PRIVACY NOTICE HIGHLIGHTS

By interacting with the website at easthma.ca (the “Site”), the web application at portal.easthma.ca (“WebApp”), the eAMS: Asthma Management System mobile applications (the “Mobile Apps”), and the Decision Support System, either as a visitor to the Site or a user of the Electronic Asthma Management System (“eAMS^TM”), you are agree to be bound by this Privacy Notice which are incorporated in the Terms And Conditions And End User License Agreement (the “Terms”).

This Privacy Notice helps visitors to our Site and Users of the Web App, Mobile Apps, and Decision Support System to better understand how we collect, use, and store Personally Identifiable Information and Personal Health Information in providing the Services.

The eAMS^TM assists Healthcare Providers to improve care for patients with asthma by using a Decision Support System to provide patient-tailored asthma advice, including an action plan, which, once approved by an authorized Healthcare Provider, is delivered to Patients through the WebApp or Mobile Apps (together the “Services”).

The Site, WebApp, Mobile Apps, Decision Support System and the eAMS^TM are owned and operated by EAPOC Inc. (“EAPOC”).

The terms "we", "our" and "us" mean EAPOC and the terms “you” and “your” mean the visitors to or Users of the Site and the Users of the WebApp, the Mobile Apps, and the eAMS^TM Services.

Below are highlights of our Personally Identifiable Information and Personal Health Information handling practices. Please refer to our Detailed Privacy Notice for a full description of our privacy and data security practices.

Capitalized words in these Privacy Notice Highlights are defined in the Detailed Privacy Notice.

We collect your Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) from the following sources:

If you have a privacy question or concern, please contact us at: privacy@easthma.ca.

Please review our Detailed Privacy Notice for more information about our practices.

Information We Collect
1. information you give us when you contact us through the Contact Us Page on our Site, open an Account or subscribe for Services, when you submit customer service inquiries, or when you submit customer feedback or reviews;
2. information that you provide in the course of receiving the Services or that we collect from third parties whom you authorized to share your information with us;
3. information we collect automatically when you Use our Site, WebApp, Mobile Apps, and the eAMS^TM Services such as information about your browser settings, operating system, and other information collected through cookies;
How We Use and Disclose Your Information
1. We use your PII and PHI that we or our service providers collect from you to provide the Services and to manage our business operations, such as to authenticate you when you sign into your Account, to prevent loss of data and fraud, to process your subscription payment (if applicable), and to monitor and improve the performance of our Site, WebApp, Mobile Apps and Services;
2. We may combine or aggregate your de-identified and pseudonymized PII and PHI, so that it will be unlikely to re-identify you from it, to monitor trends and provide and improve our respective products and services, and we may share and/or sell that information;
3. We may share with or transfer your PII and PHI to service providers who help us run our business. Those providers can only use the PII and PHI we transfer to them for the specific purpose of assisting us with providing the Services. If a service provider’s privacy and data security practices are inferior to ours, we will enter into a Data Protection Agreement to protect your information.
4. We may also disclose your PII and/or PHI if a court order requires us to do so.
5. With your consent, we may use your PII to contact you for marketing, promotional, or other purposes.
6. We may disclose, transfer or sell your PII and PHI without your consent in certain circumstances. If we merge or sell our business to another entity, or in the event of our insolvency or bankruptcy, your PII, PHI, and Account Record may be transferred to the new owner without your consent. Please refer to Section 5 of the Detailed Terms for further details.
Your Choices and Consent
1. You can change your communication preferences for marketing and advertising e-mails, participation in surveys, and to provide or withdraw consent for specific requests we or our service providers may make to collect and use your information by clicking the “Unsubscribe” link in our email correspondence.
2. You may withdraw your consent from our further use of your PII or PHI and you may close your Account. If you do so, we may still use your PII and PHI for the purposes to which you consented before you withdrew consent and we may keep information about you and your previous transactions with us for audit purposes, to ensure the integrity of our data, and to fulfill legal requirements.
How to Contact Us

DETAILED PRIVACY NOTICE

1. Background

By interacting with the website at easthma.ca (the “Site”), the web application at portal.easthma.ca (“WebApp”), the eAMS: Asthma Management System mobile applications (the “Mobile Apps”), and the Decision Support System either as a visitor to the Site or a User of the Electronic Asthma Management System (“eAMS^TM”), you are agree to be bound by this Privacy Notice, which is incorporated in the Terms And Conditions And End User License Agreement (the “Terms”).

The Site, WebApp, Mobile Apps, Decision Support System and the eAMS^TM are owned and operated by EAPOC Inc. (“EAPOC”).

2. Definitions

As used in this Policy Notice, capitalized terms not defined in this Privacy Notice here have the meaning assigned to them in the Terms:

“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers with other information to identify you. Examples of this type of information include your name, date of birth, medical record number, health card number, personal e-mail address, home telephone number, personal cellphone number, your internet provider (IP) address and other similar information when associated with you. PII may also include information about how you use the Site, the WebApp, the Mobile Apps, and the eAMS^TM Decision Support System if we can associate that PII with you. PII does not include your business title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity.

“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers.

"we", "us" or "our" means EAPOC Inc. and any of our Affiliates.

"you" or "your" means an individual Using the Site, the WebApp, the Mobile Apps, or the Content as a visitor, Patient or Healthcare Provider using the eAMS^TM Decision Support System.

3. Scope and Services

4. Accountability

We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.

We comply with privacy and data security legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Personal Health Information Protection Act (Ontario) (“PHIPA”) and are compliant with ISO/IEC 27002:2013 Code of practice for information security controls: 15.1: Information security in supplier relationships for both Canadian and American service providers.

We have appointed a Chief Privacy and Security Officer (“CPSO”) who is responsible for enforcing compliance with our privacy program including, by undertaking regular Privacy Impact Assessment (“PIA”) and Threat and Risk Assessments (“TRA”); adopting new policies and procedures or amending existing policies and procedures based on the results of the PIAs and TRAs.

If you have a question or complaint about our information handling practices, please contact us at privacy@easthma.ca.

5. Limiting Collection: What Information Do We Collect?

It is our policy to collect only PII and PHI necessary to allow visitors to the Site to interact with us and to provide Users with the eAMS^TM Services and to improve the performance of the eAMS^TM Services.

The ways we collect PII and PHI can be broadly categorized into:

We collect your PII and PHI when you open an Account and Use the eAMS^TM Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, and demographic information to be able to properly identify you, to contact you, and if applicable, to process a payment for your subscription to our Services. We also collect PHI such as your medical conditions, treatment information, symptoms, allergies, and other information that is required to provide Decision Support as part eAMS^TM Services and may be used to determine if you are eligible for a Research Study.

If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot receive our Services.

Patient Users: To register for the eAMS^TM Services and create an account, you must provide your first name, last name and email address to verify your account registration and so that we may contact you, as well as your health card number, date of birth and the name of the healthcare setting in which you receive health services (e.g., a clinic). The eAMS^TM Services also log the information you report related to your asthma, including your symptoms, triggers and medications. If your healthcare setting is registered for eAMS^TM Services, your account may be linked to your Healthcare Provider’s electronic medical record. Depending on how your Healthcare Provider uses the eAMS^TM Services, you may receive periodic reminder emails when your attention is requested by the eAMS^TM Services.

If you provide consent, you may also be emailed with an invitation to participate in future research studies about the eAMS^TM.

Healthcare Provider Users: When you register for an eAMS^TM Account you must provide your email address to complete your account registration. The eAMS^TM records your actions in the decision support window.

You may choose to set your web browser to refuse cookies, or to alert you when cookies are being sent. If you set your web browser to disable cookies, some parts of the Site, WebApp, Mobile Apps and the Decision Support System may not be accessible to you.

For Patient Users, the eAMS^TM Services use cookies in to help facilitate the login process, and authenticate Patient Users upon login. These cookies are automatically destroyed when a Patient User logs out of the eAMS^TM. For Healthcare Provider Users the eAMS^TM Services use cookies to authenticate Healthcare Provider Users when the Decision Support System is accessed. These cookies are automatically destroyed when a Healthcare Provider User exits the browser. For details about our cookie practices, please refer to our Cookie Policy.

Information you provide to us directly: When you visit or use parts of our Site, we might ask you to provide PII to us. For example, we may ask for your first and last name, email address and/or phone number on our Contact Us page so we can reply to a message you post there or to contact you by phone. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
Information from other Sources: We may receive PII and PHI about you from other sources. For example, if you had a paid Account, we would receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We may also receive PII and PHI from sources you authorized to provide such information to us.
Information we collect automatically: We may automatically collect some technical information when you visit our Site, the WebApp, the Mobile Apps, or the Decision Support System that platforms like Google Analytics may collect about your interaction with our Platform. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, number of messages sent or received, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site the WebApp, the Mobile Apps, or the Decision Support System so they are easier to use and to determine which aspects of our Services may interest you. We may record whether you looked for information about a particular topic or service to make inferences about other products and services in which you might be interested. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails.

6. Limiting Use: How Do We Use Your PII and PHI?

We use PII, PHI and non-personal information for the following purposes:

We may share such aggregated de-identified and pseudonymized PII and PHI (which makes it unlikely to identify you) and non-personal information with your Healthcare Provider and other members in your circle of care, our service providers, and third parties to help us improve the eAMS^TM Services.

To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, WebApp, or Mobile Apps, Decision Support System, or changes to this Privacy Notice, our Terms or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and related to any legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
To provide Services. We use your PII and PHI to provide the eAMS^TM Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and may use it to send you reminder emails for your clinic appointments.
To improve our Site, WebApp, and Services and develop new ones : We monitor how you use the Site, the WebApp, the Mobile Apps, and the Services so we can improve our offerings, user experience, and design new features. We may combine or aggregate your de-identified and pseudonymized PII and PHI (so that it will be unlikely to re-identify you from it) and non-personal information to monitor trends and provide and improve our products and services; including information we collect automatically (identified in Section 5), questionnaire responses (Patient Users), selections in the decision support window (Healthcare Provider Users), and action plans, chart notes and/or messages to the MRP generated by the eAMS^TM Services (Healthcare Provider Users).
To detect and prevent any fraudulent or malicious activity and to make sure that our Site, WebApp, Mobile Apps, Content, and Services are used according to our Terms and to protect the security or integrity of our Site, WebApp, Mobile Apps, our Services, and our business.
With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us.
To comply with any laws and regulations.

7. Disclosure: When Do We Disclose Your PII and PHI to Others?

We do not disclose or share your PI or PHI except as allowed by law and as outlined in this Privacy Notice.

We may share your PII and PHI with our service providers and our Affiliates who help us with our business operations. Some Patient Users’ PII and PHI may be disclosed to (i) Healthcare Provider Users who participate in the eAMS^TM Services, including the Patient User’s physician(s) and other Healthcare Provider(s), and may become a part of your medical record, (ii) individuals and companies managing those physicians and Healthcare Providers,

If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who help us with marketing and promotional services.

We run our business with the assistance of third-party service providers who help us to provide the Services and other business operations such as marketing and promotional services. We engage our service providers on separate terms, either their own terms of service or separate agreements, as further detailed in Section 9. Those terms ensure the security of your information and limit the service provider’s use and disclosure of that information to the purpose for which we engaged each service provider, unless we or they obtain your explicit consent to use it for any other purpose.
We may sell aggregated de-identified and pseudonymized PII and PHI (which makes it is unlikely to identify you) and non-personal information related to usage data of the eAMS^TM such as choices in decision support screens, and the number and severity of asthma patients under care.
We will not rent your PII or PHI we collect directly from you or as part of our Services. Other than as identified in this Privacy Notice, we will not disclose, transfer, or sell your PII and/or PHI; however, you acknowledge and agree that we may disclose, transfer or sell (as applicable) your PII and PHI and your Account Record, without your explicit consent under the following limited circumstances:
If you do not wish to continue to receive services through the entity that acquires or with whom we may merge our business, you may close your account.
1. Transfer and/or disclose PII and/or PHI to our service providers who assist us to provide the Services and run our business;
2. Disclose PII to collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account;
3. Disclose PII and/or PHI to comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms, this Privacy Notice, to protect the security of the Site, the WebApp, the Mobile Apps, our Services, and the security of your Account, or as otherwise required by law;
4. Disclose PII and/or PHI to establish or defend our legal rights. Where possible and appropriate, we will notify you;
5. Disclose and transfer PII and PHI to an actual or potential buyer of EAPOC (and its agents and advisers) in connection with an actual or proposed corporate reorganization, assignment, merger, or sale of any part of our business, including as part of insolvency or bankruptcy proceedings. In such case, your PII and PHI will be disclosed solely for the purposes related to the transaction, including during due diligence or to fulfill any audit requirements, and will be protected by security safeguards appropriate to the sensitivity of the information and contractual confidentiality obligations, including the return or destruction of confidential information (including PII and PHI) if the transaction fails to close. Your Account record may be transferred upon a change of corporate control.

8. Consent

When you provide PII or PHI to open an Account and receive Services, or to provide PII to complete a transaction by credit card, you consent to our collecting your PII and PHI required to complete these activities only.
You acknowledge and agree that by opening an Account we may contact you by email without your explicit consent for any purpose directly related to our legal rights, our obligations, and our ability to provide our Services to you such as: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications about your Account or your subscription to the Services; (iii) changes to our Site or Platform, changes to this Privacy Notice or the Terms; (iv) any questions, reminders, notifications related to your account or your use of your Account or addressing customer service issues and troubleshooting problems with your account; (v) to notify and alert you about data breaches, and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action; and any other reason notifications and alerts may be required by law.
We comply with Canada’s Anti-Spam Legislation (“CASL”). When you register your Account, you can provide your consent to receive marketing and promotional e-mails. We will ask for your explicit consent before we send you any marketing or promotional emails, newsletters, invitations to participate in surveys, or other reasons that are not central to providing the Services. You may withdraw your consent by using the “Unsubscribe” link available in any of our emails to you, or by contacting us at admin@easthma.ca.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.

9. Safeguards: How Do We Protect Your PII and PHI?

We are committed to protecting your PII and PHI. Our staff understand the importance of keeping your information confidential and are expected to maintain the confidentiality of your Information.

We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse. This includes limiting access of staff to your PII and PHI with passwords and graduated levels of clearance. We do not publish all of our security measures online because this may reduce their effectiveness. We take reasonable precautions against breaches of our security systems; however, no company can fully eliminate the risks of unauthorized access to your information and no website or platform is completely secure.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in reputable data centers that are ISO 27001 and ISO Standard 27018:2019 (Code of Practice for personal identifiable information (PII) protection in public clouds acting as PII processors) certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, WebApp, and Mobile Apps, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies, procedures that address and train our staff on the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.
We expect our service providers to protect your PII and PHI that they collect from you directly. If our service provider’s data collection and security practices are inferior to ours, we will enter into separate Data Collection and Sharing Agreements to ensure that any PII or PHI we may need to share with them is protected.
For paid accounts, we do not store your credit card information. Payments are handled by a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they additional implement generally accepted industry standards.

10. Data Breach

We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a data breach remains. In the event of a data breach, we will comply with the breach notification requirements outlined in PIPEDA.
IN THE EVENT OF A BREACH OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY FIRST.

11. Data Storage and Transfer

As custodians, we remain responsible for the security and privacy of your PII and/or PHI at all times. EAPOC and our service providers do not store your information outside of Canada.
We expect our third-party service providers who are not bound by the same laws we are to provide comparable levels of data protection and security. We will enter into Data Protection Agreements with service providers whose data protection and security practices are inferior to those we outlined in this Privacy Notice.

12. Data Retention: How Long Do We Keep your PII and PHI?

We collect only PII and PHI for which we have a legitimate business need to provide the Services.

We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it. PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
For paid accounts, PII collected by our direct payment gateway provider to process a transaction is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We retain your Account Record in active use until you close your Account. We employ an automatic data backup and archiving system and a data retention and destruction schedule to ensure data security. Once you close your Account, your PHI in active use will be deleted within 30 days but PHI in rolling automatic backups will be stored until it is overwritten in accordance with our data retention and destruction schedule. We will keep limited PII and PHI for as long as we have a legal or legitimate business need to keep it, such as to comply with data retention laws, enforce our Terms, comply with audit requirements, and take other actions permitted by law.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.

13. Accounts and Credentials

Patient Users must be at least 16 years old to subscribe to open an Account to receive the Services and access the WebApp and the Mobile Apps.
Only Healthcare Providers who have been authorized by a qualified administrator at the healthcare setting using the eAMS^TM can Use the eAMS^TM Decision Support System and eAMS^TM Services.
The security of your Account depends on you keeping your Account login credentials safe and not sharing them with anyone else. If you believe that your login credentials have been compromised or misused, you must contact us immediately.

14. Accuracy: How Do You Modify Your Information?

We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose of providing the Services and will destroy any information that is out-of-date.
We use reasonable means to ensure that the information in your Account record is accurate. You may update certain PII directly in your Account, while other information may need to be updated directly through your Healthcare Provider. If you have questions or identify any errors in your Account Record, please contact us at privacy@easthma.ca. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.

15. Access: Right to your Data

You may access your Account Record and port the information from us to another entity. If you request a copy of your Account Record, we will provide it to you at no charge. You can request access to your Account record by contacting us at privacy@easthma.ca.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws. We will provide you the legends for any special codes, acronyms or other similar information in the disclosed material, so your right of access is meaningful.

16. Account Closure: Data Deletion

To close your Account or to request that the PII or PHI we have about you be deleted, please email us at to admin@easthma.ca. Once we receive your request and authenticate your identity, we will remove your Account from active use and will delete your Account Record within 30 days, but we will keep some PII as described in Section 12.
To close your account please contact our Chief Privacy Officer at privacy@easthma.ca. Once we receive your request and authenticate you, we will close your account and delete your Customer Data within 30 days of receiving your request to terminate your subscription to the Services.

17. Governing Law

This Privacy Notice shall in all respects be governed by and interpreted, construed and enforced in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein.

18. Third-Party Services and Links

We may provide links to third-party websites on our Site, the WebApp, Mobile Apps, and/or the Decision Support System. These links are provided for convenience only. We do not have control over those third-party websites, and they are not subject to this Privacy Notice or our Terms. Your use of hyperlinked websites is at your own risk and subject to the privacy notices of those websites.You acknowledge that these links may lead you to third-parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.

19. Challenge Compliance

If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with applicable privacy laws.

We are not responsible for the PII or PHI handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint concerns the privacy practice of those providers, we will direct you to them.

Please notify our CPSO of your complaint by emailing at privacy@easthma.ca.

You can also reach us at:

EAPOC Inc.

30 Bond St, Rm-6044

Toronto, ON

Canada

M5B 1W8

We pledge to address your complaint promptly. If you are unsatisfied with the response you receive from us, we hope you would contact us to resolve the issue. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.

Privacy Notice