BioSport Health Inc. (“we,” “our,” or “us”) is committed to protecting the privacy and security of our users’ personal data. This Privacy Policy outlines our practices regarding the collection, use, storage, and sharing of patient data in compliance with applicable data protection regulations, including but not limited to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other relevant laws in the United States, Canada, the Middle East, and Europe. This policy applies globally, including within Alberta, Canada, the United States, and all jurisdictions where we conduct business.
We collect patient data through various methods, including:
Direct Interactions: Information provided by patients during consultations, via our website, or through our mobile applications.
Automated Technologies: Data collected through cookies, web beacons, and other tracking technologies when patients interact with our digital services.
Third-Party Sources: Information received from healthcare providers, insurers, and other partners.
Personal Identification Information: Name, address, email, phone number, date of birth, gender, nationality.
Health Information: Medical history, treatment records, diagnostic data, prescription information, health insurance information, physician notes, and lifestyle information (e.g., diet, exercise).
Technical Data: IP address, browser type, operating system, device information, and usage data from our website and applications.
Financial Information: Payment details, billing address, transaction history.
Treatment and Care Management: To provide and manage patient care, including diagnostics, treatment plans, and follow-up services.
Health Monitoring: To monitor patient health conditions and manage chronic diseases.
Patient Communication: To communicate with patients regarding their treatment, appointments, follow-ups, and general health advice.
Service Updates: To inform patients about updates to our services, including changes to our privacy policy.
Research: To conduct research and analysis aimed at improving our healthcare services and understanding health trends.
Innovation: To develop new healthcare services and products.
Regulatory Requirements: To comply with legal and regulatory requirements, including reporting obligations.
Legal Proceedings: To respond to legal processes and protect our legal rights.
Promotional Communications: To send marketing materials and promotions related to our services, with patient consent where required.
Location: Data is stored securely in data centers located within jurisdictions that provide adequate data protection.
Retention: Patient data is retained for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, and resolve disputes. Specific retention periods by jurisdiction are as follows:
European Union (GDPR)
Generally retained for up to 10 years after the last patient interaction unless a longer period is required by law.
Retained for at least 6 years from the date of creation or the date it was last in effect, whichever is later.
Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.
Retained for as long as necessary to fulfill the purposes outlined in this policy, generally up to 10 years, unless otherwise required by law.
Retention periods vary by country but generally data is retained for up to 10 years unless a longer period is required by local law.
Generally retained for up to 10 years unless otherwise required by law.
Retained for up to 7 years from the last patient interaction unless otherwise required by law.
Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.
Retained for as long as necessary to fulfill the purposes outlined in this policy, typically up to 10 years, unless otherwise required by law.
We implement robust security measures to protect patient data from unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption: Sensitive data is encrypted both in transit and at rest.
Access Controls: Secure access controls and authentication mechanisms are in place to limit access to authorized personnel only.
Security Audits: Regular security audits and risk assessments are conducted to identify and mitigate potential vulnerabilities.
Training: Employees receive regular training on data protection and confidentiality obligations.
Care Coordination: Data is shared with healthcare providers and professionals involved in the patients’ care to ensure coordinated treatment.
Third-Party Services: We share data with third-party service providers who assist us in operating our business and delivering services, such as cloud storage providers, IT support, and payment processors.
Compliance: Data may be shared when required by law or regulation, such as in response to a court order or legal process.
Authorized Sharing: Data is shared with third parties for purposes not covered by this policy only with patient consent.
Lawful Basis for Processing: We process personal data based on consent, performance of a contract, legal obligations, and legitimate interests. Explicit consent is obtained for sensitive data processing.
Data Subject Rights: Patients have the right to access, rectify, erase, restrict, or object to the processing of their personal data, and to data portability. Requests can be made by contacting our Data Protection Officer at dpo@thebiosport.com.
Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities to identify and mitigate risks to data subjects.
Data Protection Officer (DPO): Appointed to oversee compliance and address data protection issues.
Protected Health Information (PHI): We adhere to HIPAA requirements for the protection and confidential handling of PHI.
Notice of Privacy Practices: We provide patients with a notice detailing our HIPAA practices and their rights under HIPAA.
Business Associate Agreements (BAAs): Executed with third parties that handle PHI on our behalf to ensure compliance with HIPAA.
Breach Notification: We notify affected individuals and relevant authorities of any breaches involving PHI.
Consumer Rights: California residents have the right to know what personal information is collected, to whom it is disclosed, and to request the deletion of their personal information. They also have the right to opt out of the sale of their personal information.
Non-Discrimination: We do not discriminate against California residents who exercise their CCPA rights.
Do Not Sell My Personal Information: We provide a clear mechanism for California residents to opt out of the sale of their personal information.
Data Access Requests: Processed within 45 days, extendable to 90 days if necessary, with clear communication of any delays.
Fair Information Principles: We adhere to PIPEDA’s principles, including accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
Access and Correction: Patients can request access to and correction of their personal information by contacting our Data Protection Officer at dpo@thebiosport.com.
Breach Notification: We notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) of any data breaches that pose a real risk of significant harm.
Local Regulations: We comply with local data protection regulations in Middle Eastern countries where we operate, ensuring data protection practices align with regional laws and cultural expectations.
Data Sovereignty: Personal data may be stored within the respective country to comply with local data sovereignty laws.
Consent: Explicit consent is obtained for data collection, especially for sensitive health information.
Brazil (LGPD): Compliance with the Lei Geral de Proteção de Dados (LGPD), ensuring lawful basis for processing, data subject rights, and data breach notifications.
Australia (Privacy Act 1988): Adherence to the Australian Privacy Principles (APPs) for the collection, use, and disclosure of personal information.
China (PIPL): Compliance with the Personal Information Protection Law (PIPL), including data localization requirements and obtaining explicit consent for processing sensitive personal information.
Japan (APPI): Adherence to the Act on the Protection of Personal Information (APPI), ensuring proper handling of personal data, including notification and consent requirements.
Standard Contractual Clauses (SCCs): Used for data transfers from the EU to third countries to ensure adequate protection.
Binding Corporate Rules (BCRs): Implemented for intra-group data transfers to ensure compliance with GDPR.
Adequacy Decisions: We rely on adequacy decisions for data transfers to countries recognized by the EU as providing adequate data protection.
We use AI algorithms to enhance our healthcare services through:
Diagnostics and Treatment: Improving diagnostic accuracy and developing personalized treatment plans.
Predictive Analytics: Predicting patient health outcomes and identifying potential health risks.
Operational Efficiency: Streamlining administrative processes and improving service delivery.
Before using patient data in AI algorithms, we ensure that data is anonymized where feasible. Anonymized data is stripped of personal identifiers, making it impossible to trace back to individual patients. This enhances privacy and reduces the risk of re-identification.
Explicit Consent: We obtain explicit consent from patients before using their data in AI algorithms. This consent is documented and can be withdrawn at any time.
Informed Consent: Patients are informed about the specific purposes for which their data will be used in AI algorithms, including the benefits and potential risks.
Opt-Out Option: Patients have the option to opt out of their data being used in AI algorithms without affecting their access to our healthcare services.
We implement stringent security measures to protect data used in AI algorithms, including:
Encryption: Encrypting data both in transit and at rest.
Access Controls: Restricting access to authorized personnel only.
Regular Audits: Conducting regular audits to ensure compliance with security protocols.
We are committed to transparency and accountability in our use of AI algorithms. This includes:
Algorithmic Audits: Conducting regular audits of AI algorithms to ensure they operate as intended and do not result in biased or unfair outcomes.
Explanation of AI Decisions: Providing patients with explanations of how AI-generated decisions are made, particularly in clinical contexts.
Patients have the following rights concerning their data used in AI algorithms:
Access: Request access to data used in AI algorithms.
Correction: Request corrections to any inaccurate data used in AI algorithms.
Deletion: Request the deletion of their data from AI algorithms, subject to certain legal or contractual restrictions.
Objection: Object to the processing of their data in AI algorithms.
Portability: Request the transfer of their data to another organization in a structured, commonly used, and machine-readable format.
Withdraw Consent: Withdraw consent for the use of their data in AI algorithms at any time.
Email: dpo@thebiosport.com
Phone Number: +1 (587) 215-1277
Mailing Address: 1020-330 5 AVE SW, Calgary, Alberta, Canada T2P0L4
Copyright © 2024 BioSport Health Inc. All rights reserved.