Privacy Policy
Effective Date: January 28, 2026 | Last Updated: January 28, 2026
Northern Health Innovations Inc. ("NORHI", "we", "us", or "our") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you interact with our websites, customer portals, and administrative services.
We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario's Personal Health Information Protection Act (PHIPA), and other applicable Canadian privacy laws.
By using our services or providing us with your personal information, you consent to the practices described in this Privacy Policy. You may withdraw your consent at any time as described below.
Scope of This Policy
This Privacy Policy applies to personal information collected through:
- Our corporate websites (norhi.ca, pay.norhi.ca, and related domains)
- Customer account registration and management
- Sales, billing, and support interactions
- Administrative and business communications
NORHI's Role as a Data Processor
NORHI is not a Health Information Custodian. When healthcare organizations use our platforms and devices to process personal health information (PHI), NORHI acts as a data processor on behalf of those organizations, who remain the Health Information Custodians under PHIPA. The custodian organization—not NORHI—determines the purposes for which PHI is collected, used, and disclosed, and is responsible for compliance with applicable health privacy laws.
This Privacy Policy does not govern the personal health information processed through our platforms on behalf of custodians. That information is governed by the custodian's own privacy policies and our Data Processing Agreements with those organizations.
1. Information We Collect
We collect only the information necessary to provide our services and meet our legal obligations. The type of information we collect depends on how you interact with us.
1.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Contact Information | Name, email address, mailing address, phone number |
| Business Information | Organization name, job title, healthcare organization affiliation |
| Account Credentials | Username, password (stored in hashed form) |
| Payment Information | Billing address; payment card details are processed by our payment processor (Helcim) and not stored by NORHI |
| Communications | Information you provide when contacting support or completing forms |
1.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Usage Data | Device type, browser, IP address, pages visited |
| Website Analytics | Aggregated and anonymized interaction data |
1.3 Information We Do Not Collect
NORHI does not routinely collect, access, or store personal health information (PHI) processed through our platforms by healthcare custodians. Such data remains under the control of the custodian organization and is governed by their privacy policies and our Data Processing Agreements.
We do not sell personal information and do not collect more data than necessary to provide our services.
2. How We Use Your Information
We use personal information for the following purposes:
- Service Delivery: To provide and maintain our products and services, process orders, and deliver software updates
- Account Management: To create and manage your account and authenticate users
- Billing: To process payments, send invoices, and manage subscriptions
- Communications: To respond to inquiries, provide technical support, and send service-related notices
- Security: To monitor for and prevent fraud, unauthorized access, and other security threats
- Improvement: To analyze usage patterns (in aggregate) and improve our products and services
- Legal Compliance: To meet our legal, regulatory, and contractual obligations
- Marketing: To send you marketing communications only with your consent (you may opt out at any time)
We will not use personal information for purposes other than those identified above without your consent or as required by law.
3. Consent
We obtain consent before collecting, using, or disclosing your personal information, unless the law allows otherwise. Consent may be:
- Express: You clearly agree, such as by checking a box, signing a form, or verbally agreeing
- Implied: Reasonably understood from your actions, such as providing information to complete a purchase
You may withdraw your consent at any time by contacting us. Please note that withdrawing consent may limit our ability to provide certain services to you.
4. Sharing and Disclosure
We share personal information only in limited circumstances:
4.1 Service Providers
We use trusted third-party service providers to help deliver our services, including payment processing (Helcim Inc.), Canadian cloud infrastructure, email and notification services, and anonymized analytics. These providers are contractually bound to protect your information and may only use it to provide services on our behalf.
4.2 Legal Requirements
We may disclose information if required to comply with applicable laws, regulations, or legal processes; respond to lawful requests from government authorities; protect the rights, privacy, safety, or property of NORHI, our customers, or others; or enforce our agreements and policies.
4.3 Business Transactions
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity under appropriate confidentiality safeguards.
4.4 With Your Consent
We may share information with third parties when you have given us explicit permission to do so.
5. Data Location and Sovereignty
All NORHI systems and infrastructure are located in Canada. We do not transfer personal information outside of Canada except where explicitly required for a specific service and with appropriate safeguards in place.
6. Data Security
We protect your personal information using technical, administrative, and physical security measures, including:
- Encryption: TLS 1.3 for data in transit; encrypted storage for sensitive data
- Access Controls: Role-based access, multi-factor authentication, principle of least privilege
- Network Security: Firewalls, intrusion detection, secure VPN connections
- Monitoring: Continuous system monitoring, security logging, and audit trails
- Physical Security: Secure data center facilities with controlled access
- Personnel: Employee confidentiality agreements and security training
While no system is completely secure, NORHI continuously evaluates and strengthens its security measures to protect against unauthorized access, disclosure, or loss.
Privacy Breach Response
In the event of a privacy breach that poses a real risk of significant harm, we will notify affected individuals as soon as feasible, report the breach to the Office of the Privacy Commissioner of Canada and other relevant authorities as required by law, and take steps to mitigate harm and prevent future breaches.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. When information is no longer needed, it is securely deleted, anonymized, or destroyed.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of active account plus 2 years after closure |
| Transaction Records | 7 years (legal/tax requirements) |
| Support Communications | 3 years from resolution |
| Website Analytics | 26 months (anonymized) |
8. Your Rights
Under Canadian privacy law, you have the right to:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of Consent: Withdraw your consent to our collection, use, or disclosure of your information
- Information: Receive an explanation of how your data has been used or disclosed
- Complaint: File a complaint about our privacy practices
To exercise these rights, contact our Privacy Officer (see "Contact Us" below). We will verify your identity and respond within 30 days. In some cases, we may need to extend this period, in which case we will notify you. We will not charge a fee for access requests except in limited circumstances permitted by law.
9. Cookies and Analytics
Our websites use cookies and similar technologies to improve functionality and understand usage patterns.
Types of Cookies We Use
- Essential Cookies: Required for basic website functionality (e.g., session management, security)
- Analytics Cookies: Help us understand how visitors interact with our website
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling certain cookies may affect website functionality. Our analytics tools collect aggregated, anonymized data and do not identify you personally.
10. Third-Party Links
Our websites and services may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit.
11. Children's Privacy
Our products and services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will post a notice on our website and update the "Last Updated" date at the top of this Policy. For material changes affecting existing customers, we will provide direct notice via email. Your continued use of our services after such updates constitutes acceptance of the revised Policy.
13. Complaints
If you have concerns about our privacy practices, please contact our Privacy Officer first. We will investigate and respond to your complaint.
If you are not satisfied with our response, you may contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca
For complaints related to personal health information in Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
Toll-free: 1-800-387-0073
Website: www.ipc.on.ca
14. Contact Us
For questions about this Privacy Policy or to exercise your privacy rights, please contact:
Privacy Officer – Northern Health Innovations Inc.
5600-100 King Street West
Toronto, Ontario M5X 1A9, Canada
Email: privacy@norhi.ca
Phone: (647) 601-5499
Toll-free: (844) 283-3615