Legal

Privacy Policy

How NoteSeek collects, uses, and protects personal information and personal health information. Draft for legal review.

Your Agreement with NoteSeek

We built NoteSeek to make getting a legitimate medical note simple, fast, and private. Before reading the full policy, here is what you should know in plain language:

We only collect what we need. Your name, date of birth, contact information, the reason you need a note and how long you will be away, plus the payment and technical information described in Section 4. Nothing more.

We never sell your information. Not to advertisers, not to data brokers, not to anyone.

We never use your health information for marketing. Marketing only happens with your separate, explicit consent.

Your health information stays in Canada. Our primary systems are hosted on Canadian-region servers. A few ancillary providers (for example, payment processing) may handle limited non-health information outside Canada, as described in Section 8.

Employers and schools never see your health information. Our QR verification confirms that a note is authentic without exposing any medical detail.

A human clinician always makes the final call. We use AI to draft and route requests, but every note is reviewed and signed by a licensed Ontario healthcare professional.

The rest of this document explains these commitments in legal detail.

1. Introduction and Scope

NoteSeek Inc. ("NoteSeek," "we," "us," or "our") operates the noteseek.ca website and related digital services (collectively, the "Platform") that enable individuals in Ontario to request administrative medical notes (such as sick notes, work notes, school notes, and return-to-work notes) from licensed Ontario healthcare professionals.

This Privacy Policy explains how we collect, use, disclose, safeguard, retain, and allow you to access personal information and personal health information when you use the Platform.

Who this policy applies to

Patients and individuals who request medical notes through the Platform

Licensed healthcare professionals ("Providers") who register with the Platform to issue notes

Clinics, hospitals, and other institutional partners that register with the Platform

Employers, schools, and verifiers that use our QR verification feature

Visitors to the noteseek.ca website and related web properties

Governing law

NoteSeek is an Ontario-first platform. This Privacy Policy is governed primarily by the Ontario Personal Health Information Protection Act, 2004 ("PHIPA") for personal health information, and by the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") for other personal information collected in the course of commercial activity. Where Quebec's Act Respecting the Protection of Personal Information in the Private Sector ("Law 25") applies to any user we interact with, we honour its additional requirements. We also comply with Canada's Anti-Spam Legislation ("CASL") for all commercial electronic messages.

2. Key Definitions

Term

Meaning

Personal Information

Information about an identifiable individual, other than business contact information used solely for commercial purposes. Examples include name, email address, phone number, IP address, and payment details.

Personal Health Information (PHI)

Identifying information about an individual that relates to their physical or mental health, the provision of health care, or payment for health care, as defined under PHIPA. Examples include the reason you are requesting a note, your symptoms, the duration of your absence, and the note itself.

Health Information Custodian (HIC)

A person or organization listed in PHIPA that has custody or control of PHI as a result of the work they do. Licensed Ontario clinicians on the Platform are HICs for notes they issue.

Agent / Electronic Service Provider (ESP)

An entity authorized to act on behalf of an HIC in respect of PHI, subject to the HIC's instructions. NoteSeek operates as an ESP for the Providers on the Platform and as a custodian in its own right where applicable.

Provider

A licensed Ontario physician, nurse practitioner, chiropractor, or other regulated health professional registered with NoteSeek to review and issue administrative medical notes within their scope of practice.

Verifier

An employer, school, institution, or other third party that uses the Platform's QR code feature to confirm the authenticity of a note.

3. Our Role Under PHIPA

NoteSeek operates in two complementary capacities under Ontario privacy law:

As a Health Information Custodian for PHI held in NoteSeek's platform infrastructure that is not held on behalf of a specific clinician.

As an Agent and Electronic Service Provider to the licensed clinicians (Health Information Custodians) who use the Platform, strictly in accordance with their instructions and our written agreements.

In both capacities, NoteSeek is accountable for the PHI under our control and for the practices of our service providers. We have appointed a Privacy Officer (see Section 16) who is responsible for compliance with this Policy and applicable law.

4. Information We Collect

We deliberately practice data minimization: we only collect information that is necessary to deliver the service, meet legal obligations, and protect the Platform.

4.1 Personal Health Information (collected from patients)

Full legal name

Date of birth

Mobile phone number (for SMS identity verification and note delivery)

Email address

Note type requested (sick, work, school, return-to-work, etc.)

Reason for absence (e.g., flu/fever, injury, mental health, other) and duration

The issued note itself, including the clinician's assessment and signature

4.2 Personal Information (non-health)

Payment information, processed through our third-party payment processor (see Section 7). We do not store full credit card numbers on NoteSeek servers.

Account credentials for Providers and institutional users

Professional credentials, licence numbers, and identity verification information for Providers

Business contact information for clinics, employers, and verifying institutions

Waitlist, newsletter, and marketing preferences (where you have opted in)

Communications you send to us (support requests, feedback, inquiries)

4.3 Technical and Usage Information

IP address, device type, operating system, browser, and general location (derived from IP)

Referring URL, pages viewed, session duration, and other analytics events

Cookies, pixels, and similar technologies (see Section 11)

Security and audit logs, including access events and fraud-prevention signals

4.4 Information We Do Not Collect

To minimize risk and respect your privacy, NoteSeek does not collect:

Your health card number, Social Insurance Number, passport, or driver's licence number

Your detailed medical history beyond what is relevant to the specific note requested

Biometric identifiers

Any information from a child without appropriate guardian involvement (see Section 13)

5. Why We Collect Your Information (Purposes)

Under PHIPA and PIPEDA, we are required to identify the purposes for which we collect your information at or before the time of collection. We collect and use your information only for the following purposes:

Purpose

Information Used

Delivering the note service

PHI, intake details, identity verification, note content, payment. This is the core reason most users interact with NoteSeek.

Identity verification and fraud prevention

Mobile number, IP address, device signals, anomaly detection. Protects against fabricated or duplicate requests.

Payment processing

Name, email, payment details (tokenized by our payment processor).

Clinician review and sign-off

PHI, intake details, AI-generated triage summary, shared with the reviewing licensed clinician only.

Note delivery and QR verification

Email or SMS for delivery; the QR code contains only a verification link and does not expose PHI to verifiers.

Platform security and compliance

Audit logs, access events, retention of issued notes as required by medical records standards.

Service communications

Email and SMS about your request status, receipts, note delivery, and account matters.

Marketing (opt-in only)

Email address and name of individuals who have given express consent. PHI is never used for marketing.

Analytics and product improvement

De-identified or aggregated data only. PHI is not used for product analytics.

Legal and regulatory obligations

As required by PHIPA, other Canadian laws, professional regulators, or lawful orders.

6. Legal Basis and Consent

6.1 Consent model

PHIPA permits a health information custodian to collect, use, and disclose PHI with the knowledgeable consent of the individual. By submitting a note request through the Platform, you provide knowledgeable consent for NoteSeek and the reviewing clinician to collect, use, and disclose your PHI for the purposes set out in Section 5.

We rely on implied consent only within the "circle of care" — for example, for a clinician to review your intake and issue your note. We rely on express consent for any use or disclosure outside the circle of care, including any marketing communication.

6.2 Separate consent for marketing

If you ask us to send you marketing communications (such as newsletter updates, new feature announcements, or early-access invitations), we will obtain your express, opt-in consent separately. Marketing consent is never bundled with consent to receive the note service, and a pre-checked box does not constitute valid consent.

6.3 Withdrawing consent

You may withdraw your consent at any time, subject to legal and contractual restrictions and reasonable notice. Withdrawing consent may affect our ability to provide certain services (for example, we cannot complete a note request if you withdraw consent during intake). To withdraw consent, contact our Privacy Officer (Section 16).

6.4 Important limitation

Notes are medical records

Once a note is issued, it forms part of your medical record. Canadian medical record retention standards require us and the issuing clinician to retain these records for a minimum period regardless of whether you subsequently withdraw consent to other uses of your information. Withdrawal of consent does not require us to delete issued notes before the lawful retention period has expired.

7. How We Share and Disclose Your Information

We do not sell your personal information or personal health information. We share information only as described below.

7.1 With the reviewing clinician

Your intake information and a structured case summary (which may include AI-generated drafting) are shared with the licensed Ontario clinician assigned to your request for the sole purpose of reviewing and issuing your note.

7.2 With service providers (subprocessors)

We engage trusted third-party service providers to operate the Platform. Each service provider is bound by a written agreement that requires them to protect your information, use it only for the services we have engaged them for, and comply with Canadian privacy law. Our current service providers include:

Function | Service Provider | Data Processed | Jurisdiction

Cloud hosting and storage | [AWS / Azure — confirm] | All PHI and PI stored on Platform | Canada (Canadian region)

Payment processing | [Stripe / confirm] | Name, email, tokenized payment details | Canada / United States

SMS identity verification | [Twilio / confirm] | Mobile number, verification code | [Confirm]

Transactional email | [Postmark / SendGrid / confirm] | Email address, note delivery metadata | [Confirm]

Website analytics | [Confirm; prefer Canadian or privacy-first] | De-identified usage data | [Confirm]

Customer support tooling | [Confirm] | Support correspondence | [Confirm]

Before we add, replace, or materially change a service provider that handles PHI or sensitive PI, we update this Privacy Policy and, where required, notify you directly.

7.3 With verifiers (employers, schools, institutions)

When a verifier scans the QR code on your note or visits the verification URL, we confirm only (a) that the note is authentic, (b) the date it was issued, and (c) the validity window. We do not share your diagnosis, your reason for absence, your symptoms, or any other PHI with verifiers.
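The minimal-disclosure check described above can be illustrated in code. The following is an added example written for this page, not NoteSeek's own implementation, and it makes two assumptions: the QR code carries an opaque token consisting of a random note identifier plus an HMAC tag, and the note store and audit log are in-memory stand-ins. The point it demonstrates is that the verification response is built from a fixed set of non-PHI fields, so a verifier learns only authenticity, issue date and validity window, and that an altered or guessed token fails closed.

```python
import datetime as dt
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side signing key; a real deployment would load it from a
# secrets manager rather than generate it at import time.
SIGNING_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # hex characters of the HMAC-SHA256 tag kept in the token


@dataclass(frozen=True)
class NoteRecord:
    """Constructed stand-in for a stored note. patient_name and reason_for_absence are PHI."""
    note_id: str
    patient_name: str
    reason_for_absence: str
    issued_on: dt.date
    valid_from: dt.date
    valid_until: dt.date


# In-memory stand-ins for the note store and the verification audit log.
NOTES: dict[str, NoteRecord] = {}
VERIFICATION_LOG: list[tuple[str, bool]] = []


def new_note_id() -> str:
    """Random 128-bit identifier: not sequential, so tokens cannot be enumerated."""
    return secrets.token_urlsafe(16)


def _tag(note_id: str) -> str:
    return hmac.new(SIGNING_KEY, note_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_note(record: NoteRecord) -> str:
    """Store the note and return the opaque token that the QR code would carry."""
    NOTES[record.note_id] = record
    return f"{record.note_id}.{_tag(record.note_id)}"


def verify(token: str) -> dict:
    """Answer a verifier's scan with authenticity, issue date and validity window only.

    Every return path uses a fixed set of keys; no PHI field of the record is
    ever copied into the response.
    """
    note_id, sep, tag = token.partition(".")
    # Reject malformed or forged tokens before touching the store. The tag
    # comparison is constant-time so response timing leaks nothing about the guess.
    if not sep or len(tag) != TAG_LEN or not hmac.compare_digest(
        tag.encode(), _tag(note_id).encode()
    ):
        VERIFICATION_LOG.append((token[:8], False))
        return {"authentic": False}
    record = NOTES.get(note_id)
    if record is None:  # valid signature but no such note (e.g. revoked or purged)
        VERIFICATION_LOG.append((note_id[:8], False))
        return {"authentic": False}
    VERIFICATION_LOG.append((note_id[:8], True))
    return {
        "authentic": True,
        "issued_on": record.issued_on.isoformat(),
        "valid_from": record.valid_from.isoformat(),
        "valid_until": record.valid_until.isoformat(),
    }


def demo() -> tuple[dict, dict]:
    """Issue one constructed note, then verify its real token and a tampered copy."""
    record = NoteRecord(
        note_id=new_note_id(),
        patient_name="A. Patient",        # constructed sample PHI
        reason_for_absence="flu/fever",   # constructed sample PHI
        issued_on=dt.date(2025, 1, 6),
        valid_from=dt.date(2025, 1, 6),
        valid_until=dt.date(2025, 1, 8),
    )
    token = issue_note(record)
    # Flip the last character of the tag to simulate an altered QR payload.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return verify(token), verify(tampered)


if __name__ == "__main__":
    good, bad = demo()
    print("genuine token  ->", good)
    print("tampered token ->", bad)
```

Two design points worth noting. The random identifier is what stops a verifier (or anyone else) from walking through note IDs, and the HMAC tag lets the endpoint drop forged or mistyped tokens without a store lookup, which also keeps the audit log from filling with guessed identifiers. The response dictionary is the contract with verifiers: if a future field is added, it should be added to that literal deliberately, never by serialising the stored record.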

7.4 For legal reasons

We may disclose information when required or permitted by law, including to respond to a valid court order, subpoena, or lawful regulatory request; to comply with a mandatory reporting obligation; to protect the rights, property, or safety of NoteSeek, our users, or the public; or in the context of a corporate transaction such as a merger, acquisition, or financing, subject to confidentiality safeguards.

7.5 With your direction

We will share your information with third parties you explicitly direct us to, such as a clinic copy of your note sent to an email address you provide.

8. Data Residency and Cross-Border Transfers

NoteSeek stores personal health information and patient personal information on servers located in Canadian regions of our cloud infrastructure. This is a core design principle of the Platform.

Certain service providers that support ancillary functions (for example, payment processing or email delivery) may process limited personal information outside of Canada, typically in the United States. Where this occurs:

We minimize the information transferred and, where possible, tokenize or de-identify it

We enter into written agreements that require comparable protection

We remain accountable for the information under PIPEDA and applicable provincial law

We disclose the transfer in Section 7 so you can make an informed choice

Your rights when data leaves Canada

You should be aware that information processed outside of Canada may be subject to the laws of the jurisdiction in which it is processed, including lawful access by foreign government authorities. If you have concerns about cross-border transfers, contact our Privacy Officer before using the Platform.

9. How Long We Keep Your Information

We retain personal information and personal health information only for as long as necessary to fulfill the purposes set out in this Policy and to meet our legal and professional obligations.

Category

Retention Period

Issued medical notes and associated intake data

Retained as required by Ontario medical record retention standards, which generally require at least 10 years from the date of last entry for adults and at least 10 years past the age of majority for minors, or longer where applicable. Issued notes are kept within the system indefinitely for verification integrity, subject to applicable legal limits.

Payment records

Retained as required by Canadian tax and financial record-keeping laws (typically 6–7 years).

Account and login data (Providers, clinics)

Retained for the life of the account plus [X] years after account closure for audit and regulatory purposes.

Marketing and waitlist data

Retained until you unsubscribe or withdraw consent, after which contact details are removed from marketing lists within 30 days.

Security and audit logs

Retained for [12–24 months] to support incident investigation and regulatory inquiry.

De-identified analytics data

May be retained indefinitely in aggregate form, as it no longer identifies an individual.

10. How We Protect Your Information

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the information, consistent with PHIPA's reasonable-safeguards standard and industry best practice for digital health platforms.

Technical safeguards

Encryption in transit (TLS 1.2 or higher) and encryption at rest for databases and backups

Role-based access controls and the principle of least privilege

Multi-factor authentication for clinician, administrator, and institutional accounts

Immutable audit logs of access to PHI

Tamper-evident PDF generation for issued notes; authenticity is established by QR verification against our records (Section 7.3), not by the PDF alone

SMS-based identity verification at intake

Vulnerability monitoring, patching, and regular security review

Administrative safeguards

Background checks and confidentiality obligations for personnel with access to PHI

Privacy and security training for staff and contractors

Written agreements with all service providers handling personal information

Designated Privacy Officer accountable for policy and incident response

Physical safeguards

Canadian-region data centres with certified physical security controls operated by our cloud providers

Secure workstation and device policies for all personnel

No system is completely immune to risk. If you become aware of a suspected vulnerability or unauthorized access, please contact our Privacy Officer immediately.

11. Cookies and Similar Technologies

We use cookies and similar technologies on noteseek.ca to operate the Platform, remember your preferences, measure usage, and improve our service. We use the following categories:

Strictly necessary cookies. Required for core functionality such as authentication, request security, and load balancing. These cannot be disabled.

Functional cookies. Remember your preferences (for example, language and form state).

Analytics cookies. Help us understand how visitors use the Platform so we can improve it. Where required by applicable law, we obtain your consent before setting these.

Marketing cookies. Used only with your consent for targeted communications. You may withdraw consent at any time through our cookie preferences tool or your browser settings.

You can manage cookie preferences through our cookie banner (where applicable), your browser settings, or industry opt-out tools. Blocking strictly necessary cookies may prevent parts of the Platform from working.

12. Artificial Intelligence and Automated Processing

NoteSeek uses artificial intelligence to support the intake and triage process. Specifically:

AI is used to structure your intake, flag ineligible or high-acuity requests for escalation, and draft a case summary for the reviewing clinician

AI does not independently approve, deny, or issue a medical note

Every issued note is reviewed and signed by a licensed Ontario healthcare professional, who is accountable for the clinical decision

AI systems used on the Platform are governed by written agreements that prohibit training on your PHI and require Canadian or equivalent safeguards

If we introduce any automated decision-making that could have a legal or significantly similar effect on you, we will update this Policy, notify affected users, and provide meaningful information about the logic involved and the right to request human review.

13. Children and Young People

The Platform is designed for adult users. Under PHIPA, a person under 16 may consent to the collection, use, and disclosure of their own PHI if they are capable of doing so, but the default is parental or guardian involvement.

Requests for school or student notes involving a minor should be submitted by a parent or legal guardian on the minor's behalf, unless the minor is capable of providing consent under PHIPA

We do not knowingly collect information from children under 13 without parental involvement

If you believe a child has provided us with information without appropriate consent, please contact our Privacy Officer and we will take prompt steps to delete the information

14. Your Privacy Rights

Subject to applicable law, you have the following rights with respect to your personal information and personal health information:

Right to access. You may request a copy of the personal information and PHI we hold about you. Under PHIPA, we will respond within 30 days unless a time extension is permitted by law.

Right to correction. You may request that we correct inaccurate or incomplete information. Where we do not agree to make a correction, you may require us to attach a statement of disagreement to the record, as provided by PHIPA.

Right to withdraw consent. You may withdraw consent for future uses or disclosures, subject to legal and contractual restrictions.

Right to unsubscribe. You may unsubscribe from marketing emails at any time using the link in any message or by contacting our Privacy Officer.

Right to complain. You may file a complaint with our Privacy Officer or directly with the Information and Privacy Commissioner of Ontario or the Office of the Privacy Commissioner of Canada (contact details in Section 16).

To exercise any of these rights, contact our Privacy Officer. We may need to verify your identity before responding. We will not charge a fee for reasonable requests.

15. Privacy Breach Response and Notification

We take privacy breaches seriously and have an internal breach response procedure. If we confirm a privacy breach involving your PHI:

We will notify you at the first reasonable opportunity as required under PHIPA

We will notify the Information and Privacy Commissioner of Ontario where required

We will notify the relevant professional regulator (such as the CPSO) in accordance with our obligations

We will take reasonable steps to contain the breach, mitigate harm, and prevent recurrence

For breaches involving non-health personal information, we follow PIPEDA's breach-of-security-safeguards framework, including notification where there is a real risk of significant harm.

16. How to Contact Us

NoteSeek Privacy Officer

Name: [To be confirmed]

Title: Privacy Officer, NoteSeek Inc.

Email: [admin@noteseek.ca]

Mail: [Insert corporate mailing address]

Response time: We aim to acknowledge privacy inquiries within 5 business days and respond substantively within 30 days.

Regulatory authorities

If you are not satisfied with our response, you may contact the following authorities:

Information and Privacy Commissioner of Ontario (IPC)

Phone: 416-326-3333 or 1-800-387-0073


Web: www.ipc.on.ca

Office of the Privacy Commissioner of Canada (OPC)

Phone: 1-800-282-1376

Web: www.priv.gc.ca

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last Updated" date at the top of this Policy

Post a notice on noteseek.ca

Where appropriate, notify registered users and, for material changes affecting PHI, obtain fresh consent where required by law

We encourage you to review this Policy periodically. Your continued use of the Platform after a material change constitutes your acceptance of the updated Policy, except where fresh consent is required.

Appendix A: Open Items for Founder and Legal Review

The following items require confirmation by NoteSeek leadership and legal counsel before publication. They are marked in [brackets] throughout the Policy:

Effective date and version numbering at launch

Name and contact details of the designated Privacy Officer

Corporate mailing address for privacy correspondence

Final list of service providers (subprocessors) and their processing jurisdictions

Final retention periods for account data and audit logs

Confirmation of cloud hosting provider and Canadian region

Confirmation of payment, SMS, email, and analytics vendors

Whether Quebec residents will be served at launch (triggers Law 25 obligations) or geo-restricted

Whether a cookie consent banner will be deployed (recommended)

Alignment with final Terms of Service and a separate PHIPA Compliance / Statement of Information Practices page

Completion of a Privacy Impact Assessment (PIA) before launch

Execution of written Data Processing Agreements with all subprocessors

Legal counsel review of CASL consent flows for the existing waitlist form

Legal counsel review of marketing assets on noteseek.ca for CPSO Advertising Policy compliance (including removal of patient testimonials)