Privacy Policy
Last updated: June 19, 2026
1. Introduction
iSeeWell, operated by 16841082 Canada Inc. ("we," "our," or "us"), is a company incorporated in Canada with its principal office at 1200 Derry Rd E, Mississauga, ON L5T 1B6. We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Ontario's Personal Health Information Protection Act (PHIPA) where applicable. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use our website, mobile applications, and services to book eye exams with optometry clinics across Canada.
2. Definitions
Personal Information means information about an identifiable individual, as defined under PIPEDA. This includes your name, email address, phone number, and other data that can identify you.
Personal Health Information means information about your physical or mental health, including the reason for your eye exam appointment, as governed by PHIPA in Ontario.
Consent means your voluntary agreement to the collection, use, and disclosure of your personal information for the stated purposes.
3. Information We Collect
Information you provide: When you book an appointment, we collect your name, email address, phone number, date of birth, and the reason for your visit. You may also provide insurance details or special requests.
Health-related information: The reason for your eye exam visit and any notes you provide to the clinic are considered personal health information under Ontario law.
Automatically collected information: When you visit our website, we may collect your IP address, browser type, device type, operating system, referring URL, and pages visited. This data is used to improve our services and ensure security.
Location data: With your permission on our website, we use your location to show nearby optometry clinics. You may also search by entering a location manually. Our mobile apps do not collect precise location in the current release.
Mobile application data: When you use the iSeeWell Clinic, Customer, or Admin mobile apps, we may collect account credentials (stored securely on your device), push notification tokens, device name, and in-app activity related to bookings and clinic management. The Clinic app may display patient contact details and appointment request information submitted through our platform.
Diagnostic data: Our mobile apps use Sentry for crash and error reporting. We configure Sentry not to send personally identifiable information by default. Diagnostic data helps us maintain app stability and security.
4. Legal Basis for Collection (PIPEDA Principles)
We collect and process your personal information in accordance with the ten fair information principles set out in Schedule 1 of PIPEDA:
- Accountability: We have designated a Privacy Officer responsible for our compliance with this policy.
- Identifying purposes: We identify the purposes for collection at or before the time of collection.
- Consent: We obtain your meaningful consent for the collection, use, and disclosure of your information. Where we rely on implied consent (e.g., providing your email to receive booking confirmations), the purpose is clear from context.
- Limiting collection: We collect only the information necessary for the stated purposes.
- Limiting use, disclosure, and retention: Your information is used only for the purposes for which it was collected, unless you provide further consent.
5. How We Use Your Information
We use your personal information to:
- Facilitate and confirm your appointment bookings
- Communicate with you and the clinic about your appointment (confirmations, reminders, follow-ups)
- Provide customer support
- Improve our platform, services, and user experience
- Prevent fraud and ensure the security of our platform
- Comply with legal obligations
- With your express consent under Canada's Anti-Spam Legislation (CASL), send commercial electronic messages such as marketing communications
We do not sell your personal information to third parties.
6. Disclosure & Sharing
We may share your personal information with:
- Optometry clinics: Your booking details are shared with the clinic you select so they can provide your appointment.
- Service providers: Trusted third parties who help us operate our platform (e.g., cloud hosting, SMS delivery, email delivery, error monitoring via Sentry, push notification delivery via Expo) under strict confidentiality agreements.
- Legal requirements: When required by law, court order, or to protect our legal rights.
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations.
7. Mobile Applications
iSeeWell offers mobile applications for clinic staff (Clinic app), patients (Customer app), and internal administrators (Admin app). This section describes data practices specific to those apps in addition to the website practices above.
Authentication and session data: When you sign in to a mobile app, we store session tokens and basic account information (such as your name, email, and role) in your device's secure storage (iOS Keychain / Android Keystore via Expo SecureStore). This keeps you signed in between app sessions.
Push notifications: If you enable notifications, we register a push token with Expo Push Notification Service so we can deliver alerts about new booking requests and account activity. We may also store a device name label to help clinic staff identify registered devices.
Clinic app — patient and booking data: Clinic staff using the Clinic app can view and manage appointment requests that patients submit through iSeeWell. This includes patient name, contact information, preferred appointment times, and the reason for the visit. This information is personal health information where applicable and is handled in accordance with PHIPA and PIPEDA.
Crash and diagnostic reporting: Our mobile apps use Sentry to collect crash logs and diagnostic information when errors occur. We configure Sentry with personally identifiable information disabled by default. Production error monitoring is enabled only when appropriate contractual safeguards (such as a Business Associate Agreement where required) are in place.
Data deletion: You may request deletion of your account and associated data by contacting our Privacy Officer (Section 15) or through in-app account deletion where available. See also our website deletion request process.
8. Cookies & Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie consent banner or the "Cookie Preferences" link in our website footer. When you consent to analytics cookies, we use Amplitude and Google Tag Manager (which may load Google Analytics 4) to understand how visitors use our website. Amplitude collects aggregated, anonymized usage data such as pages visited, referral source, browser type, and device type. Google Analytics may collect similar aggregated usage data via cookies such as _ga and _gid. We have configured Amplitude not to store your IP address, and we do not send any personally identifiable information (such as your name, email, or phone number) to these analytics services. Amplitude and Google process data in the United States, which is covered by our cross-border disclosure in Section 12 below. If you do not consent to analytics cookies, no analytics data is collected. You can withdraw your consent at any time through the Cookie Preferences link in our website footer.
9. Data Retention & Disposal
We retain your personal information only as long as necessary to fulfill the purposes described in this policy and to comply with legal obligations. Specifically:
- Booking and contact information is retained for the duration of your use of the service and a reasonable period thereafter.
- Audit logs are retained for a configurable period (default 90 days; extended periods may apply for HIPAA-regulated deployments).
- Completed or cancelled appointments, inactive customer profiles, and messaging history are purged on automated schedules according to our retention configuration.
- When information is no longer needed, it is securely destroyed or de-identified.
10. Security Safeguards
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS)
- Secure authentication with hashed passwords
- HttpOnly and Secure flags on authentication cookies
- Role-based access controls
- Audit logging of administrative actions
- Regular security reviews and updates
No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we take all reasonable steps to protect your data.
11. Your Rights Under Canadian Law
Under PIPEDA and applicable provincial legislation, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Withdrawal of consent: Withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal may affect our ability to provide certain services.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Information and Privacy Commissioner of Ontario (IPC).
To exercise any of these rights, contact our Privacy Officer using the information in Section 15 below.
12. Cross-Border Data Transfers
Your personal information is stored and processed in Canada and the United States. Some of our service providers (including cloud hosting and communication services) may process data in the United States. In such cases, your information may be subject to U.S. laws, including the USA PATRIOT Act. We ensure that any cross-border transfers are subject to appropriate contractual safeguards and that service providers maintain security standards comparable to those required under Canadian law.
13. Children's Privacy
Our services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. Individuals between 13 and the age of majority in their province (18 in Ontario) may use the Platform with the consent of a parent or legal guardian. If you believe we have collected data from a child under 13 without proper consent, please contact us immediately and we will take steps to delete it.
14. Breach Notification
In accordance with PIPEDA's mandatory breach notification requirements, if a breach of security safeguards involving your personal information creates a real risk of significant harm, we will:
- Notify you as soon as feasible with details of the breach and steps you can take to reduce the risk of harm
- Report the breach to the Office of the Privacy Commissioner of Canada
- Notify any other organizations or government institutions that may be able to reduce the risk of harm
- Maintain a record of all breaches for a minimum of 24 months
15. Privacy Officer & Contact
Our Privacy Officer is responsible for our compliance with this policy and PIPEDA. For privacy-related questions, to exercise your rights, or to report a concern, please contact us:
iSeeWell (16841082 Canada Inc.)
Attn: Privacy Officer
1200 Derry Rd E, Mississauga, ON L5T 1B6, Canada
Email: contact@iseewell.com
We will acknowledge your request within ten (10) business days and provide a substantive response within thirty (30) days.
16. Complaints to the Privacy Commissioner
If you are not satisfied with our response, you have the right to file a complaint with:
- Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca (1-800-282-1376)
- Information and Privacy Commissioner of Ontario (IPC): www.ipc.on.ca (1-800-387-0073)
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be posted on this page with an updated "Last updated" date. Where required by law, we will provide notice and obtain consent before making material changes to how we handle your personal information.