Privacy Policy

Last updated: April 27, 2026

Effective date: April 27, 2026

ElderCare Companion Inc. ("ElderCare Companion", "we", "us", or "our") provides a home-care management platform consisting of a web dashboard and a mobile application for iOS and Android (together, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information — including personal health information — when you use the Service.

We comply with the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and with applicable provincial health privacy laws in the provinces where we operate, including An Act Respecting the Health Information Privacy and Management Act in New Brunswick, the Personal Health Information Act (PHIA) in Nova Scotia, the Health Information Act in Prince Edward Island, and the Personal Health Information Act (PHIA) in Newfoundland and Labrador.

Roles under privacy law. When a home-care agency, long-term care facility, or government client uses ElderCare Companion to manage care for its clients or residents (the "Customer"), the Customer is the data controller / "custodian" of the personal health information stored in their tenant. ElderCare Companion acts as a service provider / processor on the Customer's behalf, under a written data processing agreement. If you are a caregiver, family member, or patient interacting with the Service, you should also consult the Customer's own privacy notice — they decide what information is collected and how it is used.

1. Information We Collect

Account information. Name, email address, phone number, role (e.g. PSW, nurse, family member, administrator), language preference, and the organization you belong to. We also store a hashed password and, if you enable it, a TOTP secret used for multi-factor authentication.

Personal health information ("PHI") about patients/clients. Where authorized caregivers enter information into the Service on behalf of a patient, this may include name, date of birth, address, medical history, medication schedules, allergies, care plans, vital signs, incident reports, care notes, and photographs taken during incident reporting.

Location information (mobile app only). When a caregiver clocks in or out of a shift, we collect their precise GPS coordinates at that moment to verify attendance at the patient's location. Location is collected only at the moment the caregiver presses "Clock In" or "Clock Out" — we do not track location continuously and we do not collect location in the background. GPS coordinates are encrypted at rest using AES-256-GCM. If a caregiver uses the GPS-override feature (for example, when reception is poor), we record the override reason and notify the supervisor.

Camera and photos (mobile app only). If you choose to attach a photo to an incident report, the photo is uploaded and stored within the Customer's tenant. We never access your camera or photo library without you initiating an upload.

Push notifications (mobile app only). If you grant permission, we register a push token (Expo Push) so we can deliver shift reminders, medication alerts, and care-team messages. You may revoke this permission at any time in your device settings.

Device and log information. IP address, device type, operating system version, app version, and timestamps of API requests. We use this for security monitoring (e.g. account lockout after repeated failed logins), debugging, and abuse prevention. Errors and stack traces are reported to Sentry with personal identifiers stripped before transmission.

Audit logs. Every read, create, update, and delete operation against patient data is recorded in an append-only audit log. The log captures the responsible user, the action, the resource, the IP address, the user agent, and the timestamp. Audit logs are retained for the same period as the underlying records (see Section 6).

Billing information (administrators only). We use Stripe to process subscription payments. Stripe collects card details directly from the administrator's browser and returns a tokenized reference to us; we never store or transmit raw payment card numbers.

What we do not collect. We do not collect advertising identifiers, biometric identifiers, browsing history outside the Service, social media handles, contacts, or microphone audio. We do not run any third-party advertising or behavioural tracking on the Service.

2. Why We Collect This Information (PIPEDA Principle 2)

  • Provide the Service: deliver care management, scheduling, medication tracking, and family-portal features.
  • Verify caregiver attendance: confirm that a caregiver was at the patient's location at clock-in / clock-out, in support of payroll integrity and regulatory inspection requirements.
  • Generate compliance reports: produce the audit trails and incident reports required by provincial health authorities.
  • Communicate: deliver shift reminders, medication alerts, and operational messages from your care team.
  • Secure the Service: detect unauthorized access, throttle abusive traffic, investigate incidents, and maintain audit trails.
  • Comply with law: respond to lawful requests from regulators, courts, or health authorities.

We do not use personal information for advertising. We do not sell personal information to anyone. We do not use personal health information to train machine-learning models.

3. Legal Basis for Processing (PIPEDA Principle 3 — Consent)

We process personal information on the following bases:

  • Express consent from each registered user at account creation, and from each Customer organization at the data-processing-agreement step of onboarding (the "PIPEDA Acknowledgement" recorded against the organization record).
  • Implied consent for the operational use of personal health information within the Customer's care delivery, provided the Customer has obtained the patient's (or substitute decision-maker's) consent in accordance with their own privacy obligations.
  • Legal obligation where applicable laws require retention or disclosure.

You may withdraw consent at any time by contacting your organization administrator or our Privacy Officer (Section 11). Withdrawal of consent does not apply retroactively, and may require us to terminate your access to the Service if we cannot lawfully provide it without the withdrawn information.

4. How We Share Information

We disclose personal information only as follows:

Within your Customer organization. Personal information is visible to other users of the same Customer organization to the extent permitted by their assigned role. For example: PSWs see their own assigned shifts and patients; supervisors and administrators see all patients in the organization; family members see only patients to whom they have been explicitly linked.

Service providers (sub-processors). We rely on the following third parties to operate the Service. Each is bound by a written data-processing agreement that requires confidentiality, security, and processing only on our documented instructions:

Sub-processor | Purpose | Data location
DigitalOcean App Platform | Application hosting (FastAPI app, ARQ worker), Redis cache | Canada (Toronto)
DigitalOcean Managed PostgreSQL | Primary application database | Canada (Toronto)
Vercel | Marketing site (no personal data) | Global CDN
Stripe | Subscription billing | United States & Canada
Sentry | Error monitoring (PII scrubbed before transmission) | United States
Expo (EAS) | Mobile build pipeline and push notification routing | United States
Apple / Google | App distribution and platform push delivery (APNs / FCM) | Global

When required by law. We may disclose personal information to comply with a valid legal obligation — for example, a court order, statutory reporting duty, or lawful request by a regulator. Where permitted, we will notify the affected Customer first.

To prevent harm. We may disclose information to prevent imminent serious harm to a person or to investigate suspected fraud or security incidents.

Business transactions. If ElderCare Companion is acquired, merged, or reorganized, personal information may be transferred to the successor entity, which will remain bound by this Privacy Policy or an equivalent.

We do not share personal information with advertising networks, data brokers, or any party for marketing purposes.

5. Cross-Border Transfers

Application data — including personal health information — is hosted in Canada on DigitalOcean's Toronto (TOR1) region; the primary PostgreSQL database is also a DigitalOcean Managed Database in the same region. Some sub-processors listed in Section 4 (Stripe, Sentry, Expo, Apple, Google) process limited categories of data outside Canada, primarily in the United States. Where data is transferred outside Canada it remains subject to contractual commitments equivalent to PIPEDA and may, while it is outside Canada, be accessible to foreign law enforcement under the laws of that jurisdiction. By using the Service you acknowledge these transfers.

Customers on Enterprise or Government plans may configure stricter data-residency settings through their DataResidencyConfig, including a primary region and backup region constrained to Canada.

6. How Long We Keep Information

Personal health information is retained for the longer of: (a) the period required by the applicable provincial health-records law (typically 10 years from the date of the last service for adults, longer for minors), or (b) the retention period configured by the Customer. The default data_retention_days setting is 3,653 days (10 years).

Account information for caregivers and family members is retained while the account is active. When an account is deactivated, the user record is soft-deleted (the row is preserved with is_active = false) so that the audit trail of historical care activity remains intact, as required by health-records retention law. The user's email address is replaced with a non-identifying value upon deletion request.

Audit logs are retained for the same period as the underlying records they describe.

Backups are retained for 30 days and are then overwritten. A deletion request will result in the data being purged from primary storage immediately and from backups within 30 days.

Billing records are retained for seven (7) years to comply with Canadian tax and corporate record-keeping requirements.

7. Security Safeguards (PIPEDA Principle 7)

We implement administrative, physical, and technical safeguards proportionate to the sensitivity of personal health information:

  • AES-256-GCM encryption at rest for all PHI fields (medical info, GPS coordinates, care notes, health log values), with a per-record random 96-bit nonce.
  • TLS 1.2+ with HSTS enforced on all network traffic.
  • JWT access tokens (1-hour TTL) and refresh tokens (7-day TTL) with rotation and revocation on logout.
  • Multi-factor authentication (TOTP, RFC 6238) available to all users and required for administrators.
  • Account lockout after 5 failed login attempts within a 15-minute window.
  • Rate limiting on authentication and general API endpoints.
  • Multi-tenant isolation at the database query layer; cross-tenant access is architecturally prevented.
  • Role-based access control across PSW, nurse, supervisor, administrator, scheduler, and family roles.
  • Append-only audit logs recording every access and mutation of PHI.
  • Vulnerability monitoring via dependency scanning, static analysis, and a designated security contact for responsible disclosure.

No system is perfectly secure. If we suffer a breach involving personal information that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible, in accordance with PIPEDA's Breach of Security Safeguards Regulations.

8. Your Rights (PIPEDA Principle 9)

Subject to limitations under PIPEDA and provincial law, you have the right to:

  • Access the personal information we hold about you.
  • Correct personal information that is inaccurate or incomplete.
  • Withdraw consent for our collection, use, or disclosure of your information, subject to legal or contractual restrictions.
  • Request deletion of your account and personal information, subject to health-records retention obligations described in Section 6.
  • Receive a copy of your data in a structured, machine-readable format. Caregivers, supervisors, administrators, and assigned family members can trigger a data export from within the Service. Patients (or substitute decision-makers) may exercise this right by contacting their care provider or our Privacy Officer.
  • Lodge a complaint with our Privacy Officer or with the Office of the Privacy Commissioner of Canada.

Account deletion. You can delete your account from inside the app at any time: Settings → Privacy & Data → Delete My Account. Deletion is immediate; you will be signed out on every device. Your name, email, and any stored authentication factors are removed right away. Records of care you authored (shifts, notes, audit log entries) are retained but pseudonymized — they remain in the system for the period required by PIPEDA and provincial health-records law (typically ten years), but can no longer be linked back to you. If you cannot access the app, email privacy@eldercare-companion.com; we respond within 30 days.

9. Children

The Service is intended for use by adult caregivers, healthcare professionals, organization administrators, and family members aged 16 or older. We do not knowingly collect personal information from children under 16 as registered users. The Service may, on behalf of a Customer, hold information about minor patients receiving care; that information is governed by the Customer's privacy obligations to those patients and their legal guardians.

10. Mobile-App Permissions

The mobile app requests the following device permissions. Each is optional and used only for the listed purpose:

  • Location (precise, foreground only). Used at clock-in and clock-out to verify attendance at the patient's address. We do not request background location.
  • Camera and photo library. Used only when you attach a photo to an incident report.
  • Notifications. Used to deliver shift reminders, medication alerts, and care-team messages.

You may revoke any of these permissions at any time in your device's system settings.

11. Privacy Officer & Contact

ElderCare Companion's Privacy Officer is responsible for compliance with this policy and with PIPEDA. To exercise any of your rights under Section 8, ask a question, or file a complaint:

Privacy Officer: [PRIVACY OFFICER NAME — please complete]
Email: privacy@eldercare-companion.com
Mail: ElderCare Companion Inc., [REGISTERED ADDRESS — please complete]
Web: Contact Form

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or 1-800-282-1376, or your provincial privacy commissioner.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Service, in our sub-processors, or in applicable law. The "Last updated" date at the top of this page will reflect the most recent version. For material changes — for example, the addition of a new category of information or a new sub-processor — we will notify Customers in-app and by email at least thirty (30) days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Disclosures Required by App Stores

Apple App Store. The data collected by the Service and how it is used is also summarized in the App Privacy section of our App Store listing. The two summaries are intended to be consistent; if a discrepancy exists, this Privacy Policy is authoritative.

Google Play. The same information is reported in the Play Console Data Safety form. Categories disclosed include "Personal info", "Health and fitness", "Location", "Photos and videos", "App activity", and "App info and performance".

We do not share data with advertisers, do not collect data for ad personalisation, and do not use Apple's IDFA or Google's AAID.