OVERVIEW of TERMS AND CONDITIONS
Last updated on March 1, 2026
These TERMS AND CONDITIONS (the “Terms”) represent a legal agreement that explains your rights and obligations around your Use of the Vitall Intelligence Inc. (“VITALL”) website at www.vitall.com (the “Site”), the VITALL Web Application at app.vitall.com (the “Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) through which VITALL offers its Services, all Content, and any new features or tools that may be added to them.
Capitalized terms used in this Overview are defined in the Detailed Terms and Conditions.
BY BROWSING THE SITE OR BY CLICKING “I ACCEPT” WHEN YOU OPEN AN ACCOUNT TO USE THE Web App AND TO SUBSCRIBE TO OUR SERVICES, YOU:
IF YOU DO NOT ACCEPT ALL THESE TERMS AS PROVIDED DO NOT ACCESS OR USE THIS SITE AND DO NOT OPEN AN ACCOUNT TO SUBSCRIBE TO OUR SERVICES OR USE THE WEB APP, THE MEDLY SYSTEM, OR THE SCAN APP.
We may make some changes to or update these Terms from time to time without notice. It is your responsibility to check the Change Log on the last page of the Terms from time to time. If we make significant changes to these Terms, we will notify you of those changes and the date on which they will come into effect by posting an alert on the Site and we may also send you the notice by email.
WHEN YOU USE OR ACCESS THE SITE, THE WEB APP, THE MEDLY SYSTEM, OR THE SCAN APP, YOU ARE BOUND TO THE TERMS IN EFFECT ON THE DATE OF YOUR VISIT.
The currency date of these Terms is posted at the top of this page and the first page of the Detailed Terms and Conditions.
If you have questions about the Site, the Web App, the Scan App, or our Services, please contact us at privacy@VITALL.com.
EFFECTIVE DATE
This Privacy Notice is effective as of March 1, 2026.
BY INTERACTING WITH THE WEBSITE WWW.VITALL.COM (THE “SITE”) AND/OR THE WEB APPLICATION AT APP.VITALL.COM (THE “WEB APP”), THE MEDLY SYSTEM (“MEDLY SYSTEM”) AND/OR THE VITALL SCAN APPLICATION (“SCAN APP”), EITHER AS A VISITOR OR AS A USER, YOU AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY NOTICE AND TO OUR Terms and Conditions.
This Privacy Notice applies to PII and Personal Health Information that Vitall Intelligence Inc. (“VITALL”), located at 2 Campbell Drive, Suite 706 Uxbridge Ontario L9P1H6 Canada, collects through its Site, its Web App, its Medly System, and its Scan App in providing its Services.
Capitalized words in these Privacy Notice Highlights are defined in the Detailed Privacy Notice.
Below are highlights of our PII and Personal Health Information handling practices:
1. Information We Collect
We collect your Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) from the following sources:
The terms "we", "our" and "us" mean VITALL and the terms “you” and “your” mean the visitors or users of the Site, the Web App, the Medly System, and the Scan App.
a) information you give us when you contact us through the Contact Us Page, open an Account or subscribe for Services, when you submit customer service inquiries, or when you submit customer feedback or reviews;
b) information we collect automatically when you visit our Site, Web App, Medly System, and Scan App, such as information about your browser settings, operating system, and other information collected through cookies;
c) the information you provide to us during your Account setup; and
d) medical information that we collect or our service providers collect on our behalf with your consent from your health records or your smart health devices and/or connected apps;
2. How We Use and Disclose Your Information
a) We use your PII and PHI that we or our service providers collect from you or on your behalf to provide the Services on our Web App, Medly System, and Scan App and to manage our business operations, such as to authenticate you when you sign into your Account, to prevent loss of data and fraud, process your subscription payment, to translate your health records if they are not in English, and to monitor and improve the performance of our Site, Web App, Medly System, and Scan App;
b) We and our service providers may combine or aggregate your de-identified and pseudonymized PII and PHI, so that it will be unlikely to re-identify you from it, to monitor trends and provide and improve our respective products and services;
c) We may share or transfer your PII and PHI that we or our service providers collect from you to our service providers or Affiliates who may be outside of the country from which you access our Services under a Data Processing Agreement, and that information may be subject to privacy laws that are different from those of the country from which you access our Services.
d) We may also disclose your PII and/or PHI if a court order requires us to do so.
e) With your consent, we may use your PII to contact you for marketing, promotional, or other purposes.
3. Your Choices and Consent
a) You can change your communication preferences for marketing and advertising e-mails, participation in surveys, and to provide or withdraw consent for specific requests we or our service providers may make to collect and use your PII and PHI in the Consent portion of the Manage Account section within your Account.
b) You may withdraw your consent from our further use of your PII or PHI and you may close your Account. In that event, we may use your PII and PHI for the purposes to which you consented before you withdrew consent and we may keep information about you and your previous transactions with us for audit purposes, to ensure the integrity of our data, and to fulfill legal requirements.
c) If you consent to one of our service provider’s collection or use of your PII or PHI that they will share with us, you will be bound by their privacy policies and Terms and Conditions/use.
4. How to Contact Us
If you have a privacy question or concern, please contact us at: privacy@vitall.com.
Please review our Detailed Privacy Notice for more information about our practices.
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Policy Notice capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions, otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your internet provider (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps our visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan Web App, Scan App Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data that is converted into highly compressed binary payloads may be securely transmitted by the app (off device) to a remote cloud service where they are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address, and train our staff on, the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION OCCURS, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have their Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020:
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice, you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site, the Web App, the Medly System, or the Scan App.
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Policy Notice capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions, otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your Internet Protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps our visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan App, Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisements such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data that is converted into highly compressed binary payloads may be securely transmitted by the app (off device) to a remote cloud service where they are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address the handling of PII and PHI and we train our staff on them. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS), and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OCCURS OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have their Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted service providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020:
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site, the Web App, the Medly System, or the Scan App.
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Privacy Notice, capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions; otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your internet protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan App, Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisements such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data, which is converted into highly compressed binary payloads, may be securely transmitted by the app (off device) to a remote cloud service where the payloads are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address, and train our staff on, the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OCCURS OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have your Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020:
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on that date on which you visit the Site, the Web App, the Medly System, or the Scan App.
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Policy Notice capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions, otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your internet provider (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps our visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan Web App, Scan App Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data that is converted into highly compressed binary payloads may be securely transmitted by the app (off device) to a remote cloud service where they are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address the handling of PII and PHI, and we train our staff on them. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS), and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OCCURS OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have your Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site, the Web App, the Medly System, or the Scan App.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020:
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Policy Notice capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions, otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your Internet Protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps our visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan App, Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisements such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data, which is converted into highly compressed binary payloads, may be securely transmitted by the app (off device) to a remote cloud service where the payloads are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address, and train our staff on, the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION OCCURS, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have your Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site, the Web App, the Medly System, or the Scan App.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020:
The website www.VITALL.com (the “Site”), the Web Application app.vitall.com (“Web App”), the Medly System (“Medly System”) and the VITALL Scan App (“Scan App”) are owned by Vitall Intelligence Inc. (“VITALL”).
VITALL is a digital health platform that connects patients, caregivers, and practitioners with meaningful health information. Through integrated applications (Web App, Medly System, and Scan App) and services, VITALL enables remote care management, provides health journey insights, and consolidates medical records and real-time health data in one place (the “Services”) — improving care when and where it matters.
As used in this Policy Notice capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions, otherwise the following terms have the following meaning:
“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your internet protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site, the Web App, Medly System, or the Scan App if we can associate that PII with you. If you interact with our Site, our Web App, Medly System, or the Scan App on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.
"we", "us" or "our" means Vitall Intelligence Inc. (“Vitall”) and any of our Affiliates.
"you" or "your" means an individual Using the Site, the Web App, the Medly System, the Scan App, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.
This Privacy Notice helps visitors to our Site and Users of the Web App, Scan App and our Services to better understand how we collect, use and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We limit the PII or PHI we share with our service providers and limit their use of the data we share with them through Data Processing Agreements.
We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@vitall.com.
The ways we collect PII and PHI can be broadly categorized into:
a) Information you provide to us directly: When you visit or use parts of our Site, the Web App, the Medly System, Scan App or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, Web App, the Medly System, Scan App or receive our Services.
b) Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and smart health device information from your current and former healthcare providers and the smart health devices and app that you designate, as well as from the Scan App so that we can provide our Services to you.
c) Information we collect automatically: We may automatically collect some technical information when you visit our Site, the Web App, the Medly System, or the Scan App that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site, Web App, the Medly System, and Scan App so they are easier to use and to determine which aspects of our Services may interest you. If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.
We collect and use PII, PHI and non-personal information for the following purposes:
a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site, the Web App, or Scan App, or changes to this Privacy Notice, our Terms and Conditions or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the Web App, the Medly System, the Scan App, the Content, our Services, and our business.
c) To improve our Site, Web App, the Medly System, Scan App, and Services and develop new ones: We monitor how you use the Site, the Web App, the Medly System, the Scan App, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Web App, Medly System, Scan App, Content, and Services are used fairly and according to our Terms and Conditions.
e) With your consent, to send you targeted advertisements such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.
h) To process scans throughout the duration of the scan. Specifically, during a scan your device uses its camera to collect data from your face and/or your body and to process this data using computational models. The images and/or videos are processed by being converted into highly compressed binary payloads (blobs), which cannot be put back together to form an image or video. This data is not retained (is deleted) after the processing is completed and results are displayed/stored.
With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations, such as translation services if your health records are not in English. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services. We enter into Data Processing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.
We may share your PII or PHI, as applicable, without your explicit consent or notice to you:
a) To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
b) To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms and Conditions, this Privacy Notice, or as otherwise required by law.
c) To establish or defend our legal rights. Where possible and appropriate, we will notify you.
d) To an actual or potential buyer of VITALL (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such a case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
e) To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
f) To protect the security of the Site, Web App, the Medly System and Scan App, the Services, or the security of your Account.
g) To process data collected during a scan. This de-identified data that is converted into highly compressed binary payloads may be securely transmitted by the app (off device) to a remote cloud service where they are individually processed by computational models.
We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are SOC2 and/or ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Web App, the Medly System, Scan App, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address, and train our staff on, the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS), and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Processing Agreements we have with them.
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OCCURS OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the Web App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from or on behalf of our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our American clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
The PII and PHI that our service providers collect from or on behalf of our European clients will be stored in Canada by default, however their PII and PHI may be used or stored (processed) by our service providers outside of Canada.
We enter into Data Processing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored (processed), which may differ from and be less protective of PII than the privacy laws of your country.
If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.
Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation. When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.
If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.
If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html
If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.
Only individuals 18 years of age or older may subscribe to our Services and access the Web App and Scan App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to VITALL collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.
Please visit the Consent section within your Account Settings or contact us at privacy@vitall.com if you wish to withdraw your consent for our use of your PII and/or PHI.
You may access third-party websites through links available on our Site, the Web App, or the Scan App. These links are provided for convenience only. Once you leave our Site, Web App, or Scan App or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms and Conditions.
We have no control over those third-party websites, and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
Some third-party websites or applications accessible through our Site, Web App, or Scan App may use automated processing or artificial intelligence as part of their services. Where you choose to use such a tool or application, VITALL will treat that choice as your opt-in consent to the automated or AI-based processing performed by that third party. We recommend that you review the privacy policies of these third-party providers to understand how automated processing or AI may be applied to your PII or PHI.
When connecting third-party tools or services through our Site, Web App, or Scan App, you are also subject to the privacy policies of those third parties, and we recommend that you review them carefully before connecting. You acknowledge that third-party providers may transfer your PII or PHI outside of Canada, where it may be subject to the laws of the jurisdiction in which it is stored or processed. VITALL is not responsible for the privacy practices of these third parties, and your use of any third-party tool or service is at your own risk.
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.
We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII and PHI directly in your Account and you may also request access to your Account.
If you have questions or identify any errors in your Account you can notify us by using the Report feature or you can contact us at privacy@vitall.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
15. Access: Right to your data
You may access your Account and request for your data and information to be exported for the purpose of porting to another entity. If you make such a request, we will provide it to you at no charge. You can request this export by contacting us at privacy@vitall.com.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
EU residents have the right, in certain circumstances, to have their Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.
To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please request for your account to be Deactivated within the Account Settings section. In addition to this, please email us at privacy@vitall.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
This section provides specific privacy notices governing the use of the Medly System, which includes mobile apps (“Medly App”) for mobile devices used by patients (Patient Users); as well as the use of the Practitioner Dashboard (“Dashboard”) for web browsers used by practitioners (Practitioner Users). The Medly System was created through a partnership between VITALL, the University Health Network, Centre for Digital Therapeutics.
The Medly App is a smartphone app designed to help patients manage their chronic condition by monitoring symptoms, tracking important measurements and providing self-care guidance. The Dashboard is a web-based tool designed to help clinicians monitor and share information with their patients and includes a messenger service designed to help clinicians exchange messages with their patients.
Based on the data you enter and the status of your health, you will get feedback and self-care instructions. Your health care team will be informed of any critical changes and will follow up as necessary. Your hospital may also share personal information such as lab results and medications directly to the Medly System.
The goal of Medly App is to help patients better understand their conditions, guide self-improvement and enhance communication with your healthcare team. It is not intended to replace your current care, but to supplement it with additional support. The goal of Dashboard is to facilitate remote monitoring of patients as well as enable clinicians to share information and messages with their patients.
What information does the Application collect and how is it used?
User Provided Information
The Application obtains the information you provide when you download and register the Application.
When you register with us and use the Application, you generally provide (a) your name, email address, age, user name, password and other registration information; (b) information about your chronic condition, including symptom information, self-care activities, weight, blood pressure, heart rate, and blood sugar levels; and (c) information you provide us when you contact us for help. We may also use the information you provided us to contact you from time to time to provide you with important information, required notices and preventative care information.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your mobile device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will share your information with third parties only in the ways that are described in this privacy statement.
We may disclose User Provided and Automatically Collected Information:
· as required by law, such as to comply with a subpoena, or similar legal process;
· with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement and the Personal Health Information Protection Act, 2004 and any subsequent amendments.
Use of your Information by your Health Care Team
· By using this app, your health care team will look at your personal health information and collect only the information they need for providing you with care.
· Your information will only be shared with your health care team at the hospital where you were enrolled and will be used to help them provide care for you.
· The information you share through the app will be kept in your clinical file which can only be shared outside of your clinic if it is needed for your clinical care.
What are my rights?
· You can stop all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
· To see, copy, or correct information collected by the app, ask one of your clinicians to review your record with you at your next appointment.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application:
· When a patient is discharged from the program, records will be retained per your hospital policy.
· When a patient is under the age of majority, records will be retained past the age of majority per your hospital policy.
Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application.
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.
Please notify our Chief Privacy Officer of your complaint by emailing privacy@vitall.com.
You can also reach us at:
Vitall Intelligence Inc.
2 Campbell Drive, Suite 706
Uxbridge, Ontario, L9P1H6
Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site will display a notice prompting you to review the changes.
If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site, we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
By continuing to use the Site, the Web App, the Medly System, the Scan App, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site, the Web App, the Medly System, or the Scan App.
LAST UPDATED on March 1, 2026.
CHANGE LOG:
March 1, 2026:
September 20, 2024:
July 15, 2020: