Privacy policy

Last update: September 2024

Purpose and scope

ELNA Medical Group Inc. ("ELNA", "the company" or "we") is committed to the highest standards of privacy and protection of the personal data and information entrusted to us. We recognise our role as a trusted manager in the collection and management of sensitive information. We value your right to full transparency about how we handle data and are committed to integrating privacy protection into all aspects of our services and systems.

In this policy, we explain how we collect, use, disclose and protect information, ensuring that you are fully aware of your rights and of the steps we take to ensure the confidentiality and security of your information. The principles set out in this policy apply throughout your relationship with us.

Whether you are accessing this website, using the ELNA mobile application, submitting personal information of any kind to us, discussing your care and treatment with our medical team or engaging with services provided by ELNA, you can be assured that your personal information is treated with the appropriate protection afforded by Canadian law, provincial legislation and this policy. This policy informs visitors and regular users of elnamedical.com (the "Website").

ELNA further ensures that all of its business partners, third party affiliates and subsidiaries are aware of their obligation to act in accordance with this policy, their own similar policies or other relevant ELNA policies. ELNA encourages the review of all ELNA affiliates' and subsidiaries' privacy policies and procedures, as well as website, mobile or cloud service standards.

By accessing, using or submitting your personal information or personal health information to us through our services, you indicate that you understand, accept and consent to the privacy practices described in this policy.

Applicable legislation

This policy is developed in accordance with the amendments made by the Government of Quebec's Bill 25 to the Act respecting the protection of personal information in the private sector and to the Act respecting the exchange of certain health-related information, and in anticipation of the requirements of Bill 3, An Act respecting information relating to health services and social services. However, the language and reporting process have been drafted with ELNA's national privacy obligations in mind. The legislative authority for this policy may extend to the Government of Canada's Personal Information Protection and Electronic Documents Act (2000), the Government of Ontario's Personal Health Information Protection Act (2004) and the Government of Alberta's Health Information Act (2000).

Definitions

Personal information

Personal information is any information that relates to a natural person and enables that person to be identified. All personal information is considered confidential and must be treated in accordance with current legislation.

Personal health information

Personal health information is a form of personal information and includes all information relating to registration, diagnosis, treatment, health services and care, obtained in any form whatsoever (oral or recorded) and enabling a person to be identified directly or indirectly, whether living or deceased. Personal health information is highly confidential information and may include, but is not limited to, the following:

  • Any information relating to the individual's physical or mental health, including the family's medical history.
  • Any personal information contained in a file containing health information is considered to be personal health information.
  • Records, in any form, relating to any aspect of a health services programme for the individual.
  • Any material, biological or otherwise, taken from the individual.
  • Individual identifiers, including health card number, payment coverage or substitute decision-makers.

Information life cycle

The information life cycle ("life cycle") refers to any aspect of the collection, use, storage, retention, transfer, disclosure, accuracy, correction, disposal or destruction of personal information and personal health information.

Aggregated / de-identified / anonymised information

"Aggregate" information is information that has been grouped with a collection of other information large enough to make it virtually impossible to identify you. Aggregated data is commonly referred to as statistical data.

Information is "de-identified" if it can no longer be used to directly identify the person concerned.

Information is "anonymised" if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the individual to be identified directly or indirectly. In the case of de-identified/anonymised data, best practice must be followed and reasonable steps must be taken to avoid re-identification. While ELNA respects and complies with the definition of these terms in each relevant jurisdiction, for the purposes of this policy, the Quebec definitions are used.

Profiling

"Profiling" is the use of technology to identify, locate or profile an individual. It means the collection and use of personal data to evaluate certain characteristics of an individual, in particular with a view to analysing his or her professional performance, economic situation, health, personal preferences, interests or behaviour.

Collection and consent

ELNA may only collect, use or disclose your personal data and your personal health data with your consent. ELNA must ensure that the consent you give is clear, free and informed, and that it is given for specific purposes. Specific purposes are those that are necessary for ELNA to fulfil its mission, carry out its activities, provide you with services or create new programmes. Your consent must be requested for each specific purpose and presented in clear and simple language. Consent is valid only for the time necessary to achieve the purposes for which it was requested.

Your consent may be obtained, subject to legislative requirements, either implicitly or explicitly. There are exceptions where consent is not required. ELNA will be transparent and explain to you why such an exception may be invoked. You may withdraw your consent at any time, subject to legal and contractual restrictions and reasonable notice.

This policy applies to information that we collect, use or disclose about our customers, visitors and website users as follows:

  • on the website, including when you interact with us via registration or booking forms, and newsletter subscription forms;
  • through virtual care services such as those listed under the "Services" tab on the website;
  • on the patient portal;
  • in e-mails, texts and other electronic messages exchanged between you and ELNA;
  • where you choose to participate in website-related activities, such as discussion forums, surveys, subscription to our newsletter and marketing or promotional materials, you understand that you are not obliged to provide us with any personal information; however, this may limit your ability to use certain features or to request certain services or information from us; and
  • when you interact with our advertisements and applications on third-party websites and services, if these applications or advertisements include links to this policy.

For greater certainty, this policy does not apply in the following circumstances:

  • When you use our virtual care services and provide personal information, including personal health information, we will ask for your explicit consent to collect, use and disclose this information for the purpose of providing you access to these services.
  • Your use of our virtual care services is subject to the terms of use and privacy policy of the platform or website to which you may be redirected. We encourage you to carefully read the terms of use and privacy policy of each platform before using or registering with it; and
  • When you register for a patient account under the "Patient Portal" tab on our website, you will be directed to our trusted electronic health record providers whose privacy policies have been reviewed by ELNA to ensure that the provider's policies you are accepting are substantially similar to, but not subject to, this Privacy Policy or other ELNA policies.
  • When you click on an icon or link on our website, such as " ", you are redirected to external sites. External sites that are not represented as our "website" as defined in this policy are responsible for their own privacy policies. When you are redirected from our website, this privacy policy does not apply.

Information we collect about you

When you use our services or website, we may collect personal information about you directly from you, including, but not limited to, in connection with surveys, research requests or fill-in forms you submit on the website, or when you communicate with us by any means.

The following personal information may be collected about you:

  • Identifiers, such as name, initials and date of birth;
  • Contact details, such as your e-mail address, telephone number or home address;
  • Demographic information, including your gender and age;
  • Payment information, such as bank account numbers, credit cards, etc.;
  • Your areas of interest in our activities;
  • Information available to the public, including personal information contained in a publication such as a magazine or newspaper, where such collection is permitted by law;
  • Personal health information, as defined in this policy, such as your medical records, personal and family medical history, health card information, payment information, health insurance information, records relating to your visits to the company and the care you have received; and
  • Information on the application, if you decide to apply for a position within the company, including the information contained in your curriculum vitae and covering letter as well as any information you decide to share with us as part of the application procedure.

In addition, we automatically obtain certain information about you when you register to use our Wi-Fi or use our website, through automated technologies, including cookies or other tracking technologies deployed by our third party advertisers. This information includes:

  • technical information such as connection information, the hardware and software you use to interact with our website, device identifiers, language, mobile network information, the settings you use on our website, your network location, your IP address and your location; and
  • information on the use of the website, such as the searches carried out on the website, the services you choose, the links consulted, the reference page, the pages visited and the time spent on each page.

When ELNA collects your personal data, you will be informed of the following:

  • the purposes, means and right of access or rectification of the information collected; and
  • your rights regarding the withdrawal of your personal information.

You also have the right to request:

  • the personal information we have collected about you; and
  • the categories of people who have access to your personal data.

The information we automatically collect is used to help us improve our website and provide better and more personalized services throughout the ELNA ecosystem. Our technology products are subject to ELNA's privacy policy and we ensure that the default settings for these products offer the highest level of privacy.

Information collected in the province of Quebec may be held, disclosed or used outside the province of Quebec. The collection of information in Quebec that is subsequently held, disclosed or used outside of Quebec by ELNA, our business partners, third party affiliates and subsidiaries is subject to mandatory Privacy Impact Assessments (PIAs).

Each PIA will assess whether the information will receive "adequate protection" compared to the protection it would receive if the data were held in Quebec. If, following this assessment, ELNA is not satisfied that the standard of adequate protection is met, it must and will refuse to disclose the information.

How we use your information

We may use your personal information for the following purposes:

  • Communication. We use your ID and contact information to communicate with you, including to notify you of upcoming appointments, provide you with information you request, notify you of changes to our website or services, or keep you informed of company activities. We also use aggregated demographic information to help us communicate more effectively;
  • Payment processing. We use your payment information to process payment for your treatment and virtual care;
  • Availability of the website. We use technical information to present the website and its content to you, including interactive functions, questionnaires, social media or similar website functions;
  • Providing care and services. We use your personal information to provide virtual care and administrative services;
  • Improve our website. We may use information relating to your use of the website to improve our website or our services;
  • Improve our services. We may use your identifiers, demographic information and interests to improve our marketing or customer relationships and experiences;
  • Analysis. We may use your personal information for internal analysis to help execute ELNA's strategic vision of creating an integrated care ecosystem for our customers.
  • Research objectives. We may use your personal information to generate de-identified, aggregated or anonymised data. The de-identification/anonymisation process will be carried out in accordance with recognised industry best practice to minimise any risk of re-identification. We may then use and disclose this de-identified or anonymised data for research purposes, for activities to improve the quality of care or to evaluate our services, to the extent permitted by applicable law and in compliance with applicable privacy laws. We may also seek your interest and consent to participate in research projects and activities;
  • Strategic use of data. We may use your personal information to generate aggregated, de-identified or anonymous data. The de-identification or anonymisation process will be carried out in accordance with recognised industry best practice in order to eliminate the risk of re-identification. We may then use, internally or with third parties, this transformed data to support the expansion and improvement of telehealth or digital health initiatives, to refine the services ELNA provides to you, or to contribute to the development and expansion of the ethical, responsible and evidence-based application of artificial intelligence technologies in healthcare.
  • When authorised or required by law. We may use your personal information to comply with legal requirements, to exercise and enforce our rights or for other purposes authorised or required by law.

ELNA will inform you of any use of your personal data that results in a decision concerning your care or services based solely on automated data processing. You have the right to comment on the automated processing decision.

Sharing your information

Your personal information or personal health information may be disclosed to doctors, healthcare professionals and staff directly involved in your healthcare with your consent. In addition, the company may disclose your personal information in the following circumstances:

  • to providers of payment collection services, where this is necessary to establish and collect payments;
  • to detect, prevent or deal with fraud, security or technical problems;
  • to facilitate a merger, acquisition, reorganisation or sale of all or part of the company's assets;
  • when you have expressly consented to disclosure;
  • when your personal information or personal health information is completely transformed into anonymous data or is no longer considered personal information; or
  • if the law requires or authorises it to do so without your consent.

We may also use certain third party service providers or agents to provide services to us, including information technology services. To the extent that these service providers have access to your personal information, we require them to protect your personal information with a level of security similar to that offered by us.

Quebec Residents: Before sharing your personal information outside of Quebec, ELNA is required to conduct a privacy impact assessment to ensure that your information will be adequately protected in the province or state in which the information will be shared.

All ELNA customers may contact our Privacy Officer at the contact information below to obtain written information about our policies and practices regarding service providers and affiliates outside of Canada, or to ask questions about the use, disclosure or storage of personal information by such service providers and affiliates outside of Canada.

Securing your personal data

ELNA has an ethical and legal responsibility to ensure the proper handling, protection, use, retention, disposal and safeguarding of all personal information and personal health information in its custody. ELNA's Privacy Governance Program establishes a framework of accountability encompassing the entire life cycle of data collected by the company.

We have also put in place appropriate physical, technical, organisational and administrative safeguards to protect the personal information we collect from or about our users, such as controlled access to premises and workstation security. In addition, our patient information system uses passwords and firewalls to prevent inappropriate access, our patient portal accounts are password protected and sensitive information is secured, wherever possible or practical, by encryption technologies. ELNA monitors, records, notifies the appropriate authorities and makes every effort to rectify any suspected or discovered compromise of information. We conduct privacy impact assessments, where required by law, for new projects and partnerships.

You understand that no method of communicating personal information, whether personal or technological, can be guaranteed to be 100% secure. ELNA's information system safeguards are, however, structured with privacy as a central principle to ensure that we have taken all appropriate and reasonable steps to protect your personal information.

If you have any questions about security or if you have any reason to believe that your interaction with us is no longer secure, we encourage you to notify us immediately using the contact details below.

Retention

We will retain your personal information to fulfil our contractual and care obligations to you, while any account you activate on or through the Website is operational, and for as long as is necessary to comply with our legal and ethical obligations, resolve disputes and enforce our agreements. We retain personal health information for at least the minimum retention period required by provincial medical regulatory bodies. Once the purposes for collecting your personal information have been met, it is securely destroyed, permanently anonymized or de-identified as required or permitted by applicable privacy laws.

Exercising your data protection rights

Access and rectification rights

You have the right to know what personal information we hold about you, the right to have this information provided to you in a structured and intelligible format, the right to challenge the accuracy of the information held about you and the right to have inaccuracies rectified.

Please contact us using the details below (see "Contact us") to request access to your personal information or to change your preferences.

We will request documentation to confirm your identity before granting access to personal information, and we may not grant access in all circumstances (for example, where granting access would risk revealing another party's personal information and the file is not divisible). If the personal information is of a sensitive medical nature, we may grant access through a medical practitioner. If you have made a request and are not satisfied with our decision, you may make a formal complaint to the Privacy Commissioner in your country, who may be able to review our decision.

Withdrawal of consent

Where you have given us consent to process your personal information, you may have the legal right to withdraw your consent, subject to reasonable notice and certain restrictions. Certain personal health information cannot be withdrawn as it is essential to the provision of healthcare services.

If you wish to withdraw your consent, please contact us using the contact details below. Please note that if you withdraw your consent, we may not be able to provide you with a particular product or service. We will explain the impact of this decision at the time to help you make your decision.

Do Not Track

Some web browsers have a "Do Not Track" function. This function allows you to indicate to the websites you visit that you do not wish your online activity to be tracked over time and from one website to another. These functions are not yet uniform in all browsers. The website is not currently configured to respond to these signals.

Other rights

Depending on your jurisdiction, you may also have other rights, which you can exercise by contacting us using the relevant contact details below. These rights may include:

  • the right to complain to us;
  • the right to lodge a complaint with a privacy commissioner;
  • the right to request the deletion of your personal information;
  • the right to refuse marketing communications; and
  • the right to request a portable copy of your personal information.

Links to other websites

The Website may include links to third party websites or resources, or third party information referencing or linking to third party websites or resources. Clicking on these links or activating these connections may allow the third party to collect or share information about you. If you follow a link to a third party website or activate a third party plugin, please note that these third parties have their own privacy policies and that the company accepts no responsibility for these policies. We do not control these third-party websites and encourage you to read the privacy policy of each website you visit.

Changes to this privacy protection policy

We reserve the right to change this Policy from time to time at our sole discretion. If we do so, we will also revise the "last updated" date at the top of this policy. We encourage you to periodically review this policy to ensure that you are aware of our data protection practices.

Contact us

If you have any questions or concerns about this policy, our information handling practices or any other aspect of the privacy and security of your personal information, or if you wish to make a complaint about the protection of your personal information, please contact us at the following address:

ATTN: Privacy Officer
ELNA Medical Group Inc.
5990 Ch. de la Côte-des-Neiges
Montréal, QC
H3S 1Z6
PrivacyOfficer@elnamedical.com

For more information about your privacy rights, you can also contact the following privacy commissioners, depending on your jurisdiction. Their contact details are available on their respective websites.