Privacy Policy

Last updated: March 2026

1. Introduction

Serefin Inc. (“Serefin”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal information.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you:

This Privacy Policy applies to personal information collected through our Site, applications, and Services unless a separate privacy notice is provided.

By using our Site, applications, or Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

2. Who We Are

Serefin Inc. (“Serefin”, “we”, “us”, or “our”) provides care coordination, navigation, and support services designed to help individuals access and navigate healthcare-related services.

These Services may be offered under various programs and service models, including MyCareSteps.

Serefin does not provide medical advice, diagnosis, or treatment. Any clinical care is provided by qualified healthcare professionals who are independent of Serefin.

Depending on how you interact with our Services, we may collect and process personal information, including information relating to your health.

In certain cases, Serefin provides services on behalf of healthcare providers or organizations that are subject to applicable health privacy laws, including Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”). In those cases, Serefin acts as a service provider or agent to such organizations and handles information in accordance with their instructions and applicable law.

In other cases, where you interact directly with Serefin, we collect and use your personal information in accordance with this Privacy Policy and applicable privacy laws.

3. What Information We Collect

We collect different types of personal information depending on how you interact with our Site and Services.

a) Information You Provide to Us

We collect information that you voluntarily provide when you interact with us, including when you:

  • create an account or use our Services
  • communicate with us through chat, email, or other channels
  • complete forms or provide feedback
  • subscribe to updates or marketing communications

This information may include your name, contact information (such as email address and phone number), and any other information you choose to provide.

b) Health-Related Information

When you use MyCareSteps or interact with care coordinators, you may provide information relating to your health, including:

  • health conditions or concerns
  • medications, treatments, or care plans
  • information about services you are seeking or receiving

We collect this information only as necessary to provide our Services and support care coordination. Where required by applicable law, we will obtain your consent prior to collecting personal health information.

c) Information Collected Automatically

When you visit our Site or use our Services, we may automatically collect certain information about your device and usage, including:

  • IP address
  • browser type and version
  • device type
  • pages visited and interactions with the Site
  • referring website or source

This information helps us understand how our Site and Services are used and improve functionality and user experience.

d) Information from Third Parties

In some cases, we may receive personal information about you from third parties, including:

  • healthcare providers or organizations that refer you to our Services
  • partners or organizations we work with to provide services
  • publicly available sources, where appropriate

We handle such information in accordance with this Privacy Policy and applicable laws.

4. How We Use Information

We use personal information for the following purposes:

a) Providing and Supporting Our Services

We use personal information to:

  • provide, operate, and maintain our Services
  • facilitate care coordination and respond to your requests
  • connect you with care coordinators or relevant services
  • manage your account and interactions with us

Where you provide health-related information, we use it only as necessary to support your use of the Services and facilitate care coordination.

b) Communication

We use your contact information to:

  • communicate with you about your use of the Services
  • respond to inquiries, requests, or feedback
  • provide important updates, including service-related notices

c) Improving Our Site and Services

We use information to:

  • understand how users interact with our Site and Services
  • analyze usage trends and performance
  • improve functionality, content, and user experience

We may also use personal information to create de-identified or aggregated information that does not reasonably identify individuals, in accordance with applicable de-identification standards and best practices. We may use this de-identified or aggregated information for analytics, research, product development, and other business purposes. Once properly de-identified, such information is no longer considered personal information under applicable privacy laws.

d) Safety, Security, and Fraud Prevention

We use personal information to:

  • protect the security and integrity of our systems
  • detect, prevent, and investigate fraud or misuse
  • enforce our terms and policies

e) Legal and Regulatory Compliance

We may use personal information to:

  • comply with applicable laws and regulations
  • respond to lawful requests from authorities
  • protect our rights, privacy, safety, or property, and that of our users or others

f) Marketing and Communications

Where permitted by law or with your consent, we may use your contact information to:

  • send you updates, newsletters, or promotional communications
  • inform you about services or offerings that may be of interest

You may opt out of marketing communications at any time.

5. When We Share Information

We do not sell your personal information. We may share personal information in the following circumstances:

a) Service Providers

We may share personal information with third-party service providers who perform services on our behalf, such as hosting, data storage, analytics, customer support, and communication services.

These service providers are authorized to use personal information only as necessary to provide services to us and are required to protect it in accordance with applicable privacy laws.

b) Healthcare Providers and Partners

When you use our Services, we may share personal information with healthcare providers or organizations involved in your care, as necessary to support care coordination and service delivery.

Such sharing occurs as part of your use of the Services and is limited to what is reasonably necessary for those purposes.

c) Business Transactions

Personal information may be disclosed or transferred as part of a merger, acquisition, financing, reorganization, or sale of all or a portion of our business.

In such cases, personal information will be protected by appropriate confidentiality and contractual arrangements, and the acquiring party will be required to continue to protect your personal information in accordance with this Privacy Policy and applicable privacy laws, or provide you with notice of any changes to privacy practices.

d) Legal and Regulatory Requirements

We may disclose personal information where required to do so by law or where we believe such disclosure is necessary to:

  • comply with a legal obligation
  • respond to lawful requests from public authorities
  • protect our rights, property, or safety, or that of others

e) With Your Consent

We may share your personal information with your consent or at your direction.

6. Cookies and Website Analytics

We use cookies and similar technologies to collect information about how you interact with our Site and Services.

Cookies are small data files stored on your device that help us:

We may also use third-party analytics tools to help us analyze usage and performance of our Site and Services. These tools may collect information such as your IP address, device type, browser type, and pages visited.

You can control or disable cookies through your browser settings. However, disabling cookies may affect the functionality of certain parts of the Site.

7. Data Security

We implement reasonable administrative, technical, and organizational safeguards designed to protect personal information against loss, theft, unauthorized access, disclosure, alteration, or destruction.

These measures include controls such as access restrictions, secure data storage, and encryption where appropriate. Access to personal information is limited to authorized personnel who require it to perform their duties.

We maintain an information security program certified to ISO/IEC 27001 and regularly review and update our security practices.

While we take steps to protect personal information, no method of transmission over the internet or method of electronic storage is completely secure. As a result, we cannot guarantee absolute security. You acknowledge and accept the inherent security risks of providing information over the internet and will not hold us responsible for any breach of security unless it is due to our gross negligence or willful misconduct.

If we become aware of a security incident involving personal information, we will take appropriate steps to investigate, contain, and address the incident, and notify affected individuals or authorities where required by applicable law.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to provide our Services, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements.

The length of time we retain personal information depends on the nature of the information and the context in which it was collected, including whether the information relates to ongoing service use, legal or regulatory requirements, or operational needs.

Where personal information relates to health or healthcare services, we retain such information in accordance with applicable laws, including Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”), and other relevant regulatory or professional requirements.

Where personal information is no longer required, we will take reasonable steps to securely delete or anonymize it. In some cases, information may be retained in backup systems or archives for a limited period in accordance with our data retention and security practices.

In certain circumstances, we may be required to retain information for longer periods where required by law, legal hold, investigation, or regulatory request.

9. International Data Transfers

Personal information is stored and processed in Canada, unless otherwise required to meet client, contractual, or legal requirements in other jurisdictions.

Where we provide services to clients in other jurisdictions, we may store, process, or share personal information in accordance with applicable local requirements and contractual obligations. This may include sharing information with authorized health information exchanges or similar systems where required by applicable law (for example, NABIDH in the United Arab Emirates). These requirements apply only where required by applicable laws in those jurisdictions and do not apply to users located in Canada.

In some cases, personal information may be transmitted through or accessed from jurisdictions outside of where it is stored (for example, in connection with service providers or network infrastructure). Where this occurs, such information may be subject to the laws of those jurisdictions.

We implement safeguards to protect personal information during such transfers, including the use of encryption and secure transmission protocols.

We take reasonable steps to ensure that personal information remains protected in accordance with applicable privacy laws and our contractual obligations, including through the use of contractual, technical, and organizational safeguards.

10. Your Rights and Choices

Subject to applicable law, you may have the right to access, update, or correct your personal information.

Depending on how you use our Services, you may also have the ability to access, update, or delete certain information directly through your account settings.

You may also withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Please note that withdrawing consent may affect our ability to provide certain Services.

You may opt out of receiving marketing communications from us at any time by following the unsubscribe instructions included in those communications or by contacting us using the information below.

To request access to or correction of your personal information, or to make another request regarding your information, you may contact us using the contact information set out in this Privacy Policy. We may need to verify your identity before responding to your request.

We will respond to requests in accordance with applicable privacy laws.

If you have concerns about how we handle your personal information, we encourage you to contact us first so that we can address your concerns. You also have the right to file a complaint with a privacy regulator, such as the Office of the Privacy Commissioner of Canada or a provincial privacy authority.

11. Children

Our Services may be used in connection with services provided to individuals under the age of majority, typically through a parent, guardian, or other authorized representative.

We do not knowingly collect personal information directly from individuals under the age of 18 without appropriate authorization from a parent, guardian, or authorized representative.

Where personal information relating to a minor is collected, it is handled in accordance with applicable privacy laws, including appropriate safeguards as determined by Serefin Inc. in its reasonable discretion, consistent with industry-standard practices.

If we become aware that personal information has been collected from an individual under the age of majority without appropriate authorization, we will take reasonable steps, within a commercially reasonable timeframe, to either delete such information or obtain appropriate authorization, taking into account operational constraints and the best interests of the individual.

If you believe that we may have collected personal information from a minor without appropriate authorization, please contact us using the contact information provided in Section 13 below. We will use reasonable efforts to review such reports and provide a response within a reasonable timeframe, subject to the complexity of the inquiry and our operational capacity.

12. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or other factors. We will make reasonable efforts to notify users of significant changes where practicable.

When we make changes, we will update the “Last updated” date at the top of this Privacy Policy. Where required by applicable law, we will provide additional notice or obtain your consent.

Your continued use of our Site or Services after the effective date of any non-material updates indicates your acceptance of the revised Privacy Policy. For material changes, your express consent will be obtained as described above, and continued use alone will not constitute acceptance of such material changes.

13. Contact Information

If you have any questions or concerns regarding this Privacy Policy or how we handle your personal information, please contact us at:

Serefin Inc.
Attn: Privacy Officer
65 Front Street East, Suite 101
Toronto, ON M5E 1B5
Canada
Email: privacy@serefin.com

Individuals who have unresolved privacy concerns are encouraged to contact Serefin Inc.'s Privacy Officer directly at the above contact information as a first step. Should a concern remain unresolved after engaging with Serefin Inc., individuals may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.

All requests will be addressed in accordance with applicable law and within a reasonable timeframe as determined by Serefin Inc. Serefin Inc. reserves the right to verify the identity of any individual submitting a request prior to processing, and to decline requests that are frivolous, vexatious, or not required by applicable law. We will respond to verified requests within 30 days, or inform you if we require an extension and the reasons for the extension, as permitted by applicable law. There is no fee for making a request, though we may charge a minimal fee to cover our costs for responding to repetitive or excessive requests, as permitted by law.