers to perform Health Services. MAPflow shall adhere to the privacy policies of the Health Service Provider and all applicable legislation in accordance with the Agreement and Privacy Policy.

This Privacy Policy applies to Patients receiving a Health Service by a Health Service Provider to the extent that it supports the Health Service Provider’s policies and clarifies our approach to safeguards and compliance in relation to this obligation. At all times, the Health Service Provider’s policies and related agreements and applicable legislation they are subject to take precedence to this Privacy Policy.

4. ACCOUNTABILITY AND IDENTIFYING PURPOSE FOR COLLECTING PERSONAL AND PERSONAL HEALTH INFORMATION

MAPflow has established policies and procedures to comply with this Privacy Policy and has designated a Privacy Officer as the contact person who is accountable for our compliance. The Privacy Officer’s contact information is contained at the end of this Privacy Policy.

MAPflow will identify the purposes for which Personal Information and Personal Health Information is collected at or before the time the information is collected. If MAPflow intends to use Personal Information and Personal Health Information for any other purpose, we will seek your consent, as required by law.

5. OBTAINING CONSENT

MAPflow will obtain consent before or when we collect, use, or disclose Personal Information and Personal Health Information about you, except where otherwise required or permitted by applicable privacy legislations. You can provide consent to the collection, use, and disclosure of Personal Information and Personal Health Information about you expressly, implicitly, or through an authorized representative, as required by applicable law. You can withdraw consent at any time, with certain exceptions, with your Health Service Provider or by contacting us at info@mapflow.ca.

You may also choose not to provide us with your Personal Information or Personal Health Information. However, if you make this choice, we may not be able to provide you with the Services you request.

BY PROVIDING PERSONAL HEALTH INFORMATION TO YOUR HEALTH SERVICE PROVIDER AND CONSENTING TO THE USE OF MAPFLOW AS PART OF RECEIVING A HEALTH SERVICE FROM THEM, YOU AUTHORIZE YOUR HEALTH SERVICE PROVIDER TO USE THE MAPFLOW PLATFORM AND SITE AND UPLOAD PATIENT DATA SPECIFIC TO YOU AND YOU AGREE THAT THE HEALTH SERVICE PROVIDER AND THEIR AFFILIATE(S), INCLUDING MAPFLOW, MAY COLLECT YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION AND YOU CONSENT TO THE USE, DISCLOSURE, AND TRANSFER OF YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION TO FACILITATE RECEIVING THIS SERVICE, IN ACCORDANCE WITH THE HEALTH SERVICE PROVIDER’S PRIVACY POLICIES AND AS PERMITTED OR REQUIRED BY LAW.

6. TYPES OF INFORMATION WE COLLECT

MAPflow collects Personal Information, including but not limited to, the following:

• information that relates to an individual’s name, health, location information, education, employment status, use or receipt of governmental services, date of birth, gender, addresses, telephone numbers, government-issued identification numbers, other identifying numbers, and any other information you provide to us, so that MAPflow can provide Services and the Health Service Provider can provide Health Services.

MAPflow collects Personal Health Information, including but not limited to, the following:

• information that relates to the physical or mental health of the individual, health or medical history of the individual or individual’s family, identification of a health care provider, details of prescriptions, medications, or allergies, and health care related identification or private health benefits information, and any other information you provide to us, so that MAPflow can provide Services and the Health Service Provider can provide Health Services.

MAPflow collects Technical Information which includes information and data that is collected when you access our Platform and Site including usage details, login information, browser types and versions, time zone setting, browser plug-in types and versions, operating system, or information about your internet connection, the equipment you use to access our Platform and Site, and usage details. Technical Information also includes non-personal details about your Site and Platform interactions such as clickstream to, through and from our Site (including date and time), pages you viewed, searches you conducted, page response times, download errors, length of visits, page interaction information (scrolling, clicks, and mouse-overs), etc.

MAPflow also collects Non-Personal Information. This information can also include anonymous usage data that is non-identifying and aggregated data that has been de-identified or anonymized in accordance with our agreements with and in compliance with the policies of the Health Service Provider and applicable legislation they are subject to. THIS PRIVACY POLICY DOES NOT RESTRICT OUR USE OF NPI FOR ANY LEGITIMATE BUSINESS PURPOSE AND MAPFLOW RESERVES THE RIGHT TO USE NPI WITHOUT FURTHER NOTICE TO YOU OR CONSENT, IN ACCORDANCE WITH LAW.

7. HOW WE COLLECT PERSONAL AND PERSONAL HEALTH INFORMATION

MAPflow collects information in different ways, including:

• When PI and PHI is provided to us - for example when a Health Service Provider registers for a MAPflow subscription, or when a Patient or Patient Representative provides PI and PHI to the Health Service Provider along with the Patient’s consent and the Health Service Provider uploads Patient Data to the Platform.
• Automated technologies or interactions – information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other technologies.
• Where permitted by law – MAPflow may also collect information as otherwise permitted by law.

8. HOW WE USE PERSONAL AND PERSONAL HEALTH INFORMATION

With your consent, MAPflow uses PI and PHI for the purposes of providing you access to and enabling the use of the Platform and Site. When you voluntarily provide PI and PHI, we use this information in the following ways:

• To provide you access to and enable the use of the Platform and Site;
• To present our Platform and Materials to you;
• To provide you with information or Services that you request from us;
• To provide you with notices regarding your account, including expiration and renewal notices;
• To process subscription transactions;
• To notify you about changes to our Site or Platform;
• To improve our Site, Platform, marketing, or customer relationships and experiences;
• To conduct internal business processes;
• In any other way we may describe when you provide the information; and
• For any other purpose with your consent.

9. ELECTRONIC COMMUNICATIONS

When you visit the Site, Platform, or send emails to us, you are communicating with us electronically. You consent to receive communications from us electronically. We will communicate with you by email or by posting notices on the Site. You agree that all agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications be in writing. It is your responsibility to ensure you provide an up-to-date and accurate email address regarding electronic communications.

If you have opted-in to receive marketing communications from us, we may send you promotional offers from time to time. You may unsubscribe at any time by clicking the unsubscribe link at the bottom of the message. This prevents any promotional emails from being sent to you unless you explicitly request that we re-add you to a promotion list.

10. HOW WE DISCLOSE THE DATA WE COLLECT FROM YOU

We may disclose PI or PHI that we collect, or you provide as Patient Data, as described in this Privacy Policy, with:

• Our affiliates and subsidiaries who may be involved in delivering MAPflow’s Services, providing technical and administrative support, conducting internal research and analysis, and making improvements to the Platform; and
• Our contractors, service providers, and other third parties affiliated with MAPflow. These third parties are obligated to protect PI and PHI, and they are only given the information necessary to perform their designated functions. The collection and use of such information by third parties is subject to their own privacy policies. These service providers include, without limitation:

• MedStack, a secure and compliant cloud hosting platform for healthcare applications, owned by MedStack, Inc. whose privacy policy can be found here or at https://medstack.co/legal/privacy/; and
• Stripe, a payment processing platform, owned by Stripe, Inc. whose privacy policy can be found here or at https://stripe.com/en-ca/privacy.
• ZenDesk, a customer service and relationship management service provider whose privacy policy can be found here or at https://www.zendesk.com/company/agreements-and-terms/privacy-notice/, and whose terms can be found here or at https://www.zendesk.com/company/agreements-and-terms/terms-of-use/.

We may share aggregate or anonymized information, including NPI, with service providers, business partners, and other third parties, to the extent permitted by applicable law, including but not limited to for the purposes of evaluating the Services, research and analytical purposes, marketing, etc. We take steps to keep NPI from being associated with you and we require our partners to do the same.

The choice to provide PI or PHI to you Health Service Provider is yours. If you do not wish for MAPflow to collect your PI or PHI through the use of the Platform or Site, you can choose not to provide it. However, your decision to limit or withhold certain details may limit the Services that MAPflow is able to provide the Health Service Provider. However, it is at all times your decision to provide, withhold, or withdraw your consent for the use of your PI or PHI.

11. HOW WE LIMIT COLLECTION, USE, DISCLOSURE, AND RETENTION

MAPflow collects PI and PHI only by fair and lawful means and only collects the necessary amount of information as required for the purposes of providing the Services and in accordance with this Privacy Policy.

MAPflow will use PI and PHI only for the reasons as set out in this Privacy Policy. MAPflow will keep PI and PHI only as long as necessary for the identified purposes and as required by law. MAPflow may share PI and PHI to affiliates, subsidiaries, and other third parties only for the purposes of providing Services as set out in this Privacy Policy.

We take steps to ensure security and limit access to PI and PHI, including contractual restrictions and training on confidentiality and privacy obligations.

Currently, MAPflow or our third-party service providers retain, and store information collected by, or provided to, us in the cloud and on secure servers in Canada. Some of our third-party service providers may retain and store limited information outside of Canada in accordance with their respective privacy policies and as permitted by applicable data protection laws. While we undertake measures to protect PI and PHI, when it is stored and/or processed in other jurisdictions, the laws of other countries may not provide the degree of protection for PI and PHI that is available in Canada. You will be made aware of when and what information they are sharing outside of Canada and have the option not to share this information and engage these services.

12. INDIVIDUALS UNDER THE AGE OF 16

Generally, if you are under the age of 16, your parent, a children’s aid society, or another person who is legally entitled to give consent on your behalf, will act as your Patient Representative. That person can consent to the collection, use or disclosure of your information, except in certain circumstances.

MAPflow does not knowingly collect or use any PI or PHI from individuals under the age of 16 unless provided by the Health Service Provider with the consent of the Patient Representative in accordance with the terms of this Agreement.

If you are 16 or older and capable of consenting, only you can consent to the collection, use or disclosure of your PHI unless you have designated a Patient Representative.

13. ACCESSING AND MAINTAINING ACCURACY OF YOUR PERSONAL AND PERSONAL HEALTH INFORMATION

Except as restricted by law, upon written request by you or an authorized representative, an individual will be informed of the existence, use, and disclosure of their PI and PHI and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and may request to have it amended.

MAPflow will keep PI and PHI in its possession or control accurate, complete, current and relevant, based on the most recent information available to MAPflow. You are responsible for notifying MAPflow about the accuracy and completeness of your PI and PHI and may have it amended as appropriate.

14. SAFEGUARDS

The safety and privacy of PI and PHI is our top priority. PI and PHI will be protected by security safeguards appropriate to the nature and format of the information being stored through physical, electronic, and administrative measures designed to secure PI and PHI. We strive to protect PI and PHI from theft, loss, and unauthorized access, copying, modification, use, disclosure and disposal. We conduct audits and complete investigations to monitor and manage our privacy compliance. We ensure that all of our officers, directors, employees and agents protect your privacy and only use PI and PHI for the purposes to which you have consented.

We may transfer PI or PHI that we collect or that you provide as Patient Data as described in this Privacy Policy to contractors, service providers, and other third parties we use to support our business purposes and who are contractually obligated to keep Personal Information and Personal Health Information confidential, use it only for the purposes for which we disclose it to them, and to process the PI and PHI with the same standards set out in this policy.

There is no guarantee that data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, electronic, or administrative safeguards. We follow all privacy and security requirements as outlined in legislation. By sharing your PI and PHI with us, you acknowledge that your PI and PHI may be at risk should an external party breach our systems. As required by law, we will inform you of any breaches which would create a reasonable risk of harm to you. We will take reasonable steps to mitigate such risks and to prevent them from occurring again in the future.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE EXPRESSLY DISCLAIM ANY GUARANTEE OF SECURITY IN CONNECTION WITH YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION.

15. DATA INCIDENTS

A Data Incident involves an unauthorized access, use, or disclosure of PI or PHI, loss of PI or PHI, or other breach in the protection of your PI or PHI. In the event of a Data Incident, we will investigate to assess whether the incident poses a risk of serious injury to you. In these circumstances, you will be notified at the first reasonable opportunity.

16. OPENNESS ABOUT OUR POLICIES AND PROCEDURES

We will readily make available specific information about our policies and practices related to the management of PI and PHI. Individuals will have access to this information through this Privacy Policy or by contacting our Privacy Officer. The information will be available in a format that is easy to understand.

17. UPDATES AND CHANGES TO OUR PRIVACY POLICY

It is our policy to post any changes we make to our Privacy Policy on this page. We include the date the Privacy Policy was last revised at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Site and this Privacy Policy to check for any changes. Your continued use or access of the Platform or Services after the effective date signifies your acceptance of and agreement to any changes.

18. QUESTIONS AND COMPLIANCE

We welcome your questions, comments, and requests regarding your Personal Information, Personal Health Information, this Privacy Policy and our privacy practices.

You may contact us as follows:

Andrea Edginton
Privacy Officer
info@mapflow.ca

If you feel we have not met our legal obligations under this policy or applicable privacy laws, please contact our Privacy Officer.

If you are not satisfied with the resolution that we have provided, the Commissioner can be reached as follows:

Office of the Privacy Commissioner of Canada
‍30 Victoria Street
Gatineau, Quebec
K1A 1H3
Canada

‍http://www.priv.gc.ca

Toll-free: 1-800-282-1376
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591