Privacy Policy for WOXY Health

Effective Date: January 1, 2025 | Last Updated: January 1, 2025

This Privacy Policy describes how WOXY Health Inc. ("WOXY," "we," "us," and "our") collects, uses, discloses, transfers, stores, retains, or otherwise processes your information when you visit our website (www.woxy.ca) or use our health services (collectively, "Services").

We are committed to protecting your privacy and ensuring that your personal information and health information are handled responsibly. This policy is designed to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

Applicable Entity

  • If your Country of Residence is Canada, your WOXY entity is WOXY Health Inc., Unit 356 - 4750 Yonge Street, Toronto, ON M2N 0J6, Canada.
  • If you are receiving health services in Ontario, your personal health information is also protected under the Personal Health Information Protection Act (PHIPA).

1. Information We Collect

We collect information about you in various ways depending on how you interact with us and our Services. This includes information you provide directly, information collected automatically, and information from third parties.

1.1 Personal Information You Provide Directly

  • Identity Information: Full name, date of birth, gender, photograph
  • Contact Information: Email address, phone number, mailing address, emergency contact
  • Account Credentials: Username, password, security question answers
  • Payment Information: Credit/debit card details, billing address, transaction history
  • Communication Preferences: Language preference, marketing opt-ins, notification settings
  • Insurance Information: Insurance provider, policy number, coverage details

1.2 Health and Medical Information

  • Health History: Past and present medical conditions, surgeries, hospitalizations
  • Family Medical History: Hereditary conditions, family health patterns
  • Medication Information: Current medications, allergies, adverse reactions
  • Vital Signs: Blood pressure, heart rate, temperature, respiratory rate, oxygen saturation
  • Test Results: Body composition data, blood test results, ECG readings, lung function tests
  • Lifestyle Information: Diet habits, exercise frequency, smoking/alcohol status, sleep patterns
  • Appointment Records: Appointment dates, service types, nurse notes, follow-up recommendations

1.3 Technical Information Collected Automatically

  • Device Information: Device type, operating system, browser type, unique device identifiers
  • Log Information: Access times, pages viewed, click paths, IP address, referring URL
  • Location Information: Approximate location based on IP address (city, province/state, country)
  • Cookie Information: Session cookies, persistent cookies, tracking pixels
  • Usage Data: Feature usage patterns, service interactions, error reports

1.4 Information from Third Parties

  • Healthcare Providers: Referral information, medical records with your authorization
  • Laboratory Partners: Test results, diagnostic reports
  • Payment Processors: Transaction confirmations, payment status
  • Identity Verification Services: Identity verification results

2. How We Use Your Information

We only process your personal information when we have a valid legal basis to do so. We use the information we collect for the following purposes:

2.1 Service Delivery

  • Processing and managing your appointments and health assessments
  • Providing personalized health recommendations and reports
  • Coordinating care with other healthcare providers (with your consent)
  • Maintaining your health records and history

2.2 Communications

  • Sending appointment confirmations, reminders, and follow-up notifications
  • Providing health-related information and educational content
  • Responding to your inquiries and support requests
  • Sending promotional communications (only if you have opted in)

2.3 Business Operations

  • Processing payments and managing billing
  • Preventing fraud and unauthorized activities
  • Analyzing usage patterns to improve our services
  • Conducting internal research and development

2.4 Legal and Compliance

  • Complying with applicable laws, regulations, and professional standards
  • Responding to legal process and government requests
  • Protecting our rights, privacy, safety, or property
  • Enforcing our Terms of Service and other agreements

3. Information Sharing and Disclosure

We do not sell your personal information. We only share your information in the following circumstances:

3.1 With Your Consent

  • Sharing health information with healthcare providers you designate
  • Sharing with family members or caregivers (with your explicit authorization)

3.2 Service Providers

  • Payment Processors: Processing transactions and fraud prevention
  • Cloud Service Providers: Secure data storage and hosting
  • Analytics Services: Website usage analysis (anonymized data)
  • Communication Services: Email, SMS, and notification delivery
  • Laboratory Partners: Processing and analyzing health tests

3.3 Legal Requirements

  • Responding to subpoenas, court orders, or other legal process
  • Cooperating with government investigations or regulatory requirements
  • Protecting public health and safety (legally required reporting)
  • Preventing or investigating possible criminal activity

3.4 Business Transfers

If WOXY is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will notify you before any such transfer, and any new entity will be bound by this Privacy Policy.

4. Data Security

We implement comprehensive technical, administrative, and physical security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.

4.1 Technical Safeguards

  • AES-256 encryption for data in transit and at rest
  • TLS 1.3 secure protocols for all web communications
  • Multi-factor authentication (MFA) for account access
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Automated security updates and patch management

4.2 Administrative Safeguards

  • Employee background checks and confidentiality agreements
  • Regular privacy and security training programs
  • Role-based access controls (principle of least privilege)
  • Data access auditing and monitoring
  • Incident response plans and procedures
  • Vendor security assessments and contractual requirements

4.3 Physical Safeguards

  • Secure data center facilities with 24/7 monitoring
  • Access control systems and visitor logs
  • Environmental controls (fire suppression, climate control)
  • Secure equipment disposal procedures

5. Cookies and Tracking Technologies

We use cookies and similar technologies to collect information, improve your experience, and analyze website usage.

5.1 Types of Cookies

  • Essential Cookies: Required for the website to function properly, including authentication and security features
  • Functional Cookies: Remember your preferences such as language and display options
  • Analytics Cookies: Help us understand how visitors use our website to improve our services
  • Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

5.2 Managing Your Cookie Preferences

You can manage your cookie preferences through:

  • Browser Settings: Most browsers allow you to block or delete cookies
  • Our Cookie Consent Tool: The cookie banner displayed on your first visit
  • Opt-out Links: For specific analytics and advertising services

6. Your Privacy Rights

Under Canadian privacy laws (including PIPEDA and PHIPA), you have the following rights regarding your personal information:

  • Right to Access: Request a copy of the personal information we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete information
  • Right to Erasure: Request deletion of your personal information (subject to legal retention requirements)
  • Right to Restrict Processing: Request limitation of how we use your information
  • Right to Data Portability: Request to receive your information in a structured, commonly used format
  • Right to Withdraw Consent: Withdraw any consent you have previously given
  • Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada or the Information and Privacy Commissioner of Ontario

How to Exercise Your Rights

To exercise these rights, please contact our Privacy Officer at:

We will respond to your request within 30 days of receipt.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with legal requirements:

  • Health Records: Minimum 10 years as required by Ontario healthcare regulations (from the date of last service)
  • Account Information: Retained while your account is active and for 7 years after account closure
  • Transaction Records: 7 years as required for tax and accounting purposes
  • Marketing Preferences: Retained until you withdraw consent or request deletion
  • Website Analytics Data: Anonymized data retained for 26 months

8. Children's Privacy

Our Services are primarily directed to adults. For health services involving minors (under 18 years of age):

  • We require parental or legal guardian consent to collect and process personal information of minors
  • Parents or guardians may exercise privacy rights on behalf of their children
  • We do not knowingly collect personal information from children under 13 without parental consent
  • If you believe we have mistakenly collected information from a minor, please contact us immediately

9. International Data Transfers

Your information is primarily stored and processed within Canada. However, in certain circumstances, your information may be transferred to countries outside of Canada:

  • When we use service providers located in other countries
  • When you request information be transferred to healthcare providers outside Canada
  • For backup and disaster recovery purposes

When we transfer personal information outside of Canada, we ensure appropriate safeguards are in place, including contractual clauses, encryption, and access controls, to protect your information in accordance with PIPEDA requirements.

10. Data Breach Notification

In the event of a security incident involving your personal information, we will:

  • Immediately investigate and take steps to contain the incident
  • Assess the risk of significant harm to affected individuals
  • Notify affected individuals as soon as feasible if there is a risk of significant harm
  • Report to the Office of the Privacy Commissioner of Canada as required by PIPEDA
  • For health information breaches, report to the Information and Privacy Commissioner of Ontario as required by PHIPA
  • Maintain records of all breach incidents

11. Third-Party Services

Our website and services may contain links to third-party websites or services. This Privacy Policy does not apply to these third-party services. We encourage you to review the privacy policies of these third parties.

Third-party services we use include but are not limited to:

  • Payment Processing: Stripe, Square
  • Cloud Hosting: Amazon Web Services (AWS), Supabase
  • Analytics: Google Analytics (anonymized)
  • Communications: Twilio (SMS), SendGrid (Email)
  • Appointment Scheduling: Square Appointments

12. Special Protection for Health Information

As a health service provider, we implement additional protections for your health information:

  • Health information is only accessed by authorized healthcare professionals
  • All access to health information is recorded in an audit trail
  • Use and disclosure of health information requires your explicit consent (except where required by law)
  • You have the right to request restrictions on certain disclosures of your health information
  • You have the right to receive an accounting of disclosures of your health information

13. Consent and Choice

We respect your control over your personal information. Here is how we obtain consent:

13.1 Express Consent

  • Collection and use of health information
  • Sharing information with third-party healthcare providers
  • Receiving marketing communications
  • Participating in research or surveys

13.2 Implied Consent

  • Using our website (for essential cookies and basic functionality)
  • Booking services (for information processing necessary for service delivery)

13.3 Withdrawing Consent

You may withdraw consent at any time, but this may affect our ability to provide certain services to you. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

  • We will post the updated policy on our website with a new effective date
  • For significant changes, we will notify you in advance via email or website notification
  • We encourage you to review this policy periodically
  • Your continued use of our services after changes take effect constitutes acceptance of the updated policy

15. Contact Us

If you have any questions, comments, or complaints about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact our Privacy Officer:

WOXY Health Inc.

Privacy Officer

Unit 356 – 4750 Yonge Street

Toronto, ON M2N 0J6, Canada

Email: privacy@woxy.ca

Phone: +1 365-698-5115

Response Time: Within 30 days

PIPEDA Compliance Statement

WOXY Health Inc. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and adheres to the following 10 fair information principles:

  1. Accountability: We are responsible for personal information under our control and have designated a Privacy Officer to oversee compliance.
  2. Identifying Purposes: We identify the purposes for collecting personal information at or before the time of collection.
  3. Consent: We obtain meaningful consent for the collection, use, or disclosure of personal information.
  4. Limiting Collection: We limit collection to information necessary for identified purposes.
  5. Limiting Use, Disclosure, and Retention: We use or disclose personal information only for purposes for which it was collected, and retain it only as long as necessary.
  6. Accuracy: We keep personal information accurate, complete, and up-to-date as necessary.
  7. Safeguards: We protect personal information with appropriate security safeguards.
  8. Openness: We make information about our privacy policies and practices readily available.
  9. Individual Access: Upon request, we inform individuals of the existence, use, and disclosure of their personal information and provide access.
  10. Challenging Compliance: Individuals may challenge our compliance with these principles to our Privacy Officer.

PHIPA Compliance Statement (Ontario)

For clients receiving health services in Ontario, WOXY Health Inc. also complies with the Personal Health Information Protection Act (PHIPA). Under PHIPA:

  • We collect, use, and disclose your personal health information only with your consent or as permitted by law.
  • You have the right to access your personal health information and request corrections.
  • You have the right to withdraw consent for certain uses and disclosures of your personal health information.
  • You have the right to request restrictions on certain disclosures.
  • You have the right to receive an accounting of disclosures of your health information.
  • If you believe your privacy rights have been violated, you may file a complaint with the Information and Privacy Commissioner of Ontario.

Information and Privacy Commissioner of Ontario

2 Bloor Street East, Suite 1400

Toronto, ON M4W 1A8

Phone: 1-800-387-0073

Website: www.ipc.on.ca