Privacy Policy
Last updated: April 10, 2026
1. Overview
Sociara ("we", "us", "our") is committed to protecting the privacy and security of your personal information and personal health information ("PHI"). This Privacy Policy explains how we collect, use, store, and disclose information when you use our clinical consultation platform.
We comply with the Personal Information Protection Act (PIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Health Insurance Portability and Accountability Act (HIPAA).
2. Information We Collect
2.1 Personal Information
- Full name, email address, phone number
- Date of birth, sex at birth
- Mailing address
- Emergency contact information
- BC Personal Health Number
2.2 Personal Health Information (PHI)
- Consultation notes, summaries, and reasons for visit
- Chat messages exchanged during consultations
- Clinical documentation generated by healthcare providers
- AI-generated summaries (if you opt in to AI features)
2.3 Technical Information
- IP address (for audit logging and security purposes)
- Browser type and session identifiers
- Timestamps of account activity
3. How We Protect Your Data
3.1 Encryption
All PHI is encrypted at rest using AES-256-GCM with versioned encryption keys managed through AWS Secrets Manager. All data in transit is protected by TLS 1.2 or higher. Encryption keys are stored separately from the data they protect and are never written to disk or logged.
3.2 Data Residency
All PHI is stored exclusively in AWS ca-west-1 (Calgary, Alberta, Canada). Your health data never leaves Canadian infrastructure. Our frontend application runs in ca-central-1 (Montreal) but never processes or stores PHI — it serves as a rendering shell only.
3.3 Access Controls
Access to PHI is strictly controlled through role-based access controls. Patients can only access their own data. Healthcare providers can only access data for patients at their clinic(s). All PHI access is logged to an immutable, append-only audit trail.
3.4 Audit Logging
Every access to PHI is recorded in an immutable audit log, including who accessed the data, when, from what IP address, and which fields were viewed. The audit log cannot be modified or deleted.
4. How We Use Your Information
We use your information to:
- Provide the clinical consultation service between you and your healthcare providers
- Verify your identity and manage your account
- Communicate with you about appointments and consultations
- Generate AI-assisted clinical documentation (only if you opt in — see our AI Consent Policy)
- Comply with legal and regulatory obligations under healthcare legislation
- Maintain system security and prevent unauthorized access
5. Information Sharing
We do not sell, rent, or trade your personal information or PHI. We may share information only in these circumstances:
- With your healthcare providers: Your assigned healthcare team at registered clinics can access your PHI as required to deliver care.
- Service infrastructure: We use AWS (Amazon Web Services) for hosting. AWS acts as a data processor under a Business Associate Agreement (BAA) and does not access your data.
- Legal requirements: We may disclose information if required by law, regulation, court order, or governmental authority.
6. Data Retention
PHI is retained in accordance with applicable healthcare record retention requirements. In British Columbia, medical records must be retained for a minimum of 16 years after the last entry (or, for minors, until the patient reaches age 27). Audit logs are retained indefinitely as required for compliance evidence.
7. Your Rights
Under applicable privacy legislation, you have the right to:
- Access your personal information and PHI held by Sociara
- Request correction of inaccurate personal information
- Withdraw consent for optional data processing (such as AI features)
- File a complaint with the Office of the Information and Privacy Commissioner for British Columbia
8. Cookies and Tracking
Sociara uses only essential cookies required for authentication (an HttpOnly refresh token cookie). We do not use analytics cookies, advertising trackers, or third-party tracking scripts.
9. Children's Privacy
Sociara is not intended for individuals under 18 years of age. We do not knowingly collect information from minors. If you believe a minor has provided information through our Service, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact Us
For privacy inquiries, data access requests, or complaints, contact our Privacy Officer at privacy@sociara.com.