Doctors On Site Inc. Privacy Policy

Introduction

The mission of Doctors On Site (“DOS”, “we”, “us”) is to provide exceptional health care to people living in our community. As a multi-disciplinary team we are dedicated to providing quality patient care and improving the health of our community. As part of our values, we are committed to respecting each person’s right to privacy and protecting the security and confidentiality of the health information we hold about you. In Ontario, there is legislation that protects Personal Health Information (PHI) (a definition of PHI is found within the legislation at https://www.ontario.ca/laws/statute/04p03#BK1).

The doctors and DOS are health information custodians under the Personal Health Information Protection Act, 2004 (PHIPA) in relation to PHI held under their custody or control. (A definition of health information custodian is found within the legislation: https://www.ontario.ca/laws/statute/04p03#BK1.)

This would include PHI collected and stored in any form of media, where that media is owned by the physician/family health organization/network or hospital (e.g., electronic medical records, film, digital systems, and paper charts).

For the purpose of privacy obligations related to PHI held in the custody or control of the physicians, DOS and our staff are agents of these physicians. (A definition of “agent” is found within the legislation: https://www.ontario.ca/laws/statute/04p03#BK1.)

Doctors On Site Inc. offers two kinds of services: Healthcare Services and optional Wellness Services. When you register with DOS as a User, you become eligible to use our Healthcare Services. You also become eligible to sign up separately for one or more of our Wellness Services, should you wish to.

Please read this Privacy Policy carefully. It describes how DOS will collect, use, store, disclose and protect your information and PHI in relation to our Healthcare Services and our Wellness Services.

Definition

The following provides the meaning of certain terms used in this Policy. If not defined below, the capitalized words and phrases in this Policy have the same meaning as in DOS’s Terms of Use. 

“DOS Platform” means, collectively, the hardware, software, applications, websites, Content, products and services owned, licensed and/or operated by us to enable the provision of remote Healthcare Services to Users, among other purposes.

“Information” means, collectively, “Personal Information” (information about an identifiable User as further defined in Applicable Law) and “Personal Health Information” or “PHI” (information about an identifiable User’s health or healthcare as further defined in Applicable Law).

A “User” is an individual registered to use the DOS Platform, including, unless otherwise specified, as part of a customized program provided by a third party.

Health professionals (“Authorized Providers”) are, collectively, “Authorized Physicians” (physicians registered to practice medicine in a province or territory of Canada) and “Authorized Non-Physician Providers” (regulated health professionals other than physicians registered to practice in a province or territory of Canada) who are registered to use the DOS Platform to provide “Healthcare Services” within their scope of practice to Users. An Authorized Provider provides Healthcare Services through a “Consultation,” which includes a review by the Authorized Provider to determine if the Healthcare Services requested by the Users are ones that can be provided on the DOS Platform.

“Applicable Law,” in relation to DOS, Authorized Providers, or Users, means the laws and regulations, including privacy laws and regulations, to which each is subject.

“Content” means general information about health-related topics posted on the DOS Platform, access to which is not the delivery of Healthcare Services and does not replace and cannot be relied upon as Healthcare Services.

Your agreement with DOS

If you are an Authorized Provider, your arrangement with DOS – your rights and obligations and those of DOS – is set out in the agreement between you and DOS.

If you are a User, the arrangement between you and DOS – your rights and obligations and those of DOS – is set out in the Terms of Use and, where applicable, supplementary Terms.

Application of this policy

This Policy describes DOS’s management of Information, including the purposes for which we collect, use and disclose Information and the safeguards we use to protect Information.

The DOS platform and how we collect and use information

The following is an overview of how the DOS Platform generally functions and how DOS collects and uses Information. The details of how the DOS Platform functions may vary by Consultation and Authorized Provider. 

Healthcare Services 

Authorized Providers collect Information about you (or any Registered Dependent, as defined below) that you provide before or during a Consultation. They may collect this Information in different ways, including through discussions with you during the Consultation, via text messages with you before the Consultation, or when you enter or upload Information to the DOS Platform before the Consultation. Authorized Providers also have access to other Information about you through the DOS Platform. This includes Information that you provide in your consultation request; Information you’ve entered or uploaded to profiles and medical records; Information created during your earlier interactions through the DOS Platform with other Authorized Providers; the name, email address, phone number, gender identity, date of birth and province/territory that you provided when you registered with DOS; and your emergency contact’s name and contact information (if you have chosen to add an emergency contact to your account). Authorized Providers use this Information to provide you with Healthcare Services. As noted above, they must comply with the privacy legislation and medical record-keeping obligations to which they are subject. Authorized Providers may create Information in the DOS Platform, such as prescriptions, sick notes and notes about your Consultation. They may export or print copies of your Information. 

Authorized Providers may, but are not required to, email or text your emergency contact if they believe that you are presenting with a healthcare emergency. You are responsible for advising your emergency contact that you are providing their name and contact information to DOS and Authorized Providers, and for obtaining any necessary consent from your emergency contact for the provision and use of that information in connection with the DOS Platform.

Wellness Services 

You have the option to sign up to receive Wellness Services from DOS. If you sign up to receive one or more of our Wellness Services, you will be invited to provide Information about yourself (or any Registered Dependent) as part of your DOS Health Profile. This may include, for example, Information about your health and wellness interests, your demographic data, and your health history. DOS will collect this Information and use it to provide you with any Wellness Services for which you sign up. The data created through your use of our Wellness Services is used to further enhance and tailor your experience by suggesting similar Wellness Services to you that you may be interested in. For example, if a User chooses to receive a Wellness Service related to dermatology, we may recommend other dermatology-related Wellness Services to them.

Other Services 

DOS provides services that support the provision of Healthcare Services. These services may include receiving, reviewing, and scanning or otherwise uploading laboratory test results to the DOS Platform; faxing prescriptions to pharmacies; obtaining referrals for consultations with specialists; and collecting Information required for scheduled appointments (such as health card numbers or information from referral letters). DOS provides some of these services to Authorized Providers (for example, the receipt and preliminary review of laboratory results) and some to Users (for example, faxing prescriptions and arranging referral to specialists). These services require the use of Information.

DOS may also provide services through the DOS Platform that are healthcare-related but not Healthcare Services (such as navigational services to assist you to access Healthcare Services on the DOS Platform). Unless otherwise advised, DOS Personnel will deliver these services. DOS Personnel receive privacy and security training and commit to complying with DOS’s obligations in connection with Information, as described below in the section on Safeguarding Information.

Other Collections and Uses of Information 

DOS uses Information to the extent necessary to develop, evaluate, improve, provide, and support the DOS Platform and its various services. We may also use Information for loss prevention, to prevent fraud, and to comply with legal requirements. We do not collect or use Information if non-identifying information will suffice. 

Third party service providers

DOS uses third-party software and service providers for a variety of services, such as technical, operational, and marketing services. We require our third party service providers to limit their use of Information to what is necessary for their services. We also require them to have security measures in place that are appropriate for the protection of Information.

DOS disclosure of Information

Emergency contacts. We may disclose Information to emergency contacts as described above.

Third parties, on consent. We may disclose Information to third parties with User consent. For instance, we may disclose Information to the extent needed to an insurer or other Third Party Payer for the purpose of facilitating payments and benefits plans.

Compliance, Fraud Prevention. We disclose Information to the extent required to comply with Applicable Law, including to respond to a subpoena, order, or similar obligation to produce information; and to establish or exercise DOS’s legal rights, including to defend against legal claims and to detect, investigate, suppress, prevent or take action regarding illegal or prohibited activities, such as suspected fraud and threats to the reputation or safety of any person.

Business transactions. We may disclose Information for the purposes of conducting required due diligence or the completion of a business transaction such as a merger, acquisition or asset sale. We will comply with any applicable legal requirements, including agreements and notice requirements that apply to the disclosure of Information for such transactions.

DOS retention/deletion of information

Unless we notify you otherwise, we will retain your Information on the DOS Platform until you (or DOS) close your Account. On termination, for a limited time, you will be able to print or copy your Information held in the DOS Platform, except for any private notes of Authorized Providers.

Retention/deletion of information

After the time period during which you may print or copy your Information has ended, we will securely delete the Information associated with your Account, except for any Information that DOS is required to retain under Applicable Law or Information required by an Authorized Provider in connection with Healthcare Services. DOS will delete the latter once the Authorized Provider makes a copy of the Information or terminates their account with DOS. When Information is deleted, it is removed from our active database. Any Information that remains in our backup is securely stored and isolated from any further processing until deletion is possible.

Accessing and correcting information

You can access your Information or that of your Registered Dependents by logging in to your Account at <INSET TELUS URL>

You may update or otherwise correct your Information at any time, except Information that an Authorized Provider has viewed or created. Any request to update or correct Information that an Authorized Provider has viewed or created should be made directly to us at support [@] doctorsonsite.ca.

Privacy Settings

The DOS Platform enables you to make choices to enhance the protection of your privacy. For example:

  • You may enable two-factor authentication on your Account to help prevent unauthorized access. If you enable two-factor authentication, then to log into your Account, in addition to entering your password, you will have to enter a code that we send separately to your mobile number. This added security means that a third party would need both your login information and your mobile phone to access your Account.
  • You have the option of using audio, chat, or video for your Consultations.
  • When requesting a Consultation, you may choose to withhold Information, for example Information contained in your healthcare records, from the Authorized Provider. Please be aware that Authorized Providers may be unable to provide you with Healthcare Services as a result. They will advise you of the implications of your choice.
  • You may choose whether to receive communications from DOS by email or SMS.
  • You can check your login history when you access the DOS Platform.

Please contact us directly at support [@] doctorsonsite.ca if you require assistance with these options or more generally have questions about how to use the DOS Platform. To protect your privacy, we may request information to verify your identity when you contact us.

Safeguarding Information

We permit DOS personnel (“Personnel,” which includes our employees, contractors and subcontractors) to access Information only to the extent necessary to perform their designated functions. We require Personnel to complete privacy and security training and to commit to protecting Information by complying with our policies, procedures and Applicable Law.

We store your information in electronic format within Canada, using computer systems that have restricted access and are housed in facilities using physical security measures.

More generally, we have in place appropriate physical, technological, and organizational safeguards, including access controls, to protect Information against loss, theft, and unauthorized access, use and disclosure. Notwithstanding the safeguards we employ and our commitment to protecting Information, we cannot guarantee the security or error-free transmission or storage of Information. There are risks inherent in the use of electronic means to transmit and hold information in electronic format. These risks can be minimized but not eliminated by the use of appropriate security measures, such as the measures DOS employs. These risks include interception, loss, corruption, unauthorized access to, use and disclosure of Information, and delay in the availability of Information.

You play an important role in protecting the privacy of your Information. We ask you to do the following:

  • Create a strong and unique password for your Account using DOS’s password strength estimator and update your password periodically.
  • Do not share your Account or password with anyone. We will never ask you for your password, including in any unsolicited communication such as letters, phone calls or email messages, so please do not provide it and contact us if you receive such a request.
  • Log out of your Account as soon as you finish using it, especially if you share the device you use to access the DOS Platform with anyone else.
  • Password-protect your device with a strong and unique password.
  • Choose a quiet, private location from which to receive Healthcare Services.

DOS Collection and use of non-identifiable data

DOS obtains the authorization of Authorized Providers to collect and use non-identifiable data about their use of the DOS Platform (“Data”). This may include, for example, non-identifiable information about the number of consults carried out by Authorized Providers on the DOS Platform or the symptoms most commonly treated by Authorized Providers using the DOS Platform. DOS may use Data to monitor the compliance of Users and Authorized Providers with the DOS Platform terms of use, to make the use of the DOS Platform more accessible and enhance the DOS Platform experience for Users and Authorized Providers, and to design optional surveys for Users. We may also use or disclose Data for internal product development purposes or for duly approved research projects. We will not use Data to re-identify Users or for any other purpose prohibited by Applicable Law.

Cookies and other technology

The DOS Platform and DOS’s email messages and marketing materials use “cookies” and other technologies such as pixel tags and web beacons. We use these technologies to better understand the use of the DOS Platform, analyze trends, and administer, personalize and improve the DOS Platform user experience for Users and Authorized Providers. For more information about our use of cookies and your ability to accept or decline our use of cookies, please refer to our Cookie Policy, posted at https://www.doctorsonsite.ca/cookie-policy/.

Links to third party websites

The DOS Platform may contain links to websites that we do not own or operate. The provision of these links is not an endorsement of or referral to the linked websites. We provide the links solely for your convenience. We strongly encourage you to review the privacy policies and terms of use applicable to any website you visit. This Policy does not apply to linked sites or pages and we are not responsible for the content or privacy practices applicable to them or used by their operators.

Amendments to this policy

DOS last updated this Privacy Policy (“Policy”) on October 1, 2024. We post the current version of the Policy at www.doctorsonsite.ca/privacy. We reserve the right to amend the Policy at any time to account for changes in Applicable Law, our practices and the DOS Platform. Please check to see if we have amended the Policy since you last used the DOS Platform to ensure you are aware of (and agree to) our current privacy practices.

Contact Us

If you have any questions, concerns or suggestions about our privacy practices, please contact our Chief Compliance Officer. Please include your name and contact information if you would like us to respond to you.

Doctors On Site Inc.

ATTN: Sasha Fried — Chief Compliance Officer

Support [ @ ] doctorsonsite.ca

More information on how we collect and use your information:

The following table gives you more information on how and for what purposes DOS collects and uses Information when Users create their DOS accounts, use DOS’s Healthcare Services, or use DOS’s Wellness Services. 

When you create your DOS Account:

Information

Purpose

First and Last Name

DOS will collect, use, and store your first and last name to create your DOS account, personalize your experience within the DOS Platform, contact you via email, and provide you with personalized customer support. DOS may also provide your first and last name to a Third Party Payer if applicable (see below).

Email Address

DOS will collect, use, and store your email address to create your DOS account and authenticate you during future visits.

We use your email address to send you service announcements, including information about our latest products and updates to our policies, Terms of Use and software (“Essential Communications”). 

We use your email address to send you newsletters or information about upcoming events that we believe may be of interest or apply to you (“Non-Essential Communications”). You may opt-out of receiving Non-Essential Communications at any time by logging into your User Account and updating your preferences.

We use your email address to contact you via email and provide you with personalized customer support. We may also provide your email address to a Third Party Payer if applicable (see below).

Date of Birth

DOS will collect, use, and store your date of birth to confirm your eligibility to use the DOS Platform.

Province of Residence

DOS will collect, use, and store your province or territory of residence to confirm your eligibility to use the DOS Platform.

Phone Number

DOS will collect, use, and store your phone number to create your DOS account and contact you via SMS.

Technical Information, such as:

  • IP address
  • Device information
  • Browser information
  • Click IDs

DOS will collect, use, and store technical information for security purposes, such as monitoring for malicious activity, displaying recent login activity in your account settings, improving the DOS Platform, and understanding and enhancing the user experience on the DOS Platform.

Healthcare Services

Information

Purpose

Sex Assigned at Birth

DOS will collect and store your sex assigned at birth on behalf of your Authorized Providers, who require this Information to provide you with Healthcare Services.

Gender Identity

If you choose to provide your gender identity, DOS will collect and store this information on behalf of your Authorized Providers, who will use this Information to provide you with Healthcare Services.

Provincial Health Number

If you receive Healthcare Services that are insured by your provincial health plan, DOS will collect and store your provincial health number on behalf of your Authorized Providers, and disclose the number to your provincial health plan for the purpose of billing for insured services on behalf of your Authorized Providers. 

Health Profile

If you choose to fill out your DOS Profile, you will provide, and DOS will collect and store on behalf of your Authorized Providers, Information such as your height, weight, allergies, or medical records (these could be records that you create or that are created by your Authorized Providers). Your Authorized Providers will use this information to provide you with Healthcare Services.

Requests for Healthcare Services, which will include:

  • The reason for the request, such as your symptoms, or your need for a prescription renewal or sick note
  • Your age, sex assigned at birth, and gender identity (if you have added your gender identity to your DOS account)

and may include:

  • Your name
  • The name, age, sex assigned at birth, and gender of your Registered Dependent

When you submit a request for Healthcare Services, we pass along some of the Information you provide in your request to your Authorized Provider, to enable them to determine whether your request is for Healthcare Services that they can deliver through the DOS Platform. The Information we pass along may include the reason for your request for Healthcare Services (such as your symptoms, or your need for a prescription renewal or sick note), your age, your gender identity (should you choose to provide it), and, in some cases, your name.

If the Authorized Provider confirms that your request is eligible, we identify the Authorized Provider to you and send the Authorized Provider the Information in your request, your name, and, where applicable, the name of your Registered Dependent. Unless you have elected to withhold access to Information held in the DOS Platform about you (or your Registered Dependent), the Authorized Provider will also be able to view that Information, such as clinical records created during your previous Consultations and medical records you create.

If, based on the Information provided, the reviewing Authorized Provider believes that you need emergency services, DOS reserves the right to use any of the contact information you have provided to contact you or your emergency contact, to inform you that an Authorized Provider has viewed and declined your request for a Consultation because your symptoms suggest you are experiencing a healthcare emergency.

Medical Records Created by Authorized Providers

If you receive Healthcare Services, we will store the records created during your Consultation so you and your Authorized Providers can access them in the future as needed.

At your request, we will use this information to support your Healthcare Services, such as by faxing a prescription to a pharmacy. Depending on your request, this may require DOS to disclose the medical records to a third party.

Personal information of Registered Dependents, such as:

  • First and last name
  • Date of birth
  • Sex assigned at birth
  • Relationship to you

If you choose to have a Registered Dependent on your DOS account, DOS will collect and store the Information of your Registered Dependents to confirm your eligibility to obtain Healthcare Services for your Registered Dependents, and their eligibility to receive Healthcare Services.

Authorized Providers will also use this Information for the purpose of providing the Registered Dependent with Healthcare Services.

Location Data Collected Through GPS technology

DOS may collect and use location data collected through GPS technology to identify the province or territory in which you are located, to ensure that we connect you to an Authorized Provider that is licensed or authorized to provide services in your province or territory and, if applicable, to connect you to a pharmacy near you.

Wellness Services

In addition to receiving DOS’s Healthcare Services, you have the option to sign up to receive Wellness Services from DOS, such as our Recommendations service, which sends you preventative health recommendations based on your health profile. If you sign up for a Wellness Service, your Information will be used as described below. If you do not sign up for any Wellness Services, this chart does not apply to you. 

Information

Purpose

Health Profile

If you sign up for our Wellness Services, DOS will use the Information you provided when you created your account, such as your age and sex assigned at birth, and any Information that you enter into your Health Profile, such as height, weight, allergies, and medication, to provide you with your Wellness Services.

Information Created from Your Use of Healthcare Services

If you sign up for any of our Wellness Services and choose to include Information from your use of Healthcare Services, such as your diagnosis and treatment details, in your Health Profile, DOS will use this Information to provide you with suggestions for similar Wellness Services that may be of interest to you.