Privacy Policy

Privacy Policy for BioSport Health Inc.

1. Introduction

BioSport Health Inc. (“we,” “our,” or “us”) is committed to protecting the privacy and security of our users’ personal data. This Privacy Policy outlines our practices regarding the collection, use, storage, and sharing of patient data in compliance with applicable data protection regulations, including but not limited to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other relevant laws in the United States, Canada, the Middle East, and Europe. This policy applies globally, including within Alberta, Canada, the United States, and all jurisdictions where we conduct business.

2. Data Collection

2.1 Methods of Collection:

We collect patient data through various methods, including:

Direct Interactions: Information provided by patients during consultations, via our website, or through our mobile applications.

Automated Technologies: Data collected through cookies, web beacons, and other tracking technologies when patients interact with our digital services.

Third-Party Sources: Information received from healthcare providers, insurers, and other partners.

2.2 Types of Data Collected:

Personal Identification Information: Name, address, email, phone number, date of birth, gender, nationality.

Health Information: Medical history, treatment records, diagnostic data, prescription information, health insurance information, physician notes, and lifestyle information (e.g., diet, exercise).

Technical Data: IP address, browser type, operating system, device information, and usage data from our website and applications.

Financial Information: Payment details, billing address, transaction history.

3. Use of Data

We use patient data for the following purposes:

3.1 Healthcare Services:

Treatment and Care Management: To provide and manage patient care, including diagnostics, treatment plans, and follow-up services.

Health Monitoring: To monitor patient health conditions and manage chronic diseases.

3.2 Communication:

Patient Communication: To communicate with patients regarding their treatment, appointments, follow-ups, and general health advice.

Service Updates: To inform patients about updates to our services, including changes to our privacy policy.

3.3 Research and Development:

Research: To conduct research and analysis aimed at improving our healthcare services and understanding health trends.

Innovation: To develop new healthcare services and products.

3.4 Legal and Regulatory Compliance:

Regulatory Requirements: To comply with legal and regulatory requirements, including reporting obligations.

Legal Proceedings: To respond to legal processes and protect our legal rights.

3.5 Marketing and Promotions:

Promotional Communications: To send marketing materials and promotions related to our services, with patient consent where required.

4. Data Storage and Security

4.1 Data Storage:

Location: Data is stored securely in data centers located within jurisdictions that provide adequate data protection.

Retention: Patient data is retained for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, and resolve disputes. Specific retention periods by jurisdiction are as follows:

European Union (GDPR)
Generally retained for up to 10 years after the last patient interaction unless a longer period is required by law.

Retained for at least 6 years from the date of creation or the date it was last in effect, whichever is later.

Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.

Retained for as long as necessary to fulfill the purposes outlined in this policy, generally up to 10 years, unless otherwise required by law.

Retention periods vary by country, but data is generally retained for up to 10 years unless a longer period is required by local law.

Generally retained for up to 10 years unless otherwise required by law.

Retained for up to 7 years from the last patient interaction unless otherwise required by law.

Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.

Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.

4.2 Data Security:

We implement robust security measures to protect patient data from unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption: Sensitive data is encrypted both in transit and at rest.

Access Controls: Secure access controls and authentication mechanisms are in place to limit access to authorized personnel only.

Security Audits: Regular security audits and risk assessments are conducted to identify and mitigate potential vulnerabilities.

Training: Employees receive regular training on data protection and confidentiality obligations.

5. Data Sharing

5.1 With Healthcare Providers:

Care Coordination: Data is shared with healthcare providers and professionals involved in the patients’ care to ensure coordinated treatment.

5.2 With Service Providers:

Third-Party Services: We share data with third-party service providers who assist us in operating our business and delivering services, such as cloud storage providers, IT support, and payment processors.

5.3 Legal Requirements:

Compliance: Data may be shared when required by law or regulation, such as in response to a court order or legal process.

5.4 With Patient Consent:

Authorized Sharing: Data is shared with third parties for purposes not covered by this policy only with patient consent.

6. Compliance with Global Privacy Regulations

6.1 GDPR Compliance (European Union):

Lawful Basis for Processing: We process personal data based on consent, performance of a contract, legal obligations, and legitimate interests. Explicit consent is obtained for sensitive data processing.

Data Subject Rights: Patients have the right to access, rectify, erase, restrict, or object to the processing of their personal data, and to data portability. Requests can be made by contacting our Data Protection Officer at dpo@thebiosport.com.

Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities to identify and mitigate risks to data subjects.

Data Protection Officer (DPO): Appointed to oversee compliance and address data protection issues.

6.2 HIPAA Compliance (United States):

Protected Health Information (PHI): We adhere to HIPAA requirements for the protection and confidential handling of PHI.

Notice of Privacy Practices: We provide patients with a notice detailing our HIPAA practices and their rights under HIPAA.

Business Associate Agreements (BAAs): Executed with third parties that handle PHI on our behalf to ensure compliance with HIPAA.

Breach Notification: We notify affected individuals and relevant authorities of any breaches involving PHI.

6.3 CCPA Compliance (California, USA):

Consumer Rights: California residents have the right to know what personal information is collected, to whom it is disclosed, and to request the deletion of their personal information. They also have the right to opt out of the sale of their personal information.

Non-Discrimination: We do not discriminate against California residents who exercise their CCPA rights.

Do Not Sell My Personal Information: We provide a clear mechanism for California residents to opt out of the sale of their personal information.

Data Access Requests: Processed within 45 days, extendable to 90 days if necessary, with clear communication to the requester about any delays.

6.4 PIPEDA Compliance (Canada):

Fair Information Principles: We adhere to PIPEDA’s principles, including accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

Access and Correction: Patients can request access to and correction of their personal information by contacting our Data Protection Officer at dpo@thebiosport.com.

Breach Notification: We notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) of any data breaches that pose a real risk of significant harm.

6.5 Middle East Compliance:

Local Regulations: We comply with local data protection regulations in Middle Eastern countries where we operate, ensuring data protection practices align with regional laws and cultural expectations.

Data Sovereignty: Personal data may be stored within the respective country to comply with local data sovereignty laws.

Consent: Explicit consent is obtained for data collection, especially for sensitive health information.

6.6 Other Global Regulations:

Brazil (LGPD): Compliance with the Lei Geral de Proteção de Dados (LGPD), ensuring lawful basis for processing, data subject rights, and data breach notifications.

Australia (Privacy Act 1988): Adherence to the Australian Privacy Principles (APPs) for the collection, use, and disclosure of personal information.

China (PIPL): Compliance with the Personal Information Protection Law (PIPL), including data localization requirements and obtaining explicit consent for processing sensitive personal information.

Japan (APPI): Adherence to the Act on the Protection of Personal Information (APPI), ensuring proper handling of personal data, including notification and consent requirements.

6.7 International Data Transfers:

Standard Contractual Clauses (SCCs): Used for data transfers from the EU to third countries to ensure adequate protection.

Binding Corporate Rules (BCRs): Implemented for intra-group data transfers to ensure compliance with GDPR.

Adequacy Decisions: We rely on adequacy decisions for data transfers to countries recognized by the EU as providing adequate data protection.

7. Use of Data in AI Algorithms

7.1 Purpose of using AI algorithms:

We use AI algorithms to enhance our healthcare services through:

Diagnostics and Treatment: Improving diagnostic accuracy and developing personalized treatment plans.

Predictive Analytics: Predicting patient health outcomes and identifying potential health risks.

Operational Efficiency: Streamlining administrative processes and improving service delivery.

7.2 Data Anonymization:

Before using patient data in AI algorithms, we ensure that data is anonymized where feasible. Anonymized data is stripped of personal identifiers, making it impossible to trace back to individual patients. This enhances privacy and reduces the risk of re-identification.

7.3 Patient Consent for AI Data Use:

Explicit Consent: We obtain explicit consent from patients before using their data in AI algorithms. This consent is documented and can be withdrawn at any time.

Informed Consent: Patients are informed about the specific purposes for which their data will be used in AI algorithms, including the benefits and potential risks.

Opt-Out Option: Patients have the option to opt out of their data being used in AI algorithms without affecting their access to our healthcare services.

7.4 Data Security for AI Algorithms:

We implement stringent security measures to protect data used in AI algorithms, including:

Encryption: Encrypting data both in transit and at rest.

Access Controls: Restricting access to authorized personnel only.

Regular Audits: Conducting regular audits to ensure compliance with security protocols.

7.5 Transparency and Accountability:

We are committed to transparency and accountability in our use of AI algorithms. This includes:

Algorithmic Audits: Conducting regular audits of AI algorithms to ensure they operate as intended and do not result in biased or unfair outcomes.

Explanation of AI Decisions: Providing patients with explanations of how AI-generated decisions are made, particularly in clinical contexts.

7.6 Data Subject Rights:

Patients have the following rights concerning their data used in AI algorithms:

Access: Request access to data used in AI algorithms.

Correction: Request corrections to any inaccurate data used in AI algorithms.

Deletion: Request the deletion of their data from AI algorithms, subject to certain legal or contractual restrictions.

Objection: Object to the processing of their data in AI algorithms.

Portability: Request the transfer of their data to another organization in a structured, commonly used, and machine-readable format.

Withdraw Consent: Withdraw consent for the use of their data in AI algorithms at any time.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify patients of any significant changes by posting the updated policy on our website and, where appropriate, through other communication channels.

9. Contact Us

If you have any questions or concerns about this Privacy Policy or our data protection practices, please contact our Data Protection Officer at:

Data Protection Officer

Email:
dpo@thebiosport.com

Phone Number:
+1 (587) 215-1277

Mailing Address:
1020-330 5 AVE SW, Calgary,
Alberta, Canada
T2P0L4