Privacy Policy

Last Revised: November 1, 2023

1. INTRODUCTION

This privacy policy (the “PrivacyPolicy”) describes how MAPflow Inc. (“MAPflow”, “Company”, “we”,“us”, or “our”) collects, stores, uses, and distributes personalinformation, personal health information and data of Health Service Providers, their Patients, and any other individuals (collectively, “you” or “your”),in the course of accessing and using the Site, Platform, Materials, and/orServices, defined below.

MAPflow respects your privacy and is committed to keeping personal information and personal health information accurate, confidential and secure. As a Patient, when you receive a HealthService from your Health Service Provider, your privacy is the responsibility of that Health Service Provider. When your Health Service Provider accesses and uses the MAPflow Platform and Services to perform Health Services for you, theHealth Service Provider authorizes MAPflow to act as their affiliate for the purposes of electronic processing of relevant personal and health information you provide to the Health Service Provider, to the extent permitted by applicable law.

By accessing the Site or submitting information to us (either independently or through your Health ServiceProvider), you consent to the collection, use, and disclosure of your information by MAPflow for the provision of Health Services by your HealthService Provider in accordance with the Health Service Provider’s privacy policies, this Privacy Policy, and applicable privacy legislation. This PrivacyPolicy is intended to be subordinate to and supports the Health ServiceProvider’s privacy policies.

You are also deemed to have read and accepted the terms of the MAPflow WebsiteTerms of Use https://www.mapflow.ca/terms-of-use. In addition, when you use any current or future MAPflow Services, you will also be subject to the MAPflow Terms of Use Agreement or other agreement governing your use of our Services as applicable.

IF YOU DO NOT AGREE WITH OUR PRIVACY POLICY, YOU MUST NOT ACCESS OR USE THE PLATFORM AND/OR MATERIALS IN ANY CAPACITY, YOU MUST INSTRUCT YOUR HEALTH SERVICE PROVIDER IMMEDIATELY TO CEASE ACCESSING OR USING THE PLATFORM OR MAPFLOW’S SERVICES IN THE COURSE OF PROVIDING HEALTH SERVICES TO YOU, AND YOU MUST DISCONTINUE ALL USE OF THE PLATFORM AND SITE IMMEDIATELY.

2. DEFINITIONS

For the purposes of this Privacy Policy:

• Health Service – any health care related service (as defined by relevant legislation) that is provided to a Patient by a Health Service Provider, irrespective of whether that service is delivered through the MAPflow Platform and Services or by other means.
• Health Service Provider – any qualified and authorized provider (as defined by relevant legislation) of Health Services including, but not limited to, pharmacists, pharmacies and clinics contracting to make use of the Platform to deliver Health Services to Patients.
• Materials – any content, materials, questions, options, results, reports, or information found on or provided by the Platform, as a result of any data, including but not limited to Patient Data provided by you.
• Minor – any person under the age of majority in the jurisdiction.
• Non-Personal Information – means information from which all personally identifiable information is removed, which as a consequence is neither Personal Information or Personal Health Information and does not identify you, as such information is defined in any applicable provincial and federal legislation.
• Patient – any individual who receives Health Services from a Health Service Provider.
• Patient Data – information about an identifiable Patient entered into the Platform by a Health ServiceProvider
• Patient Representative – a person authorized to act on the patient’s behalf to manage the patient’s prescriptions and Health Services.
• Personal Health Information - means information about an identifiable individual that may be collected when you engage a Health Service Provider for a Health Service as such term is defined in any applicable legislation.
• Personal Information - means information about an identifiable individual, including any “PersonalInformation” as such term is defined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any applicable privacy legislation.
• Platform – the MAPflow user platform for Health Service Providers.
• Privacy – an individual's right to retain control over the collection, use and disclosure of their personal information and personal health information.
• Services – all services, except Health Services, made available by or through MAPflow, including but not limited to services access through the Platform or the Site.
• Site – means www.mapflow.ca and its related webpages.
• User Generated Content (UGC) – any content whatsoever that you submit, create, upload, transfer, or otherwise make available by access to the Site or through the Services, including but not limited to messages, information, comments, feedback, images, data or in-media screenshots, videos, audio or other content posted in any public or private area within the Site or Platform.

3. RESPONSIBILITIES REGARDING THE PRIVACY OF PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION

The Health Service Provider is responsible for the privacy of Personal Information and Personal Health Information for their patients as the ‘health information custodian’, as such term or other similar designation is defined in any applicable provincial legislation. If you have an inquiry about the collection, use and disclosure of information by Health Service Providers, please contact them directly.

In accordance with the MAPflow Terms of UseAgreement (“Agreement”), Health Service Providers authorize MAPflow to act as an affiliate for the purposes of processing relevant PersonalInformation and Personal Health Information, including Patient Data, in order for Health Service Providers to perform Health Services. MAPflow shall ad hereto the privacy policies of the Health Service Provider and all applicable legislation in accordance with the Agreement and Privacy Policy.

This Privacy Policy applies to Patients receiving a Health Service by a Health Service Provider to the extent that it supports the Health Service Provider’s policies and clarifies MAPflow’s approach to safeguards and compliance in relation to this obligation. At all times, the Health Service Provider’s policies and related agreements and applicable legislation they are subject to take precedence to this Privacy Policy.

4. ACCOUNTABILITY AND IDENTIFYING PURPOSE FOR COLLECTING PERSONAL AND PERSONAL HEALTH INFORMATION

MAPflow has established policies and procedures to comply with this Privacy Policy and has designated a Privacy Officer as the contact person who is accountable for our compliance. ThePrivacy Officer’s contact information is contained at the end of this Privacy Policy.

MAPflow will identify the purposes for which Personal Information and Personal Health Information is collected at or before the time the information is collected. If MAPflow intends to use Personal Information and Personal Health Information for any other purpose, we will seek your consent, as required by law.

5. OBTAINING CONSENT

MAPflow will obtain consent before or when we collect, use, or disclose Personal Information and Personal Health Information about you, except where otherwise required or permitted by applicable privacy legislation. You can provide consent to the collection, use, and disclosure of Personal Information and Personal Health Information about you expressly, implicitly, or through an authorized representative, as required by applicable law. You can withdraw consent at any time, with certain exceptions, with your Health Service Provider or by contacting us at info@mapflow.ca.

You may also choose not to provide us with your Personal Information or Personal Health Information. However, if you make this choice, we may not be able to provide you with the Services you request.

BY PROVIDING PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION TO YOUR HEALTH SERVICE PROVIDER AND CONSENTING TO THE USE OF MAPFLOW AS PART OF RECEIVING A HEALTH SERVICE FROM THEM, YOU AUTHORIZE YOUR HEALTH SERVICE PROVIDER TO USE THE MAPFLOW PLATFORM AND SITE AND UPLOAD PATIENT DATA SPECIFIC TO YOU AND YOU AGREE THAT THE HEALTH SERVICE PROVIDER AND THEIR AFFILIATE(S), INCLUDING MAPFLOW, MAY COLLECT YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION AND YOU CONSENT TO THE USE, DISCLOSURE, AND TRANSFER OF YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION TO FACILITATE RECEIVING THIS SERVICE, IN ACCORDANCE WITH THE HEALTH SERVICE PROVIDER’S PRIVACY POLICIES AND AS PERMITTED OR REQUIRED BY LAW.

6. TYPES OF INFORMATION WE COLLECT

MAPflow collects Personal Information, including but not limited to, the following:

• information that relates to an individual’s name, health, location information, education, employment status, use or receipt of governmental services, date of birth, gender, addresses, telephone numbers, government-issued identification numbers, other identifying numbers, and any other information you provide to us, so that MAPflow can provide Services and the Health Service Provider can provide Health Services.

MAPflow collects Personal Health Information, including but not limited to, the following:

• information that relates to the physical or mental health of the individual, health or medical history of the individual or individual’s family, identification of a health care provider, details of prescriptions, medications, or allergies, and health care related identification or private health benefits information, and any other information you provide to us, so that MAPflow can provide Services and the Health Service Provider can provide Health Services.

MAPflow collects Technical Information which includes information and data that is collected when you access our Platform and Site including usage details, login information, browser types and versions, time zone setting, browser plug-in types and versions, operating system, or information about your internet connection, the equipment you use to access our Platform and Site, and usage details. Technical Information also includes non-personal details about your Site and Platform interactions such as clickstream to, through and from our Site (including date and time), pages you viewed, searches you conducted, page response times, download errors, length of visits, page interaction information (scrolling, clicks, and mouse-overs), etc.

MAPflow also collects Non-Personal Information. This information can also include anonymous usage data that is non-identifying and aggregated data that has been de-identified or anonymized in accordance with our agreements with and in compliance with the policies of the Health Service Provider and applicable legislation they are subject to. THIS PRIVACY POLICY DOES NOT RESTRICT OUR USE OF NON-PERSONAL INFORMATION FOR ANY LEGITIMATE BUSINESS PURPOSE AND MAPFLOW RESERVES THE RIGHT TO USE NON-PERSONAL INFORMATION WITHOUT FURTHER NOTICE TO YOU OR CONSENT, IN ACCORDANCE WITH LAW.

7. HOW WE COLLECT PERSONAL AND PERSONAL HEALTH INFORMATION

MAPflow collects information in different ways, including:

• When Personal Information and Personal Health Information is provided to us – for example when a Health Service Provider registers for a MAPflow subscription, or when a Patient or Patient Representative provides Personal Information and Personal Health Information to the Health Service Provider along with the Patient’s consent and the Health Service Provider uploads Patient Data to the Platform.
• Automated technologies or interactions – information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other technologies.
• Where permitted by law – MAPflow may also collect information as otherwise permitted by law.

8. HOW WE USE PERSONAL AND PERSONAL HEALTH INFORMATION

As a Patient of a Health Service Provider, MAPflow will only use your Personal Information and Personal Health Information in the manner and for the purposes authorized and directed by the Health Service Provider as part of delivering the requested Health Services to you, in accordance with Health Service Provider’s privacy policies, our agreements with them, this Privacy Policy, and applicable legislation they are subject to.

With your consent, MAPflow uses PersonalInformation and Personal Health Information for the purposes of providingaccess to and enabling the use of the Platform and Site. When you voluntarilyprovide Personal Information and Personal Health Information, we use thisinformation in the following ways:

• To provide you access to and enable the use of the Platform and Site;
• To present our Platform and Materials to you;
• To provide you with information or Services that you request from us;
• To provide you with notices regarding your account, including expiration and renewal notices;
• To process subscription transactions;
• To notify you about changes to our Site or Platform;
• To improve our Site, Platform, marketing, or customer relationships and experiences;
• To conduct internal business processes;
• In any other way we may describe when you provide the information; and
• For any other purpose with your consent.

9. ELECTRONIC COMMUNICATIONS

When you visit the Site, Platform, or send emails to us, you are communicating with us electronically. You consent to receive communications from us electronically. We will communicate with you by email or by posting notices on the Site. You agree that all agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications be in writing. It is your responsibility to ensure you provide an up-to-date and accurate email address regarding electronic communications.

If you have opted-in to receive marketing communications from us, we may send you promotional offers from time to time. You may unsubscribe at any time by clicking the unsubscribe link at the bottom of the message. This prevents any promotional emails from being sent to you unless you explicitly request that we re-add you to a promotion list.

10. HOW WE DISCLOSE THE DATA WE COLLECT FROM YOU

To the extent permitted by applicable law, we may disclose Personal Information and Personal Health Information that we collect, or you provide as Patient Data, as described in this Privacy Policy, with:

• Our affiliates and subsidiaries who may be involved in delivering MAPflow’s Services, providing technical and administrative support, conducting internal research and analysis, and making improvements to the Platform; and
• Our contractors, service providers, and other third parties affiliated with MAPflow. These third parties are obligated to protect Personal Information and Personal Health Information, and they are only given the information necessary to perform their designated functions. The collection and use of such information by third parties is subject to their own privacy policies. These service providers include, without limitation:

• MedStack, a secure and compliant cloud hosting platform for healthcare applications, owned by MedStack, Inc. whose privacy policy can be found here or at https://medstack.co/legal/privacy/; and
• Stripe, a payment processing platform, owned by Stripe, Inc. whose privacy policy can be found here or at https://stripe.com/en-ca/privacy.
• ZenDesk, a customer service and relationship management service provider whose privacy policy can be found here or at https://www.zendesk.com/company/agreements-and-terms/privacy-notice/, and whose terms can be found here or at https://www.zendesk.com/company/agreements-and-terms/terms-of-use/.

We may share aggregate or anonymized information, including Non-Personal Information, with service providers, business partners, and other third parties, to the extent permitted by applicable law, including but not limited to for the purposes of evaluating the Services, research and analytical purposes, marketing, etc. We take steps to keep Non-Personal Information from being associated with you and we require our partners to do the same.

The choice to provide Personal Information and Personal Health Information to your Health Service Provider is yours. If you do not wish for MAPflow to collect your Personal Information and Personal Health Information through the use of the Platform or Site, you can choose not to provide it. However, your decision to limit or withhold certain details may limit the Services that MAPflow is able to provide the Health Service Provider. However, it is at all times your decision to provide, withhold, or withdraw your consent for the use of your Personal Information and Personal Health Information.

11. HOW WE LIMIT COLLECTION, USE, DISCLOSURE, AND RETENTION

MAPflow collects Personal Information and Personal Health Information only by fair and lawful means and only collects the necessary amount of information as required for the purposes of providing the Services and in accordance with this Privacy Policy.

MAPflow will use Personal Information and Personal Health Information only for the reasons as set out in this Privacy Policy. MAPflow will keep Personal Information and Personal Health Information only as long as necessary for the identified purposes and as required by law. MAPflow may share Personal Information and Personal Health Information to affiliates, subsidiaries, and other third parties only for the purposes of providing Services as set out in this Privacy Policy.

We take steps to ensure security and limit access to Personal Information and Personal Health Information, including contractual restrictions and training on confidentiality and privacy obligations.

We retain Personal Information and Personal Health Information only as long as your Health Service Provider directs us to, in accordance with the Health Service Provider’s policies, our agreements with them, this Privacy Policy, and applicable legislation they are subject to.

Currently, MAPflow or our third-party service providers retain, and store information collected by, or provided to, us in the cloud and on secure servers in Canada. Some of our third-party service providers may retain and store limited information outside of Canada in accordance with their respective privacy policies and as permitted by applicable data protection laws. While we undertake measures to protect Personal Information and Personal Health Information, when it is stored and/or processed in other jurisdictions, the laws of other countries may not provide the degree of protection for Personal Information and Personal Health Information that is available in Canada.  You will be made aware of when and what information they are sharing outside of Canada and have the option not to share this information and engage these services.

12. INDIVIDUALS UNDER THE AGE OF 16

Generally, if you are under the age of 16, your parent, a children’s aid society, or another person who is legally entitled to give consent on your behalf, will act as your Patient Representative. That person can consent to the collection, use or disclosure of your information, except in certain circumstances.

MAPflow does not knowingly collect or use any Personal Information and Personal Health Information from individuals under the age of 16 unless provided by the Health Service Provider with the consent of the Patient Representative in accordance with the terms of this Agreement.

If you are 16 or older and capable of consenting, only you can consent to the collection, use or disclosure of your Personal Health Information unless you have designated a Patient Representative.

13. ACCESSING AND MAINTAINING ACCURACY OF YOUR PERSONAL AND PERSONAL HEALTH INFORMATION

Except as restricted by law, upon written request by you or an authorized representative, an individual will be informed of the existence, use, and disclosure of their Personal Information and Personal Health Information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and may request to have it amended.

MAPflow will keep Personal Information and Personal Health Information in its possession or control accurate, complete, current and relevant, based on the most recent information available to MAPflow. You are responsible for notifying MAPflow, through your Health Service Provider, about the accuracy and completeness of your Personal Information and Personal Health Information and may have it amended as appropriate.

14. SAFEGUARDS

The safety and privacy of Personal Information and Personal Health Information is our top priority. Personal Information and Personal Health Information will be protected by security safeguards appropriate to the nature and format of the information being stored through physical, electronic, and administrative measures. We strive to protect Personal Information and Personal Health Information from theft, loss, and unauthorized access, copying, modification, use, disclosure and disposal. We conduct audits and complete investigations to monitor and manage our privacy compliance. We ensure that all of our officers, directors, employees and agents protect your privacy and only use Personal Information and Personal Health Information for the purposes to which you have consented.

We may transfer Personal Information and Personal Health Information that we collect or that Health Service Provider’s provide as Patient Data as described in this Privacy Policy to contractors, service providers, and other third parties we use to support our business purposes and who are contractually obligated to keep Personal Information and Personal Health Information confidential, use it only for the purposes for which we disclose it to them, and to process the Personal Information and Personal Health Information with the same standards set out in this policy.

There is no guarantee that data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, electronic, or administrative safeguards. We follow all privacy and security requirements as outlined in legislation. By sharing your Personal Information and Personal Health Information with us, you acknowledge that your Personal Information and Personal Health Information may be at risk should an external party breach our systems. As required by law, we will inform you of any breaches which would create a reasonable risk of harm to you. We will take reasonable steps to mitigate such risks and to prevent them from occurring again in the future.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE EXPRESSLY DISCLAIM ANY GUARANTEE OF SECURITY IN CONNECTION WITH YOUR PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION.

15. DATA INCIDENTS

A Data Incident involves an unauthorized access, use, or disclosure of Personal Information and Personal Health Information, loss of Personal Information and Personal Health Information, or other breach in the protection of your Personal Information and Personal Health Information. In the event of a Data Incident, we will investigate to assess whether the incident poses a risk of serious injury to you. In these circumstances, you will be notified at the first reasonable opportunity or as otherwise required by law.

16. OPENNESS ABOUT OUR POLICIES AND PROCEDURES

We will readily make available specific information about our policies and practices related to the management of Personal Information and Personal Health Information. Individuals will have access to this information through this Privacy Policy or by contacting our Privacy Officer. The information will be available in a format that is easy to understand.

17. UPDATES AND CHANGES TO OUR PRIVACY POLICY

It is our policy to post any changes we make to our Privacy Policy on this page. We include the date the Privacy Policy was last revised at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Site and this Privacy Policy to check for any changes. Your continued use or access of the Platform or Services after the effective date signifies your acceptance of and agreement to any changes.

18. QUESTIONS AND COMPLIANCE

We welcome your questions, comments, and requests regarding your Personal Information, Personal Health Information, this Privacy Policy and our privacy practices.

You may contact us as follows:

Andrea Edginton
Privacy Officer
info@mapflow.ca

If you feel we have not met our legal obligations under this policy or applicable privacy laws, please contact our Privacy Officer.

If you are not satisfied with the resolution that we have provided, the Commissioner can be reached as follows:

Office of the Privacy Commissioner of Canada
‍30 Victoria Street
Gatineau, Quebec
K1A 1H3
Canada

‍http://www.priv.gc.ca

Toll-free: 1-800-282-1376
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591