Is your medication still right for you?
OUTRO HEALTH

Privacy Policy

Outro Health Canada Inc. (“Outro”, “we”, “us” or “our”) is a company providing a secure platform (the “Platform”) that allows our members (the “Users”) access to virtual healthcare, mental health, and counselling services, as well as self-guided health and wellness resources (“Services”) with the goal reducing users reliance on antidepressant medications. Our services are provided to our Users through the Platform with the help of standard forms and questionnaires developed by us or by our professionals, working as partners, contractors and employees whether by video call, audio call, asynchronous chat, or text message (the “Consultations”). Our Platform is accessible through mobile applications or a web browser (the “App”). 

At Outro, we are committed to protecting the privacy and security of your Personal Information and Personal Health Information (As defined below). We are committed to meet our obligations under respective Canadian and United States data privacy laws, including the Personal Information Protection and Electronic Documents Act (Canada), the Personal Health Information Protection Act (Ontario), the Personal Information Protection Act (British Columbia), the Health Insurance Portability and Accountability Act (United States), and regulations thereunder. We have established a set of policies, procedures and other practices, including this privacy policy (“Policy”), which govern our processing of personal information.

The purpose of this policy is to inform you regarding:
a. the type of information we may collect from you or that you may provide when you access and use the App, the Platform or when you visit the website Outro.health (our “Website”),
b. how we collect, use, disclose, and protect the personal information, including personal health information, of our Users and/or website users (”you”),
and c. our practices for collecting, using, maintaining, protecting, and disclosing that information.

We will only use your personal information in accordance with this Policy unless otherwise required by applicable law. We take steps to ensure that the personal information that we collect about you is adequate, relevant, not excessive, and used for limited purposes. All employees and contractors of Outro who collect and process personal information in accordance with this Policy are those with a business “need-to-know” or whose duties reasonably require such information, and are required to adhere to the protections described in this Policy. Whenever we engage a third-party service provider or whenever we work with a new partner, we ensure that the information is properly safeguarded at all times at a comparable level of protection the information would have received if it had not been transferred.

Please read this Policy carefully to understand our policies and practices for collecting, processing, and storing your information. If you do not agree with this Policy, your choice is to not use our Platform, our App or our Website. This Policy should be read in conjunction with our Terms of Use.

When accessing the Platform, you will also be required to read and agree with the Consent Form prior to using the Platform, which informs you about the benefits, risks and limitations of our services and the Consultations rendered through the Platform and obtains your consent to be provided with our services. You should not use our Platform unless you fully understand and agree to the Terms of Use, the Consent Form and this Policy. By accessing or using our Platform you indicate that you understand, accept, and consent to the practices described in this Policy, the Terms of Use and the Consent Form, as applicable.

Note that from time to time we may make changes to this Privacy Policy. Our Privacy Policy is current as of the “last revised” date which appears at the top of this page, and we will treat PI and PHI in a manner consistent with the Privacy Policy under which it was collected unless we have your consent to treat it differently.

What information is collected from me?

Outro collects and uses various types of information along the user journey and across our Platform, App, and Website.
When you complete questionnaires on our website to determine your eligibility or create an account on our Platform, we may Personal Information (“PI”), which is any information that is identifiable with you, as an individual, that we can reasonably use to directly or indirectly identify you and contact you when needed, such as:
 
● Your name
● Date of birth
● Health insurance details
● Mailing address
● E-mail address
● Telephone number
● Internet protocol (IP) address used to connect your computer to the Internet
● User name or other similar identifier and any other identifier we may use to contact you online or offline where applicable

When you complete questionnaires on our website to determine your eligibility or use the Platform to receive Services, we may collect Personal information as described above in addition to Personal Health Information (“PHI”), is any personal health information about your physical and mental health you may disclose to our intake team and healthcare practitioners that is relevant to establish your care plan, such as:

● Your medication history
● Your medical history, including mental and physical health symptoms, diagnoses, etc.
● Previous appointment history and clinician observations
● Test results and treatment information; and
● All personal information regarding your personal, familial, financial or legal situation that you may choose to disclose to our intake team and professionals that is relevant to provide you with our Services

When you use our website, app, or platform we may collect and use de-identified, aggregated, and anonymized information: 
● Non-personal information that does not directly or indirectly reveal your identity or directly relate to an identified individual, such as demographic information, or statistical or aggregated information.
● Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from the personal information we collected. 
● For example, we may aggregate personal information to analyze the quality of our Services, inform future product development, and perform research. Such information will be anonymized and de-identified before being analyzed and used for such purposes.

When you make a payment through our Platform: 

● Any transaction information including your credit card or banking information or other financial data in order to process the payment will be collected and processed by a PCI-compliant third-party provider and will not be collected nor processed by Outro
● Any other personal information you may provide for the purposes of the transaction will be collected and used to process the transaction only

When you access and use our Website:
● We may collect technical information, such as your login information, your geo-location information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, or information about your internet connection, the equipment you use to access our Website, and usage details.
● We may collect Digital interaction information : Non-personal details about your Website interactions, including the full Uniform Resource Locators (URLs), clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, or any phone number used to call our customer service number.

How do you collect my information?

We will always collect your PI and PHI by fair and lawful means. We may collect PI or PHI from you directly and/or from third parties, where we (and/or those third parties) have obtained your consent, or as otherwise required or permitted by law. We use different methods to collect your information, including:

● Via direct interactions with you through our Website, App, and Platform, including during Consultations, through forms and questionnaires, and by receiving care from our healthcare practitioners. 
● Automatically, through cookies and other automated data collection technologies or interactions, as you navigate through our Website and the Platform. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies (the “Activity Information”).
● Through business partners and clients that provide us with a list of eligible Users that can have access to our Platform and services.

How do you use my personal information? 

We identify the purposes for which we use your PI or PHI at the time we collect such information from you and obtain your consent, in any case, prior to such use. We generally use your PI and PHI for the following purposes (the “Purposes”):

● To determine your eligibility to access the Platform and our services;
● To create and administer your User account when you register on our Platform;
● To identify and authenticate you in order for you to access the Platform and to provide you with our services;
● To communicate with you with respect to the Platform registration and your account and respond to your inquiries on the Platform, the App, our Website or our products and services offering in general;
● To provide you with access to our Platform and to any consultations, information, products, or services that you request from us, including healthcare services;
● To carry out our obligations and enforce our rights arising from any contracts we may have with you, notably our Terms of Use, including for billing and collection or to comply with legal requirements;
● To notify you about new locations, products, or services releases, new partnerships and other key information;
● To notify you about changes to our Platform, our App or our Website or any products or services we offer or provide though it;
● To provide you with useful information about trends and best practices in healthcare, mental health and well-being and other relevant topics in connection with our services;
● To improve our Website, products or services, marketing, or customer relationships and experiences;
● To fulfill any purposes we described before you provided the information; and
● For any other purposes upon your consent

When and how do you obtain my consent to collect or use my information? 

We generally obtain your consent prior to collecting, and in any case, prior to using or disclosing your PI or PHI for any of the above Purposes. You may provide your consent to us either orally, electronically or in writing. The form of consent that we seek, including whether it is express or implied, will largely depend on the sensitivity of the PI or PHI and the reasonable expectations you might have in the circumstances. In limited circumstances, we may rely on a third party to obtain your consent to the sharing of your PI or PHI with us. You may withdraw your consent by providing us notice. You may expressly instruct that your personal health information not be used or disclosed for healthcare purposes without your consent. Notwithstanding the above, we may share anonymized data to contribute to improvements, research, and general knowledge about treatments and therapy programs; in all such situations Outro will take reasonable steps to remove personally identifiable information before such results are shared externally.

How is my information disclosed or transferred?

Generally, we will only make disclosures or transfers of your Personal Information and Personal Health Information to such persons or third parties for which you provide your consent, to fulfill the purpose for which you provide it, and for any other purpose disclosed by us when you provide the information. Your information may be disclosed or transferred to:

● Service providers such as, Psychiatrists, Nurse Practitioners, Coaches, Social Workers, Therapists, Pharmacists, and other professionals providing services to you. All professionals engaged by Outro, whether as contractors or employees, are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this Policy. When the disclosure is part of a care plan or any other health services that you have agreed to, we will consider the agreed care plan or the health services to constitute implied consent;● Third-party service providers that provide technology or communication services, data storage and processing, cloud-based software, payment processing,  or other similar services. For disclosures to a third-party not associated with Outro’s Platform or services, we will only make the disclosure after obtaining your express consent;

In addition, we may also disclose or transfer your personal information:

● To comply with any court order, law, or legal process, including to respond to any government or regulatory request, in accordance with applicable laws, notably in case of suspected or actual privacy breach;
● To enforce or apply our Terms of Use and other agreements, including for billing and collection purposes.
● To a potential acquiror in connection with a transaction involving the sale of some or all of the business of Outro (in which case the use of your personal information by the new entity would continue to be limited by applicable law), or as otherwise permitted or required by law.
● If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Outro, our clients, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

How is my personal information processed and stored?

We keep the PI and PHI that we collect either at our service provider’s data centres located in the United States and Canada.
If you live in Canada, please note that Outro transfers and stores PI or PHI in the United States for the purposes set out above, including for processing and storage by service providers in connection with such Purposes. 

You should note that to the extent that any PI or PHI is processed or stored in the United States, it is subject to the laws of the country in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

You can ask us for a list of individuals and / or organizations we have shared your information with. Except in limited circumstances is an organization able to not disclose the information, including if the disclosure could threaten the safety, physical, or mental health of the person who made the request.

What safeguards are in place to protect my information? 

We have implemented physical, organizational, contractual and technological security measures to protect your PI and PHI from loss or theft, unauthorized access, disclosure, copying, use or modification. The only employees, who are granted access to your PI and PHI, are those with a business ‘need-to-know’ or whose duties reasonably require such information.

How long will you use, disclose, or retain my personal information?

Outro retains personal information and PHI only for as long as necessary to fulfill the purposes for which this information was originally collected, unless further retention is required for legitimate legal, regulatory or business purposes. When personal information and PHI is no longer required to be retained, Outro will securely destroy, erase or anonymize the information in accordance with relevant legal, regulatory and contractual requirements.

We reserve the right to use anonymized and de-identified data for any legitimate business purpose without further notice to you or your consent.

Some of your personal information and PHI cannot be deleted due to statutory retention requirements (for example, the minimum retention period of patient records varies by jurisdiction and is typically a minimum of 10 years). For any deletion request, please contact us at privacy@outro.health, and we will let you know if we can accommodate your request.

How is accuracy of my personal information ensured?

We endeavour to ensure that all decisions involving your information are based upon accurate and timely information. While we will do our best to base our decisions on accurate information, we rely on you to disclose all material information and to inform us of any relevant changes.

At any time, you can challenge the accuracy or completeness of your Personal Information in our records. If you successfully demonstrate that your Personal Information in our records is inaccurate or incomplete, we will amend the Personal Information as required. Where appropriate, we will transmit the amended information to third parties having access to your Personal Information.
If you make a written request to review any PI or PHI about you that we have collected, used or disclosed, we will provide you with any such PI or PHI to the extent required by law. We will make such PI or PHI available to you in a form that is generally understandable, and will explain any abbreviations or codes.

We may request that you provide sufficient identification to permit access to the existence, use or disclosure of your Personal Information. Any such identifying information shall be used only for this purpose.

How can I contact you regarding this privacy policy?

We encourage you to contact us with any questions or concerns you might have about your privacy or our Privacy Policy. We will investigate and respond to your concerns about any aspect of our handling of your information.

All comments, questions, concerns or complaints regarding your PI and PHI, this Privacy Policy or our privacy practices, should be forwarded to our Privacy Officer at the following email address: privacy@outro.health

We will attempt to respond to each of your written requests not later than 30 days after receipt of such requests. We will advise you in writing if we cannot meet your requests within this time limit.

You have the right to make a complaint to the Privacy Commissioner of your jurisdiction in respect of this time limit.