Who We Are
OXIQ ("OXIQ", "we", "our", "us") is an advanced technology company headquartered in Canada that designs and delivers impactful, AI-powered products for industries where intelligence, privacy, and precision matter. Our mission is to apply artificial intelligence in ways that make real work measurably easier — starting with healthcare.
Our flagship product, ACR (AI Clinical Record), is a Software-as-a-Service application that assists licensed health practitioners with clinical documentation through ambient audio recording and applied AI — freeing clinicians from paperwork so they can focus on patient care.
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use ACR, available at acr.oxiq.ca and the OXIQ corporate website at oxiq.ca.
By using ACR you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services.
Information We Collect
Account & Identity Information
- Full name and email address (provided via Google Sign-In or direct registration)
- Profile photo (if provided via Google)
- Professional designation and clinic affiliation
- Organisation and clinic identifiers
Clinical Session Data
- Audio recordings of clinical sessions (consented to by the practitioner on behalf of the patient)
- Transcripts generated from audio recordings
- AI-generated clinical notes (SOAP notes, assessments, progress reports)
- Session metadata (date, time, duration, activity type)
- Patient-identifiable information entered by the clinician (name, date of birth, relevant clinical history)
Usage & Technical Data
- Log data (IP address, browser type, pages visited, timestamps)
- Device information (operating system, screen resolution)
- Session identifiers and authentication tokens
- Error logs and performance diagnostics
Information We Do Not Collect
- Payment or billing information (handled externally)
- Social media profile data beyond what Google provides for authentication
- Location data beyond what is inferred from IP address
How We Use Information
We use collected information exclusively to provide and improve ACR. Specifically:
- Authentication: To verify your identity and manage secure access to your account
- Clinical documentation: To process audio recordings and generate clinical notes on your behalf
- Service delivery: To store, retrieve, and display your session history and generated documents
- Platform improvement: To use aggregated, de-identified usage patterns to improve AI accuracy and platform performance
- Security & compliance: To detect and prevent fraud, abuse, or unauthorised access
- Communication: To send service-related notifications, security alerts, and support responses
We do not use your information or your patients' information for advertising, marketing profiling, or sale to third parties.
Google User Data
OXIQ's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you sign in to ACR using Google, we receive the following from Google:
- Your name, email address, and profile photo
- A unique Google account identifier
This information is used solely for authentication — to create and manage your ACR account and to verify your identity on each login. We do not share Google user data with third parties except as required to operate the authentication flow (e.g., Google Firebase Authentication). We do not use Google user data for any secondary purpose including advertising or analytics beyond basic session management.
Sharing & Third Parties
We share information only with the following categories of third parties, each under appropriate data processing agreements:
Infrastructure & Storage
- Google Cloud Platform (Canada regions) — Firestore (database), Cloud Storage (audio/files), Cloud Run (compute), Identity Platform (authentication). Data residency is within Canada where available.
AI Processing
- Anthropic (Claude API) — Audio transcripts are sent to Anthropic's Claude API for clinical note generation. Anthropic does not train its models on API inputs by default. Data is transmitted securely and not retained by Anthropic beyond the API call.
Calendar & Scheduling
- Google Calendar API — If you connect your calendar, appointment data is synced. This requires explicit OAuth consent and can be revoked at any time.
Legal Disclosure
We may disclose information if required by law, court order, or regulatory authority, or to protect the safety, rights, or property of OXIQ, our users, or the public.
Business Transfer
In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.
We do not sell personal information to any third party.
Data Storage & Security
All data is hosted on Google Cloud Platform in Canadian data centres. We implement the following security measures:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher
- Encryption at rest: All data is encrypted using AES-256 via Google Cloud KMS (Customer-Managed Encryption Keys)
- Access controls: Role-based access control limits data access to authorised personnel only
- Authentication: Multi-factor authentication is available and encouraged for all accounts
- Audit logging: Access to clinical data is logged and monitored
- Vulnerability management: Regular security assessments and dependency audits
While we implement industry-standard safeguards, no system is 100% secure. We encourage you to use strong passwords and report any suspected security issues to info@oxiq.ca.
Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
- Audio recordings: Retained for the duration of the subscription plus up to 90 days after account closure, then deleted
- Clinical notes and transcripts: Retained for the duration of your subscription. Upon account closure, data is available for export for 30 days, then permanently deleted
- Account information: Retained for the duration of the account and up to 7 years thereafter as required by Canadian health records legislation
- Log data: Retained for 90 days for security and debugging purposes
You may request deletion of your data at any time by contacting us at info@oxiq.ca, subject to legal retention obligations.
Your Rights
Under PIPEDA and applicable provincial privacy legislation, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of consent: Withdraw consent to our use of your information (may affect your ability to use ACR)
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Data portability: Request a machine-readable export of your clinical notes and account data
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)
To exercise any of these rights, contact us at info@oxiq.ca. We will respond within 30 days.
Protected Health Information (PHI)
ACR is used by regulated health practitioners and may process Protected Health Information (PHI) as defined under HIPAA and Personal Health Information (PHI) under applicable Canadian provincial legislation (including Ontario's Personal Health Information Protection Act (PHIPA), Alberta's Health Information Act (HIA), and BC's E-Health (Personal Health Information Access and Protection of Privacy) Act).
In this context, OXIQ acts as a technology service provider / Business Associate to the regulated health practitioner (the data controller). The practitioner is responsible for:
- Obtaining valid patient consent for audio recording prior to using ACR
- Informing patients that an AI system is used to process session recordings
- Ensuring their use of ACR complies with their regulatory obligations
- Reviewing and verifying AI-generated notes before inclusion in the official health record
OXIQ will enter into a Business Associate Agreement (BAA) with covered entities as required under HIPAA upon request.
PIPEDA & Provincial Privacy Law
OXIQ complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our data practices are based on the 10 principles of PIPEDA:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
OXIQ's Privacy Officer can be reached at info@oxiq.ca for any privacy-related inquiries or complaints. If we are unable to resolve your concern, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
HIPAA (United States)
For users or covered entities subject to the US Health Insurance Portability and Accountability Act (HIPAA), OXIQ acknowledges the following:
- OXIQ functions as a Business Associate where PHI is processed on behalf of covered entities
- We implement the required administrative, physical, and technical safeguards under the HIPAA Security Rule
- We will execute a Business Associate Agreement (BAA) upon request from covered entities
- We do not use or disclose PHI except as permitted by HIPAA and the applicable BAA
- We support the rights of individuals under the HIPAA Privacy Rule, including the right to access and amend their health information
To request a BAA or raise a HIPAA compliance inquiry, contact info@oxiq.ca.
Children
ACR is not directed at individuals under the age of 18 and is intended for use by licensed health practitioners only. We do not knowingly collect personal information from minors. If we become aware that a minor's information has been collected without appropriate consent, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will update the "Last updated" date at the top of this page and, where the changes are material, notify registered users by email or in-app notification.
Your continued use of ACR after changes are posted constitutes your acceptance of the revised Privacy Policy.
Contact Us
For privacy inquiries, data access requests, or concerns, please reach out to our Privacy Officer: