Privacy Policy

1. About This Policy

This Privacy Policy explains how HealthGrid Technologies Inc. ("HealthGrid", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our AI-powered health triage and virtual care services.

HealthGrid Technologies Inc. is a Canadian federal corporation (Corporation #1709844-8) headquartered in Calgary, Alberta.

2. Information We Collect

We collect the following types of information to provide our services:

• Contact Information: Name, phone number, email address
• Health Information: Symptoms, medical history, medications, health concerns shared during triage conversations
• Communication Records: Messages exchanged through WhatsApp for service delivery
• Technical Information: Device type, operating system, usage patterns to improve our services
• Location Information: General location (province/territory) to connect you with appropriate healthcare providers

3. How We Use Your Information

We use your personal information for the following purposes:

• Providing AI-powered health triage and symptom assessment
• Connecting you with licensed healthcare providers
• Sending medication reminders and wellness check-ins (with your consent)
• Improving the quality and accuracy of our services (see Section 4 below for important detail on AI model training)
• Communicating important service updates
• Complying with legal and regulatory requirements

4. AI Processing and Model Training

Our triage service uses AI inference provided by Amazon Web Services. The AI inference service processes your messages in real time to provide triage responses. The following commitments apply:

• The AI inference service does not retain your messages beyond the immediate processing window required to generate a response.
• The AI inference service does not use your messages or your health information to train AI models.
• You may decline AI processing at any time by replying STOP to the WhatsApp conversation, in which case your follow-up is handled by a human team member.

5. Consent

We obtain your consent before collecting, using, or disclosing your personal information. By using our services, you consent to the collection and use of information as described in this policy.

You may withdraw your consent at any time by contacting us at privacy@healthgridtech.ca. Please note that withdrawing consent may affect our ability to provide certain services.

6. Disclosure of Information and Sub-Processors

We share your information only as required to deliver our services or as required by law. The categories of recipients are:

• Healthcare Providers: Licensed physicians and healthcare professionals you choose to consult with.
• Service Partners: Pharmacies and laboratories, only when you request prescription or lab services.
• Cloud Infrastructure and AI Inference Provider: Amazon Web Services Inc., which hosts our compute, storage, networking, and AI inference services. AWS acts as a data processor on our behalf under a Data Processing Agreement (see Section 7).
• Telephony and Messaging Provider: Twilio Inc., which delivers our WhatsApp, SMS, and voice messages.
• Legal Authorities: When required by law or to protect safety.

We do not share your personal health information with employers, insurers, or other third parties without your explicit consent. Additional sub-processors, including any AI inference provider operating under a separate processor agreement, are available for review on request to our Privacy Officer under a confidentiality arrangement.

7. Cross-Border Data Processing

Some of your information is processed in the United States by our cloud infrastructure provider. The following describes the residency of each category of information:

• Patient triage sessions and patient records: stored in Canada, in Amazon Web Services Canada West region (Calgary), since 8 April 2026.
• AI inference for triage: processed in the United States, in Amazon Web Services US East region (Virginia). Your messages are sent to this region for the moments needed to generate a triage response, and are not retained beyond that processing window.
• Voice recordings, consent records, access logs, and breach records: currently reside on US-based AWS infrastructure. We are progressively moving these to the Canadian region as part of our ongoing data residency programme.

This cross-border processing is governed by our Data Processing Agreement with Amazon Web Services. The AWS Data Processing Addendum applies automatically to all AWS services we use, incorporates the Standard Contractual Clauses adopted by the European Commission as a cross-border transfer safeguard, and imposes contractual confidentiality, security, sub-processor management, and data subject rights obligations on AWS. The current version of the AWS Data Processing Addendum is published at d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf.

The legal basis for this transfer is your express consent at the point of first contact with our service.

8. Data Security

We implement security measures appropriate to the sensitivity of your information:

• Industry-standard encryption in transit (TLS 1.2 or higher) for all communications between you and our services, and between our services and our sub-processors.
• Encryption at rest using Amazon Web Services Key Management Service for all data stored in our cloud infrastructure.
• Role-based access controls limiting who within HealthGrid can view your information, with audit logging.
• Regular security audits and vulnerability assessments by our cloud infrastructure provider and our internal team.
• Employee training on privacy and security practices.

9. Breach Notification

In the event of a breach of security safeguards affecting your personal information, where the breach creates a real risk of significant harm:

• We will notify the Office of the Privacy Commissioner of Canada as soon as feasible after determining that real risk of significant harm exists, as required by Section 10.1 of PIPEDA.
• Where the breach involves health information protected under the Alberta Health Information Act, we will additionally notify the Office of the Information and Privacy Commissioner of Alberta as soon as practicable, as required by Section 60.1 of HIA.
• We will notify you directly without undue delay, and provide guidance on any steps you can take to reduce the risk of harm.
• We will notify any other organisation that may be able to reduce or mitigate the harm.

10. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specifically:

• Triage conversation transcripts: retained for the duration of your relationship with the service, plus the retention period required by applicable provincial health information legislation.
• Voice recordings: retained for thirty (30) days from the date of the call by default. Customer contracts may specify a different retention period; where they do, the contracted period applies.
• Consent records: retained for the duration of your relationship with the service, plus seven (7) years thereafter for audit purposes.
• Clinical summary records: retained in accordance with the Alberta Health Information Act retention schedule.

You may request deletion of your personal information at any time by writing to privacy@healthgridtech.ca, subject to legal retention requirements.

11. Your Rights

Under PIPEDA, PIPA, and the Alberta Health Information Act, you have the right to:

• Access your personal information held by HealthGrid
• Request correction of inaccurate information
• Withdraw consent for future collection or use
• Request deletion of your information (subject to legal requirements)
• File a complaint with the Office of the Privacy Commissioner of Canada, or the Office of the Information and Privacy Commissioner of Alberta where health information is involved

We will respond to requests to exercise these rights within thirty (30) days of receipt, as required by PIPEDA Schedule 1, Principle 4.9. To exercise a right or to make a request, write to our Privacy Officer at privacy@healthgridtech.ca.

12. Children's Privacy

Our services are commonly used by parents and guardians to seek health guidance for their children. We recognise that this means we routinely process personal information relating to minors. We treat this information with the same care as any other patient information, and the following rules apply:

• Parental and guardian consent: when a parent or guardian uses the service to describe a child's symptoms or seek guidance for a child, the parent or guardian provides consent on the child's behalf. By using the service in this way, you confirm that you have parental or guardian authority over the child whose information you are sharing.
• Direct use by minors: the service is not designed for direct, unsupervised use by children under 16 years of age. We do not knowingly accept consent from a minor acting alone. If a minor contacts the service directly, our triage flow encourages the involvement of a parent or guardian.
• Rights of the minor: all rights described in Section 11 of this policy apply to a minor's information. A parent or guardian may exercise those rights on the child's behalf by writing to privacy@healthgridtech.ca.
• Sensitive paediatric data: health information about a child is sensitive personal information under PIPEDA and the Alberta Health Information Act, and is processed only for the purposes of the triage and any referral or fulfilment the parent or guardian requests.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, through direct communication.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact our Privacy Officer:

HealthGrid Technologies Inc.
Privacy enquiries: privacy@healthgridtech.ca
General enquiries: hello@healthgridtech.ca
Calgary, Alberta, Canada

You may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or the Office of the Information and Privacy Commissioner of Alberta at www.oipc.ab.ca, if you have concerns about our privacy practices.