Effective: February 24, 2026  |  Last updated: March 2026

Privacy Policy

This Privacy Policy describes how Health Assist AI (“we,” “our,” or “Provider”) collects, uses, discloses, and protects information in connection with our AI-enabled clinical documentation and patient intake platform. Questions? Contact us at info@health-assist.org.

1. Overview

Health Assist AI provides an AI-enabled clinical documentation and patient intake platform used by healthcare organizations (“Customers”). We are committed to the privacy, confidentiality, and security of all information processed through our platform.

2. Definitions

  • Personal Information: Any information about an identifiable individual.
  • PHI (Protected Health Information / Personal Health Information): Personal information relating to an individual’s health, collected in the course of providing healthcare services.
  • Customer Data: All data submitted to the platform by a Customer or its patients.
  • Controller / Organization: The healthcare organization that determines the purposes and means of processing personal information.
  • Processor / Service Provider: Health Assist AI, which processes personal information on behalf of the Controller.

3. Our Role: Service Provider / Data Processor

Health Assist AI acts as a service provider (data processor) on behalf of healthcare organizations. The healthcare organization — not Health Assist AI — determines what patient information is collected, for what purposes, and for how long it is retained. We process information only on the documented instructions of our Customers.

4. Information We Collect

Account & Organization Information: Names, email addresses, job titles, and credentials of authorized platform users.

Usage & Technical Data: IP addresses, access logs, device type, and anonymized analytics used for platform security and performance. PHI is excluded from logs and analytics.

Patient Information: Chief complaint, medical history, medications, allergies, family history, and optional voice recordings submitted by or on behalf of patients through the intake workflow. This information is submitted by the healthcare organization or its patients, not collected independently by Health Assist AI.

5. How Information Is Used

  • Operating the platform and delivering AI-assisted documentation features
  • Generating draft clinical intake summaries for physician review
  • Maintaining platform security, authentication, and audit trails
  • Providing customer support and resolving issues
  • Complying with applicable laws and regulations

We do not sell personal information or patient data. We do not use patient PHI to train public AI models.

6. Legal Bases for Processing

We process personal information on the basis of: (a) contract performance — to deliver the services our Customers have engaged us to provide; (b) legal compliance — where applicable law requires; and (c) legitimate interests — for platform security and fraud prevention. Where required by applicable law (including BC PIPA and PIPEDA), processing of patient health information occurs on the basis of the patient’s express consent, obtained by the healthcare organization.

7. AI Processing & Automation

Our AI assists with structuring and summarizing patient-reported information and generating draft clinical notes. All AI-generated content is reviewed and approved by the responsible healthcare professional before any clinical use. Clinical decisions remain solely with providers. Patient data is not used to train public or shared AI models.

8. Healthcare Compliance

Health Assist AI aligns its practices with applicable healthcare privacy legislation, including:

  • BC PIPA (BC’s Personal Information Protection Act) — the primary framework for private community clinics and physician offices in British Columbia.
  • PIPEDA (federal Personal Information Protection and Electronic Documents Act) — applies to federally regulated organizations and cross-border transfers.
  • PHIPA (Ontario’s Personal Health Information Protection Act) — for Ontario-based healthcare organizations.
  • HIPAA / HITECH (United States) — where applicable. We operate as a HIPAA Business Associate and execute Business Associate Agreements with US Customers.

We act as a service provider under BC PIPA and PIPEDA, and as a data processor under GDPR. Healthcare organizations retain accountability for their patients’ personal health information.

9. Data Security Safeguards

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication
  • Comprehensive audit logging of all PHI access events
  • Network segmentation and private endpoints; no public database exposure
  • PHI excluded from application logs, error reporting, and analytics

10. Sub-Processors & Service Providers

We use the following sub-processors to deliver the platform. All are bound by contractual obligations that require protection of personal information at a standard comparable to applicable law:

Sub-ProcessorPurposeLocationMicrosoft AzureApp infrastructure, database, networkingCanada CentralMicrosoft Azure OpenAIAI processing (GPT-4o)East US 2 (USA) — see §14Microsoft Azure Cognitive ServicesSpeech-to-text / text-to-speechEast US 2 (USA) — see §14ResendTransactional email (OTP, invitations)No PHI in email body

11. Data Retention

Patient session PHI is automatically and permanently deleted at the end of the configured retention window. The default retention window is 3 years from session creation. Healthcare organizations may configure a longer window (up to 7 years) through their account settings.

Consent records and audit logs are retained for 7 years as required by applicable healthcare privacy legislation.

Account information is retained for the duration of the Customer relationship and deleted within 30 days of account termination, except where retention is required by law.

12. Individual Rights & Access Requests

Individuals have rights under applicable law including the right to access, correct, and request deletion of their personal information. Because Health Assist AI acts as a service provider to healthcare organizations, requests relating to patient health information should be directed to the healthcare organization (your clinic or physician). We will cooperate with Customers in responding to such requests.

For inquiries about account or contact information held by Health Assist AI directly, contact us at info@health-assist.org.

13. Breach Notification

In the event of an actual or reasonably suspected breach involving Customer PHI, we will notify the affected Customer within 48 hours of becoming aware of the incident, and will provide reasonable assistance to support the Customer’s own regulatory notification obligations.

14. International Data Processing & Cross-Border Transfers

Our application infrastructure (App Service, database, networking) is hosted in Microsoft Azure’s Canada Central region. However, AI processing (Azure OpenAI, GPT-4o) and speech services (Azure Cognitive Services) are operated in Microsoft’s East US 2 region in the United States.

This means that patient health information submitted through the platform is transferred to and processed in the United States when AI or speech features are used.

Contractual Safeguards: We have in place with Microsoft Corporation: (a) a Data Processing Agreement (DPA) governing Microsoft’s handling of personal information as a sub-processor; and (b) a HIPAA Business Associate Agreement (BAA). These agreements require Microsoft to implement safeguards comparable to those required under BC PIPA, PIPEDA, and HIPAA, and restrict Microsoft from using data for any purpose other than delivering the contracted services.

Transparency: As required by the federal Office of the Privacy Commissioner (OPC) cross-border transfer guidelines and by BC PIPA, we are transparent that information may be processed in a foreign jurisdiction and may be accessible by courts, law enforcement, or national security authorities under the laws of that jurisdiction (in this case, US law).

Healthcare organization responsibility: Private clinics and physician offices in BC using this platform remain accountable under BC PIPA for their patients’ personal health information even when transferred to a third party for processing. Clinics should ensure their own patient-facing privacy policy discloses that information may be transferred to and processed in the United States. Health Assist AI can provide copies of the applicable Microsoft DPA and BAA upon written request to support Privacy Impact Assessment documentation.

15. Cookies & Technical Tracking

We use essential session cookies for authentication and security only. We do not use behavioral advertising cookies, third-party tracking pixels, or cross-site analytics.

16. Children’s Privacy

The platform is designed for use by licensed healthcare professionals. We do not knowingly collect personal information from children except as part of an authorized patient intake workflow initiated by a healthcare provider.

17. Policy Updates

We may update this Privacy Policy periodically. We will notify Customers of material changes in advance by email or in-platform notice. Continued use of the platform after the effective date of an updated Policy constitutes acceptance of the changes.

18. Contact & Privacy Officer

For privacy inquiries, data access requests, or to request copies of our Microsoft DPA and BAA:

Health Assist AI
Privacy Officer
info@health-assist.org