Compliance

AivaMD is built to handle health information responsibly under Alberta's regulatory framework. This page covers our compliance posture across HIA, PIPEDA, H-Link, and AI data handling.

Last updated: June 2026

Alberta Health Information Act (HIA)

  • AivaMD handles health information as defined under the Alberta Health Information Act (HIA), RSA 2000, c H-5.

  • Health information you enter - including encounter notes, patient names, health card numbers, and diagnosis codes - is used solely to generate billing codes and claims on your behalf.

  • AivaMD does not sell, share, or disclose health information to third parties except as required to deliver the service (see Third-Party Processors below) or as required by law.

  • All production servers are hosted in Canada: backend infrastructure on Fly.io (yyz - Toronto, ON) and database on Supabase (ca-central-1 - Montreal, QC). No patient health information leaves Canada except as required for the services listed under Third-Party Processors.

  • As a healthcare provider using AivaMD, you remain the custodian of your patients' health information under HIA and are responsible for ensuring your use of the platform complies with your obligations under HIA and the College of Physicians and Surgeons of Alberta (CPSA) standards.

  • AivaMD acts as an information manager under HIA s.66 pursuant to a written Information Manager Agreement (IMA) executed with each custodian (physician or clinic). The Terms of Service set out the permitted purposes, use restrictions, security requirements, and data-handling obligations incorporated into that agreement.

PIPA Alberta and PIPEDA

  • AivaMD complies with the Alberta Personal Information Protection Act (PIPA), SA 2003, c P-6.5, which is the primary applicable private-sector privacy law for provincially regulated activities in Alberta.

  • AivaMD also complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c 5, which applies to interprovincial activities and transfers of personal information outside Alberta (for example, to third-party processors such as Anthropic and Stripe).

  • We collect only the personal information necessary to provide the service: name, email address, Practitioner ID, practice details, and health information you submit.

  • You may request access to, correction of, or deletion of your personal information at any time by contacting support@aivamd.ca.

  • We do not use personal information for purposes beyond what is disclosed in our Privacy Policy without obtaining additional consent.

AI Model and Data Handling

  • AivaMD uses the Anthropic Claude API to analyze encounter notes and extract billing codes. Encounter text is sent to Anthropic's API for processing. AivaMD has a Data Processing Agreement (DPA) with Anthropic governing this data handling.

  • Under Anthropic's API terms and the DPA, customer data submitted via the API is not used to train Anthropic's models.

  • AivaMD does not train AI models on individual patient records or provider billing data.

  • Aggregated, anonymized usage data may be used internally to improve extraction accuracy.

Data Security

  • All data is encrypted in transit using TLS 1.2 or higher.

  • Data at rest is encrypted using AES-256.

  • Access to health information is restricted to authenticated providers. Each API endpoint enforces provider-level isolation - you can only access your own claims and data.

  • Authentication is managed by Clerk using industry-standard JWT tokens verified on every API request.

  • We conduct regular security reviews and follow OWASP guidelines for web application security.

Third-Party Processors

  • Deepgram (USA): When you use the voice recording feature, encounter audio is streamed to Deepgram's nova-2-medical API for real-time transcription. Raw audio is not retained after transcription. You must obtain patient consent before recording any encounter.

  • Anthropic (USA): Encounter note text is sent to Anthropic's Claude API for billing code extraction. Governed by Anthropic's API Data Processing Agreement. Anthropic does not use API inputs to train models.

  • Clerk (USA): User authentication and session management. No patient health information (PHI) is transmitted to Clerk.

  • Stripe (USA): Payment processing for subscriptions under Stripe's own PCI-DSS compliance program. No PHI is transmitted to Stripe.

  • Fly.io (Canada - Toronto, ON): Backend API server hosting. Health information transits and is processed here. DPA signed June 2026.

  • Supabase (Canada - Montreal, QC): PostgreSQL database hosting. Health information is stored here, encrypted at rest.

  • Vercel (USA): Frontend application hosting (static assets and server-side rendering). No PHI is stored on Vercel.

  • Alberta Health (Canada): Claim data is submitted to Alberta Health via H-Link EDI as part of the authorized billing process.

  • Service providers outside Canada: as contemplated by PIPA Alberta s.13.1, you may request our current list of service providers, their roles, and the jurisdictions in which they operate, and contact our Privacy Officer at support@aivamd.ca with any questions about personal information handled by service providers outside Canada.

Breach Notification

  • In the event of a privacy breach involving health information, AivaMD will notify affected users and, where required, the Office of the Information and Privacy Commissioner of Alberta (OIPC) in accordance with HIA breach notification requirements.

  • Under PIPA Alberta, AivaMD will also notify the OIPC of breaches that create a real risk of significant harm to individuals.

  • Notification will be provided as soon as practicable after the breach is discovered.

  • To report a suspected breach or security vulnerability, contact support@aivamd.ca immediately.

Contact and Complaints

  • Privacy Officer: Cole Patola, AivaMD Inc. For compliance inquiries, Privacy Impact Assessments, or to report a concern: support@aivamd.ca.

  • For complaints under PIPA Alberta or HIA: Office of the Information and Privacy Commissioner of Alberta (OIPC) - oipc.ab.ca - 1-888-878-4044.

  • For complaints under PIPEDA (federal): Office of the Privacy Commissioner of Canada - priv.gc.ca - 1-800-282-1376.

  • AivaMD Inc. is incorporated in Alberta, Canada (Corporation Number 2029239404).

  • Effective date: June 2026.