Last update: June 2022
Personal Information Protection Officer
350 Charest Blvd East, Suite 300
Quebec City, Quebec G1K 3H5
If you are located in Europe, please note that we act as a “subcontractor” for our customers in the provision of our professional services (as defined below). Our customers are the data controllers for the personal data under their control. They therefore decide on the legitimate bases for the processing of personal data and respond to your requests regarding your personal data. We process your personal data according to their instructions. We encourage you to review the privacy policies of these entities if you need more information.
1. When does this Policy apply?
This Policy applies in connection with our services and products, such as our medical appointment or healthcare productivity management platforms (our “professional services”). We provide professional services to our customers, including hospitals, healthcare professionals, and public and government agencies. Here are some examples of our professional services:
- Our care orchestrator services, provided in real time for healthcare organizations through our cloud-based platform;
- Our patient appointment portal services;
- The Petal platform for patient primary care requests;
- Our Xacte billing services;
- Training and support services.
This Policy applies only to the processing of “personal” data. By “personal data” we mean any data that allows us to identify you directly or indirectly, including cookies. Some of the personal data indicated in this Policy may not be protected under the laws that apply to you. This Policy is for transparency purposes.
2. When does this Policy not apply?
This Policy does not apply in the following cases:
- In our marketing activities, including digital marketing through our website;
- If you interact with us outside of our professional services;
- When you subscribe to our mailing list;
- When you browse our website;
- If you apply for a job with us.
3. What personal data do we collect and for what purposes?
We collect personal data necessary for the delivery of our professional services, which may include health data (related to appointments with professionals, for example), as well as data pertaining to the business conducted by healthcare professionals. The personal data we collect in the provision of our professional services is not resold or used for marketing purposes. We have contracts with our customers and follow their instructions regarding the processing of your personal data. Our customers determine the lawful basis for such processing.
We collect personal information directly from users about their use of our professional services. However, healthcare professionals using our professional services may also provide us with personal data about their patients, mainly for billing purposes.
In the provision of our professional services, we collect the types of personal data listed below for the purposes identified. If you have any questions, please do not hesitate to contact us.
Personal account information
Examples: Email address, password, avatar or photograph, preferences, settings, date of account creation.
When you create an account, you must provide certain information depending on the nature of the account and the intended use. You also have the option to add a photograph that will be visible to other users. We use your personal account information to create your account, to allow you to interact with your co-workers and be linked to your organization, and to enable you to use the features of our professional services.
We use your email address to send you updates and information about your account.
Personal data relating to healthcare professionals
Examples: Phone numbers, medical specialty, licensure number and issuing authority, employer, professional contact information, schedules, absences, events, secure messages in the platform, documents, patient billing information, distribution lists.
In the provision of our professional services, we collect personal data about healthcare professionals so that they can use the relevant features of our services. For example, our secure messaging platform is used by healthcare professionals to communicate with each other about schedules and sometimes about patients. One of the functionalities of our professional services is schedule coordination, which requires the collection of employment information.
In the provision of our medical billing services, we also collect information about the services provided and billed, as well as the applicable rates.
Personal usage data
Examples: Daily logs, information about professional services usage by the user, technical bugs and errors associated with the account, hours logged in, pages visited, content of technical support requests.
Our platform automatically collects personal data related to your usage. This information is used only as directed by our customers, which may include aggregating or anonymizing personal data to provide them with an overview of their business, or as necessary to secure our professional services, respond to your requests for technical support, and manage the performance of our professional services.
Personal data relating to patients and their health
Examples: Medical appointment information (attending physician, date, time, reasons, and the clinic or facility where the appointment is made), any data or documentation provided by healthcare professionals about an individual in the provision of professional services, patient identification information, health insurance number, symptoms, vaccination status.
In the provision of our appointment scheduling services, patients are asked to provide the information that our customers require, which may vary from one situation to the next. We process the information that patients provide when using these digital appointment scheduling platforms.
We also process certain personal patient data for the purpose of Xacte’s medical billing for professional services.
We use this personal data in accordance with our customer contracts and to provide services to our customers, such as demand and waitlist management, virtual care delivery and vaccination program management. Your personal data is not used for any purpose other than the delivery of professional services.
Payment and subscription data
Examples: Credit card numbers, billing address, payment date, CVV code, type of subscription.
We process your financial information in order to provide you with access to services, as per the service contract in place with you or your institution. You have the option to select recurring payments or no automated payment.
If you pay online, you pay directly through the Stripe secure digital portal, and we do not have access to your full credit card number. However, we have access to the history of payments made.
4. Who do we share your personal data with?
We share your personal information with third parties in order to provide our professional services, including with our subcontractors, with government entities, or with integration partners as directed by our customers. Our subcontractors may also share some of your personal information with their own subcontractors. We have contracts with our subcontractors to protect your personal data.
Our customers may also disclose your personal data in accordance with their policies, including for the provision of healthcare services and to comply with applicable laws.
We’ll also disclose your personal data in the following situations:
- If required by law, subpoena, or a request from authorities that we believe we should respond to, or if the disclosure is made necessary by an urgent and justified medical situation.
- With our subsidiaries and affiliates, when necessary for the purpose of providing professional services or for business development.
- In connection with a merger, acquisition or sale of some or all of our assets.
In the provision of our professional services, some personal data may be transferred between our subsidiaries. For example, if our customer is located in the European Union, our Canadian subsidiary may access personal data when responding to technical support requests. We share your personal information as required for the delivery and management of professional services.
Under the laws in force, we may be required to share your personal information with government authorities, including on behalf of healthcare professionals who use our professional services. For example, as required by the Régie de l’assurance maladie du Québec, certain aggregate statistics on the billing of healthcare professionals must be disclosed. These disclosures are required by the applicable laws, and vary from region to region.
Our customers themselves may also share your personal data with government authorities. Please see their own privacy policies.
We use the services of data centres and other providers to offer you professional services online. We also use security service providers. We disclose only the personal data they need to perform their services, and we have contracts that prevent secondary use.
Secure Digital Payment Provider
We use trusted third parties to process your credit card payments. Our payment processing provider is Stripe, which is PCI DSS level 1 certified. Stripe may share your payment information as necessary to complete your payments, in particular with banking institutions or credit card companies.
We work with subcontractors for some of the features of our services. For example:
- We use Zendesk for our support services.
5. Where do we store your personal data?
We are located in Canada and in the European Union. However, some of our subcontractors are located outside these regions. For example, we use Chargebee to manage our subscriptions. Chargebee uses subcontractors located in the United States. You can consult the list of these subcontractors and their locations by clicking here.
When we transfer your personal data outside your country of residence, we ensure that appropriate safeguards are in place to provide it with protection similar to that of your country of residence. For example, in the European Union, we can use the standard model clauses, available here.
6. How long do we keep your personal data?
We retain your personal data for as long as necessary for the purposes of collection, or longer if required by the applicable law. Our customers may maintain copies of your personal data for longer periods of time, depending on their privacy policies.
If you are a platform user, you may delete your account at any time, subject to the requirements of your employer, by sending an email to firstname.lastname@example.org. Any personal data pertaining to you will then be deleted.
7. How do we ensure the security of your personal data?
The security of your data is important to us, but please keep in mind that no method of transmission over the web or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. For example, some of our subcontractors, such as Stripe, comply with PCI DSS, the global standard for financial information processing.
That said, Petal has administrative, technological and physical measures and practices in place to protect your personal data. For example, we restrict access to your personal data to those who need it in order to perform their duties. We train our staff on privacy issues and sign confidentiality agreements with our third parties.
8. What are your rights regarding your personal data?
You have certain rights regarding your personal data. Your rights vary depending on the laws that apply to you and the specific circumstances of your request.
To exercise your rights, it’s best to go directly to the organization that provided you with access to professional services, such as a healthcare facility or a level of government. We have contracts with our customers that contain obligations to collaborate with them in responding to your requests. Consequently, if you submit a request to us, we may need to share it with the institution that gave you access to our professional services.
Your rights may include, for example, the right to access your personal data, to modify it or even to obtain a copy of it in certain cases. For security reasons and to prevent fraud, we may ask you to provide proof of identity with your request. Once the request is processed, we will securely delete this personal data.
To exercise your rights or ask about how we process your personal data, you can contact us:
Personal Information Protection Officer
350 Charest Blvd East, Suite 300
Quebec City, Quebec G1K 3H5
We will help you at no extra charge. However, if you request a transcription, reproduction or transmission of your personal data, we may charge you a reasonable fee to process your request, subject to the applicable laws. In that case, we will contact you about the fee before processing your request.
If your request is denied, we will notify you in writing, providing detailed reasons and information on how to challenge our decision. We will retain the relevant personal data until you have exhausted your remedies.
If you have any comments about how we responded to your request, please let us know by writing to us at email@example.com. We’ll do our best to improve our processes so that it does not happen again. We’ll also provide you with additional information about our practices if you wish. If you’re not satisfied with our handling of your request, you may file a formal complaint with the Office of the Privacy Commissioner of Canada by completing this form or by addressing the local authorities in your country of residence.