Privacy Policy
Last updated May 9, 2026
Health-E-Now is a Canadian virtual healthcare service. We hold your personal health information (PHI) in trust on your behalf. Under Ontario's Personal Health Information Protection Act, 2004 (PHIPA), we are a Health Information Custodian — and you have rights about how your information is collected, used, and shared. This page explains what those rights are, in plain language, with the legal references you can cite.
Who we are
"Health-E-Now," "we," "us," and "our" refer to Health-E-Now Inc., an Ontario corporation operating health-e-now.com. The treating physicians who provide care through our platform are independent CPSO-registered Ontario physicians; they are joint custodians of the PHI related to your visits.
What we collect
- Identity — legal name, date of birth, address, phone, email.
- Government identification — verified through Stripe Identity once at signup; we keep the verification result and date but not your ID images. CPSO requires identity verification before a virtual visit.
- Health information — your visit history, AI-assisted intake chart, doctor's notes (subjective, objective, assessment, plan), prescriptions, sick notes, lab requisitions, and referrals.
- Billing — payment method (stored only as a tokenized reference with our payment processor — Stripe — never as a raw card number on our servers).
- Technical data — IP address, device, and browser logs needed for security and service reliability. Retained 30 days unless required for an audit.
How we use it
We collect and use your PHI only to:
- Provide your medical visits, prescriptions, and follow-up care.
- Send the documents you authorize (Rx, sick note, lab requisition, referral) to the recipient you choose (your pharmacy, employer, lab, specialist).
- Maintain a complete medical record for the period required by Ontario law (10 years from your last visit, per CPSO and Ontario regulation).
- Bill you for your visits, and remit applicable taxes.
- Comply with our legal obligations (e.g., reportable conditions to public health, suspected child abuse, court orders) — only as required by law.
Where your data lives
In Canada. Our database is hosted in Toronto on infrastructure operated by Supabase (deployed on AWS Canada Central). Backups are encrypted and also stored in Canada. We do not transfer PHI to the United States or any other country. Some operational metadata (logs, analytics) may transit through global CDNs but is never readable PHI.
One exception: AI-assisted intake and AI Scribe note generation use Anthropic's Claude API. Inputs to Claude are de-identified where possible, are never used to train Anthropic's models (per our zero-retention API agreement), and are processed in Anthropic's North American region.
Who we share with
We share your PHI only:
- With your treating physician for the visit.
- With recipients you specify — pharmacy of choice, employer for a sick note, specialist for a referral, lab for a requisition.
- With our service providers bound by contract to keep your data confidential and process it only on our instructions: Supabase (database), Stripe (billing + identity verification), Daily.co (video), Anthropic (AI).
- When required by law — court order, subpoena, public-health reporting obligation. We notify you unless legally prohibited.
We do not sell your data. We do not share PHI with advertisers, data brokers, or social platforms.
Your rights under PHIPA
- Access — request a copy of your PHI. From your account, go to Account → Privacy → Download my data. You can also email us; we'll respond within 30 days.
- Correction — ask us to correct anything you believe is wrong.
- Withdraw consent — for any specific use beyond what's strictly required for your care.
- Lock-box — restrict who within Health-E-Now can see your record (note: this may limit our ability to provide care).
- Complaint — to us first, and if unresolved, to the Information and Privacy Commissioner of Ontario.
- Account closure — close your account from Account → Privacy. Your medical record is retained per CPSO's 10-year rule but no new PHI is collected.
Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to PHI is restricted by Row-Level Security at the database — your data is queryable only by you, your treating physician, and (for B2B visits) the requesting paramedical clinic. All staff with system access are bound by confidentiality agreements and must use multi-factor authentication.
If we ever experience a privacy breach affecting your PHI, we will notify you and (where required) the Information and Privacy Commissioner of Ontario without unreasonable delay.
Cookies + analytics
We use only the essential cookies needed for sign-in (Supabase session, Stripe payment session). We do not run marketing pixels, retargeting, or third-party analytics on logged-in pages. The marketing site uses privacy-respecting page counts (no cross-site tracking).
Children
We provide care to children only with the explicit consent of a parent or legal guardian, who must be the account holder and must add the child as a dependent from Account → Family. Children 12+ in Ontario have additional rights to consent to their own care under PHIPA — please contact us if you'd like to set that up.
Changes to this policy
We will email you any material change at least 30 days before it takes effect. The current version is always at this URL with a "last updated" date.
Contact us
Privacy Officer
Health-E-Now Inc.
Email: privacy@health-e-now.com
Phone: 1-833-HEN-CARE
This page is provided as plain-language guidance and is not a substitute for the full PHIPA statute. The full Act is available at ontario.ca/laws/statute/04p03.