Privacy Policy

Version 2.0 · Effective 2026-02-15

Privacy Policy

1. Introduction

Proactives Health (“Proactives”, “we”, “us”, or “our”) operates the Proactives Health platform at proactives.ai. This Privacy Policy describes how we collect, use, disclose, and protect your personal information and personal health information when you use our service. We are committed to protecting your privacy in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's Personal Health Information Protection Act (PHIPA).

2. Information We Collect

Account Information:

• Name and email address
• Password (stored as a one-way hash; we cannot read your password)
• Authentication method (email/password or Google OAuth)

Health Documents:

• Medical records, lab results, imaging reports, and other health documents you upload
• Information extracted from those documents by our AI systems
• Health summaries, insights, and trends generated from your documents

Usage Data:

• Log data (IP address, browser type, pages visited)
• Feature usage patterns (which features you use, not the content you view)
• Error and performance data to improve the service

3. How We Use Your Information

• Health record organization: Extracting, categorizing, and summarizing your uploaded documents
• AI analysis: Generating health insights, trends, and educational information from your de-identified records
• Chat functionality: Allowing you to ask questions about your health records using AI
• Account management: Authentication, account recovery, and service communications
• Service improvement: Analyzing aggregated, anonymized usage patterns to improve features

4. AI Services & Third-Party Processors

We use the following third-party AI services to analyze and organize your health information. All personal health information is de-identified before being sent to these providers:

• OpenAI (GPT models) — Document analysis, health summarization, and chat
• Anthropic (Claude models) — Document analysis, health summarization, and chat
• Google (Gemini models) — Document analysis and health summarization
• Microsoft Azure AI (Azure OpenAI Service, Azure Document Intelligence) — Document processing, OCR, and AI analysis

5. De-Identification Process

Before any document content is transmitted to a third-party AI provider, our system applies automated de-identification that removes or masks the following identifiers:

• Full names, initials, and signatures
• Dates of birth, admission/discharge dates, and appointment dates
• Addresses, postal codes, and phone numbers
• Health card numbers (OHIP, etc.) and other government identifiers
• Medical record numbers (MRN) and account numbers
• Email addresses and device identifiers

Only de-identified clinical content (e.g., lab values, medication names, diagnoses) is transmitted for AI processing. Your original documents with full identifiers remain encrypted within your account and are never shared with third parties.

6. Data Residency

All user data is stored on Microsoft Azure Canada Central (Toronto) infrastructure. This includes:

• Account information and authentication data
• Uploaded documents (encrypted at rest)
• Extracted health data and AI-generated summaries
• Chat history and user preferences

De-identified content sent to AI providers for processing may be transmitted to data centers outside Canada, but this content contains no personally identifiable information and cannot be linked back to any individual.

7. PHIPA & PIPEDA Compliance

We comply with applicable Canadian privacy legislation by:

• Obtaining informed consent before collecting and processing personal health information
• De-identifying health data before any third-party AI processing
• Storing all identifiable data in Canada
• Implementing encryption at rest and in transit
• Maintaining access controls and audit logs
• Providing users with access to, correction of, and deletion of their data
• Appointing a privacy officer responsible for compliance

8. Data Retention & Deletion

We retain your personal information and health data for as long as your account is active. You may at any time:

• Delete individual documents from your account
• Export your data in a portable format
• Delete your entire account, which permanently removes all your data from our systems within 30 days

Upon account deletion, we remove all personal data, health records, and AI-generated content. Anonymized, aggregated analytics data that cannot identify any individual may be retained.

9. Data Security

• Encryption at rest: All stored data is encrypted using AES-256
• Encryption in transit: All connections use TLS 1.2 or higher
• Access controls: Role-based access with audit logging
• Authentication: Secure password hashing (bcrypt), optional passkey/biometric support
• Infrastructure: Azure-managed security, DDoS protection, and network isolation

10. Your Rights

Under PIPEDA and PHIPA, you have the right to:

• Access your personal information and health data held by us
• Correct inaccurate personal information
• Delete your account and all associated data
• Data portability — export your health records
• Withdraw consent for data processing (which may require account closure)
• File a complaint with the Office of the Privacy Commissioner of Canada or the Ontario Information and Privacy Commissioner

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the version number and effective date at the top of this page
• Notify registered users by email of significant changes
• Provide a summary of what changed

Continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to file a complaint, please contact us:

• Email: privacy@proactives.org
• Organization: Proactives Health, Toronto, Ontario, Canada