Privacy Policy

CHAH TECHNOLOGY

Privacy Policy

Privacy Commitment: CHAH Technology is unconditionally committed to the protection of your personal and personal health information. Our Privacy Management Program is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act (PHIPA), and all applicable provincial, professional, and sector-specific standards. As a technology-first health care company deploying Predictive AI and visual care monitoring, we hold this obligation to an elevated standard.

1. Accountability

All CHAH Technology employees, contractors, and technology partners share accountability for maintaining the privacy and confidentiality of client information. The CHAH Technology Privacy Officer holds primary responsibility for enterprise-wide compliance with all applicable privacy legislation and internal privacy practices. Every team member receives training in the Privacy Management Program upon onboarding and whenever material changes to legislation or best practices occur.

CHAH Technology will amend this Policy and its Privacy Management Program as changes to privacy legislation, AI governance frameworks, or industry best practices are identified.

2. Purposes for the Collection of Personal Information

CHAH Technology collects personal and personal health information strictly to fulfil the following purposes:

Direct client care planning, delivery, coordination, and evaluation
Operation of AI-powered predictive monitoring and risk-detection systems
Visual care technology analysis to detect health changes, fall risks, and behavioural anomalies
Administrative operations including scheduling, billing, and regulatory reporting
Quality assurance, service improvement, and outcomes research (de-identified where practicable)
Compliance with applicable legal and regulatory obligations

At or before the time of collection, CHAH Technology will clearly identify — and, upon request, explain — the specific purposes for which your information will be used, whether for traditional care delivery or AI-driven health analytics.

3. Categories of Information Collected

CHAH Technology may collect the following categories of information:

Personal Identifiers

Full name, date of birth, gender, home address, telephone number, and email address
Payment card and billing information

Personal Health Information

General and specific health concerns, diagnoses, medications, allergies, and substance use history
Personal and family medical history
Physician, specialist referrals, treatment plans, and care notes
Personal Support Worker (PSW) and nursing care documentation

AI and Technology-Generated Data

Sensor-derived data from in-home monitoring devices, including motion detection, gait patterns, sleep cycles, and bathroom frequency
Visual care data captured by privacy-preserving monitoring technology (silhouette and depth imagery; no identifiable video is stored)
AI model inputs, predictive outputs, risk-assessment scores, and alert logs
Device identifiers, system access timestamps, and platform interaction records

Website and Digital Analytics

IP address, domain name, browser type, and referring URLs collected via cookies for website performance and accessibility improvement only

4. Consent and the AI-Specific Consent Framework

Your knowledge and express written consent — or that of your legally authorized representative — are required before CHAH Technology collects, uses, or discloses your personal information. Consent obtained at the commencement of services remains valid for the duration of care, provided the stated purposes have not materially changed. You may withdraw consent, in whole or in part, at any time, and CHAH Technology staff will advise you of the implications of any such withdrawal.

AI-Specific Consent: Because CHAH Technology deploys Predictive AI models and visual care monitoring technology to analyse your health data, we obtain separate, explicit, informed consent for: (a) continuous in-home monitoring via sensor and visual technology; (b) the use of your health data as input to AI risk-prediction algorithms; and (c) the sharing of AI-generated insights with your clinical care team. You may withdraw consent for AI analysis or monitoring at any time without affecting your right to receive traditional care services.

For clients unable to provide consent — including minors, individuals with cognitive impairment, or those who are seriously ill — consent will be obtained from a legally authorized representative such as a Power of Attorney for Personal Care, legal guardian, or estate executor.

5. Limiting Collection and Use

CHAH Technology collects only the minimum information necessary to fulfil the purposes identified at the time of collection. We do not use personal health information for commercial profiling, targeted advertising, or any purpose beyond those stated in this Policy or separately consented to.

AI model outputs are used solely to support clinical decision-making by qualified health professionals. Automated AI-generated recommendations are never used as standalone determinants of care without human clinical oversight and review.

6. Disclosure of Personal Information

Your information may be shared, with your consent or as permitted or required by applicable law, with the following parties:

Your regulated health care practitioners, allied health professionals, and clinical care team members
Hospitals, pharmacies, or other health information custodians involved in your care
CHAH Technology’s vetted technology partners supporting AI and monitoring infrastructure, under binding data-processing and confidentiality agreements
Authorized substitute decision-makers or family members as directed by you
Regulatory authorities, law enforcement agencies, or courts as required by law

All third-party service providers are bound by contractual obligations requiring protection of your information consistent with PIPEDA, PHIPA, and CHAH Technology’s internal standards. Your personal information is stored and processed in Canada.

Please advise CHAH Technology of any individuals with whom you do not wish your information to be shared, and this restriction will be documented in your file.

7. Data Storage and Security Safeguards

CHAH Technology applies layered, enterprise-grade security controls commensurate with the sensitivity of personal health information and AI-generated data. Our safeguards include:

End-to-end encryption of all personal health information and AI data streams, both in transit and at rest
Role-based access controls that limit data access to personnel with a documented need-to-know
Comprehensive audit logging of all access to AI systems and client health records
Physical security controls for on-premise infrastructure, edge devices, and monitoring hardware
Regular penetration testing, vulnerability assessments, and independent third-party security audits
Vendor risk assessments and due diligence reviews for all technology partners and sub-processors
Privacy Impact Assessments (PIAs) conducted prior to deploying new AI features, data sources, or material changes to processing activities

In the event of a privacy breach involving your personal health information, CHAH Technology will notify you and the applicable regulatory authority in accordance with the requirements of PIPEDA and PHIPA, within legislatively mandated timelines.

8. AI Model Governance and Transparency

CHAH Technology is committed to responsible, accountable, and explainable AI. All AI systems deployed in care delivery are governed by the following standards:

AI models are validated for clinical accuracy, equity, and bias prior to deployment and continuously throughout their operational lifecycle
All AI-generated risk predictions and alerts are reviewed by a qualified care professional before any care action is initiated
Clients and their authorized representatives may request a plain-language explanation of how an AI model reached any conclusion affecting their care
AI systems are not used to make final care determinations autonomously; human clinical judgment is the determinative factor in all care decisions
CHAH Technology maintains a register of all active AI models, specifying their intended purpose, data inputs, output types, and ongoing performance metrics
AI model design, training data sources, and performance benchmarks are subject to periodic review by clinical and ethics oversight

9. Retention and Destruction

Personal health records are retained in accordance with Ontario legislation and applicable record-keeping requirements. AI-generated data, sensor logs, and model outputs are retained only for the period necessary to fulfil the care and safety purposes for which they were collected. Upon expiry of the applicable retention period, information is securely destroyed or rendered permanently de-identified, using methods appropriate to the sensitivity of the data.

10. Your Privacy Rights

As a CHAH Technology client, you have the right to:

Request access to your personal and personal health information held by CHAH Technology
Challenge the accuracy or completeness of your information and request amendments where appropriate
Withdraw consent for the collection, use, or disclosure of your information at any time
Request information about how AI models and monitoring technology have been used in your care
Obtain a copy of AI-generated data and monitoring records associated with your care
Request that your personal information be deleted, subject to applicable legal retention requirements

Requests for access will be acknowledged and substantively responded to within 30 days. Active clients may also access care plan information and care notes through the CHAH client and family digital portal.

11. Website and Cookie Policy

CHAH Technology’s website (chah.ai) uses cookies to enhance user experience. Cookies store anonymous, non-personal session information on your device. We may collect aggregate statistics — including IP addresses, domain names, access times, and referring URLs — solely to improve website performance and accessibility. No personal health information is collected through the website without your explicit, separate consent.

12. Updates to This Policy

CHAH Technology will review and update this Privacy Policy as required by changes to applicable legislation, AI governance standards, or our operational practices. Material changes will be communicated to active clients with reasonable notice. The current version of this Policy is always available at chah.ai.

Appendix A — CHAH Technology’s Ten Privacy Principles

The following principles, consistent with PIPEDA Schedule 1, govern CHAH Technology’s approach to personal information management:

Principle 1 — Accountability

CHAH Technology is responsible for all personal information in its custody or under its control. The Privacy Officer oversees compliance with all applicable privacy principles and legislation.

Principle 2 — Identifying Purposes

The purposes for collecting personal information are identified at or before the time of collection, covering direct care, AI-assisted analysis, administration, and legal compliance.

Principle 3 — Consent

Informed consent is obtained for all collection, use, and disclosure of personal information, including separate consent for AI analysis and in-home monitoring. Consent may be withdrawn at any time.

Principle 4 — Limiting Collection

Only the information necessary to fulfil stated purposes is collected, by fair and lawful means.

Principle 5 — Limiting Use, Disclosure, and Retention

Personal information is used and disclosed only for the purposes for which it was collected, unless consent is obtained for a new purpose or disclosure is required by law.

Principle 6 — Accuracy

CHAH Technology takes reasonable steps to ensure that personal information is accurate, complete, and up to date for its intended purposes.

Principle 7 — Safeguards

Personal information is protected by security safeguards appropriate to its sensitivity, including those specific to AI-generated health data and visual monitoring data.

Principle 8 — Openness

CHAH Technology’s privacy policies and practices are available to clients upon request and published at chah.ai.

Principle 9 — Individual Access

Clients may request access to their personal information, challenge its accuracy, and request corrections. Formal access requests are responded to within 30 days.

Principle 10 — Challenging Compliance

Clients may direct challenges concerning compliance with these principles to the CHAH Technology Privacy Officer using the contact information below.

Contact: CHAH Technology Privacy Officer

For all privacy inquiries, access requests, consent withdrawals, or complaints:

Email	info@chah.ai
Website	https://chah.ai/contact-us/
Legislation	PIPEDA \| PHIPA \| Ontario Health Information Act

CHAH Technology • Comprehensive Healthcare at Home • chah.ai