Privacy Policy
Last Updated: December 1, 2025
1. Introduction and Scope
iQonsulting Inc. ("iQonsulting"), including its Healthlytics.ai division, specializes in AI product development for the healthcare sector. This policy governs the WAIVS Platform and Solutions inclusive of its Waivs Surgical Care Companion and Waivs-Ambient AI Scribe solutions. Our mission—"Better healthcare is in our DNA"—drives us to deliver transformative solutions while maintaining absolute data integrity.
2. Regulatory Standards and Our Role
We manage our data practices toward the following standards to ensure a secure legal and ethical perimeter:
- PHIPA (Ontario): We act as a Business Associate, Agent, or Data Processor on behalf of the Health Information Custodian (HIC).
- HIPAA (United States): Our ecosystem is managed toward HIPAA standards, protecting 18 specified identifiers as a Business Associate.
- PIPEDA (Canada): We adhere to federal standards for personal information protection.
- Global Alignment: Our framework is designed to align with GDPR (EU), CCPA (US), NIST CSF, and ISO 27001.
3. PHI and Data Collection
We collect only the minimum amount of information necessary to deliver clinical functionality:
- Identifiers: Full names of patients and providers, medical record numbers, and account identifiers.
- Contact Details: Phone numbers for SMS onboarding and email addresses.
- Government/Clinical IDs: Health Insurance numbers, SSNs (where applicable), and provider IDs.
- Clinical & Longitudinal Data: Birth dates, surgery/discharge dates, specialized surgical milestones, and data such as BMI trends or lab results.
- Specialized Media: Incision photos for wound monitoring and raw audio/voice recordings.
4. Responsible AI and Data Integrity
iQonsulting utilizes advanced Artificial Intelligence with a "Human-in-the-Loop" philosophy to ensure accuracy and transparency:
- AI Transcription: Waivs-Ambient identifies AI-generated content; clinicians are required to act as the final validator.
- Mandatory Review: Clinicians must review, edit, and validate all AI-generated SOAP notes and patient summaries before they are finalized in the medical record.
- Ethical Training: Data sets used to train our solutions are free of PI/PHI and sourced in a manner that respects intellectual property rights.
- Data Minimization: Our AI filters out non-clinical "small talk" (e.g., weather) to ensure only essential medical information is captured.
5. Security and Data Residency
- Encryption: Data is encrypted with AES-256 bit standards at rest and TLS 1.3 in transit.
- Access Control: We enforce the "Principle of Least Privilege" and mandate Multi-Factor Authentication (MFA).
- Canadian Residency: All PHI for Canadian clients is stored and processed exclusively in Canada within the GCP Montreal region.
6. Retention and Disposal
- Configurable Retention: Providers may configure retention periods to comply with provincial laws or organisational policies.
- Secure Disposal: At the end of the retention period, data is securely overwritten and encryption keys are destroyed.
- Audit Logs: Maintained for 7 years to comply with Ontario health record regulations.
7. Contact Information
Accountability is overseen by our Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO).
Privacy Officer Email: privacy@iQonsulting.ca
Chief Information Security Officer Email: security@iQonsulting.ca