Legal

PHIPA Compliance

Statement of information practices under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA). Draft for legal review.

1. Purpose of This Document

PHIPA requires health information custodians to publicly describe their information practices. This Statement of Information Practices explains, in plain language and in technical detail, how NoteSeek Inc. handles personal health information, what safeguards we apply, and what rights patients have.

This document accompanies and does not replace our Privacy Policy. Where there is any difference between this document and the Privacy Policy, the Privacy Policy governs the legal relationship.

Audience

Patients who want to understand how their information is protected

Licensed clinicians and clinics considering joining the Platform

Employers, schools, and institutions evaluating NoteSeek as a trusted source of notes

Privacy regulators, auditors, and compliance officers

2. Our Role Under PHIPA

NoteSeek operates in two capacities under Ontario's Personal Health Information Protection Act, 2004 (PHIPA):

Health Information Custodian (HIC): for PHI stored in NoteSeek's platform infrastructure that is not held solely on behalf of a specific clinician. As a custodian, NoteSeek is directly accountable under PHIPA for the collection, use, disclosure, and protection of that PHI.

Agent and Electronic Service Provider (ESP): for the licensed clinicians who use the Platform. In this capacity, NoteSeek acts only in accordance with the clinician's instructions, our written agreements, and PHIPA, and does not use PHI for its own purposes beyond what is necessary to provide the Platform's services.

Every clinician who registers on the Platform enters into a written agreement that addresses roles, responsibilities, permitted uses of PHI, security requirements, incident response, and audit rights. This is consistent with PHIPA section 10(4) and the Information and Privacy Commissioner of Ontario's guidance for electronic service providers.

3. Information Practices — What We Do with PHI

3.1 What PHI we collect

We collect the minimum PHI necessary to issue an administrative medical note:

Full legal name

Date of birth

Mailing address (where required by the note type)

Mobile phone number (for SMS identity verification)

Email address (for note delivery)

Note type requested, reason for absence, duration, and any additional context the patient provides

The issued note, signed by the reviewing clinician

What we deliberately do not collect

Health card number, Social Insurance Number, passport number, driver's licence number, biometric identifiers, or detailed medical history beyond what is relevant to the specific note requested. Data minimization is a design principle, not an afterthought.

3.2 How we use PHI

We use PHI only for the following purposes:

Delivering the note service (intake, clinician review, note generation, and delivery)

Identity verification and fraud prevention

Secure storage of issued notes as medical records, as required by Ontario standards

QR code verification (confirming authenticity of a note to a verifier without disclosing PHI)

Audit, security, and incident response

Compliance with legal and professional obligations

We never use PHI for marketing

Marketing and promotional communications are only sent to individuals who have provided separate, express opt-in consent, and those communications do not rely on any PHI. A pre-checked box is not valid consent under PHIPA.

3.3 How we disclose PHI

We disclose PHI only as follows:

To the licensed clinician assigned to review your request

To our service providers (subprocessors) under written agreements that require PHIPA-equivalent protection

As you direct (for example, sending a clinic copy to an address you provide)

Where required by law, court order, or mandatory reporting

For the management of the Platform's records, under the authority of the custodian

3.4 How QR verification works without disclosing PHI

When an employer, school, or other verifier scans the QR code on a note, they are taken to a verification page on noteseek.ca that confirms only:

Whether the note is authentic (signed through the Platform, not altered)

The date the note was issued

The validity window for the note

Whether the note is being verified within that validity window

The verification page does not reveal diagnosis, symptoms, reason for absence, or any other personal health information. A warning banner is shown if the note is scanned outside its validity window.
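How a verification endpoint can answer exactly those four questions and nothing more, shown as an added example that is not NoteSeek's code. It assumes that the QR encodes a URL ending in a random, unguessable token unrelated to the note's internal id; that the Platform keeps an HMAC (server-side key) over a PHI-free summary of each note, including a hash of the issued PDF; and that the response is built from an allow-list of non-PHI fields. The URL shape, field names and in-memory store are assumptions; the sample note is constructed.

```python
"""Minimal-disclosure QR verification for an issued note (added example).

Assumptions (not from NoteSeek): the QR encodes a URL ending in a random
token that is unrelated to the note's internal id; the Platform keeps an
HMAC over a PHI-free summary of each note; and the verifier response is
built from an allow-list of non-PHI fields.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# Assumed server-side signing key; in practice loaded from a secret store.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed in-memory store: token -> note record. PHI lives here and
# must never be copied into a verifier response.
NOTES = {}

# Signed fields: deliberately PHI-free. The note's content is bound only
# through the hash of the issued PDF.
SIGNED_FIELDS = ("note_id", "issued_on", "valid_from", "valid_until", "pdf_sha256")

# The only stored fields a verifier ever sees, besides computed status flags.
PUBLIC_FIELDS = ("issued_on", "valid_from", "valid_until")


def _canonical(record):
    """Stable byte encoding of the signed fields."""
    covered = {k: record[k] for k in SIGNED_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def _sign(record):
    return hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()


def issue_note(note_id, patient_name, reason_for_absence, pdf_bytes, issued_on, valid_days):
    """Store a note with its signature and return the QR verification URL.

    issued_on is an ISO date string (YYYY-MM-DD); the validity window runs
    from the issue date for valid_days days, inclusive.
    """
    start = date.fromisoformat(issued_on)
    record = {
        "note_id": note_id,
        "patient_name": patient_name,              # PHI, never disclosed
        "reason_for_absence": reason_for_absence,  # PHI, never disclosed
        "issued_on": start.isoformat(),
        "valid_from": start.isoformat(),
        "valid_until": (start + timedelta(days=valid_days)).isoformat(),
        "pdf_sha256": hashlib.sha256(pdf_bytes).hexdigest(),
    }
    record["signature"] = _sign(record)
    token = secrets.token_urlsafe(24)  # 192 random bits: not enumerable
    NOTES[token] = record
    return "https://noteseek.ca/verify/" + token  # assumed URL shape


def token_from_url(url):
    return url.rsplit("/", 1)[-1]


def verify(token, today, pdf_bytes=None):
    """Answer the verification questions and nothing else.

    today is an ISO date string. Returns authenticity, issue date, validity
    window and whether today falls inside it. If the verifier also supplies
    the PDF they were handed, its hash is compared with the signed one, so
    an edited copy is detected. PHI fields are never read into the response.
    """
    record = NOTES.get(token)
    if record is None:
        return {"authentic": False, "error": "no note matches this code"}
    # Recompute the signature over the stored summary: a changed date or a
    # swapped PDF hash no longer verifies. Constant-time comparison.
    if not hmac.compare_digest(_sign(record), record["signature"]):
        return {"authentic": False, "error": "note does not match platform record"}
    current = date.fromisoformat(today)
    within = (date.fromisoformat(record["valid_from"]) <= current
              <= date.fromisoformat(record["valid_until"]))
    response = {k: record[k] for k in PUBLIC_FIELDS}  # allow-list, not deny-list
    response["authentic"] = True
    response["within_validity_window"] = within
    response["warning"] = None if within else "This note is being checked outside its validity window."
    if pdf_bytes is not None:
        response["document_matches"] = hmac.compare_digest(
            hashlib.sha256(pdf_bytes).hexdigest(), record["pdf_sha256"])
    return response
```

Two design points worth keeping: the response is assembled from an allow-list, so a new PHI column added to the record later cannot leak by default; and because the stored summary is signed rather than the PDF alone, a changed validity date in the database fails verification too, not only an edited document.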

4. Safeguards We Apply

PHIPA requires reasonable administrative, technical, and physical safeguards. We apply the following:

4.1 Administrative safeguards

Designated Privacy Officer accountable for PHIPA compliance and incident response

Privacy Impact Assessments conducted before new product features involving PHI are launched

Background checks and confidentiality obligations for all personnel with access to PHI

Mandatory privacy and security training for staff and contractors

Written agreements with every service provider handling PHI

Internal policies for access, change management, data retention, and incident response

Documented role-based access approval and periodic access review

4.2 Technical safeguards

Encryption in transit using TLS 1.2 or higher for all connections involving PHI

Encryption at rest for databases, backups, and file storage containing PHI

Role-based access control and the principle of least privilege

Multi-factor authentication for clinician, administrator, and institutional accounts

Immutable audit logs of PHI access and disclosure events, retained for investigation and regulatory inquiry

Tamper-resistant PDFs with an embedded QR verification link, so that authenticity is checked against the Platform's own record rather than the document in hand (any PDF can be edited offline; the verification page, not the file, is authoritative)

SMS one-time-code verification at intake, which confirms control of the mobile number provided and deters fabricated or duplicate requests

Rate limits, anomaly detection, and fraud-prevention signals

Regular vulnerability scanning, patching, and security review

Secure software development practices, including code review and dependency management

4.3 Physical safeguards

Canadian-region data centres operated by our cloud providers that hold industry-recognized security attestations and certifications covering physical controls (such as SOC 2 Type II reports and ISO/IEC 27001 certification)

Secure workstation and device policies for all personnel with access to PHI

No PHI stored on local personal devices; all access is through managed systems

5. Data Residency

NoteSeek's primary storage for PHI is in Canadian regions of our cloud infrastructure. We have designed the Platform to keep PHI within Canada.

Certain ancillary services (for example, payment processing, SMS delivery, and email delivery) may process limited personal information outside of Canada, typically in the United States. Where this occurs:

We minimize the information transferred and, where feasible, tokenize or de-identify it

We require written contractual protections comparable to PHIPA

We remain accountable under PIPEDA and applicable provincial law

We disclose the transfer in our Privacy Policy

A note on US processors and PHI

Our design intent is that identified PHI does not flow to US-based processors. Payment processing typically receives name, email, and tokenized card data — not health information. SMS delivery receives phone number and verification code. Email delivery receives addressing metadata and delivery confirmation. If our processor mix changes in a way that would route identified PHI outside Canada, we will update this Statement, our Privacy Policy, and, where required, seek fresh consent.

6. Retention and Disposal

We retain PHI only for as long as necessary to meet the purpose for which it was collected and to comply with our legal and professional obligations.

Issued notes and associated intake data: retained as required by Ontario medical record retention standards, generally a minimum of 10 years from the date of last entry for adults, and 10 years after the patient reaches the age of majority for minors, or longer where applicable. Issued notes are kept within the system to support verification integrity.

Declined requests: retained for [12–24 months — confirm] for quality assurance and fraud-prevention auditing, then securely destroyed.

Audit and access logs: retained for [12–24 months — confirm] to support incident investigation and regulatory inquiry.

Payment records: retained as required by Canadian tax and financial record-keeping laws (typically 6–7 years).

When PHI is no longer needed, it is securely disposed of in a manner that prevents reconstruction, following industry-standard practices such as cryptographic erasure for cloud storage and certified destruction for any physical media.

7. Patient Rights Under PHIPA

PHIPA gives you important rights over your personal health information. You may exercise any of these rights by contacting our Privacy Officer (Section 10). We will not charge a fee for reasonable requests.

Right of access: you may request a copy of the PHI we hold about you. We will respond within 30 days, or sooner where required, subject to a limited time extension where permitted by PHIPA.

Right to correction: you may ask us to correct information you believe is inaccurate or incomplete. Where we do not agree to the correction, we will attach a statement of disagreement to the record.

Right to withdraw consent: you may withdraw consent for future uses or disclosures of your PHI, subject to legal and contractual restrictions. Withdrawal does not require us to delete records we are required to retain.

Right to complain: you may complain to our Privacy Officer, or directly to the Information and Privacy Commissioner of Ontario. Filing a complaint does not limit any other rights you have.

Right to be informed of a breach: if your PHI is subject to a privacy breach, we will notify you at the first reasonable opportunity as required by PHIPA.

8. Privacy Breach Response

NoteSeek maintains a documented privacy breach response procedure. Our approach follows the IPC Ontario's breach protocol guidance and includes the following steps:

Contain. Stop the breach, isolate the affected systems, and preserve evidence.

Investigate. Determine what happened, what PHI was affected, and who was involved.

Notify. Notify affected patients at the first reasonable opportunity, notify the Information and Privacy Commissioner of Ontario where required, and notify the relevant professional regulatory college (such as the CPSO) in accordance with our obligations.

Remediate. Mitigate harm, restore systems, and support affected individuals.

Learn. Conduct a post-incident review, update controls, and track improvements.

We compile statistics on privacy breaches for each calendar year and submit the annual statistical report to the Information and Privacy Commissioner of Ontario, as required under PHIPA and its regulations.

9. Artificial Intelligence and Clinician Oversight

The Platform uses AI to improve speed and triage accuracy. Our use of AI is governed by the following commitments:

AI drafts and routes. Humans decide. AI does not independently approve, deny, or issue a medical note. Every note is reviewed and signed by a licensed Ontario clinician who is accountable for the clinical decision.

Deterministic safety filters (red-flag criteria) route high-acuity cases to human escalation before any AI drafting occurs

AI systems used on the Platform are contractually prohibited from training on your PHI

AI outputs are supplementary to — not a substitute for — clinician review

We maintain audit logs of AI outputs to support quality assurance and investigation

If we introduce automated decision-making that could have legal or similarly significant effects on individuals, we will update this Statement, notify affected users, and provide meaningful information about the logic and the right to human review, consistent with evolving Canadian privacy law.

10. Contact Our Privacy Officer

Our Privacy Officer is accountable for NoteSeek's compliance with PHIPA, PIPEDA, and other applicable privacy law, and is your first point of contact for any privacy question, request, or complaint.

Privacy Officer: [Name — to be confirmed]

Title: Privacy Officer, NoteSeek Inc.

Email: [admin@noteseek.ca]

Mailing address: NoteSeek Inc., [insert corporate address]

Response target: Acknowledgement within 5 business days, substantive response within 30 days.

External authorities

If you are not satisfied with our response, you may contact:

Information and Privacy Commissioner of Ontario

Phone: 416-326-3333 or 1-800-387-0073

Email: [email protected]

Web: www.ipc.on.ca

Office of the Privacy Commissioner of Canada

Phone: 1-800-282-1376

Web: www.priv.gc.ca

Annex A: Compliance Checklist

NoteSeek maintains the following compliance artifacts and reviews them on a regular schedule. This list is provided for transparency to patients, clinicians, regulators, and institutional partners.

Each entry lists the artifact or control, its owner, and its review cycle.

Privacy Policy (published on noteseek.ca). Owner: Privacy Officer. Review: annually or on material change.

Terms of Service (published on noteseek.ca). Owner: Legal / Founder. Review: annually or on material change.

PHIPA Statement of Information Practices (this document). Owner: Privacy Officer. Review: annually.

Privacy Impact Assessment (PIA) for each major feature. Owner: Privacy Officer + CTO. Review: per release.

Written agreements with every service provider handling PHI. Owner: Legal. Review: at onboarding + annually.

Provider Services Agreement with every clinician. Owner: Legal / Provider Ops. Review: at onboarding.

Staff privacy and security training. Owner: Privacy Officer. Review: at hire + annually.

Access review and role audit. Owner: CTO. Review: quarterly.

Vulnerability scanning and patch management. Owner: CTO. Review: continuous / monthly review.

Penetration test by independent party. Owner: CTO + external. Review: [Annually — confirm].

Breach response plan and tabletop exercise. Owner: Privacy Officer. Review: annually.

Annual statistical report of privacy breaches to IPC Ontario. Owner: Privacy Officer. Review: annually.

Cyber liability insurance. Owner: Operations. Review: annual renewal.

Retention and disposal schedule. Owner: Privacy Officer. Review: annually.

Annex B: Open Items for Founder and Legal Review

Confirm Privacy Officer name, email, and mailing address

Confirm primary cloud hosting provider and Canadian region

Confirm service provider list, jurisdictions, and contract status

Confirm how issued notes reach the patient by email (link to a portal page versus attached PDF); if the PDF is attached, the email delivery provider handles PHI and Section 5 must say so

Confirm retention periods for declined requests and audit logs

Confirm penetration testing cadence and vendor

Confirm cyber liability coverage limits and review with CMPA for physician-related risk

Confirm breach response contact tree and on-call roster

Complete initial Privacy Impact Assessment before MVP launch

Decide whether to serve Quebec residents (this affects Law 25 obligations, including PIA and cross-border transfer safeguards)

Align with CPSO policy statements regarding AI-assisted clinical workflows

Ensure the public version of this document is written at plain-language grade level (currently drafted at Grade 10–11 level)