Thanks for visiting https://www.stenoa.com/ (our “Website”). We are Stenoa Inc. (“Stenoa,” “we,” “our,” or “us”).
If you have any questions regarding this Policy, please contact us by email at firstname.lastname@example.org.
We organized this Policy based on the following questions. You can use these links to jump to a specific section.
This Policy applies to the use of our web and mobile applications along with any related services such as technical support (collectively, our “Services”), which we make available to entities who have subscribed to our Services through a free trial or a paid subscription (“Health Institutions”), and their authorized users (including hub and spoke employees, agents and other health professionals, or care providers (collectively, “End Users”)). This Policy governs our treatment of End Users’ Personal Data as well as patient protected health information (“PHI”) collected by End Users.
Our Services may contain links towards external services which are not part of the Services, such as links to online websites which provide you with more explanations on certain health conditions. These external services are not covered by this Policy. This means that your use of these external services is subject to their respective privacy policies.
When we deliver our Services to Health Institutions, we process Personal Data on their behalf. This Policy does not apply when you use third-party websites, applications, or services. For example, if you click on a link to other websites from our Services, then these websites are subject to their own privacy practices, and not this Policy. Health Institutions also have their own policies or transparency notices describing how they collect, use, and disclose your Personal Data.
If you require information about how a Health Institution collects or processes Personal Data, we recommend that you consult their respective transparency notice.
In this Policy, when we use the term “Personal Data,” we mean any information that relates to an identified or identifiable natural person. This includes a name, home address, email address, phone number, birth date, professional license number, and PHI. It also includes any data which is not personal on its own, but which becomes personal when associated with other data that allows us to identify you indirectly.
This Policy is for transparency purposes. You should note that some of the data we identify as Personal Data may not be protected as such under applicable privacy laws. Therefore, you may not have the same rights regarding this personal data.
We process various types of Personal Data from End Users and their patients for the purposes of delivering our Services. End Users use Personal Data to evaluate, plan, and optimize the treatment of patients presenting with acute coronary syndromes.
You will find below the categories of Personal Data we collect along with a description as to why that Personal Data is collected, and how we use it.
With your express consent, we provide you with various communications, such as electronic newsletters. You can unsubscribe at any time from such communications by using the link to unsubscribe included in our electronic messages.
Commercial electronic messages, such as promotional emails, may contain cookies and tracking technologies which provide us with information as to whether you are interacting with our messages.
We don’t sell Personal Data, and we don’t use PHI except as needed to provide our Services. We don’t share your PHI with marketing partners.
We share your Personal Data with service providers, if we are required to comply with the law, to comply with your instructions, or as part of corporate transactions. If you are a patient, PHI collected by End Users will be shared with other End Users involved in your care.
We may also transfer your Personal Data to service providers that are assisting us in our operations. We ensure that those service providers are subject to appropriate privacy standards.
Examples of our service providers include:
|Service providers||Examples and explanations|
|Hosting and storage providers||We use Amazon Web Services (Amazon Web Services, Inc.) (“AWS”) to provide our Services, which are hosted on AWS servers.|
|Communications service providers||We use Stream (Stream.IO, Inc.) to enable and secure communication between End Users. We use Customer.io (Peaberry Software Inc.) to design and implement our business’ unique messaging workflows and deliver behavioural communication.|
|Analytical service providers||We use Segment (Segment.io, Inc.) and Mixpanel (Mixpanel, Inc.) to store analytics data and gather use case and product analytics insights.|
|Payment processors||We use Stripe (Stripe Payments Canada, Ltd.) to process all payments regarding the purchase of our Services.|
We may also be required to share Personal Data with law enforcement agencies if we are legally compelled to do so. We will take all commercially reasonable measures to notify you prior to doing so, unless we are prevented to do so by law.
If we go through a restructuration, a merger and acquisition or a sale of parts of all our assets, Personal Data may also be transferred in such context, subject to any limitations under applicable laws.
We have implemented physical, organizational, contractual, and technological security measures to protect Personal Data and other information from loss or theft, unauthorized access, disclosure, copying, use or modification. For instance, we collect PHI through a secure transport layer between devices and a backend API hosted in AWS with encryption at rest using AES 256-bit. Our database is designed to explicitly isolate each Health Institution’s workspace data, to minimize the risk of breaches from one workspace to another.
We have taken steps to ensure that the only Health Institution personnel authorized to access your PHI are those on a “need to know” basis or whose duties reasonably require access to such information. Most actions performed by End Users are logged in an audit database as permanent logs.
Despite the measures described above, no method of transmitting or storing information is 100% secure or error-free, so unfortunately we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure (for example, if you believe that the security of information you have provided to us has been compromised), please contact us immediately using the contact information at the top of this page.
To protect your privacy, it is important that you also take steps to ensure that your credentials and devices use adequate passwords, that you don’t share your passwords and that you use secure Internet connections when sharing sensitive information over the Internet.
Our cloud-based platform is hosted in AWS’s data center located in Canada. AWS is HIPAA, SOC II, GDPR, and ISO 27001 certified and adheres to global privacy and data protection best practices.
Unless prohibited by law or contracts with our stakeholders, we may rely on service providers who are in the United States to assist us with the Services, in which case your Personal Data may be stored in or accessed from the United States. For instance, Stream uses AWS’ eastern U.S. servers and store End Users’ names, professional titles, workplaces, and chat messages exchanged. Mixpanel’s servers are also located in the U.S. and host various analytics data via the Google Cloud Platform. In such cases, Personal Data will be subject to United States laws and may be subject to disclosure to United States governments, courts or law enforcement or regulatory agencies, pursuant to those laws. Subject to those laws, we use commercially reasonable measures to protect your Personal Data as it would be protected in Canada. If you would like more information about our policies and practices regarding processing of personal data outside of Canada, please contact us at email@example.com. Each jurisdiction has different laws applicable to the protection of Personal Data, and when your Personal Data are processed in another jurisdiction, they may be subject to different laws with varying degrees of protection.
We retain your Personal Data for as long as required for the purpose for which it was collected, or longer if we are required or permitted to do so under applicable laws. We also retain the Personal Data we process on behalf of Health Institutions for as long as it is required under Health Institutions’ instructions.
We retain your online account information for as long as the account exists in our databases. You can request the deletion of your account by sending an email to the organization with whom you have set up your account (the Health Institution). When your account is deleted, Personal Data is automatically deleted from our databases.
The law provides you with rights regarding your Personal Data. These rights may change depending on where you are located, and they may not apply to all types of Personal Data. Most individuals have the right to access their Personal Data, and the right to request corrections to their Personal Data under certain circumstances, such as if the Personal Data is inaccurate or outdated.
If you want to exercise your rights, or if you have a question or complaint about how we collect, use, or disclose your Personal Data, you can communicate with us by email at firstname.lastname@example.org.
We will try to help you with your request free of charge. However, we may request that you pay a reasonable fee if you request a transcript, a reproduction, or for us to send a copy of your Personal Data, if the law allows us to do so. If we need to charge a fee to process your application, we will contact you before addressing your request.
For security reasons and to avoid any fraudulent request, we may be required to ask that you provide a proof of identity with your request. We will not use such Personal Data for any other purposes.
We will respond to your request within 30 days unless agreed otherwise. Please remember that Personal Data rights are not absolute and may be refused. If your request is denied, we will notify you in writing, and provide you with detailed reasons and information on how to contest our decision.
The Office of the Privacy Commissioner of Canada has published advice to help you access your Personal Data, as well as exercise your rights when it is held by a business. If you are a Québec resident, you can also read about your privacy rights with the Commission d’accès à l’information du Québec.
Finally, your browser may allow you to automatically transmit a “Do Not Track” request to websites you visit. Stenoa does not currently respond to or change any of its practices when it receives a “Do Not Track” request from your browser.
Yes, we will update this Policy if we change how we collect, use, or disclose your Personal Data, if there are changes to privacy legislations, or as needed. You can read previous versions of the Policy here. This Policy is effective as of the date indicated at the top of this page.