Privacy Policy

1. Introduction and Scope

FindYourDoctor.ca ("we," "our," "us," or the "Service") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information obtained through our Service, which provides a community-driven resource to help residents of Ontario, Canada, locate family practice clinics accepting new patients.

Our mission is to support Ontarians in their search for healthcare access during a significant healthcare crisis affecting approximately 2.5 million residents who lack primary care physicians. We recognise the sensitivity of healthcare-related information and are committed to handling all personal information with the highest standards of privacy protection.

This Privacy Policy applies to all users of FindYourDoctor.ca, including visitors browsing the clinic directory, registered users, Alert Service subscribers, Assisted Access programme participants, and clinic staff who claim their listings. By using our Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2. PIPEDA Compliance Statement

FindYourDoctor.ca is committed to full compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing the collection, use, and disclosure of personal information by private sector organisations.

We adhere to the ten fair information principles set forth in PIPEDA:

1. Accountability: We have designated a Privacy Officer responsible for our compliance with this Privacy Policy and PIPEDA.
2. Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection.
3. Consent: We obtain your informed consent for the collection, use, and disclosure of your personal information.
4. Limiting Collection: We collect only the personal information necessary for the identified purposes.
5. Limiting Use, Disclosure, and Retention: We use and disclose personal information only for the purposes for which it was collected, and retain it only as long as necessary.
6. Accuracy: We maintain personal information that is accurate, complete, and up to date.
7. Safeguards: We protect personal information with security safeguards appropriate to its sensitivity.
8. Openness: We make information about our privacy policies and practices readily available.
9. Individual Access: We provide you with access to your personal information upon request.
10. Challenging Compliance: We provide mechanisms for you to challenge our compliance with these principles.

This Privacy Policy is designed to demonstrate our commitment to these principles and provide transparency about our privacy practices.

3. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

• "Personal Information" means information about an identifiable individual, as defined under PIPEDA, including but not limited to name, email address, IP address, and any information that can be used alone or in combination with other information to identify an individual.
• "Sensitive Personal Information" means Personal Information that requires a heightened level of protection due to its nature, including health information, financial information, and information about individuals' economic circumstances (such as Assisted Access applications).
• "Service" means the FindYourDoctor.ca website, platform, applications, and all related services, features, and functionality.
• "User" or "you" means any individual or entity accessing or using the Service.
• "Account" means a registered user account created to access certain Service features.
• "Processing" means any operation performed on Personal Information, including collection, use, disclosure, retention, and disposal.
• "Third-Party Service Providers" means organisations that provide services on our behalf, such as payment processing, email delivery, and data storage.

4. Information We Collect

We collect various types of Personal Information to provide and improve our Service. Below is a comprehensive description of the information we collect, the purposes for collection, and the legal basis for processing:

Account Information

When you create an Account, we collect your email address and create a securely hashed password. We also record your account creation date and last login information.

Purpose: To create and maintain your Account, authenticate your identity, enable access to premium features, and communicate with you about your Account.

Alert Service Data

If you subscribe to the Alert Service, we collect and store the Ontario cities you wish to monitor, your specified search radius (in kilometres), language preferences, and accessibility feature requirements.

Purpose: To deliver personalised alert notifications matching your specified criteria and location preferences.

Assisted Access Application Data

When you apply for Assisted Access, we collect your email address, the city you wish to monitor, a brief written explanation of your circumstances, and your confirmation that the subscription fee represents a financial barrier. We also record your application submission date, approval status, programme expiry date, and renewal history.

Purpose: To administer the Assisted Access programme, grant appropriate access, manage renewals, and improve programme effectiveness. This information is handled with heightened confidentiality as it relates to individuals' economic circumstances.

Community Report Data

When you submit a Community Report about a clinic's patient acceptance status, we collect the status information you provide, any additional notes, the date and time of submission, and your IP address.

Purpose: To maintain current clinic information for community benefit and to prevent fraudulent or abusive reporting. IP address collection is necessary for security purposes and fraud prevention, consistent with PIPEDA's security safeguards principle.

Doctor Claiming Data

When healthcare providers claim their listings, we collect their email address, verification tokens (temporary codes sent via email), claim submission timestamps, and verification completion dates.

Purpose: To verify provider identity, prevent unauthorised claims, and enable providers to maintain accurate practice information.

Payment Information

For Alert Service subscribers, we store Stripe customer identifiers that link to your payment methods. We do not store complete payment card numbers, CVV codes, or other sensitive payment details on our servers. All payment information is securely stored by Stripe, our PCI DSS-compliant payment processor.

Purpose: To process subscription payments, manage billing, and facilitate refunds when applicable.

Search and Usage Data

We collect information about how you use the Service, including search queries (cities, postal codes), filters applied (languages, accessibility features), pages visited, features used, clicks, and interactions. We also collect device information such as device type, operating system, and browser type.

Purpose: To improve Service functionality, understand user needs, identify technical issues, and enhance user experience. This data helps us make the Service more effective for all users.

Location Data

When you search for doctors by city or postal code, or when you configure Alert Service monitoring, we use the Google Maps API to geocode your location queries into geographic coordinates (latitude and longitude).

Purpose: To provide location-based search functionality and calculate distances between your location and doctors' practices for service delivery.

Communications

When you contact us via email or through our support channels, we collect the contents of your communications, your email address, and the date and nature of your inquiry.

Purpose: To respond to your inquiries, provide customer support, resolve issues, and improve our Service based on user feedback.

Technical Data

We automatically collect certain technical information when you access the Service, including IP addresses, browser type and version, time zone settings, browser plug-in types and versions, operating system and platform, and other technology on devices used to access the Service.

Purpose: To ensure Service functionality, maintain security, diagnose technical problems, and analyse Service performance. We collect only the minimal technical data necessary for these purposes.

Analytics

We collect aggregated, anonymised usage patterns and statistics that do not identify individual users. This includes metrics such as total searches performed, popular search locations, most-viewed doctor listings, and feature usage rates.

Purpose: To understand aggregate usage trends, measure Service effectiveness, and make data-driven improvements that benefit all users. No personal identification is possible from this aggregated data.

5. How We Collect Information

We collect Personal Information through the following methods:

Direct Input with Consent

Most Personal Information is collected directly from you when you voluntarily provide it, such as when creating an Account, subscribing to the Alert Service, applying for Assisted Access, submitting Community Reports, or contacting us for support. We obtain your consent at or before the time of collection by clearly explaining the purposes for which information is being collected.

Automated Technologies with Notice

We automatically collect certain technical information through cookies and similar technologies when you visit the Service. We provide notice of this collection through this Privacy Policy and, where required, obtain consent for non-essential cookies.

Limited Third-Party Sources

In limited circumstances, we receive information from third-party service providers who assist in delivering the Service (such as payment confirmation from Stripe or geocoding data from Google Maps). These third parties are contractually obligated to handle information in accordance with applicable privacy laws.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Service. Our use of these technologies is minimal and focused on essential functionality.

Types of Cookies We Use

• Essential Cookies: Necessary for basic Service functionality, including authentication, session management, and security features. These cookies are required for the Service to work properly.
• Functional Cookies: Remember your preferences and settings to provide enhanced functionality and personalisation.
• Analytics Cookies: Help us understand how users interact with the Service through aggregated, anonymised data collection.

What We Do NOT Use: We do not use advertising cookies, tracking cookies for marketing purposes, or third-party cookies that track you across other websites. We do not sell data collected through cookies to any third party.

Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or alert you when cookies are being sent. However, if you disable essential cookies, some features of the Service may not function properly.

7. Purposes and Legal Bases for Processing

We process your Personal Information only for identified purposes and in accordance with PIPEDA's fair information principles. Each processing activity is tied to a specific purpose:

• Provide and Maintain Service: To deliver the doctor directory, search functionality, mapping features, and all core Service features (implied consent based on use of Service).
• Process Payments and Subscriptions: To charge subscription fees, manage billing, process refunds, and maintain payment records (express consent obtained at subscription).
• Send Alert Emails: To deliver doctor acceptance notifications to Alert Service subscribers based on their specified criteria (express consent obtained in compliance with CASL).
• Verify Healthcare Provider Claims: To authenticate provider identity and enable direct practice information management (legitimate purpose of service integrity).
• Prevent Fraud and Abuse: To detect, prevent, and respond to fraudulent activity, security incidents, and abuse of the Service (security safeguards principle under PIPEDA).
• Improve Platform: To analyse usage patterns, identify areas for improvement, develop new features, and enhance user experience (implied consent, legitimate interest in service improvement).
• Comply with Canadian Legal Obligations: To meet legal and regulatory requirements, respond to lawful requests from authorities, and protect legal rights (legal obligation).
• Service Communications: To send transactional emails, account notifications, service updates, and respond to support inquiries (implied consent for transactional communications, express consent for marketing where applicable).

8. Consent and Withdrawal

Consent is fundamental to our privacy practices. We obtain your consent for the collection, use, and disclosure of Personal Information, and respect your right to withdraw consent.

How We Obtain Consent

Express Consent: For sensitive uses of Personal Information (such as processing Assisted Access applications or sending Alert Service notifications), we obtain your express consent through opt-in mechanisms, checkboxes, or explicit agreement to terms.

Implied Consent: For non-sensitive uses reasonably expected in the context of Service delivery (such as using your search query to display results), we rely on implied consent based on your voluntary use of the Service.

Withdrawing Consent

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent:

• For Alert Service: Cancel your subscription through your Account dashboard
• For marketing emails: Use the unsubscribe link in any email or contact us
• For Account and all associated data: Request Account deletion through our Privacy Officer

Consequences of Withdrawal

Withdrawing consent for certain processing may limit or prevent us from providing specific Service features. For example, cancelling the Alert Service means you will no longer receive notifications, and deleting your Account means you will lose access to all Account-based features. We will inform you of any such consequences before you withdraw consent.

9. Information Sharing and Disclosure

We engage in limited sharing of Personal Information only as necessary to provide the Service and in accordance with this Privacy Policy. We do not sell your Personal Information to third parties for their marketing purposes.

Service Providers

We share Personal Information with third-party service providers who perform services on our behalf under contractual obligations that require them to keep your information confidential and use it only for purposes we specify:

• Stripe (Payment Processing): Processes subscription payments securely; receives billing information necessary to complete transactions
• Resend (Email Delivery): Delivers alert notifications and account communications; receives email addresses and message content
• Google Maps (Geocoding and Mapping): Converts location queries to coordinates; receives search locations
• Supabase (Data Storage and Infrastructure): Provides secure data storage and backend services; stores all Service data

All service providers are bound by written agreements requiring them to implement appropriate safeguards and use Personal Information only for specified purposes.

Legal Requirements

We may disclose Personal Information to Canadian law enforcement, government agencies, courts, or other third parties when required by law, including in response to:

• Court orders, subpoenas, or other legal processes
• Legal or regulatory requirements
• Legitimate requests from government authorities
• Protection of our legal rights or the safety of users

Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of assets, Personal Information may be transferred to successor entities. We will provide notice of such transfers and, where required by law, obtain consent before Personal Information becomes subject to different privacy practices.

Aggregated Data

We may share aggregated, non-identifiable statistics about Service usage, search patterns, and trends for analysis, reporting, and improvement purposes. This aggregated data cannot be used to identify individual users.

With Your Consent

We may share Personal Information for purposes not described in this Privacy Policy when we have obtained your explicit consent to do so.

Commitment: No Selling of Personal Information

We will never sell, rent, trade, or otherwise monetise your Personal Information for marketing purposes or provide it to third parties for their independent use. Your privacy is not a commodity to us.

10. Third-Party Service Providers

We carefully select third-party service providers and ensure they maintain adequate privacy protections. Below are details about our primary service providers and their roles:

Stripe (Payment Processing)

Stripe processes all payment transactions for Alert Service subscriptions. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification. Stripe stores payment card information securely and processes payments in compliance with Canadian payment regulations. For more information, see Stripe's Privacy Policy at stripe.com/privacy.

Google Maps API (Location Services)

We use Google Maps API to provide mapping, geocoding, and location-based search functionality. When you use map features or search by location, Google may receive your search queries and location data. We implement data minimisation practices to limit information shared with Google. See Google's Privacy Policy for more information.

Resend (Email Delivery)

Resend delivers our alert notifications and transactional emails in compliance with Canada's Anti-Spam Legislation (CASL). Resend receives email addresses and message content necessary for delivery but does not use this information for any other purpose.

reCAPTCHA (Spam Prevention)

We use Google reCAPTCHA to prevent spam and abuse in our Assisted Access application form and other user-input areas. reCAPTCHA may collect limited technical information about your browser and interaction patterns. This data sharing is necessary for security purposes.

Supabase (Data Storage and Infrastructure)

Supabase provides our backend infrastructure, database, and authentication services. All Service data, including Personal Information, is stored on Supabase's secure servers with encryption at rest and in transit. Supabase implements enterprise-grade security measures and complies with applicable data protection standards.

Vetting Process: All third-party service providers are vetted to ensure they maintain adequate privacy protections, have appropriate technical and organisational security measures in place, and comply with applicable laws. We enter into written agreements with service providers that require them to protect Personal Information and use it only for specified purposes.

11. Data Security Safeguards

We implement security safeguards appropriate to the sensitivity of Personal Information we collect and process, in accordance with PIPEDA's safeguards principle. Our security measures include:

Technical Safeguards

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest in our databases
• Secure password hashing using industry-standard algorithms
• Regular security audits and vulnerability assessments
• Firewall protection and network security measures
• Automated backup systems with encryption

Administrative Safeguards

• Access controls limiting Personal Information access to authorised personnel only
• Employee training on privacy and security practices
• Privacy Officer oversight of compliance practices
• Incident response procedures for security breaches
• Regular review and updating of security measures

Physical Safeguards

Our third-party hosting providers implement physical security measures including secure data centres, restricted physical access, environmental controls, and redundant infrastructure.

Limitations

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to maintaining security safeguards appropriate to the risk of harm from unauthorised access, use, or disclosure. We will notify you of any material security breaches as required by PIPEDA.

12. Data Retention and Disposal

We retain Personal Information only as long as necessary to fulfil the purposes for which it was collected and to meet legal, accounting, or reporting requirements. Below are our retention periods for different types of information:

• Account Information: Retained for the duration of your Account plus two (2) years after Account deletion to comply with legal obligations and handle disputes.
• Alert Service Subscription Data: Retained for the duration of your subscription plus seven (7) years for financial record-keeping requirements.
• Payment Records: Retained for seven (7) years in compliance with Canadian tax and financial reporting requirements.
• Assisted Access Applications: Retained for the duration of your participation plus three (3) years for programme administration and improvement.
• Community Reports: Retained indefinitely as they serve ongoing public benefit purposes, though personally identifying information (such as IP addresses) is deleted after two (2) years.
• Communications and Support Records: Retained for three (3) years to maintain service quality and resolve ongoing matters.
• Technical and Analytics Data: Aggregated analytics retained indefinitely; individual technical logs deleted after one (1) year.

Secure Disposal

When Personal Information is no longer required, we securely dispose of it through methods appropriate to the medium, including secure deletion of electronic records, de-identification, and irreversible anonymisation where retention for statistical purposes is necessary.

13. Your Privacy Rights Under Canadian Law

Under PIPEDA and applicable provincial privacy legislation, you have the following rights regarding your Personal Information:

Right to Access

You have the right to request access to the Personal Information we hold about you. We will provide access within thirty (30) days of receiving your written request, subject to limited exceptions permitted by law. You may request information about how your Personal Information has been used or disclosed in the previous year.

Right to Correction

You have the right to request correction of inaccurate or incomplete Personal Information. We will amend information as appropriate and notify relevant third parties who received the incorrect information, where required.

Right to Deletion

You may request deletion of your Personal Information (sometimes called the "right to be forgotten"), subject to legal and contractual retention requirements. We will delete Personal Information when it is no longer necessary for identified purposes and no legal obligation requires retention.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform you of the implications of withdrawing consent.

Right to Data Portability

You may request a copy of your Personal Information in a structured, commonly used, machine-readable format for transfer to another service provider where technically feasible.

Right to Object

You may object to certain types of processing, including processing for direct marketing purposes or processing based on legitimate interests.

Right to File a Complaint

You have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have violated PIPEDA or mishandled your Personal Information.

Right to Challenge Compliance

You may challenge our compliance with this Privacy Policy and PIPEDA. We will investigate all complaints promptly and respond substantively.

Exercising Your Rights

To exercise any of these rights, contact our Privacy Officer at privacy@findyourdoctor.ca. We will verify your identity before fulfilling requests to protect your Personal Information from unauthorised access. We do not charge fees for reasonable access requests but may charge for excessive, repetitive, or manifestly unfounded requests.

14. Privacy Officer and Accountability

In accordance with PIPEDA's accountability principle, we have designated a Privacy Officer responsible for ensuring our compliance with this Privacy Policy and applicable privacy laws.

Privacy Officer Responsibilities

Our Privacy Officer oversees:

• Implementation and maintenance of privacy policies and procedures
• Training staff on privacy obligations
• Responding to privacy inquiries and complaints
• Managing data subject access requests
• Coordinating breach response activities
• Conducting privacy impact assessments
• Liaising with the Office of the Privacy Commissioner of Canada

Complaint Resolution Process

If you have a privacy complaint:

1. Submit your complaint in writing to privacy@findyourdoctor.ca
2. We will acknowledge receipt within five (5) business days
3. We will investigate the matter promptly
4. We will provide a substantive response within thirty (30) days
5. If you are unsatisfied with our response, you may escalate to the Office of the Privacy Commissioner of Canada

Contact Our Privacy Officer

Email: privacy@findyourdoctor.ca
Response time: Within thirty (30) days

15. Children's Privacy

Our Service is intended for individuals who have reached the age of majority in Ontario, which is eighteen (18) years of age. We do not knowingly collect Personal Information from individuals under eighteen (18) years of age without parental or guardian consent.

If we discover that we have collected Personal Information from an individual under eighteen (18) without appropriate parental or guardian consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided Personal Information to us without your consent, please contact our Privacy Officer at privacy@findyourdoctor.ca so we can take appropriate action.

16. Data Storage and Residency

Your Personal Information is primarily stored on servers located in jurisdictions with adequate data protection laws. We take steps to ensure that Personal Information transferred outside Canada receives protection comparable to that required under PIPEDA.

Storage Locations

Personal Information may be stored in:

• Canada (where available and practical)
• United States (with appropriate safeguards)
• Other jurisdictions deemed to have adequate privacy protections

Cross-Border Transfer Safeguards

When Personal Information is transferred outside Canada, we implement safeguards including:

• Contractual protections requiring foreign service providers to provide privacy protection comparable to PIPEDA
• Selection of service providers in jurisdictions with strong privacy frameworks
• Technical security measures including encryption
• Regular compliance monitoring

Please note that when Personal Information is transferred to foreign jurisdictions, it may be subject to lawful access by courts, law enforcement, and national security authorities in those jurisdictions.

17. Automated Decision Making

We use automated systems to trigger alert notifications when doctors' acceptance status changes to match subscriber criteria. This automated processing does not involve significant automated decision-making that would materially affect your rights or produce legal effects.

Alert Triggering: Our alert system automatically compares doctor status changes against subscriber preferences (location, radius, languages, accessibility features) and sends email notifications when matches occur. This is a purely technical matching process that does not involve profiling or decisions affecting your substantive rights.

Assisted Access Approval: Assisted Access applications are approved automatically based on self-assessment without algorithmic scoring or automated decision-making about individual circumstances. This reflects our trust-based approach and commitment to removing barriers to access.

No Profiling: We do not engage in automated profiling, predictive analytics about individuals, or automated decision-making that would significantly affect you without human involvement.

18. Data Breach Notification

We maintain incident response procedures compliant with PIPEDA's mandatory breach reporting requirements, which came into effect on November 1, 2018.

Breach Response Procedures

In the event of a data breach involving Personal Information:

1. We will conduct a thorough investigation to determine the scope and impact
2. We will contain the breach and mitigate harm
3. We will assess whether the breach creates a real risk of significant harm
4. If significant harm risk exists, we will notify the Office of the Privacy Commissioner of Canada as soon as feasible
5. We will notify affected individuals as soon as feasible if significant harm risk exists
6. We will maintain records of all breaches as required by PIPEDA

Notification Content

Breach notifications to affected individuals will include:

• Description of the circumstances of the breach
• Date or time period of the breach
• Description of Personal Information involved
• Steps we are taking to reduce risk of harm
• Steps you can take to reduce risk of harm
• Contact information for inquiries

We are committed to transparency about security incidents while balancing investigative and remediation needs.

19. Account Deletion and Data Erasure

You have the right to request deletion of your Account and associated Personal Information at any time, subject to certain limitations.

Deletion Process

To request Account deletion:

1. If you have an Alert Service subscription, cancel it first through your Account dashboard or customer portal
2. Contact us at support@findyourdoctor.ca with your deletion request
3. We will verify your identity to prevent unauthorised deletion requests
4. We will process your deletion request within thirty (30) days

What Gets Deleted

Upon Account deletion, we will permanently delete:

• Your Account credentials and login information
• Alert Service preferences and subscription data
• Assisted Access application information
• Email addresses and contact information
• Personal preferences and settings

What May Be Retained

We may retain certain information when required by law or legitimate business purposes:

• Payment records (seven years for financial/tax compliance)
• Community Reports you submitted (anonymised and retained for public benefit)
• Records necessary to resolve disputes or enforce agreements
• Records required to comply with legal obligations
• Aggregated, anonymised data that cannot identify you

Retained records will be maintained securely and for no longer than necessary for the specified purpose.

20. Assisted Access Application Privacy

We recognise that Assisted Access applications contain Sensitive Personal Information related to individuals' economic circumstances. We treat this information with heightened confidentiality and care.

Enhanced Confidentiality Measures

• Assisted Access status is visible only in your private Account dashboard
• Application information is accessible only to authorised personnel with legitimate need
• We do not use Assisted Access information for marketing or any purpose other than programme administration
• Application data is stored with encryption and additional access controls
• We do not share Assisted Access status with third parties except where required by law

No Stigma Policy

Assisted Access users receive identical Alert Service functionality as paid subscribers. There is no visible difference in service level, features, or treatment. Your participation in the programme is treated with respect and dignity.

Limited Access

Only designated personnel responsible for programme administration can access Assisted Access application information. We maintain logs of access to this sensitive information and conduct regular audits.

21. Email Communications and CASL Compliance

We comply with Canada's Anti-Spam Legislation (CASL) in all commercial electronic messages (CEMs) we send. CASL is one of the strictest anti-spam laws in the world, and we take our obligations seriously.

Types of Emails We Send

Alert Notifications (Express Consent Required): Doctor acceptance notifications sent to Alert Service subscribers based on their specified preferences. You provide express consent when subscribing to the Alert Service.

Transactional Emails (CASL Exempt): Account-related messages including registration confirmation, password resets, subscription receipts, cancellation confirmation, and responses to your inquiries. These are exempt from CASL consent requirements as they facilitate requested transactions.

Service Updates (Implied or Express Consent): Important information about Service changes, policy updates, or security matters affecting your use of the Service.

CASL Compliance Features

All commercial electronic messages include:

• Clear identification of our organisation (FindYourDoctor.ca)
• Our contact information
• A functioning unsubscribe mechanism
• Clear indication of who is sending the message and on whose behalf

Unsubscribe Mechanisms

You can unsubscribe from:

• Alert notifications: Cancel your Alert Service subscription through your Account dashboard
• Service update emails: Use the unsubscribe link in each email or contact us at support@findyourdoctor.ca

We will process unsubscribe requests within ten (10) business days as required by CASL. Please note that you may continue to receive essential transactional emails related to your Account even after unsubscribing from marketing communications.

No Selling of Email Addresses

We will never sell, rent, trade, or provide your email address to third parties for their marketing purposes. Your email address is used solely to provide the Service you requested.

22. Accessibility of Privacy Information

In accordance with the Accessibility for Ontarians with Disabilities Act, 2005 (AODA), we are committed to ensuring that privacy information is accessible to all individuals, including those with disabilities.

This Privacy Policy is designed to be readable by screen readers and other assistive technologies. If you require this Privacy Policy in an alternative format (such as large print, audio, or other accessible formats), please contact us at accessibility@findyourdoctor.ca and we will provide it in a timely manner at no cost to you.

We welcome feedback about the accessibility of our privacy information and will work to accommodate accessibility needs to ensure everyone can understand how we handle Personal Information.

23. Provincial Privacy Laws

While PIPEDA is the primary federal privacy law governing our practices, we acknowledge that certain provincial privacy laws may apply in specific contexts, particularly where our activities involve provincial government institutions or fall under provincial jurisdiction.

In Ontario, certain sectors are governed by provincial privacy legislation such as the Personal Health Information Protection Act, 2004 (PHIPA). While FindYourDoctor.ca is not a healthcare provider or "health information custodian" under PHIPA, we recognise the importance of healthcare privacy principles and strive to implement privacy protections that respect the spirit of healthcare privacy laws.

24. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.

Notice of Material Changes

For material changes that significantly affect how we collect, use, or disclose Personal Information, we will provide at least thirty (30) days' advance notice by:

• Posting a prominent notice on the Service
• Sending an email to the address associated with your Account (if applicable)
• Displaying a notification when you log in to your Account

Consent for Significant Changes

For changes that materially reduce your rights or expand our collection, use, or disclosure of Personal Information in ways not previously disclosed, we will obtain your explicit consent before implementing the changes. You will have the opportunity to accept or decline the changes.

Your continued use of the Service after the effective date of an updated Privacy Policy (following appropriate notice) constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you should discontinue use of the Service and may request deletion of your Account.

25. Office of the Privacy Commissioner

If you believe we have violated PIPEDA or mishandled your Personal Information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

We encourage you to contact us first so we can address your concerns directly. However, you may file a complaint with the OPC at any time.

How to Contact the Privacy Commissioner

The OPC investigates complaints, conducts audits, and provides guidance on privacy matters. Complaints to the OPC are confidential and there is no fee for filing a complaint.

26. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer: