Privacy Policy

How we collect, protect, and use information.

Last Updated: October 21, 2025

1) Introduction

This Privacy Policy explains how PatientQ Inc. (“PatientQ”, “we”, “us”) collects, uses, discloses, and protects personal information—including Personal Health Information (PHI)—when you use our Services. We support compliance with HIPAA (USA) and PHIPA (Ontario, Canada), with hosting in North America.

If any portion of this Policy conflicts with a signed agreement (e.g., a Business Associate Agreement), that agreement will control to the extent of the conflict.

2) Key Roles & Definitions

  • Clinic (Controller/HIC/Covered Entity): determines purposes of processing; owns PHI.
  • PatientQ (Processor/Agent/Business Associate): processes data on behalf of Clinics under contract.
  • Personal Information (PI): info related to an identifiable individual.
  • PHI: health/medical info tied to care, treatment, or payment.
  • Subprocessor: third-party provider under contract to support the Services.

3) Information We Collect

  • Clinic & Staff: account details, roles, settings.
  • PHI: demographics, clinical notes, consents, appointments, billing, files, images.
  • Usage & Device: performance metrics, logs, IP, browser/OS.
  • Cookies: essential, performance, optional analytics (configurable).

4) How We Use Information

  • Deliver core EMR functions and support services.
  • Operate, secure, and improve PatientQ.
  • Comply with HIPAA/PHIPA and legal obligations.
  • Provide service announcements and product updates.

We do not sell personal information or PHI.

6) Data Ownership & Control

Clinics own and control their PHI and content. PatientQ does not claim ownership. Clinics manage access, retention, export, and deletion subject to law.

7) Sharing & Disclosure

  • Subprocessors under contract and safeguards.
  • Clinic-directed integrations or disclosures.
  • Legal requirements when lawfully compelled.
  • Business transfers with equivalent protections.

No sale of PI or PHI.

8) International Transfers & Hosting

Data is hosted and processed in North America. Contractual and technical safeguards apply to any cross-border support operations.

9) Security Safeguards

  • Encryption in transit (TLS) and at rest (e.g., AES-256 storage layers).
  • Role-based access control, least-privilege, audit logs.
  • Backups, redundancy, disaster recovery.
  • Secure development, monitoring, incident response.

10) Retention & Deletion

Clinics define PHI retention. PatientQ retains data during subscription and for legally required periods. Upon request or termination, PatientQ deletes or returns data within a commercially reasonable period, subject to backup cycles and legal duties.

11) Your Rights

  • Access and corrections (typically via your Clinic).
  • Exports and portability (Clinic-initiated).
  • Restriction/objection to non-essential uses.
  • Complaints to regulators (e.g., HHS OCR, Ontario IPC).

12) Children’s Privacy

PatientQ is not marketed to children. Clinics may process minors’ data where lawful; guardians’ rights and consents are managed by the Clinic.

13) Communications, Email & SMS

  • Operational messages (security, maintenance).
  • Patient notifications at Clinic direction (appointments, consents).
  • Opt out of non-essential marketing at any time.

14) Cookies & Controls

We use essential, functional, and optional analytics cookies. Clinics may request restrictions for patient flows. Browser settings may also limit non-essential cookies.

15) Subprocessors

PatientQ engages vetted subprocessors under confidentiality and security obligations. We can provide a current list to Clinics upon request and notify them of material changes where contractually required.

16) Third-Party Links & Integrations

Integrations used at a Clinic’s direction are governed by those third parties’ terms. Clinics must ensure appropriate notices and consents.

17) Do Not Track

We do not respond to browser DNT signals; we honor applicable consent and opt-out mechanisms as required by law.

18) Data Breach & Incident Notification

If a breach or impermissible disclosure occurs that triggers notification duties, we will notify Clinics without undue delay, consistent with HIPAA/PHIPA.

19) Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated appropriately. Continued use after changes indicates acceptance.

20) Contact Us

PatientQ Inc.
Toronto, Canada
support@patientQ.com