Privacy Policy

Privacy Policy

Effective Date: November 1, 2025
Last Updated: October 31, 2025

1. Introduction

Vivologix (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information in compliance with:

  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Personal Health Information Protection Act, 2004 (PHIPA) of Ontario
  • Freedom of Information and Protection of Privacy Act (FIPPA) where applicable
  • Other applicable Canadian federal and provincial privacy legislation

This Policy applies to:

  • Visitors to our website (www.vivologix.com)
  • Clients engaging our services
  • Individuals whose information we process on behalf of clients
  • Business contacts and partners

2. Who We Are

Business Name: Vivologix
Location: Ontario, Canada
Nature of Business: Healthcare data analytics, AI-powered health analytics, and research consulting services
Contact: hello@vivologix.com

Privacy Officer: Dr. Urooj Fatima
Contact for Privacy Matters: hello@vivologix.com

3. Information We Collect

3.1 Information Collected Directly From You

Contact and Business Information:

  • Name, title, and organization
  • Email address, phone number, and mailing address
  • Professional credentials and affiliations
  • Communication preferences

Website and Service Inquiry Information:

  • Information submitted through contact forms
  • Project requirements and consultation requests
  • Appointment scheduling information
  • Newsletter subscription preferences

Client Engagement Information:

  • Service agreements and contracts
  • Project specifications and requirements
  • Billing and payment information
  • Correspondence and communications

3.2 Information We Process on Behalf of Clients

When providing services, we may process various types of data as a service provider, including:

Personal Health Information (PHI):

  • Patient demographics (age, gender, location)
  • Medical diagnoses and procedures
  • Laboratory and test results
  • Clinical notes and reports
  • Treatment histories
  • Health outcomes data
  • Prescription and medication information

De-identified or Anonymized Data:

  • Aggregated health statistics
  • Population health metrics
  • Research datasets with identifiers removed

Administrative Health Data:

  • Healthcare utilization records
  • Insurance and billing information
  • Hospital admission and discharge records

Note: When processing PHI, we act as a “health information network provider” or “agent” under PHIPA, or as a “processor” under PIPEDA, depending on the context. Our clients (as “health information custodians” or “controllers”) remain responsible for compliance with consent and legal authority requirements.

3.3 Information Collected Automatically

Website Usage Information:

  • IP addresses and device identifiers
  • Browser type and version
  • Pages visited and time spent
  • Referral sources
  • Cookies and similar technologies

System and Security Logs:

  • Access logs for security monitoring
  • Authentication attempts
  • System performance metrics
  • Error logs

4. Legal Basis and Purposes for Processing

4.1 Business Contact Information

Legal Basis: Legitimate business interests (PIPEDA Section 7(1)(b))

Purposes:

  • Responding to inquiries and consultation requests
  • Providing information about our services
  • Managing client relationships
  • Sending newsletters (with consent)
  • Business communications

4.2 Client Engagement Data

Legal Basis: Contractual necessity and legitimate interests

Purposes:

  • Executing service agreements
  • Delivering contracted services
  • Invoicing and payment processing
  • Project management and communication
  • Quality assurance and improvement
  • Legal compliance and dispute resolution

4.3 Personal Health Information

Legal Basis: Processing on behalf of clients who have the legal authority (consent, legislation, or other lawful basis under PHIPA/PIPEDA)

Purposes (as specified by clients):

  • Healthcare data analysis and reporting
  • Clinical research and studies
  • Public health surveillance
  • Quality improvement initiatives
  • Health services evaluation
  • Predictive modeling and AI development
  • Systematic reviews and evidence synthesis
  • Real-world evidence generation

Important: We only process PHI under written agreements with clients who confirm they have the legal authority to disclose such information to us.

4.4 Website Analytics

Legal Basis: Legitimate interests with opt-out mechanisms

Purposes:

  • Website performance optimization
  • Understanding user behavior
  • Improving user experience
  • Security monitoring

5. How We Use Information

5.1 Primary Uses

Service Delivery:

  • Performing data analysis, AI modeling, and research services
  • Creating deliverables (reports, dashboards, models)
  • Providing consultation and recommendations
  • Communicating project updates and findings

Business Operations:

  • Managing client relationships
  • Processing payments and maintaining records
  • Internal quality assurance
  • Staff training (using anonymized examples)
  • Business analytics and planning

Legal and Compliance:

  • Meeting regulatory requirements
  • Responding to legal processes
  • Enforcing our terms and conditions
  • Protecting our rights and those of others

5.2 Secondary Uses

We may use de-identified or aggregated data for:

  • Developing and improving analytical methodologies
  • Training AI models and algorithms (non-PHI only)
  • Publishing research findings (with appropriate anonymization)
  • Industry benchmarking and reports
  • Marketing and promotional materials (in anonymized, aggregate form)

Important: Any secondary use of PHI requires explicit authorization from clients and, where required, from individual data subjects.

6. Information Sharing and Disclosure

6.1 We Do NOT Sell Personal Information

We never sell, rent, or trade personal information or personal health information to third parties.

6.2 Sharing with Service Providers

We may share information with trusted service providers who assist us, including:

Cloud Infrastructure Providers:

  • AWS, Microsoft Azure, or Google Cloud (Canadian regions where possible)
  • Subject to strict data processing agreements
  • SOC 2 Type II certified providers

Software and Tools:

  • Project management and collaboration platforms
  • Secure file transfer services
  • Analytics and visualization tools
  • Communication platforms

Professional Services:

  • Legal counsel (subject to solicitor-client privilege)
  • Accounting and financial services
  • IT security consultants

All service providers:

  • Are contractually required to protect information
  • May only use information for specified purposes
  • Must comply with Canadian privacy laws
  • Are subject to regular security assessments

6.3 Sharing with Clients

We share findings, analyses, and deliverables with the clients who engaged us, as specified in service agreements.

6.4 Legal Disclosures

We may disclose information when required by law:

  • Court orders or subpoenas
  • Legal proceedings or investigations
  • Regulatory compliance requirements
  • Public health emergencies (as required by legislation)
  • To protect health or safety in urgent circumstances

We will notify affected parties unless prohibited by law.

6.5 Business Transactions

If Vivologix is involved in a merger, acquisition, or sale of assets, information may be transferred. Affected parties will be notified, and information will remain subject to privacy protections.

6.6 With Your Consent

We may share information in other circumstances with your explicit consent.

7. Data Security Measures

We implement comprehensive safeguards to protect information from unauthorized access, use, disclosure, modification, or destruction.

7.1 Technical Security Measures

Encryption:

  • TLS 1.3 or higher for all data in transit
  • AES-256 encryption for data at rest
  • End-to-end encryption for file transfers
  • Encrypted email for sensitive communications (when supported)

Access Controls:

  • Multi-factor authentication (MFA) for all system access
  • Role-based access control (RBAC) – minimum necessary access
  • Unique user accounts – no shared credentials
  • Automatic session timeouts
  • Regular access rights reviews

Network Security:

  • Firewalls and intrusion detection/prevention systems
  • Virtual private networks (VPNs) for remote access
  • Network segmentation and isolation
  • Regular vulnerability scanning
  • Penetration testing (annually)

Endpoint Security:

  • Full disk encryption on all work devices
  • Antivirus and anti-malware software
  • Mobile device management (MDM) for mobile devices
  • Automatic security patch management
  • Remote wipe capability for lost/stolen devices

Data Protection:

  • Automated encrypted backups (daily)
  • Geographic redundancy for critical data
  • Backup integrity testing
  • Secure data deletion protocols (NIST 800-88 standards)
  • Data loss prevention (DLP) tools

Application Security:

  • Secure software development lifecycle
  • Regular security code reviews
  • Dependency vulnerability monitoring
  • Input validation and sanitization
  • SQL injection and XSS prevention

7.2 Administrative Security Measures

Personnel Security:

  • Background checks for all employees
  • Signed confidentiality and non-disclosure agreements
  • Privacy and security training (upon hiring and annually)
  • Clear acceptable use policies
  • Defined security roles and responsibilities

Policies and Procedures:

  • Documented information security policy
  • Data classification and handling procedures
  • Incident response and breach notification plans
  • Business continuity and disaster recovery plans
  • Secure disposal and destruction procedures
  • Vendor management and assessment procedures

Oversight and Monitoring:

  • Security incident logging and monitoring
  • Regular security audits and assessments
  • Privacy impact assessments for new projects
  • Continuous compliance monitoring
  • Third-party security audits (annually)

Access Management:

  • Formal onboarding and offboarding procedures
  • Immediate access revocation upon termination
  • Regular access recertification
  • Privileged access management
  • Audit trails for all data access

7.3 Physical Security Measures

Data Center Security:

  • Use of certified data centers (SOC 2, ISO 27001)
  • 24/7 physical security and monitoring
  • Biometric or card-based access controls
  • Environmental controls (fire suppression, climate control)
  • Redundant power and network connectivity

Office Security:

  • Secure office facilities with controlled access
  • Locked storage for physical documents
  • Clean desk policy
  • Visitor management procedures
  • Secure destruction of physical materials (cross-cut shredding)

Device Security:

  • Cable locks for portable devices
  • Privacy screens for laptops
  • Secure storage when not in use
  • Prohibition of unencrypted USB drives
  • Mobile device security policies

7.4 Client-Side Security Requirements

We require clients to:

Data Transmission:

  • Use our secure file transfer portal or encrypted email
  • Never send unencrypted PHI via regular email
  • Verify recipient before sending sensitive data
  • Use strong passwords for shared access

Access Credentials:

  • Maintain confidentiality of passwords and access credentials
  • Not share login credentials
  • Report suspected compromises immediately
  • Use secure methods for credential sharing

Incident Reporting:

  • Report suspected security incidents within 24 hours
  • Cooperate with incident investigations
  • Maintain their own incident response procedures

7.5 Ongoing Security Improvements

We continuously enhance security through:

  • Monitoring emerging threats and vulnerabilities
  • Adopting new security technologies and best practices
  • Participating in healthcare security communities
  • Regular security awareness training updates
  • Lessons learned from incident reviews

8. Data Retention and Disposal

8.1 Retention Periods

Business Contact Information:

  • Retained while relationship is active and for 7 years after last contact
  • Newsletter subscribers until unsubscribe requested

Client Engagement Records:

  • Service agreements and contracts: 7 years after project completion
  • Financial records: 7 years per CRA requirements
  • Project communications: Duration of project plus 1 year

Personal Health Information:

  • Retained only as long as necessary to complete services
  • Default: 90 days after project completion and final deliverable delivery
  • Extended retention only with explicit client authorization
  • Minimum retention may be required by research ethics boards or regulations

De-identified Data:

  • May be retained indefinitely for methodology development and quality improvement
  • No re-identification attempted or possible

Website Logs:

  • Access logs: 90 days
  • Security logs: 1 year

8.2 Secure Disposal

When information is no longer needed:

Digital Data:

  • Cryptographic erasure (encryption key destruction)
  • NIST 800-88 compliant secure deletion
  • Physical destruction of storage media when decommissioned
  • Certificates of destruction available upon request

Physical Records:

  • Cross-cut shredding or secure disposal service
  • Documented destruction for sensitive materials

Backup Data:

  • Removed from backup systems within 90 days of scheduled deletion
  • Encrypted backups remain encrypted until purged

8.3 Client-Requested Deletion

Clients may request early deletion of their data:

  • Requests processed within 30 days
  • Confirmation provided upon completion
  • Exceptions: Legal holds, regulatory requirements, or dispute-related data

9. International Data Transfers

9.1 Primary Data Location

We prioritize storing data within Canada:

  • Canadian data centers used when possible
  • Cloud services configured for Canadian regions

9.2 Cross-Border Transfers

When data may be transferred outside Canada:

  • Only to jurisdictions with adequate privacy protections
  • Under contractual protections (Standard Contractual Clauses)
  • With client knowledge and consent
  • Primarily: United States (for certain cloud services)

Important for PHI: Cross-border transfers of PHI are minimized and occur only when:

  • Necessary for service delivery
  • Authorized by the client
  • Subject to contractual safeguards
  • In compliance with PHIPA requirements

Clients are informed of data locations in service agreements.

10. Your Privacy Rights

10.1 Rights Under PIPEDA and PHIPA

Access: You have the right to request access to your personal information we hold.

Correction: You may request correction of inaccurate or incomplete information.

Withdrawal of Consent: Where processing is based on consent, you may withdraw consent (subject to legal or contractual restrictions).

Information About Use and Disclosure: You may request information about how your information has been used and disclosed.

File a Complaint: You may file a complaint with our Privacy Officer or with regulatory authorities.

10.2 How to Exercise Rights

For Business Contacts:

  • Email: hello@vivologix.com
  • Subject line: “Privacy Rights Request”
  • We will respond within 30 days

For Individuals Whose Data We Process on Behalf of Clients:

  • Contact the organization that originally collected your information (our client)
  • They will coordinate with us as necessary
  • If you contact us directly, we will refer you to the appropriate organization

10.3 Verification

To protect your privacy, we verify identity before fulfilling requests:

  • May require government-issued ID or other verification
  • May ask security questions
  • May contact you at registered contact information

10.4 Fees

Access requests are generally free. However, we may charge reasonable fees for:

  • Extensive requests requiring significant resources
  • Requests for copies of large volumes of information
  • Repeated requests for the same information

Fees will be disclosed before processing requests.

10.5 Limitations on Rights

Rights may be limited when:

  • Disclosure would reveal confidential commercial information
  • Information is subject to solicitor-client privilege
  • Disclosure would compromise security or investigations
  • Information cannot be separated from information about others
  • Required or permitted by law

We will explain any limitations and inform you of your right to complain to regulators.

11. Cookies and Website Technologies

11.1 What We Use

Essential Cookies:

  • Session management
  • Security features
  • Load balancing

Analytics Cookies:

  • Google Analytics (IP anonymization enabled)
  • Website performance monitoring
  • User behavior analysis

Functional Cookies:

  • Language preferences
  • Form auto-fill assistance

11.2 Your Choices

Browser Controls:

  • Configure browser to refuse cookies
  • Delete cookies already stored
  • Receive notifications when cookies are set

Opt-Out Tools:

Impact of Refusing Cookies:

  • Essential cookies: Website may not function properly
  • Analytics cookies: No impact on functionality

11.3 Do Not Track

Our website does not currently respond to Do Not Track signals, as there is no industry standard for how to respond.

12. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of external sites. We encourage you to review their privacy policies.

13. Children’s Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.

Note: When processing health data, age restrictions do not apply as we process data on behalf of healthcare organizations with appropriate legal authority.

14. Privacy Breach Notification

14.1 Our Obligations

If a privacy breach occurs involving a real risk of significant harm:

To Affected Individuals:

  • Notification as soon as feasible
  • Description of the breach
  • Steps being taken
  • Mitigation recommendations
  • Contact information for inquiries

To Regulators:

  • Notification to the Privacy Commissioner of Canada (if PIPEDA applies)
  • Notification to the Information and Privacy Commissioner of Ontario (if PHIPA applies)
  • Notification to other regulators as required

To Clients:

  • Immediate notification if client data affected
  • Details sufficient for client to meet their own notification obligations

14.2 What We Include

Breach notifications contain:

  • Date and nature of breach
  • Personal information involved
  • What we’re doing to mitigate
  • What you can do to protect yourself
  • Our contact information

14.3 Breach Prevention

We maintain:

  • Incident response plan (tested annually)
  • Breach investigation procedures
  • Root cause analysis processes
  • Corrective action tracking
  • Lessons learned documentation

15. Updates to This Policy

15.1 Change Notification

We may update this Privacy Policy periodically:

  • Material changes: 30 days’ advance notice via email and website
  • Non-material changes: Notification on website
  • Effective date updated at top of policy

15.2 Continued Use

Continued use of our services after changes take effect constitutes acceptance. If you do not agree, please discontinue use and contact us to discuss.

15.3 Client Notification

For service contracts, material privacy changes require:

  • Direct written notification to clients
  • Opportunity to review and discuss
  • Right to terminate if changes are unacceptable

16. Contact Us

16.1 Privacy Officer

Name: Dr. Urooj Fatima
Email: hello@vivologix.com
Address: Ontario, Canada

16.2 General Inquiries

For questions about this Privacy Policy or our privacy practices:

16.3 Privacy Complaints

If you believe we have not complied with privacy obligations:

Step 1: Contact our Privacy Officer (contact above)

  • We will acknowledge receipt within 5 business days
  • We will investigate and respond within 30 days

Step 2: If unsatisfied with our response, you may file complaints with:

Privacy Commissioner of Canada (PIPEDA):

Information and Privacy Commissioner of Ontario (PHIPA/FIPPA):

17. Definitions

Personal Information: Information about an identifiable individual, as defined by PIPEDA.

Personal Health Information: Identifying information about an individual relating to their health, as defined by PHIPA.

Health Information Custodian: Organizations with legal obligations to protect health information under PHIPA (typically our clients).

Agent: A person or entity that processes PHI on behalf of a health information custodian (our role in many projects).

De-identification: Removal of identifying information such that a reasonable person would not expect the information could identify an individual.

Anonymization: Irreversible de-identification such that re-identification is not possible.

Last Reviewed: October 31, 2025

Acknowledgment: By using our services or website, you acknowledge that you have read and understood this Privacy Policy.