Privacy Policy

Last Updated

Introduction

BookHealth AI Inc. ("BookHealth", "we", "us", or "our") is committed to protecting the privacy and security of personal information and personal health information entrusted to us. This Privacy Policy describes how we collect, use, disclose, store, and protect information in connection with our AI-powered front office automation platform (the "Services").

BookHealth is a healthcare technology company incorporated in Canada, headquartered at 18 King Street East, Suite 1400, Toronto, Ontario, M5C 1C4. We provide administrative and operational automation tools for healthcare providers across Canada.

This Privacy Policy applies to:

  • Healthcare providers, clinics, and care facilities that use our Services ("Customers")

  • Employees and authorized staff of our Customers ("Authorized Users")

  • Patients whose information is processed through the Services on behalf of our Customers ("Patients")

  • Visitors to our website at bookhealth.ai ("Website Visitors")

By using our Services or visiting our website, you acknowledge that you have read and understood this Privacy Policy.

Applicable Privacy Legislation

BookHealth is designed to support compliance with applicable Canadian privacy legislation, including:

  • Personal Health Information Protection Act, 2004 (PHIPA) -- Ontario's health-specific privacy legislation governing the collection, use, and disclosure of personal health information by health information custodians and their agents.

  • Personal Information Protection and Electronic Documents Act (PIPEDA) and its successor, the Consumer Privacy Protection Act (CPPA) -- Canada's federal privacy legislation governing the collection, use, and disclosure of personal information in the course of commercial activities.

  • Equivalent provincial health privacy legislation in jurisdictions where our Customers operate, including Alberta's Health Information Act (HIA), British Columbia's Personal Information Protection Act (PIPA), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25).

Where our Customers are Health Information Custodians under PHIPA, BookHealth acts as an agent or information technology service provider. Our Customers retain their obligations as custodians of personal health information and are responsible for obtaining appropriate consents and providing required notices to patients.

Information We Collect

Information Processed on Behalf of Customers (Personal Health Information)

When healthcare providers use our Services, we process information on their behalf. This may include:

  • Patient demographics: Name, date of birth, address, phone number, email address, health card number (OHIP, provincial health insurance), and other identifying information.

  • Clinical information: Referral details, physician orders, lab results, prescription information, diagnostic reports, clinical notes, and care plans as contained in faxes, documents, and communications processed through the Services.

  • Insurance and coverage information: OHIP eligibility, WSIB coverage, private insurance details, and coverage verification results.

  • Communication records: Records of phone calls handled by our voice AI (Rachel), SMS messages, email communications, and patient outreach interactions managed through the Services.

  • Scheduling information: Appointment bookings, confirmations, cancellations, no-show records, and recall information.

  • Operational data: Staffing schedules, shift records, and workforce management information processed through the Services.

This information is processed solely on behalf of and at the direction of our Customers. BookHealth does not determine the purposes for which personal health information is collected -- our Customers do.

Information Collected from Customers and Authorized Users

When healthcare providers sign up for and use our Services, we collect:

  • Account information: Contact name, email address, phone number, clinic name, clinic address, and billing information.

  • Login credentials: Username and password (passwords are encrypted and not stored in plain text).

  • Usage data: Information about how Authorized Users interact with the Services, including features used, actions taken, and session duration.

  • Communication with us: Records of support requests, demo inquiries, and correspondence with our team.

Information Collected from Website Visitors

When you visit our website, we may collect:

  • Device and browser information: IP address, browser type, operating system, and device identifiers.

  • Usage information: Pages visited, links clicked, time spent on pages, and referring URLs.

  • Cookies and similar technologies: We use cookies and similar technologies as described in our Cookie Policy.

How We Use Information

Personal Health Information (Processed on Behalf of Customers)

We use personal health information solely to provide the Services as directed by our Customers. Specific uses include:

  • Document processing: Reading, classifying, and extracting structured data from inbound faxes, referrals, lab results, and other clinical documents.

  • EMR integration: Syncing extracted and verified data to our Customers' electronic medical record systems (Accuro, OSCAR Pro, Telus PS Suite, PointClickCare, MEDITECH, Jane App).

  • Patient outreach: Sending appointment confirmations, reminders, follow-up messages, and recall communications on behalf of our Customers via SMS, phone, and email.

  • Voice reception: Answering inbound phone calls, scheduling appointments, handling inquiries, and routing calls on behalf of our Customers.

  • Coverage verification: Verifying OHIP, WSIB, and private insurance eligibility on behalf of our Customers.

  • Human-in-the-loop review: Presenting AI-processed information to Customer staff for verification before it is committed to patient records.

We do not use personal health information for any purpose other than providing the Services as directed by our Customers, unless required by law.

Customer and Authorized User Information

We use information collected from Customers and Authorized Users to:

  • Provide, maintain, and improve the Services.

  • Process payments and manage billing.

  • Communicate about account status, service updates, and technical support.

  • Ensure the security and integrity of the Services.

  • Comply with legal obligations.

Website Visitor Information

We use information collected from website visitors to:

  • Operate and improve our website.

  • Analyze website traffic and usage patterns.

  • Respond to inquiries submitted through our website.

Aggregated and De-identified Data

We may create aggregated, anonymized, and de-identified datasets derived from the use of our Services for the purposes of:

  • Improving the accuracy and performance of our AI models.

  • Developing new features and capabilities.

  • Generating industry benchmarks and research insights.

Such datasets are created in accordance with applicable privacy legislation and do not identify any individual Customer, Authorized User, or Patient. De-identified data cannot be re-identified, and we maintain administrative, technical, and contractual safeguards to prevent re-identification.

AI-Specific Privacy Practices

BookHealth uses artificial intelligence, including large language models, vision-language models, and speech processing models, to provide the Services. We are committed to transparency about how AI processes personal information:

How AI Processes Personal Health Information

  • Document AI (Natalie): Uses optical character recognition and vision-language models to read, classify, and extract structured data from scanned documents, faxes, and digital files. The AI processes document images to identify patient demographics, clinical details, and referral information.

  • Voice AI (Rachel): Uses real-time speech-to-text, natural language understanding, and text-to-speech models to handle inbound phone calls. Voice interactions are transcribed and processed to understand caller intent and take appropriate action (scheduling, routing, information provision).

  • Outreach AI (Barry): Uses orchestration logic and communication APIs to send automated messages and make outbound calls on behalf of Customers. Patient communication preferences and response history are used to optimize outreach timing and channel.

AI Decision-Making

  • The Services use AI to assist with administrative and operational decisions (document classification, call routing, scheduling). These are not clinical decisions.

  • All AI outputs that affect patient records are subject to human review by Customer staff before being finalized.

  • Customers retain full control over which AI actions require human approval and which may proceed automatically, based on their configured workflow rules.

  • We do not use AI to make decisions that have legal or significant effects on individuals without human oversight.

AI Model Training

  • We do not use identifiable personal health information from individual Customers to train AI models that serve other Customers.

  • AI model improvements are based on aggregated, de-identified data or synthetic data that cannot be traced back to any individual patient or Customer.

  • Customers may opt out of contributing de-identified data to model improvement by contacting us at hello@bookhealth.ai.

How We Share Information

We do not sell personal information or personal health information.

We may share information in the following limited circumstances:

Service Providers

We engage trusted third-party service providers to assist in delivering the Services, including cloud infrastructure providers, communication platforms (SMS, voice, email), and payment processors. These service providers:

  • Are contractually obligated to protect information in accordance with this Privacy Policy and applicable law.

  • May only process information on our behalf and at our direction.

  • Are subject to confidentiality obligations.

  • Are selected based on their ability to provide adequate privacy and security protections.

EMR Vendors

When Customers authorize integration with their EMR systems, information is exchanged between BookHealth and the applicable EMR vendor (Accuro, OSCAR Pro, Telus PS Suite, PointClickCare, MEDITECH, Jane App) as necessary to provide the Services. This exchange occurs at the direction and under the authority of the Customer.

Legal Requirements

We may disclose information where required by law, regulation, court order, or governmental authority, including in response to lawful requests by public authorities. Where permitted by law, we will provide notice to the affected Customer before making such disclosure.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, information may be transferred as part of the transaction. We will provide notice to Customers before information is transferred and becomes subject to a different privacy policy.

Data Storage and Security

Canadian Data Residency

All personal health information and Customer Data is stored and processed within Canada. Our primary infrastructure is hosted on Canadian data centres (AWS ca-central-1 in Montreal and/or Azure Canada Central in Toronto).

We do not transfer personal health information outside of Canada without Customer's prior written consent, except where required by law.

Security Measures

We implement and maintain administrative, technical, and physical safeguards designed to protect information, including:

  • Encryption: Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

  • Access controls: Role-based access controls ensure that only authorized personnel can access information, and only to the extent necessary for their role.

  • Authentication: Multi-factor authentication is available for all Authorized User accounts.

  • Audit logging: All access to and modifications of personal health information are logged and auditable.

  • Vulnerability management: Regular security assessments, penetration testing, and vulnerability scanning are conducted.

  • Incident response: We maintain an incident detection and response plan to identify, contain, and remediate security incidents.

  • Employee training: All BookHealth personnel receive privacy and security training, including training specific to Canadian healthcare privacy legislation.

Data Retention

We retain personal health information processed on behalf of Customers for as long as necessary to provide the Services and as directed by the Customer. Upon termination of a Customer's account:

  • Customer Data is made available for export for thirty (30) days.

  • After the export period, Customer Data is securely deleted in accordance with our data retention policies.

  • Backups containing Customer Data are purged within ninety (90) days of account termination.

De-identified and aggregated data may be retained indefinitely for the purposes described in this Privacy Policy.

Your Rights

Rights of Customers and Authorized Users

Customers and Authorized Users have the right to:

  • Access: Request access to the personal information we hold about them.

  • Correction: Request correction of inaccurate or incomplete personal information.

  • Deletion: Request deletion of personal information, subject to legal and contractual obligations.

  • Data portability: Request export of their data in a structured, commonly used format.

  • Withdraw consent: Withdraw consent for certain processing activities, subject to contractual and legal limitations.

Rights of Patients

Patients whose personal health information is processed through the Services should direct privacy inquiries and access requests to their healthcare provider (our Customer), who is the Health Information Custodian responsible for their information under PHIPA. Healthcare providers can use the tools within the Services to respond to patient access and correction requests.

If a Patient believes that their personal health information has been handled improperly through the Services, they may also contact BookHealth directly at hello@bookhealth.ai and we will work with the applicable Customer to address the concern.

Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: hello@bookhealth.ai

Mail: BookHealth AI Inc., 18 King Street East, Suite 1400, Toronto, ON M5C 1C4

We will respond to requests within thirty (30) days or as required by applicable law.

Breach Notification

In the event of a security breach involving personal health information, BookHealth will:

  • Notify the affected Customer without unreasonable delay upon becoming aware of the breach.

  • Provide sufficient information to enable the Customer to assess the breach and fulfill its notification obligations under PHIPA, PIPEDA/CPPA, and other applicable legislation.

  • Cooperate with the Customer and applicable regulatory authorities in investigating and remediating the breach.

  • Take reasonable steps to contain the breach and prevent further unauthorized access.

Under PHIPA, Health Information Custodians (our Customers) are responsible for notifying affected individuals and the Information and Privacy Commissioner of Ontario where required. BookHealth will support Customers in meeting these obligations.

Children's Privacy

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Where personal health information of minors is processed through the Services, it is processed on behalf of and at the direction of the Customer (healthcare provider) in accordance with applicable healthcare and privacy legislation.

Third-Party Links and Services

Our website and Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party services you access.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes by:

  • Posting the updated Privacy Policy on our website with a revised "Last updated" date.

  • Notifying Customers via email or through the Services for material changes that affect the processing of personal health information.

Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:

BookHealth AI Inc.
Privacy Officer
18 King Street East, Suite 1400
Toronto, ON M5C 1C4
Canada

General inquiries: hello@bookhealth.ai

Phone: Available upon request

Regulatory Authorities

If you are not satisfied with our response to a privacy concern, you may contact:

BookHealth AI Inc. is a healthcare technology company, not a healthcare provider, insurer, or medical professional. The Services are designed to support clinic administrative operations and do not constitute medical advice, diagnosis, or treatment.

The AI Front Office for Canadian Healthcare.

18 King Street East, Toronto, ON M5C 1C4

© 2026 BookHealth AI Inc. All rights reserved.

BookHealth AI Inc. is a healthcare technology company, not a healthcare provider, insurer, or medical professional. The services provided by BookHealth are intended to support clinic administrative operations and do not constitute medical advice, diagnosis, or treatment. BookHealth's tools are designed to enhance front-office automation, referral management, and patient communications, and should not be interpreted as a substitute for professional medical judgment.

Access to the BookHealth platform is subject to our Terms of Use and Privacy Policy. All patient data is processed in accordance with PIPEDA, PHIPA, and applicable provincial privacy legislation, and is stored using enterprise-grade security protocols within Canada. BookHealth does not make any representations regarding clinical outcomes or regulatory compliance resulting from use of the platform.

BookHealth AI Inc. is a corporation registered in Canada. For questions related to platform usage, licensing, or data security, please contact hello@bookhealth.ai.
