Privacy Policy

1. Introduction

This Privacy Policy explains how CHeCS Canada (“we,” “our,” or “us”) collects, uses, discloses, and protects Personal Information in connection with the CHeCS website at https://checs.ca (the “Site”) and the CHeCS compliance management platform and related services (collectively, the “Service”). This Policy is intended for prospective customers, customers, Authorized Users of the Service, and other visitors to the Site.

We are a Canadian healthcare technology company providing compliance management software to Long-Term Care home operators in Ontario and other Canadian jurisdictions. The Service is designed to support our customers in meeting their legal and regulatory obligations under provincial and federal healthcare and privacy laws. Because we handle health information on behalf of regulated healthcare providers, we maintain a higher standard of privacy and security than is typical for general business software.

This Policy explains our practices in plain language. Section 3 (Glossary) defines key terms; the table in Section 18 lists the privacy laws that apply to our activities.

2. Scope of this Policy

This Policy applies to three categories of Personal Information:

Information about Site visitors. When you visit our Site (whether or not you become a customer or an Authorized User), we may collect limited Personal Information about you, including the technical and behavioural data described in Section 4.4. This information is collected and used under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Information about Authorized Users of the Service. Authorized Users are individuals our customers authorize to use the Service. This typically includes administrators, directors of care, compliance officers, nurses, personal support workers, and other staff. Information about Authorized Users (such as account credentials, role, organization, and Service usage) is processed by us in the course of providing the Service to our customers. This information is governed by PIPEDA.

Personal Health Information about residents and others. When our customers use the Service, they may upload, enter, or generate Personal Health Information about Long-Term Care residents, their substitute decision-makers, family members, and others (collectively, “PHI”). This PHI is owned and controlled by our customers, who are Health Information Custodians under provincial health privacy legislation. We process this PHI strictly on the instructions of our customers, in accordance with our written agreements with them, including the Data Processing Addendum that forms part of our contracts. This Policy does not establish independent rights or obligations between us and individuals whose PHI is processed in the Service; those rights are exercised through our customer (the Health Information Custodian) under the applicable provincial health privacy law.

We have written this Policy to cover all three categories, but we have organized each section to make clear which category applies.

3. Glossary

The following defined terms are used in this Policy.

• Authorized User: an individual whom a customer of CHeCS has authorized to access and use the Service on the customer’s behalf.
• Customer: a Long-Term Care home operator or other organization that has entered into a written agreement with CHeCS to use the Service.
• Health Information Custodian or HIC: a person or organization with custody or control of Personal Health Information under the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”) or analogous provincial legislation.
• Electronic Service Provider or ESP: a person or organization providing services to a Health Information Custodian that include the supply of electronic means to enable the HIC to collect, use, modify, disclose, retain, or dispose of Personal Health Information, as described in section 10(4) of PHIPA and section 6 of Ontario Regulation 329/04.
• Personal Information or PI: information about an identifiable individual, other than business contact information used solely for business communications, as defined by PIPEDA and provincial privacy legislation.
• Personal Health Information or PHI: identifying information about an individual that relates to their physical or mental health, the provision of health care to the individual, payments or eligibility for health care, the donation of body parts or substances, the individual’s health number, or the identification of their substitute decision-maker, as defined by PHIPA and analogous provincial legislation.
• Process, Processing, or Processed: any operation performed on Personal Information or Personal Health Information, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
• Sub-processor: a third party engaged by CHeCS to Process Personal Health Information in connection with providing the Service to customers.

4. Personal Information we collect

4.1 Information we collect from Site visitors

When you visit the Site, we may collect:

• Contact information you provide voluntarily through our demo request form, including your name, work email address, and the name of your organization.
• Information about how you interact with the Site (described in Section 4.4 and Section 6).

4.2 Information we collect from customers and Authorized Users

When a customer engages CHeCS and Authorized Users access the Service, we may collect:

• Customer contact information (organization name, billing contact, technical contact, legal contact, addresses, telephone numbers, email addresses).
• Authorized User identifiers (full name, work email address, role within the customer’s organization, organization unit or home assignment, professional licence number where collected by the customer for compliance purposes).
• Authentication identifiers (single sign-on identifiers issued by the customer’s identity provider; we do not collect or store passwords).
• Information generated by Authorized User activity in the Service (Service interactions, content created or uploaded, audit log entries described in Section 4.4).

4.3 Personal Health Information processed in the Service

Our customers, acting as Health Information Custodians, determine what PHI is collected, used, and disclosed through the Service. We process PHI on customer instructions under our written agreements with customers, including the Data Processing Addendum. We do not access PHI except as necessary to provide, support, and maintain the Service.

The categories of PHI that customers may upload, enter, or generate through the Service include:

• Identifying information about Long-Term Care residents (name, date of birth, health number, contact information, family member contact information, substitute decision-maker information).
• Records of resident incidents, investigations, complaints, and corrective actions.
• Information about staff training, attestations, and compliance activities, which may include identifying information about individual staff members.
• Records of inspections, audits, and regulatory submissions, which may contain PHI.

We do not own this PHI and have no independent legal basis to use it for any purpose other than providing the Service. Individuals whose PHI is processed in the Service exercise their PHIPA rights (including the right of access and correction) through the relevant Health Information Custodian (our customer), as described in Section 13.

4.4 Information collected automatically

When you visit the Site or use the Service, we and our service providers may automatically collect certain technical and behavioural information through cookies, server logs, and similar technologies. This includes:

• Device and network information (IP address, browser type and version, operating system, device identifiers, language preference, time zone).
• Site interaction information (pages visited, time spent, links clicked, referring URL).
• Service interaction information (the activity log described in our security documentation, which records authentication events, data access, write operations, and file operations, along with the actor, the resource affected, the request method and path, the duration of the request, the client IP address, and parsed geolocation and device metadata).
• Cookie identifiers and similar tracking identifiers.

We describe our use of cookies and similar technologies in Section 6 and in our Cookie Policy.

5. How we use Personal Information

We use Personal Information for the following purposes:

5.1 To provide and operate the Service

• To create and manage customer accounts and Authorized User accounts.
• To deliver the Service in accordance with our agreements with customers.
• To process PHI strictly on customer instructions, as described in Section 4.3 and in the Data Processing Addendum.
• To respond to customer support requests.
• To monitor Service availability, performance, and security.
• To maintain audit logs of access to and use of the Service.

5.2 To communicate with you

• To respond to demo requests, sales inquiries, support requests, and other communications.
• To send service-related communications (notices about updates, maintenance, security, billing, and changes to our agreements or policies).
• To send marketing communications about CHeCS and related services, where permitted by law and consistent with your communication preferences. We describe how to opt out of marketing communications in Section 12.

5.3 To improve our Service and our business

• To analyze how Authorized Users interact with the Service (using identifier hygiene measures described in Section 6) so that we can improve features and address usability issues.
• To analyze how visitors interact with the Site so that we can improve our messaging and content.
• To produce aggregated and de-identified statistics about Service use. We do not use identifiable PHI for product analytics or model training.

5.4 To comply with law and protect rights

• To comply with applicable laws, regulations, court orders, and lawful requests from regulators and law enforcement.
• To investigate and respond to suspected violations of our Acceptable Use Policy, suspected fraud, or threats to the security or integrity of the Service.
• To establish, exercise, or defend legal claims.
• To enforce our agreements with customers and Authorized Users.

6. Cookies and tracking technologies

We use cookies and similar technologies on the Site and within the Service. Cookies are small text files stored on your device when you visit a website. We use them for the following purposes:

• Strictly necessary cookies: required for core functionality, including authentication, session management, and security. These cookies cannot be disabled without breaking the Site or Service.
• Functional cookies: remember your preferences and personalize your experience.
• Analytics cookies: help us understand how visitors interact with the Site so that we can improve content and design.
• Marketing cookies: used to measure the effectiveness of our marketing communications and, in limited contexts, to deliver advertisements relevant to your interests.

Our Site implements consent management with default-denied storage for analytics, advertising, functional, and personalization cookies. Only strictly necessary security-related storage is enabled by default. Our tag management framework loads on every page, but the tags it controls do not store cookies, set identifiers, or transmit identifiable analytics or marketing data until you grant consent through our cookie banner. To change your cookie preferences after providing initial consent, you may use the “Cookie Settings” link in the Site footer to re-open the cookie banner, clear your browser’s site storage for the Site (which will also cause the banner to reappear on your next visit), or contact our Privacy Officer at the address in Section 16.

Within the Service, our application diagnostic logs and product analytics are configured to support our customers’ PHIPA obligations. Specifically, we do not enable session replay, we normalize URLs to remove identifying parameters, we hash user identifiers used in analytics, and we maintain an allowlist of event properties so that PHI is not transmitted to analytics services.

For more information about how we use cookies, please see our Cookie Policy.

7. Artificial intelligence and automated processing

The Service includes features that use artificial intelligence and large language model technology to assist Authorized Users with compliance documentation, summarization, and related tasks. We disclose the use of these features and the safeguards we apply as follows:

• The AI features in the Service are provided through a third-party large language model provider with operations in the United States. Inference requests are transmitted to that provider for processing and the model output is returned to the Service.
• Our engagement with that provider is subject to contractual restrictions that prohibit the use of our customer content (including any PHI processed via API) to train the provider’s foundation models.
• Our API configuration uses Zero Data Retention, meaning the provider does not retain prompts or model outputs beyond the duration necessary to process each inference request. No PHI transmitted via API is retained at rest on the provider’s systems.
• AI features are designed to assist Authorized Users with their work; outputs are presented as drafts for human review and are not a substitute for professional clinical, legal, or regulatory judgment, as described in our Acceptable Use Policy.
• The Service does not make automated decisions that produce legal or similarly significant effects on individuals without human review.

We describe our overall approach to automated processing in our agreements with customers, including the Automated Processing section of the Data Processing Addendum.

8. How we share Personal Information

We do not sell, rent, or trade your Personal Information. We share Personal Information only in the limited circumstances described in this Section.

8.1 Sub-processors that Process PHI

We engage Sub-processors to support specific aspects of the Service that involve Processing of PHI. These typically include cloud infrastructure for data storage and computation, and large language model providers for AI features. The current list of Sub-processors, including their categories of Processing and the jurisdictions in which they operate, is set out in our Data Processing Addendum, which forms part of our agreement with each customer.

We require all Sub-processors that Process PHI to be bound by contractual obligations that are no less protective than our obligations to our customers, including obligations relating to confidentiality, security, limits on use, and (where applicable) data retention. We provide customers with notice of new Sub-processors that Process PHI and an opportunity to object in accordance with our Data Processing Addendum.

8.2 Other service providers

We use additional service providers that do not Process PHI but that support our operations. These typically include providers of network security and content delivery, uptime monitoring of public endpoints, email delivery, customer relationship management, marketing tools, and payment processing. Where these providers may incidentally receive Personal Information about Site visitors or Authorized Users (for example, the IP address of a Site visitor), we require them to maintain appropriate contractual, technical, and organizational measures to protect that information.

8.3 Disclosures required or permitted by law

We may disclose Personal Information when we believe in good faith that disclosure is required or permitted by law, including:

• In response to a valid court order, subpoena, search warrant, or other legal process.
• To comply with regulatory obligations or requests from regulators with jurisdiction over us or our customers.
• To establish or defend our legal rights, or to respond to claims against us.
• To protect the safety, rights, or property of our customers, Authorized Users, the public, or our personnel.
• To respond to an emergency that we believe in good faith requires us to disclose information to prevent harm.

Where a government request relates to PHI processed in the Service on behalf of a customer, we will, to the extent permitted by law, notify the customer and give the customer a reasonable opportunity to seek a protective order or other appropriate remedy. We do not voluntarily disclose customer content to government authorities. The full terms of our commitments in this area are set out in our Data Processing Addendum.

8.4 Business reorganizations

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, Personal Information may be transferred to the surviving or acquiring entity. We will provide notice to customers and to affected individuals where required by law, and the recipient will be bound to honour the commitments of this Policy with respect to information transferred.

8.5 With your consent

We may share Personal Information for other purposes with your consent or at your direction.

9. Cross-border data transfers

We store Personal Information at rest within Canada. PHI and other Client Data is stored in Canadian data centres maintained by our cloud infrastructure provider, with geographically paired replication within Canada. We do not store PHI at rest outside of Canada.

Certain Processing of Personal Information may involve transfer to the United States or other jurisdictions, as follows:

• AI features: as described in Section 7, inference requests for AI features are transmitted to a large language model provider in the United States. Under our Zero Data Retention configuration, prompts and model outputs are not retained at rest by that provider.
• Site analytics and marketing tools: where you provide consent through our cookie banner, certain Site analytics and marketing tools may process Site visitor information from servers located in the United States or other jurisdictions.
• Corporate operations: certain corporate functions (for example, email or customer relationship management) may involve service providers with operations outside Canada.

When Personal Information is transferred outside Canada, we ensure appropriate contractual safeguards are in place, including data processing terms aligned with PIPEDA and applicable provincial laws. We recognize that Personal Information transferred outside Canada may be accessible to the courts, law enforcement, and national security authorities of the receiving jurisdiction. We address this risk through contractual commitments, technical safeguards (including encryption in transit, encryption at rest where applicable, and the Zero Data Retention configuration for AI features described in Section 7), and operational practices including challenging overly broad government requests where we reasonably believe we have grounds to do so.

10. Security

We maintain technical and organizational measures designed to protect Personal Information against loss, unauthorized access, disclosure, alteration, and destruction. These measures include encryption in transit and at rest, role-based access controls, multi-factor authentication for personnel and supported for Authorized Users, multi-tenant isolation enforced at both application and database layers, network protections including a web application firewall, vulnerability management and security testing, audit logging, and incident response procedures.

A more detailed description of our technical and organizational security measures is available to customers and prospective customers on reasonable written request, in accordance with our agreements with customers and the Data Processing Addendum.

No method of transmission over the Internet or method of electronic storage is fully secure. While we strive to use commercially reasonable means to protect Personal Information, we cannot guarantee absolute security.

11. Retention

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements.

The following retention periods apply:

• Site visitor information (form submissions and Site analytics): retained for up to twenty-four (24) months from the date of collection, except where you have requested earlier deletion or where we are required to retain the information for legal or regulatory purposes.
• Customer and Authorized User account information: retained for the duration of the customer’s agreement with us, and for up to seven (7) years thereafter for legal, regulatory, and dispute-resolution purposes.
• Activity log records: retained for a default period of seven (7) years following the date of the recorded event, subject to customer-specific retention configuration.
• Personal Health Information: returned or destroyed in accordance with the Data Processing Addendum, typically within thirty (30) days following termination of the customer’s agreement, subject to limited retention exceptions described in the Data Processing Addendum.
• Marketing contacts: retained until you opt out of marketing communications or request deletion, subject to retention of unsubscribe records for compliance with anti-spam law.

Where it is not practicable to delete Personal Information at the end of its retention period (for example, because the information is contained in backups that are overwritten on a rolling basis), we will continue to apply the protections described in this Policy and our Data Processing Addendum until the information is destroyed in the ordinary course.

12. Marketing communications and your choices

We may send you marketing communications about our products and services with your express or implied consent, as permitted by Canada’s Anti-Spam Legislation and PIPEDA. Our marketing communications will identify CHeCS as the sender, provide a valid return address, and include an unsubscribe mechanism. You may unsubscribe from marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email we send you.
• Contacting our Privacy Officer at the address in Section 16.

Unsubscribing from marketing communications does not affect our ability to send you transactional or service-related communications relating to your use of the Service.

13. Your privacy rights

Depending on your relationship with us and the applicable law, you may have the following rights with respect to your Personal Information:

13.1 Rights of Site visitors and Authorized Users

Under PIPEDA, individuals have the following rights with respect to Personal Information we hold about them:

• Access: the right to request access to your Personal Information and to be informed about how we use and disclose it.
• Correction: the right to request correction of inaccurate or incomplete Personal Information.
• Withdrawal of consent: the right to withdraw consent for collection, use, or disclosure of Personal Information based on consent, subject to legal and contractual restrictions.
• Complaint: the right to lodge a complaint with the Office of the Privacy Commissioner of Canada, as described in Section 15.

13.2 Rights of individuals whose PHI is processed in the Service

Individuals whose PHI is processed in the Service (including Long-Term Care residents, substitute decision-makers, and family members) have rights under PHIPA and analogous provincial legislation, including the right of access (PHIPA section 52) and the right of correction (PHIPA section 55). These rights are exercised through the relevant Health Information Custodian (the Long-Term Care home operator), who is responsible for responding to access and correction requests under PHIPA.

If you are an individual whose PHI is processed in the Service and you contact us directly with a request for access or correction, we will refer you to the relevant Health Information Custodian. We will support the Health Information Custodian in responding to your request in accordance with our agreements with our customers.

13.3 How to exercise your rights

To exercise your rights as a Site visitor or Authorized User, please contact our Privacy Officer at the address in Section 16. We will respond to your request within thirty (30) days, or such other period as required by applicable law. We may request information to verify your identity before responding to your request. We may decline to act on requests that are unreasonable, repetitive, manifestly unfounded, or that we are legally entitled to refuse.

Where we cannot act on your request in full (for example, because of legal retention obligations), we will explain our reasons and inform you of your right to complain to a privacy regulator.

14. Children’s privacy

The Site and the Service are intended for use by adults. We do not knowingly collect Personal Information directly from children under the age of eighteen (18) through the Site. The Service is designed for use by professional Authorized Users in healthcare settings; we do not provide consumer-facing functionality to children.

PHI processed in the Service on customer instructions may, in limited circumstances, include information about Long-Term Care residents who are minors. Such PHI is processed under the same safeguards as all other PHI, in accordance with the Health Information Custodian’s instructions and applicable health privacy law.

15. Complaints to a privacy regulator

If you have a concern about how we have handled your Personal Information, we encourage you to contact our Privacy Officer first (Section 16) so that we can investigate and resolve your concern.

You also have the right to lodge a complaint with the relevant privacy regulator:

• Office of the Privacy Commissioner of Canada (federal regulator under PIPEDA): https://www.priv.gc.ca (opens in new window)
• Information and Privacy Commissioner of Ontario (provincial regulator under PHIPA and other Ontario legislation): https://www.ipc.on.ca (opens in new window)
• Similar provincial privacy regulators in other Canadian jurisdictions.

We will cooperate fully with privacy regulators in connection with any inquiry, investigation, or complaint.

16. Privacy Officer and contact information

We have designated a Privacy Officer with responsibility for our compliance with this Policy and applicable privacy law. To contact our Privacy Officer, to exercise your rights under this Policy, or to ask any question about our privacy practices, please contact us:

• Privacy Officer: legal@checs.ca
• Security incidents and vulnerability reports: security@checs.ca
• General inquiries: hello@checs.ca
• Mailing address:
  CHeCS Canada
  Attention: Privacy Officer
  33 Main Street West, Unit 17
  Grimsby, Ontario L3M 1R6
  Canada

17. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, our Service, our service providers, or applicable law. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice to customers and Authorized Users through the Service or by email. We encourage you to review this Policy periodically.

For customers, additional commitments regarding notice of changes to our privacy and security practices are set out in our agreements, including the Data Processing Addendum.

18. Applicable privacy laws

The following laws govern the Personal Information and Personal Health Information we Process, depending on the jurisdiction of the customer, Authorized User, or other individual:

This list is not exhaustive and may not capture all laws that apply to a particular Processing activity. Where a more protective law applies, we comply with that law.

19. Related documents

• Acceptable Use Policy
• Terms of Service
• Cookie Policy
• CHeCS Status Page (opens in new window)
• Software as a Service Agreement and Data Processing Addendum: available to customers from their account administrator or by contacting us.