Skip to main content
ClaimCoach North

Privacy Notice

Last Updated: May 20, 2026 Version: 1.2 (Lawyer-Reviewed) Effective Date: May 26, 2026

Privacy Officer: Nicolas Faye Contact: privacy@claimcoachnorth.ca

1. INTRODUCTION

ClaimCoach North ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform.

This Privacy Policy explains:

  • What information we collect
  • Why we collect it
  • How we use and protect it
  • Your rights and how to exercise them
  • How we handle privacy breaches

This Privacy Policy applies to all users of ClaimCoach North, including customers in Ontario, Quebec, and all other Canadian provinces.

2. OUR COMMITMENT

We comply with:

  • PIPEDA (Personal Information Protection and Electronic Documents Act) — federal private-sector privacy law
  • PHIPA (Personal Health Information Protection Act, 2004) — Ontario health information privacy law where applicable
  • Quebec Law 25 (Law modernizing privacy legislation) — Quebec's comprehensive privacy law
  • CASL (Canada's Anti-Spam Legislation) — email and messaging regulations
  • AODA (Accessibility for Ontarians with Disabilities Act)

Key Data Residency Commitment

We aim to store primary customer records in Canada where technically available. Some service providers may process or store limited personal information outside Canada, as described in Section 5.2 below. When international transfers occur, we use contractual, technical, and organizational safeguards to protect the information.

3. WHAT INFORMATION WE COLLECT

We collect information in four categories:

3.1 Account Information (L1 — Account PII)

When you create an account, we collect:

  • Full name
  • Email address
  • Phone number (optional)
  • Billing address
  • Password (hashed and encrypted)
  • Province/territory of residence (for jurisdictional compliance)
  • Date of account creation

How we collect it: Directly from you via the signup form.

How long we keep it: For as long as your account is active, plus 30 days after account deletion (for recovery purposes).

3.2 Claim and Insurance Information (L2 — Claim Metadata)

When you create or track an appeal, we collect:

  • Insurer name (Manulife, Sun Life, Canada Life, etc.)
  • Policy number
  • Claim number
  • Date of denial
  • Denial reason category (change of definition, insufficient medical evidence, etc.)
  • Province/territory of appeal
  • Appeal deadline
  • Status of appeal (draft, submitted, resolved, etc.)

This data does NOT include health information. It is structured metadata about your claim, not medical details.

How long we keep it: For 30 days after you delete the claim (for recovery), then permanently deleted.

3.3 Health Information (L3 — PHI/PHI-Adjacent)

When you use ClaimCoach North to appeal an insurance denial or benefits decision, you may upload or provide:

  • Denial or decision letters
  • Medical records, test results, or clinical notes
  • Prescription records
  • Treatment history
  • Functional limitation assessments
  • Your narrative description of your condition and symptoms
  • Appeal drafts we generate for you

This is Protected Health Information (PHI). We treat it with a high level of protection.

How we collect it: You upload documents or paste text directly into the platform.

How long we keep it: Active records are deleted within 30 days after you request deletion, subject to:

  • Backups and backup lifecycle procedures
  • Legal holds or pending litigation
  • Fraud prevention obligations
  • Tax and accounting obligations
  • Dispute resolution requirements
  • Service provider retention periods (e.g., Anthropic may retain logs per their terms)

Backup copies are deleted or overwritten according to our backup lifecycle policies.

Security: PHI is encrypted at rest and encrypted in transit using TLS 1.3. Access is restricted to authorized personnel only.

3.4 Usage and Technical Information (L4 — Audit and Compliance Records)

We automatically collect:

  • IP address (hashed, not stored raw)
  • Browser type and version
  • Device type and operating system
  • Pages you visit and features you use
  • Timestamp of each action
  • Error messages and technical issues
  • API calls and their status codes
  • AI token usage (to track API costs, not content)

We use this information to:

  • Improve the Service
  • Diagnose technical issues
  • Prevent fraud and abuse
  • Comply with legal obligations
  • Measure usage and performance

We do NOT log the content of your uploads, drafts, or translations. We log only that you performed an action (e.g., "user uploaded document," "user generated appeal draft") without recording what was in that document or draft.

How long we keep it: Up to 7 years for security, fraud prevention, legal, audit, dispute resolution, and compliance purposes, unless a shorter or longer period is required by law.

3.5 Consent Records

We keep a record of every consent you give us:

  • Date and time of consent
  • Which consents were given (Privacy Policy, Terms of Service, PHI Processing)
  • Your IP address (for verification purposes)
  • Any consent withdrawal

Retention: 7 years (required for regulatory compliance).

4. WHY WE COLLECT THIS INFORMATION

Purpose 1: Delivering the Service

We use your account information, claim metadata, and PHI to:

  • Process your requests
  • Generate appeal letter drafts
  • Provide customer support
  • Track your appeals and deadlines
  • Store and retrieve your documents
  • Communicate with you about your account

Purpose 2: Improving the Service

We use aggregated, anonymized data to:

  • Identify common insurance denial reasons
  • Improve our templates and prompts
  • Optimize our appeal-generation process
  • Enhance user experience and interface
  • Conduct product research and testing

We strip all identifying information before using data for improvement. We cannot trace insights back to you.

Purpose 3: Compliance and Legal Obligations

We use your information to:

  • Verify your identity
  • Comply with tax and accounting requirements
  • Respond to valid legal requests (subpoenas, court orders, government investigations)
  • Prevent fraud and enforce our Terms of Service
  • Maintain audit trails as required by law

Purpose 4: Communication

We use your email address to:

  • Send transactional emails (account confirmations, password resets, billing receipts)
  • Notify you of major Service changes
  • Provide educational resources about appeals (if you opt in)

We do NOT send marketing emails or sales pitches without your explicit consent.

5. WHO WE SHARE YOUR INFORMATION WITH

5.1 We Do NOT Share or Sell Your Information

We do not sell, rent, lease, or trade your personal information or health information to any third party.

We do not share your information with:

  • Marketing firms or data brokers
  • Insurance companies (your insurer does not know you used ClaimCoach North)
  • Government agencies (except in response to valid legal requests)
  • Employers or educational institutions
  • Credit agencies or collection firms

5.2 Service Providers (Subprocessors)

We share information only with trusted service providers who process it on our behalf under data processing agreements:

Supabase (Authentication and Database)

  • Manages account authentication and stores customer records (account info, claim metadata, PHI, audit logs)
  • Region: ca-central-1 (Canada Central, Canada)
  • Agreement: Data Processing Agreement (DPA) in place
  • Encryption: At-rest AES-256, in-transit TLS 1.3
  • Access: Limited to system administrators for operational purposes only

Anthropic Claude API (AI Language Model)

  • Processes your documents and appeals when you use the translation and drafting features
  • Sends: Your denial letters, medical summaries, and other information you upload
  • Data retention and use: Per Anthropic's API terms and our enterprise agreement. We do not permit Anthropic to use your information to train models, where covered by our agreement.
  • Important: Anthropic may temporarily process and retain request data according to its terms. Do not assume data is deleted immediately after processing.
  • Agreement: Data Processing Agreement in place

Stripe (Payment Processing)

  • Processes your paid package payments and any future subscription payments if subscriptions are later enabled
  • Receives: Email, billing address, payment card information
  • Does NOT receive: Your health information, appeals, or claim details
  • Retention: Stripe retains payment records as required by law (7 years for tax purposes)
  • PCI Compliant: Stripe is certified PCI-DSS Level 1 (highest standard)
  • Agreement: Standard DPA in place

Postmark (Email Service)

  • Sends transactional and informational emails on our behalf
  • Receives: Your email address and the content of emails we send you
  • Does NOT receive: Your health information or appeals (unless you include it in an email request)
  • Retention: Postmark retains email logs for 30 days
  • Agreement: DPA in place

Fly.io (Cloud Hosting)

  • Hosts our website and API servers
  • Receives: Your requests and responses (in encrypted form)
  • Does NOT access: Your stored data (encryption keys are managed separately)
  • Region: Toronto (yyz)
  • Agreement: Standard terms of service

Google Workspace (Company Email)

  • Used for internal business email and administration only
  • Does NOT store customer PHI unless necessary and approved
  • Region: Data residency options available
  • Agreement: Governed by Google's standard terms and security controls

5.3 Legal Requests

We may disclose your information if required by law:

  • Valid court order or subpoena
  • Government investigation or regulatory inquiry
  • Law enforcement request
  • Protection of health and safety (imminent danger)

We will notify you of legal requests whenever legally permitted. If a request is confidential, we will challenge it before complying when possible.

6. YOUR RIGHTS

6.1 Right of Access

You have the right to request a copy of all personal information we hold about you. To request access:

  1. Email privacy@claimcoachnorth.ca with the subject "Right of Access Request"
  2. Include your full name, email, and account number (if available)
  3. We will respond within 30 days with a copy of your information in a readable format

Cost: Free for the first request per year. Subsequent requests may incur a reasonable fee ($25–100 CAD depending on complexity).

Format: We will provide your information in a portable, machine-readable format (CSV, PDF, or JSON) unless you request otherwise.

6.2 Right of Correction

You have the right to request correction of inaccurate personal information. To request a correction:

  1. Email privacy@claimcoachnorth.ca with the subject "Correction Request"
  2. Include your full name, email, and a detailed description of the inaccuracy
  3. We will correct the information within 15 business days

If we dispute your correction request, we will respond with our reasons.

6.3 Right of Deletion

You have the right to request deletion of your personal information. To request deletion:

  1. Log into your account and click "Delete Account" in settings, OR
  2. Email privacy@claimcoachnorth.ca with the subject "Deletion Request"
  3. We will delete your account within 30 days

What happens:

  • Your account and login are disabled immediately
  • Active records (documents, drafts, data) are permanently deleted within 30 days
  • We retain audit logs for up to 7 years (as required by law) but these are not linked to your name

Exceptions: We may retain data longer if required by law (tax records, legal disputes, regulatory investigations).

6.4 Right to Opt-Out of Email Communications

You have the right to opt out of non-transactional emails:

  1. Click "Unsubscribe" at the bottom of any email from us, OR
  2. Email privacy@claimcoachnorth.ca with "Unsubscribe" in the subject line

We will remove you from educational and marketing emails within 5 business days. Note: You will continue to receive transactional emails (receipts, password resets, account notifications).

6.5 Right to Data Portability

You have the right to request your data in a portable, machine-readable format. To request portability:

  1. Email privacy@claimcoachnorth.ca with the subject "Data Portability Request"
  2. We will provide your account data, claims, and uploads in JSON or CSV format within 30 days

6.6 Right to Withdraw Consent

You can withdraw consent for any purpose at any time by:

  1. Updating your account settings, OR
  2. Emailing privacy@claimcoachnorth.ca

Note: Withdrawing consent may prevent us from serving you. For example, withdrawing consent for PHI processing means we cannot generate appeal drafts.

6.7 Right to Challenge Compliance

You may challenge our compliance with this Privacy Policy by contacting the Privacy Officer at privacy@claimcoachnorth.ca. We will investigate, respond in writing, and explain any corrective steps taken.

7. HOW WE PROTECT YOUR INFORMATION

7.1 Encryption

  • At rest: All data is encrypted using AES-256 encryption at the database level.
  • In transit: All communication between your device and our servers uses TLS 1.3 (highest current standard).

7.2 Access Controls

  • Authentication: All access to our systems requires multi-factor authentication (MFA).
  • Role-based: Staff can access data only for their specific role (support, operations, engineering).
  • Audit logging: All access to health information is logged and reviewed monthly.
  • Separation: Customer data and company operations are on separate, isolated systems.

7.3 Physical Security

  • Data centers: All data is stored in AWS Canada Central data centers in ca-central-1, which are guarded 24/7 with biometric access controls, climate-controlled and redundantly powered, tested against natural disasters and attacks, and audited annually by third-party security firms.

7.4 Employee Access

  • Limited access: Only authorized personnel can access customer data, restricted by role.
  • Screening: All employees and contractors undergo background checks.
  • Training: All staff receive annual privacy and security training.
  • Agreements: All staff sign confidentiality agreements.

7.5 Ongoing Monitoring

  • Security scanning: We run automated security scans regularly to detect vulnerabilities.
  • Penetration testing: We conduct annual third-party penetration testing.
  • Incident response: We have a documented breach response plan.
  • Insurance: We carry cyber liability and E&O insurance.

8. PRIVACY BREACH NOTIFICATION

8.1 What Is a Privacy Incident or Breach?

A privacy incident is any unauthorized access to, use of, disclosure of, loss of, or compromise of personal information.

A privacy breach is a privacy incident that creates a real risk of significant harm (PIPEDA) or risk of serious injury (Quebec Law 25), or where another applicable law requires notification or reporting.

8.2 Our Breach Response Process

Immediate (within 24 hours):

  1. We confirm the incident and contain it
  2. We notify our Privacy Officer
  3. We assess the risk of significant harm to you

Notification (if there is a real risk of significant harm):

To you directly (as soon as feasible after we determine that the breach creates a real risk of significant harm):

  • Email to your registered email address
  • Includes: what happened, what data was affected, what we're doing about it, what you should do
  • We provide a direct contact for questions

To Canadian regulators:

  • Office of the Privacy Commissioner of Canada (OPC) — under PIPEDA, as soon as feasible after determining there is a real risk of significant harm
  • Quebec Commission d'accès à l'information (CAI) — under Quebec Law 25 within 72 hours of becoming aware of the breach
  • Information and Privacy Commissioner of Ontario (IPC) — where PHIPA applies in prescribed circumstances

8.3 Assessment of Risk

For health information, we presume there is a real risk of significant harm unless circumstances show otherwise.

For account information (email, name, address), we assess based on how much information was exposed and for how long.

For encrypted data with strong encryption (AES-256), we generally do not presume real risk of harm.

8.4 Our Commitments if There Is a Breach

  • We will offer 2 years of complimentary identity theft protection and credit monitoring
  • We will investigate the cause and provide a detailed report
  • We will implement remediation measures to prevent recurrence
  • We will not increase your fees
  • You can request full deletion of your account at no cost

9. BILLING AND PAYMENT INFORMATION

9.1 What We Collect

When you purchase a paid ClaimCoach North service, we collect:

  • Billing name and address
  • Email address
  • Payment card type and last 4 digits (full number is NOT stored by us)
  • Package type, and billing cycle/subscription tier only if a subscription product is later enabled
  • Invoice history and payment status

9.2 How Long We Keep It

We retain billing information for 7 years, as required by Canadian tax law (Canada Revenue Agency). After 7 years, all billing data is permanently deleted.

9.3 Payment Security

  • Stripe: Payment card information is processed by Stripe, a PCI-DSS Level 1 certified payment processor. We never see or store your full card number.
  • Compliance: We comply with PCI-DSS standards for payment data handling.
  • Fraud detection: Stripe monitors for fraudulent transactions and alerts us to suspicious activity.

10. QUEBEC LAW 25 COMPLIANCE

If you are a Quebec resident, this section applies:

10.1 Consent

You must provide explicit consent for us to:

  • Collect your personal information
  • Process your health information
  • Use AI to analyze your documents
  • Send you email communications

You have given consent by:

  • Signing up for an account
  • Checking the three consent boxes (Privacy Policy, Terms of Service, PHI Processing)
  • Confirming that you are at least 18 years old

You can withdraw consent at any time by deleting your account or emailing privacy@claimcoachnorth.ca.

10.2 Automated Processing and AI-Assisted Tools

We use automated processing and AI-assisted tools to generate draft documents and plain-language explanations.

Important: These tools do not make final legal, insurance, medical, or benefit decisions. You decide whether to use, edit, or submit any draft.

Quebec Law 25 requires transparency when personal information is used to make a decision based exclusively on automated processing. We are transparent about how we use AI and do not make binding decisions about your benefits or appeals.

10.3 Privacy Officer

We have designated Nicolas Faye as our Privacy Officer under Quebec Law 25. Contact privacy@claimcoachnorth.ca with any privacy inquiries.

10.4 Language Rights

You have the right to interact with ClaimCoach North in French. The product interface, consent flow, and core customer communications are designed for English and French use. During beta or pre-launch periods, some legal documents may temporarily appear in English with a French availability notice while final French legal translations are completed. We will update this notice when the French legal versions are available.

10.5 Risk of Serious Injury Assessment

Under Quebec Law 25, we assess "risk of serious injury" considering:

  • Sensitivity of the information
  • Anticipated consequences
  • Likelihood of injurious use

11. COOKIES AND TRACKING

11.1 What Are Cookies?

Cookies are small files stored on your device that help us recognize you when you return to our site.

11.2 What Cookies We Use

Essential cookies (always on, no consent required):

  • Session cookies — keep you logged in
  • Security cookies — prevent fraud and attacks
  • Preference cookies — remember your language choice (EN/FR)

Analytics cookies and scripts:

  • We do not currently run analytics cookies or third-party tracking scripts in the beta web app
  • If we later add analytics such as Plausible or PostHog, we will update this Privacy Notice and any required consent or opt-out controls before enabling them
  • We will not use analytics to inspect the contents of uploaded denial letters, appeal drafts, translations, or health-related claim information

Marketing cookies:

  • We do NOT use marketing cookies or third-party tracking pixels
  • We do NOT sell data to advertisers
  • We do NOT use Facebook Pixel, Google Analytics, or similar invasive trackers

11.3 Disabling Cookies

You can disable cookies in your browser settings. This may prevent login and some features from working.

12. WHERE YOUR DATA IS STORED

We aim to store primary customer records in Canada where technically available. However:

Canadian storage (ca-central-1, Canada Central):

  • Supabase authentication, database, and storage (customer accounts, claim data, uploads)

Partial international processing (with safeguards):

  • Anthropic Claude API may process documents outside Canada temporarily
  • Postmark, Stripe, and other providers operate globally with encryption and DPAs in place

When international transfers occur, we use contractual, technical, and organizational safeguards (encryption, DPAs, access restrictions) to protect your information.

13. DATA RETENTION SUMMARY

Account information (L1): Retained while active, plus 30 days after account deletion (account recovery).

Claim metadata (L2): 30 days after you delete the claim, then permanently deleted.

Health information (L3): Active records deleted within 30 days of a deletion request, subject to backups, legal holds, fraud prevention, dispute resolution, and service-provider retention periods.

Audit logs (L4): Up to 7 years (security, fraud prevention, legal, audit, compliance).

Consent records: 7 years (regulatory compliance).

Billing records: 7 years (tax compliance — CRA).

Cookies: 12 months (session and preference tracking).

Payment data: 7 years (tax law — CRA).

14. THIRD-PARTY LINKS AND SERVICES

Our website may link to third-party websites (government sites, lawyer directories, ombudsmen, etc.). This Privacy Policy does not apply to those sites. You are responsible for reviewing their privacy policies before providing information.

15. CHILDREN'S PRIVACY

ClaimCoach North is not intended for children under 18. We do not knowingly collect information from children. If we learn that we have collected information from a child, we will delete it immediately.

A parent, guardian, or authorized representative may submit information about a minor only if they have legal authority to do so.

If you are a parent or guardian and believe a child has used ClaimCoach North, contact us at privacy@claimcoachnorth.ca.

16. UPDATES TO THIS POLICY

We may update this Privacy Policy at any time to reflect changes in our practices, technology, or law. We will:

  • Post the updated version on our website
  • Update the "Last Updated" date at the top
  • Notify you by email if changes are material

Continued use of ClaimCoach North after updates constitutes acceptance of the revised Privacy Policy.

17. HOW TO CONTACT US

For privacy questions, requests, or complaints:

Email: privacy@claimcoachnorth.ca Website: claimcoachnorth.ca

Response time: We will respond to all privacy inquiries within 30 days.

Complaint to regulators:

If you are not satisfied with our response, you can file a complaint with:

Office of the Privacy Commissioner of Canada (PIPEDA) Email: info@priv.gc.ca Website: www.priv.gc.ca Phone: 1-800-282-1376

Quebec Commission d'accès à l'information (Law 25) Email: info@cai.gouv.qc.ca Website: www.cai.gouv.qc.ca Phone: 1-888-666-0045

Information and Privacy Commissioner of Ontario (PHIPA) Email: info@ipc.on.ca Website: www.ipc.on.ca Phone: 1-800-387-0073

Last Updated: May 20, 2026 Version: 1.2 (Lawyer-Reviewed)

By using ClaimCoach North, you confirm that you have read and understood this Privacy Policy.