Privacy Policy

Account information: name, email address, and practice details you provide during registration.

Provider information: Practitioner ID (PRACID), clinic name, province, and contact details.

Health information: encounter notes, billing codes, diagnosis codes, and patient health card numbers that you enter into the platform.

Usage data: API request logs, feature usage, and session information for service improvement.

Payment information: processed securely by Stripe. AivaMD does not store your full credit card number.

To provide the AivaMD service: AI billing analysis, claim creation, H-Link EDI generation, and claim tracking.

To authenticate your account via Clerk and maintain your session.

To process subscription payments via Stripe.

To improve our AI models and billing code accuracy (only with anonymized, aggregated data — never individual patient records).

To communicate service updates, billing notices, and support responses.

AivaMD handles health information as defined under the Alberta Health Information Act (HIA), RSA 2000, c H-5. The primary applicable private-sector privacy law is the Alberta Personal Information Protection Act (PIPA), SA 2003, c P-6.5. PIPEDA (SC 2000, c 5) also applies to interprovincial transfers of personal information, such as data sent to US-based third-party processors.

AivaMD acts as an information manager under HIA s.66 and enters into a written Information Manager Agreement (IMA) with each custodian (physician or clinic) governing how AivaMD handles health information on their behalf. Our Terms of Service set out the baseline data-handling commitments incorporated into that agreement.

Health information you enter is used solely to generate billing codes and claims on your behalf. It is not sold, shared with third parties for marketing, or used to train AI models without express consent.

All production servers are hosted in Canada: backend on Fly.io (Toronto, ON) and database on Supabase (Montreal, QC). No patient health information leaves Canada except as disclosed under Third-Party Data Processors below.

You retain ownership of all health information entered into AivaMD. You may request deletion of your data at any time through your account settings or by contacting support@aivamd.ca.

As a healthcare provider, you remain responsible for ensuring your use of AivaMD complies with your professional obligations under CPSA and HIA, including obtaining patient consent before recording encounters.

Deepgram (voice transcription): When you use the voice recording feature, raw audio of physician-patient encounters is streamed to Deepgram's API (deepgram.com) for real-time transcription using their nova-2-medical model. Deepgram is a US-based company. You are responsible for obtaining patient consent before recording any encounter. AivaMD does not retain raw audio after transcription.

Anthropic Claude API (billing code extraction): Encounter text, patient names, PHNs, dates of birth, and diagnosis descriptions are sent to Anthropic's Claude API (anthropic.com) to extract billing codes and generate clinical notes. Anthropic is a US-based company. AivaMD has a Data Processing Agreement (DPA) with Anthropic. Anthropic does not use API inputs to train models under the DPA and their API terms.

Clerk (authentication): Manages user authentication and session tokens. No patient health information (PHI) is sent to Clerk.

Stripe (payments): Payment processing only. Stripe receives billing and subscription information. No PHI is sent to Stripe. Stripe is PCI-DSS compliant.

Fly.io (backend hosting, Canada - Toronto): Backend API server. Health information transits and is processed here in Canada.

Supabase (database, Canada - Montreal): PostgreSQL database. Health information is stored here, encrypted at rest with AES-256.

Vercel (frontend hosting): Serves the web application interface. No PHI is stored on Vercel.

Alberta Health (H-Link): Claim data is submitted to Alberta Health via H-Link EDI as part of the authorized billing process. This is required to bill Alberta Health.

We do not sell your data to any third party.

Service providers outside Canada: some processors above (for example Anthropic, Deepgram, Clerk, Stripe, and Vercel) operate in the United States. As contemplated by PIPA Alberta s.13.1, you may request our current list of service providers, their roles, and the countries in which they operate, and you may contact our Privacy Officer at support@aivamd.ca with any questions about the collection, use, or disclosure of personal information by service providers outside Canada.

Account data is retained for the duration of your subscription plus 7 years, as required for medical billing records under Alberta regulations.

You may delete your account at any time through your account settings. Note that certain records may be retained to comply with legal obligations.

Backups are retained for up to 30 days.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Access to health information is restricted to authenticated providers using Clerk JWTs.

API endpoints enforce provider-level isolation — you can only access your own claims and data.

We conduct regular security reviews and follow OWASP guidelines.

Access: You may request a copy of the information we hold about you.

Correction: You may request correction of inaccurate data through your account settings.

Deletion: You may delete your account and all associated data directly from your account settings. This permanently removes your provider profile, claims, patients, and encounter notes.

Portability: You may download an export of all your data as a JSON file from your account settings.

To exercise these rights or ask questions, email support@aivamd.ca.

AivaMD has designated a Privacy Officer accountable for compliance with PIPEDA and PIPA Alberta: Cole Patola, Privacy Officer, AivaMD Inc.

To contact the Privacy Officer with questions, access requests, correction requests, or complaints: support@aivamd.ca.

If you are not satisfied with our response to a privacy concern, you may escalate to the applicable regulator.

For complaints under PIPA Alberta or the Health Information Act (HIA): Office of the Information and Privacy Commissioner of Alberta (OIPC) - oipc.ab.ca - 1-888-878-4044.

For complaints under PIPEDA (federal): Office of the Privacy Commissioner of Canada - priv.gc.ca - 1-800-282-1376.

We encourage you to contact us first at support@aivamd.ca so we can attempt to resolve your concern directly.

If you have questions about this Privacy Policy or our data practices, contact us at support@aivamd.ca.

AivaMD Inc. is incorporated in Alberta, Canada (Corporation Number 2029239404).

Effective date: June 2026. We will notify users of material changes via email.