PRIVACY POLICY 

Last Updated: 20 November 2024

Aya Health Technologies Inc. (“Company”/“we”/“us”) is proud to offer you our website, Autochart.ai (the “Website”), and the associated voice-enabled artificial intelligence-powered application as further described in our Terms of Use (the “Application”). This Privacy Policy describes how we collect, store, use, and distribute information about the healthcare practitioners who use the Application and their patients.

By using our website or using the Application, you consent to the use of personal information as described in this Privacy Policy. We update this privacy policy frequently. We may notify you if there are material changes to the text of this policy. Your continued use of the Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of this revised Privacy Policy.

The Company’s customers are healthcare practitioners who are utilizing the Application. If you are a patient of a healthcare practitioner who uses the Application and do not wish for your personal information to be collected and used in the manner described in this Privacy Policy, then you may inform the healthcare practitioner that you do not consent to the use of your personal information by the Application.

What personal information do we collect and how?

Website Access

Unless you opt out, our website uses “Cookies” and other automatic data collection technologies with your consent to collect personal information whenever you visit or interact with our website, including unique identifiers and preference information such as IP address, browser type, operating system, pages viewed or navigation behavior for online interactions.

These cookies help us understand how you use our website and interact with the content of our website to make improvements. We also may use these Cookies to promote our services through marketing and advertising.

Some of the information mentioned above that is collected by Cookies can constitute personal information of the person visiting our website. You can opt out of Cookies or prevent third-party websites from accessing our Cookies through the privacy settings on your browser. Opting out of our Cookies may disable some of our website’s features and may prevent us from providing you with the information and services you have requested.

Website Form

When you submit a form on our website or contact us directly via e-mail, we will collect the information provided by you like your name, e-mail, phone number, clinic/organization you work for, and any other information you may include in your message. This information will be used by us to communicate with you and to provide you with the information you requested.

Direct Marketing

If you sign up to receive direct marketing or promotional communications from the Company, we will collect your name and e-mail and any other information you may provide to inform you about relevant updates. We will only share direct marketing communications of the types that you have consented to. We will never share the information you provide with third-party advertisers or similar organizations.

Mobile Information and Data Sharing

We respect your privacy and are committed to safeguarding your mobile information. We do not share mobile information, including phone numbers, with third parties or affiliates for marketing or promotional purposes. Mobile numbers collected through our services are solely used for delivering requested communications and providing the services you have opted into, which includes two-factor authentication.

Application

Healthcare Practitioner Information

The Application is available for use by healthcare practitioners through a subscription. Information like the healthcare practitioner’s name, billing information, and contact details will be collected by the Company to administer their account (“Account Information”).

Patient Information

The Application only collects the personal information that is entered into it by the healthcare practitioners, or which is recorded by the Application when it is being used by the healthcare practitioner. The collection of extensive data sets, including device information, is crucial for enhancing user experience, optimizing service functionality, and ensuring robust security measures. We process such information based on legitimate interests—improving our services and maintaining security—and where applicable, through explicit consent, which is transparently obtained at the point of data collection. If you choose not to provide the requested information, it may hinder our ability to deliver these services to you fully.

As a feature of the Application is to make a summary of what was discussed during an appointment, the entire conversation between a patient and healthcare practitioner could be collected by the Application, including sensitive personal health information. The audio is used to make a text transcript of such an encounter (the “Transcript”) and to support other clinical workflows. The audio is immediately deleted after transcription.

Why do we use personal information?

Account Information

We use the Account Information you provide and other information collected from our website to:

Transcripts

The Company uses machine learning algorithms and other artificial intelligence technologies that need to analyze the Transcript to provide services and improve performance. Without the ability to process the Transcript, the Application would not work as intended.

We emphasize that the Company does not share this data with third parties.

The Company relies on the healthcare practitioners to obtain consent for the collection of patient’s personal information to be used by the Company. If a healthcare practitioner does not have a patient’s consent for their personal information to be used in this manner, the healthcare practitioner must not use the Application with that patient.

Audio Files

How do we use data?

We will never sell anyone’s data. We only share your personal information with our service providers such as hosting, cloud, analytics, support, and payment providers to operate our website and the Application. This includes sharing your personal information for:

We only use service providers who ensure high industry-standard levels of protection for your personal information, as provided in this Privacy Policy. Our contracts with our service providers ensure they comply with that obligation and do not use your personal information for their own purposes.

We may have to disclose your personal information to law enforcement agencies if required to do so by applicable law.

We may also disclose your personal information in connection with a corporate re-organization, amalgamation, or sale of the business (or potential sale of our business). We shall ensure that all such information disclosed as part of such process is protected in a manner consistent with this Privacy Policy.

Other than as described in this Policy, the Company will not use or share any information gathered or stored about the user or patient.

How does the Company use artificial intelligence?

The Company uses artificial intelligence service providers (the “AI Service Providers”) to help provide the Application, create and process the Transcripts, and return a summary of the Transcript for the healthcare practitioner to review (the “Summarized Note”) and to assist with other clinical workflow solutions. Our contracts with our AI Service Providers ensure that they do not collect, use, or disclose any information provided to them, except to provide the services we specifically request. 

How long do we keep personal information?

The audio is not stored. After it is transcribed it is immediately deleted.

We retain personal and health information for a maximum of thirty (30) days from the date of collection. After this period, all data is securely and irreversibly destroyed, unless there is a documented and legally mandated reason for extended retention. This ensures compliance with privacy regulations and minimizes risks related to data over-retention.

Users have the right to request deletion of their data before the 30-day retention period ends. Upon receiving a verified request, we will securely delete the specified data within fourteen (14) calendar days, unless applicable laws require further retention. This provides users with more control over their data and enhances privacy protection.

We use industry-standard methods to securely destroy data, including secure electronic deletion, cryptographic erasure, and physical destruction of storage media. These methods comply with standards such as NIST Special Publication 800-88, ensuring data cannot be reconstructed or accessed once removed.

We maintain detailed records of when, how, and by whom data is destroyed. Our internal compliance and security teams regularly audit these processes to ensure adherence to our policies and all applicable legal standards. This provides accountability and transparency in our data destruction practices.

In certain situations, legal or compliance obligations may necessitate retaining data beyond the standard thirty (30) days. Such exceptions are carefully reviewed and documented, with additional safeguards to ensure the confidentiality and security of retained information.

Healthcare practitioners using the Application are required to comply with different statutory and regulatory requirements. This includes any Transcripts or Summarized Notes they elect to save within their electronic medical record system. We encourage patients to speak with healthcare practitioners directly about how long they are required to store your personal information.

How do we keep personal information accurate?

We take reasonable steps to ensure that any personal information in our custody is accurate and up-to-date, but we mostly rely on our healthcare practitioners to notify us of any changes to the personal information they provide us.

How do we protect your personal information?

We use physical, administrative, and technical measures designed to help secure personal information against accidental or unlawful loss, access, or disclosure. Only staff and service providers who have a legitimate business purpose for accessing the personal information collected by us are authorized to do so. Unauthorized use of personal information by anyone affiliated with the Company is prohibited and constitutes grounds for disciplinary action.

Our contracts with our service providers require them to use administrative, physical, and technical measures to protect your data. The service providers have agreed to not use the information we provide them for their own purposes.

Even though we take all necessary steps to protect your personal information, security breaches cannot be eliminated and we cannot guarantee a breach will never occur.

Where do we store personal information?

All data is stored in Canada and the AI Service Providers will perform processing and store data in Canada.

For users located in jurisdictions with specific data residency requirements, we may, where necessary and feasible, store and process data within those jurisdictions to comply with local laws and regulations regarding data residency. This may involve establishing data centers or utilizing local third-party service providers to store data in the required jurisdiction. Our commitment to protecting personal information will remain consistent, regardless of where data is stored or processed. 

While outside of Canada, personal information is subject to that jurisdiction’s laws, which may give governmental authorities the right to access your personal information.

Disclosure of Information Outside Quebec

In accordance with Quebec Law 25, we inform users that personal information collected through our Website or Application may be disclosed outside of Quebec, including outside of Canada. This may occur when we work with service providers located in other Canadian jurisdictions to process or store data. We ensure that all such transfers are subject to appropriate safeguards to protect your personal information. This information is provided to you at the time of data collection and is available upon request.

Information collected by cookies 

We may collect de-identified information via cookies on our website, such as your browser type, operating systems, and other websites visited. We may also collect some personal information when using cookies, such as where a cookie is linked to your account. 

Information collected for recruitment purposes

When you apply for a job or position with us we may collect certain information from you (including your name, contact details, working history, and relevant records checks) from any recruitment consultant, your previous employers, and others who may be able to provide information to us to assist in our decision on whether or not to make you an offer of employment or engage you under a contract.

We may also de-identify and/or aggregate your personal information for other purposes that may not be set out in this Privacy Policy. We may also share this de-identified information with our partners for those partners' other purposes, which are not set out in this Privacy Policy. This may include, for example, partners using de-identified information to assist them in marketing products and services that are likely to be relevant to your interests and preferences.

For more information on our service providers or where we store personal information, contact us at privacy@autochart.ai.

Employees

Your general personal information includes information or an opinion about you that is reasonably identifiable. For example: your name, address, age or date of birth, contact number, email address, and image. Educational and social information includes details of your education, references from your institutions of study, and information relating to your interests and extra-curricular activities. Work-related information includes details of your work history, professional activities and interests, involvement with and membership of industry bodies and professional associations, and any personal information captured in the work product(s) you create while employed by us.

If you are a current or former employee and you have any questions about our handling of your personal information, please get in touch with us at privacy@autochart.ai.

Links to third-party sites

Our Website may lead you to third-party websites, including websites advertising other products or services. Those organizations are separate and distinct from the Company and have their own privacy policies. We are not responsible for how any third party collects, uses, or discloses your personal information, so it is important to familiarize yourself with the privacy policies of these websites before providing your personal information to them.

Direct marketing

You may sign up to receive marketing or promotional communications from the Company. Where you have expressly consented, we may use your personal information to inform you about our products and our services, including promotional offers and events.

If you no longer wish to receive marketing or promotional communications from us, you can opt out at any time by:

We will stop sending you marketing emails within a reasonable amount of time after receiving your unsubscribe request.

Your rights

You also have the right to:

Contact us at privacy@autochart.ai to exercise any of these rights. We will respond within a reasonable amount of time. If we cannot grant your request, for example, if you make an access request and access would disclose personal information about another person, we will give reasons.

We will address all requests with equal attention.

Contacting us

Accountability concerning your personal information is important to the Company. If you have any questions (including how personal information is managed by the Company), complaints, or concerns about this Privacy Policy, or if you have reason to believe that we may have failed to adhere to it, please get in touch with us by sending an email to privacy@autochart.ai.

Questions regarding your rights and responsibilities under this Privacy Policy can be directed to our privacy officer at privacy@autochart.ai.