Privacy Policy for WOXY Health

Effective Date: April 20, 2026 | Last Updated: April 20, 2026

PHIPA and PIPEDA Compliance Statement

WOXY Health Inc. is a health information custodian operating in Ontario under the Personal Health Information Protection Act (PHIPA, S.O. 2004, c. 3, Sched. A) and the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect, use, and disclose personal health information (PHI) only with your consent or as expressly permitted by law.

Privacy Officer

WOXY Health Inc. has designated a Privacy Officer responsible for overseeing compliance with PHIPA and PIPEDA, and for handling all inquiries, requests, and complaints relating to personal health information.

WOXY Health Inc.

Privacy Officer

Unit 356, 4750 Yonge Street

Toronto, ON M2N 0J6, Canada

Email: privacy@woxy.ca

Phone: +1 365-698-5115

Response Time: Within 30 calendar days of receiving your request

1. Personal Health Information We Collect

Under PHIPA s.4, "personal health information" (PHI) means identifying information about an individual that relates to their health. We collect only the minimum information necessary to provide our services.

1.1 Personal Health Information (PHI)

  • Health history: current and past medical conditions, surgeries, hospitalizations
  • Medication information: current medications, allergies, adverse reactions
  • Vital signs: blood pressure, heart rate, oxygen saturation, temperature
  • Test results: body composition data, blood tests, ECG readings, lung function tests
  • Family medical history: hereditary conditions and family health patterns
  • Lifestyle information: diet, exercise, smoking and alcohol status
  • Care records: appointment dates, service types, nurse notes, and follow-up recommendations

1.2 Personal Identifying Information

  • Identity: full name, date of birth, gender
  • Contact: email address, phone number, mailing address, emergency contact
  • Payment: credit card details, billing address, transaction history
  • Account credentials: username and encrypted password

1.3 Technical Information Collected Automatically

  • Device information: device type, operating system, browser type
  • Log information: access times, pages viewed, IP address
  • Cookie information: session and persistent cookies (see Section 10)

2. How We Use Your Personal Health Information

Under PHIPA s.29, a health information custodian may use PHI only (a) with the individual's consent, or (b) as expressly permitted by law. We use your PHI for the following purposes:

  • Providing care: processing appointments, conducting health assessments, providing personalized health recommendations and reports
  • Care coordination: coordinating care with other healthcare providers with your consent
  • Communications: sending appointment confirmations, reminders, and follow-up notifications
  • Billing: processing payments and managing billing records
  • Quality improvement: analyzing anonymized data to improve our services (no identifiable PHI used)
  • Legal compliance: complying with applicable laws, regulations, and professional standards

Important: We do not use your PHI for marketing purposes and do not sell or share it with third parties without your explicit consent.

3. Consent

Under PHIPA ss.18-20, we must obtain your informed consent before collecting, using, or disclosing your PHI. Consent must be voluntary, specific, and based on adequate information.

3.1 Express Consent

We require your express consent for:

  • Collecting and using your personal health information
  • Sharing PHI with healthcare providers you designate
  • Sharing with family members or caregivers (requires your explicit authorization)
  • Receiving marketing communications

3.2 Withdrawing Consent

You may withdraw consent for the use or disclosure of your PHI at any time, except where (a) law requires us to retain or use the information, or (b) withdrawal would affect our ability to provide care and you have been informed of that consequence.

To withdraw consent, contact our Privacy Officer in writing at privacy@woxy.ca. We will confirm your request within 30 days and explain any consequences.

4. Information Sharing and Disclosure

We do not sell your personal health information. Under PHIPA ss.38-41, we disclose PHI only in the following circumstances:

4.1 With Your Consent

  • Sharing health information with healthcare providers you designate
  • Sharing with family members or caregivers (with your explicit authorization)

4.2 Service Providers (Agents)

We may share PHI with service providers acting as our agents, who are contractually bound to use PHI only as directed by us and subject to equivalent privacy protections:

  • Cloud service providers: secure data storage (within Canada)
  • Payment processors: processing transactions and fraud prevention
  • Communication services: email and SMS notification delivery
  • Laboratory partners: processing and analyzing health tests

4.3 Legally Required Disclosures

Under PHIPA ss.43-45, we may disclose PHI without consent in limited circumstances including:

  • Responding to subpoenas, court orders, or other legal process
  • Public health reporting (legally required communicable disease reporting)
  • Preventing or reducing a serious risk of harm to an individual or the public
  • Cooperating with government investigations or regulatory requirements

5. Data Retention

We retain your personal health information in accordance with PHIPA and applicable Ontario regulations. The following are our retention schedules:

Data Type | Retention Period | Legal Basis
Personal health records | 10 years from date of last service | PHIPA s.13; O. Reg. 329/04
Minor health records | 10 years from 18th birthday | PHIPA s.13; O. Reg. 329/04
Account and contact information | 7 years after account closure | PIPEDA; CRA requirements
Transaction and billing records | 7 years | Income Tax Act; CRA
Consent records | Duration of consent plus 7 years | PHIPA s.18
Breach incident records | 2 years from incident | PHIPA s.12.2
Marketing preferences | Until consent withdrawn or deletion requested | CASL; PIPEDA

Upon expiry of retention periods, we will securely destroy or anonymize your information.

6. Data Storage Location

Your personal health information is primarily stored on servers located within Canada. PHIPA requires health information custodians to ensure PHI transferred or stored outside Canada receives equivalent protection.

Our Data Storage Arrangements

  • Primary database: within Canada (AWS ca-central-1, Montreal)
  • Backups: redundant storage within Canada
  • Payment processing: via PCI-DSS compliant processors (may be outside Canada)

If your information must be transferred outside Canada, we will ensure appropriate contractual safeguards are in place and will notify you in advance where feasible.

7. Your Privacy Rights

Under PHIPA ss.52-55 and PIPEDA, you have the following rights regarding your personal health information. To exercise any right, contact our Privacy Officer at privacy@woxy.ca. We will respond within 30 calendar days.

Right to Access (PHIPA s.52)

You have the right to request access to a copy of the PHI we hold about you. We will provide access within 30 days or explain any legal exceptions.

Right to Correction (PHIPA s.55)

If you believe PHI we hold is inaccurate or incomplete, you may request a correction. If we disagree, we will attach a statement of disagreement to the record.

Right to Accounting of Disclosures (PHIPA s.54)

You have the right to receive a list of disclosures of your PHI made without your consent in the past 3 years.

Right to Restrict Disclosure (PHIPA s.41)

You may request that we restrict disclosure of your PHI to specific persons or organizations, even where such disclosure would otherwise be permitted.

Right to Withdraw Consent (PHIPA s.20)

You may withdraw consent for the use or disclosure of your PHI at any time, except for legally required uses.

Right to Complain

If you believe we have violated PHIPA, you may file a complaint with the Information and Privacy Commissioner of Ontario (www.ipc.on.ca, phone: 1-800-387-0073).

8. Data Security

Under PHIPA s.12, we must take reasonable technical, administrative, and physical safeguards to protect PHI against unauthorized access, use, disclosure, modification, disposal, or destruction.

Technical Safeguards

  • AES-256 encryption for data in transit and at rest
  • TLS 1.3 secure protocols for all web communications
  • Multi-factor authentication (MFA) for account access
  • Role-based access controls (principle of least privilege)
  • Audit logs for all PHI access
  • Regular security assessments and penetration testing

Administrative Safeguards

  • Employee background checks and confidentiality agreements
  • Regular PHIPA privacy and security training
  • Written privacy policies and procedures
  • Vendor security assessments and contractual requirements
  • Incident response plans and procedures

Physical Safeguards

  • Secure data center facilities with 24/7 monitoring
  • Access control systems and visitor logs
  • Secure equipment disposal procedures (NIST 800-88 compliant)

9. Privacy Breach Notification

Under PHIPA s.12.2, if a privacy breach involving your PHI occurs and there is a real risk of harm to you, we must notify you as soon as reasonably possible.

  1. Containment (Immediate): Immediately investigate and take steps to contain the breach and prevent further unauthorized access.
  2. Risk Assessment (24-72 hours): Assess the scope of the breach, the type of PHI affected, and the real risk of harm to affected individuals.
  3. Notify Affected Individuals (As Soon As Possible): If there is a real risk of harm, we will directly notify affected individuals by email or phone, describing the nature of the breach, the PHI affected, and steps we have taken.
  4. Report to IPC (Where Applicable): Under PHIPA s.12.2, we will report significant breaches to the Information and Privacy Commissioner of Ontario.
  5. Documentation (2 Years): We maintain records of all breach incidents for a minimum of 2 years, including the nature of the breach, notification steps, and remediation actions.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to collect non-health-related website usage information. Cookies are not used to collect PHI.

  • Essential Cookies: Required for the website to function, including authentication and security
  • Functional Cookies: Remember your preferences such as language selection
  • Analytics Cookies: Help us understand how visitors use our website (anonymized data)

You can manage cookie preferences through your browser settings or our cookie consent tool on the website.

11. Privacy of Minors

For health services involving minors (under 18), we require parental or legal guardian consent to collect and process PHI. Parents or guardians may exercise all PHIPA privacy rights on behalf of their children.

If you believe we have mistakenly collected information from a minor, please contact our Privacy Officer immediately at privacy@woxy.ca.

12. Third-Party Services

Our website may contain links to third-party websites. This Privacy Policy does not apply to those third-party services. We encourage you to review their privacy policies.

Key third-party services we use include:

  • Cloud hosting: Supabase (AWS ca-central-1 within Canada)
  • Payment processing: PCI-DSS compliant processors
  • Communications: email and SMS service providers
  • Analytics: anonymized website analytics services

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will post the updated policy with a new effective date and notify you in advance by email.

Your continued use of our services after changes take effect constitutes acceptance of the updated policy. If you disagree with any changes, please discontinue use and contact our Privacy Officer.

PIPEDA Compliance Statement

WOXY Health Inc. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and adheres to the following 10 fair information principles:

  1. Accountability: We have designated a Privacy Officer to oversee compliance and are responsible for personal information under our control.
  2. Identifying Purposes: We identify the purposes for collecting personal information at or before the time of collection.
  3. Consent: We obtain meaningful consent for the collection, use, or disclosure of personal information.
  4. Limiting Collection: We limit collection to information necessary for identified purposes.
  5. Limiting Use, Disclosure, and Retention: We use or disclose personal information only for purposes for which it was collected, and retain it only as long as necessary.
  6. Accuracy: We keep personal information accurate, complete, and up-to-date as necessary.
  7. Safeguards: We protect personal information with appropriate security safeguards.
  8. Openness: We make information about our privacy policies and practices readily available.
  9. Individual Access: Upon request, we inform individuals of the existence, use, and disclosure of their personal information and provide access.
  10. Challenging Compliance: Individuals may challenge our compliance with these principles to our Privacy Officer.

PHIPA Compliance Statement (Ontario)

WOXY Health Inc. is a health information custodian under the Personal Health Information Protection Act (PHIPA, S.O. 2004, c. 3, Sched. A). The following summarizes our key obligations under PHIPA:

  • We collect, use, and disclose PHI only with your consent or as expressly permitted by PHIPA (s.29, s.38).
  • We take reasonable safeguards to protect PHI from unauthorized access (s.12).
  • We notify affected individuals and the IPC in the event of a privacy breach (s.12.2).
  • We retain PHI for a minimum of 10 years as required by law (s.13; O. Reg. 329/04).
  • We provide individuals with access to and correction of their PHI (s.52, s.55).
  • We provide an accounting of disclosures of PHI (s.54).
  • We have designated a Privacy Officer to oversee PHIPA compliance.

Information and Privacy Commissioner of Ontario

2 Bloor Street East, Suite 1400

Toronto, ON M4W 1A8

Phone: 1-800-387-0073

Website: www.ipc.on.ca