BridgeSync Health

Privacy Policy

Last updated: January 10, 2025

HIPAA Compliant
PIPEDA Compliant
TGV Compliant
PHIPA Compliant
SOC 2 Type II

Our Commitment to Privacy

At BridgeSync Technologies Inc. ("BridgeSync", "we", "us", or "our"), we understand that healthcare data is among the most sensitive information you can entrust to a technology provider. This Privacy Policy explains how we collect, use, protect, and share information when you use our medical EMR synchronization platform.

We are committed to maintaining the highest standards of data protection and regulatory compliance across North American healthcare jurisdictions.

Information We Collect

Healthcare Information (PHI/PII)

As a healthcare technology provider, we process Protected Health Information (PHI) and Personal Health Information (PII) including:

  • Patient demographics and contact information
  • Medical records and clinical data
  • Appointment and scheduling information
  • Insurance and billing information
  • Treatment notes and care plans
  • Prescription and medication data

Account and Practice Information

  • Healthcare provider and staff contact details
  • Practice or organization information
  • User account credentials and preferences
  • Billing and subscription information

Technical Information

  • System logs and usage analytics
  • Device and browser information
  • IP addresses and connection data
  • Performance and error reporting data

How We Use Your Information

We use the information we collect solely for legitimate healthcare operations and service provision:

Primary Uses

  • Synchronizing data between your EMR system and patient engagement platforms
  • Facilitating patient appointment booking and management
  • Processing digital intake forms and questionnaires
  • Enabling secure patient-provider messaging
  • Supporting payment processing and billing operations
  • Sending automated appointment reminders and notifications

Secondary Uses

  • Providing customer support and technical assistance
  • Improving our services and developing new features
  • Ensuring system security and preventing fraud
  • Complying with legal and regulatory requirements
  • Generating anonymized analytics for service optimization

Data Protection and Security

Encryption and Security Measures

  • End-to-End Encryption: All data is encrypted in transit using TLS 1.3
  • At-Rest Encryption: Data is encrypted using AES-256 encryption when stored
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and monitoring systems
  • Regular Audits: SOC 2 Type II compliance with annual security assessments

Data Centers and Infrastructure

  • Canadian data centers for Canadian healthcare providers
  • U.S. data centers for American healthcare providers
  • ISO 27001 certified hosting facilities
  • Redundant systems and disaster recovery procedures
  • 24/7 security monitoring and incident response

Regulatory Compliance

HIPAA Compliance (United States)

  • We serve as a Business Associate under HIPAA
  • Business Associate Agreements (BAAs) executed with all covered entities
  • Administrative, physical, and technical safeguards implemented
  • Staff training on HIPAA requirements and breach procedures
  • Incident response procedures for potential breaches

PIPEDA Compliance (Canada)

  • Consent obtained for collection, use, and disclosure of personal information
  • Information limited to purposes identified at time of collection
  • Retention periods established and data securely destroyed when no longer needed
  • Individual access rights to personal information maintained

PHIPA Compliance (Ontario)

  • Personal health information handled according to PHIPA requirements
  • Information and privacy agreements with health information custodians
  • Breach notification procedures aligned with Ontario requirements

Information Sharing and Disclosure

We do not sell, rent, or trade your healthcare information. We may share information only in the following circumstances:

Authorized Sharing

  • With Your Consent: When you explicitly authorize information sharing
  • Service Providers: With vetted third-party service providers under strict confidentiality agreements
  • Healthcare Operations: Between authorized users within your healthcare organization
  • Patient Access: With patients regarding their own healthcare information

Required Disclosures

  • Legal compliance and court orders
  • Public health and safety requirements
  • Regulatory investigations and audits
  • Law enforcement requests with proper authorization

Your Privacy Rights

Access and Control

  • Right to Access: Request copies of your information we maintain
  • Right to Correction: Request correction of inaccurate information
  • Right to Deletion: Request deletion of information (subject to legal requirements)
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your information

Patient Rights

  • Patients may request access to their own health information
  • Patients may request amendments to their health records
  • Patients may request restrictions on use and disclosure
  • Patients may file complaints regarding privacy practices

Data Retention and Deletion

When information is no longer needed, we securely delete it using industry-standard data destruction methods. Upon account termination, we provide a 90-day grace period for data export before secure deletion.

  • Healthcare Data: Retained according to applicable medical record retention laws
  • Account Information: Retained for the duration of your subscription plus 7 years
  • Technical Logs: Retained for 2 years for security and troubleshooting purposes
  • Billing Records: Retained for 7 years for tax and accounting purposes

International Data Transfers

We maintain data sovereignty by storing Canadian healthcare data in Canadian data centers and U.S. healthcare data in U.S. data centers. Cross-border data transfers are limited and occur only when:

  • Explicitly authorized by the healthcare provider
  • Required for technical support or maintenance
  • Necessary for legal compliance
  • Protected by appropriate safeguards and agreements

Cookies and Tracking

We use cookies and similar technologies to enhance your experience with our Service:

Essential Cookies

  • Authentication and session management
  • Security and fraud prevention
  • Core functionality and preferences

Analytics Cookies

  • Service performance and usage analytics
  • Error tracking and diagnostic information
  • Feature usage and optimization data

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Provide at least 30 days' notice of material changes
  • Notify you via email and through our service
  • Post the updated policy on our website
  • Maintain previous versions for reference

Your continued use of our services after the effective date constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Officer: privacy@bridgesync.health

Phone: 1-800-BRIDGE-1

Mail: BridgeSync Technologies Inc., Attn: Privacy Officer, 123 Healthcare Drive, Toronto, ON M5V 3A8, Canada

Complaints:

If you believe we have not complied with this Privacy Policy or applicable privacy laws, you may file a complaint with:

  • Canada: Office of the Privacy Commissioner of Canada
  • United States: U.S. Department of Health and Human Services
  • Ontario: Information and Privacy Commissioner of Ontario

© 2024 BridgeSync.health. All rights reserved