
Privacy Policy – Physicare.ai

Last updated: April 13, 2026

1. Scope

This Privacy Policy explains how Physicare.ai collects, uses, discloses, transfers, retains, and protects personal information and personal data in connection with the Services.

This Privacy Policy applies to:

  • visitors to the website
  • professional users, clinic administrators, and organizational customers
  • patients invited to use customer-enabled features
  • prospective customers, partners, and business contacts

This Privacy Policy does not replace any separate Data Processing Agreement, master services agreement, order form, or customer-specific notice that may apply.

2. Privacy Roles

For Customer Data processed on behalf of a clinic, practice, employer, or regulated healthcare professional in connection with the provision of care or related operations, the relevant customer generally acts as the controller, custodian, trustee, or equivalent primary decision-maker under applicable law.

In relation to that Customer Data, Physicare.ai acts as a processor, service provider, agent, affiliate, information manager, or equivalent service role, depending on the applicable law and contractual arrangement.

Physicare.ai acts as an independent controller only with respect to Business Data it processes for its own legitimate business purposes, including account administration, billing, authentication, security, fraud prevention, legal compliance, support, and service communications.

If you are a patient whose healthcare provider uses Physicare.ai, your healthcare provider remains the primary point of contact for requests relating to your clinical record, except where applicable law requires or permits Physicare.ai to respond directly.

3. Categories of Information We Process

Physicare.ai may process the following categories of information:

Account and business information

  • name
  • work email address
  • phone number
  • organization name
  • professional role
  • account credentials
  • subscription and billing information
  • support and communication records

Customer clinical data

  • patient names and identifiers where submitted by the customer
  • appointment information
  • clinical notes
  • transcriptions
  • assessment content
  • exercise or treatment program content
  • questionnaires
  • communications and workflow content entered into the Services
  • other health-related information processed on customer instructions

Usage and technical data

  • IP address
  • browser type
  • device information
  • operating system
  • session data
  • log records
  • authentication events
  • audit events
  • crash and performance data

Payment data

  • limited billing and transaction information from payment processors

Physicare.ai does not store full payment card numbers.

Website analytics and cookie data

  • information collected through cookies, analytics tools, and similar technologies, subject to applicable consent requirements

4. Sources of Information

Physicare.ai collects information:

  • directly from users and customers
  • from customers who submit information about patients, staff, or other authorized users
  • automatically from devices, browsers, and systems that interact with the Services
  • from service providers such as payment processors, hosting providers, analytics providers, and support tools
  • from business contacts and prospective customers during commercial interactions

5. Purposes of Processing

Physicare.ai processes information for the following purposes:

  • to provide, host, operate, maintain, and support the Services
  • to authenticate users and manage accounts
  • to deliver transcription, documentation, workflow, and AI-assisted features on customer instructions
  • to manage subscriptions, billing, invoicing, and collections
  • to monitor security, detect fraud, prevent abuse, and investigate incidents
  • to maintain logs, backups, and service reliability
  • to communicate with customers and users about service, support, product updates, or legal notices
  • to comply with legal, regulatory, contractual, and corporate governance obligations
  • to perform limited analytics and product improvement activities
  • to carry out optional uses where consent is required and has been obtained

6. Legal Bases for Processing

Where Physicare.ai acts as an independent controller and GDPR applies, Physicare.ai relies on one or more of the following legal bases:

  • performance of a contract
  • compliance with a legal obligation
  • legitimate interests, including service security, fraud prevention, support, internal administration, and proportionate service improvement
  • consent, where required, including for optional cookies or optional product improvement initiatives

Where special category data under GDPR is processed through the Services on behalf of a healthcare customer, the relevant customer remains responsible for establishing an appropriate Article 9 condition for processing. Physicare.ai processes such data only on documented instructions, except where otherwise required by law.

Where Canadian law applies, Physicare.ai processes personal information in accordance with applicable federal and provincial privacy laws. Where Physicare.ai acts on behalf of a healthcare customer, that customer remains responsible for ensuring that any required notices, consents, authorizations, or other lawful grounds are in place.

7. AI-Assisted Features

The Services may include AI-assisted features that generate transcriptions, summaries, draft notes, structured outputs, documentation suggestions, administrative suggestions, or other assistive content.

AI-generated outputs are assistive only. They may be incomplete, inaccurate, outdated, biased, or inappropriate for a given patient, context, or jurisdiction.

Physicare.ai does not make solely automated decisions that produce legal effects or similarly significant effects on individuals through the Services.

Unless expressly stated otherwise in a separate written agreement or lawful program, Physicare.ai does not use identifiable Customer Data to train generalized third-party AI models.

Where Physicare.ai uses de-identified or anonymized data for analytics, product improvement, or research, it does so only where permitted by applicable law and subject to appropriate safeguards.

8. Disclosures of Information

Physicare.ai may disclose information:

  • to subprocessors and service providers that support hosting, infrastructure, payments, analytics, authentication, security, support, and AI-enabled functionality
  • to the relevant customer organization and its authorized users
  • where required by law, regulation, court order, legal process, or competent authority
  • where necessary to protect the rights, safety, security, or integrity of Physicare.ai, its users, customers, or third parties
  • in connection with a merger, financing, acquisition, restructuring, sale of assets, or similar corporate transaction, subject to appropriate confidentiality safeguards

Physicare.ai does not sell personal information.

9. Subprocessors and International Transfers

Physicare.ai may use third-party subprocessors and service providers to support the delivery of the Services.

Physicare.ai primarily hosts production data in Canada. Certain service providers may process limited categories of information outside Quebec or outside Canada, including in the United States.

Where required, Physicare.ai implements appropriate safeguards for such transfers, which may include:

  • contractual protections
  • transfer impact assessments
  • standard contractual clauses
  • supplementary technical and organizational measures

Information processed in another jurisdiction may be subject to lawful access requests by courts, regulators, law enforcement, or national security authorities in that jurisdiction.

A current list of material subprocessors should be maintained separately by Physicare.ai and made available as required.

10. Security Safeguards

Physicare.ai maintains administrative, technical, and physical safeguards designed to protect information appropriate to its sensitivity and the nature of the Services.

These safeguards may include:

  • encryption in transit and at rest
  • role-based access controls
  • least-privilege access management
  • authentication controls
  • system monitoring and logging
  • secure hosting practices
  • backup and recovery processes
  • employee confidentiality obligations
  • internal access restrictions
  • security review and incident response procedures

No system or method of transmission can be guaranteed to be completely secure.

11. Data Retention

Physicare.ai retains information only for as long as necessary for the purposes described in this Privacy Policy, as required by contract, and as required or permitted by applicable law.

Customer Data is retained in accordance with the applicable customer agreement, customer instructions, legal obligations, and backup or deletion schedules.

Account, billing, audit, security, and legal records may be retained for longer periods where reasonably necessary for tax, accounting, dispute resolution, enforcement, fraud prevention, security investigation, or legal compliance purposes.

Where Physicare.ai acts only as a processor or service provider in relation to Customer Data, the return, export, retention, deletion, and destruction of that data are governed primarily by the applicable customer agreement and lawful customer instructions.

12. Rights and Requests

Depending on the applicable law, individuals may have rights relating to their personal information, including:

  • access
  • correction or rectification
  • withdrawal of consent, where processing is based on consent
  • deletion or erasure
  • restriction of processing
  • objection to certain processing
  • portability
  • complaint to a competent privacy or data protection authority

Where Physicare.ai processes information on behalf of a clinic, practice, employer, or other customer, Physicare.ai may direct the request to that customer or require that the request be submitted to that customer first.

Physicare.ai will assist its customers in responding to lawful requests to the extent required by law or contract.

To submit a request relating to information for which Physicare.ai acts as controller, contact privacy@physicare.ai. Physicare.ai may require reasonable verification of identity before responding.

13. Breach and Incident Response

Physicare.ai maintains processes to identify, investigate, document, and respond to security and confidentiality incidents.

Where Physicare.ai acts on behalf of a customer and becomes aware of a breach affecting Customer Data, Physicare.ai will notify the customer without undue delay and provide information reasonably necessary to support the customer's legal and regulatory obligations.

Where Physicare.ai is independently required by applicable law to notify individuals, regulators, or authorities, it will do so in accordance with that law.

14. Cookies and Website Analytics

Physicare.ai uses strictly necessary cookies required for the operation and security of the website and Services.

Physicare.ai may also use optional analytics cookies or similar technologies where permitted by law and, where required, only with prior consent.

Users may manage cookie preferences through the website's consent tools where available.

15. Children and Minors

The Services are not directed to children as independent users, except where a healthcare customer uses the Services in connection with the care of minors.

In such cases, the relevant healthcare customer remains responsible for obtaining any required authority, notice, or consent under applicable law.

16. EEA and UK Addendum

Where GDPR or UK GDPR applies:

  • Physicare.ai processes personal data only on a valid legal basis
  • where Physicare.ai acts as processor, the customer remains responsible for Articles 6 and 9 legal bases and associated transparency obligations
  • transfers of personal data outside the EEA or United Kingdom are subject to an appropriate transfer mechanism, which may include the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum, together with supplementary measures where required
  • where required by Article 27 GDPR, Physicare.ai will designate an EU representative or document the basis on which Article 27 does not apply

17. Changes to this Privacy Policy

Physicare.ai may update this Privacy Policy from time to time.

If a change materially affects rights or obligations, Physicare.ai will provide reasonable notice by email, through the Services, or by other appropriate means.

The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.

18. Contact Information and Complaints

Privacy contact: privacy@physicare.ai

Support contact: support@physicare.ai

Mailing address: #300 - 204 Rue du St.-Sacrement, Montréal, QC H2Y 1W8

Individuals may also lodge a complaint with the competent privacy or data protection authority in their jurisdiction.
