Skip to main content

Bêta sur invitation : la relecture reste active.

ClaimCoach North fournit une aide documentaire canadienne en autoassistance, sans conseil juridique, représentation, service d'expert en sinistres public ni promesse de résultat.

Privacy Notice

Le texte juridique anglais ci-dessous est la version active. Une traduction juridique française est en préparation et doit être révisée avant publication.

Last Updated: June 21, 2026 Version: 1.4 Effective Date: June 21, 2026

Privacy Officer: Nicolas Faye Contact: privacy@claimcoachnorth.ca

1. INTRODUCTION

ClaimCoach North ("we," "us," or "our") is a self-help document preparation and review service operated by Nicolas Faye as a sole proprietorship in Ontario, Canada. We are committed to protecting your privacy and handling sensitive insurance and benefit-claim information carefully.

This Privacy Policy explains:

  • What information we collect
  • Why we collect it
  • How we use and protect it
  • Your rights and how to exercise them
  • How we handle privacy breaches

This Privacy Policy applies to all users of ClaimCoach North, including customers in Ontario, Quebec, and all other Canadian provinces.

2. OUR COMMITMENT

We comply with:

  • PIPEDA (Personal Information Protection and Electronic Documents Act) — federal private-sector privacy law
  • PHIPA (Personal Health Information Protection Act, 2004) — Ontario health information privacy law where applicable
  • Quebec Law 25 (Law modernizing privacy legislation) — Quebec's comprehensive privacy law
  • CASL (Canada's Anti-Spam Legislation) — email and messaging regulations
  • AODA (Accessibility for Ontarians with Disabilities Act)

Key Data Residency Commitment

We aim to store primary customer records in Canada where technically available. Some service providers may process or store limited personal information outside Canada, as described in Section 5.2 below. When international transfers occur, we use contractual, technical, and organizational safeguards to protect the information.

3. WHAT INFORMATION WE COLLECT

We collect information in four categories:

3.1 Account Information (L1 — Account PII)

When you create an account, we collect:

  • Full name
  • Email address
  • Phone number (optional)
  • Billing address
  • Password (hashed and encrypted)
  • Province/territory of residence (for jurisdictional compliance)
  • Date of account creation

How we collect it: Directly from you via the signup form.

How long we keep it: For as long as your account is active, plus 30 days after account deletion (for recovery purposes).

3.2 Claim and Insurance Information (L2 — Claim Metadata)

When you create or track an appeal, we collect:

  • Insurer name (Manulife, Sun Life, Canada Life, etc.)
  • Policy number
  • Claim number
  • Date of denial
  • Denial reason category (change of definition, insufficient medical evidence, etc.)
  • Province/territory of appeal
  • Appeal deadline
  • Status of appeal (draft, submitted, resolved, etc.)

We classify this as claim metadata, but we still treat it as sensitive because insurance and benefit claim details may reveal health, employment, financial, or disability-related context.

How long we keep it: For 30 days after you delete the claim (for recovery), then permanently deleted.

3.3 Health Information (L3 — PHI/PHI-Adjacent)

When you use ClaimCoach North to appeal an insurance denial or benefits decision, you may upload or provide:

  • Denial or decision letters
  • Medical records, test results, or clinical notes
  • Prescription records
  • Treatment history
  • Functional limitation assessments
  • Your narrative description of your condition and symptoms
  • Appeal documents prepared through the Service

This is Protected Health Information (PHI). We treat it with a high level of protection.

How we collect it: You upload documents or paste text directly into the platform.

How long we keep it: Active records are deleted within 30 days after you request deletion, subject to:

  • Backups and backup lifecycle procedures
  • Legal holds or pending litigation
  • Fraud prevention obligations
  • Tax and accounting obligations
  • Dispute resolution requirements
  • Service provider retention periods under their applicable terms

Backup copies are deleted or overwritten according to our backup lifecycle policies.

Security: PHI is protected with provider-managed encryption at rest, HTTPS/TLS in transit, and restricted access controls.

3.4 Usage and Technical Information (L4 — Audit and Compliance Records)

We automatically collect:

  • IP address (hashed, not stored raw)
  • Browser type and version
  • Device type and operating system
  • Pages you visit and features you use
  • Timestamp of each action
  • Error messages and technical issues
  • API calls and their status codes
  • Service usage metrics (to monitor performance and cost, not document content)

We use this information to:

  • Improve the Service
  • Diagnose technical issues
  • Prevent fraud and abuse
  • Comply with legal obligations
  • Measure usage and performance

We do NOT log the content of your uploads, drafts, or translations. We log only that you performed an action (e.g., "user uploaded document," "user generated appeal draft") without recording what was in that document or draft.

How long we keep it: Up to 7 years for security, fraud prevention, legal, audit, dispute resolution, and compliance purposes, unless a shorter or longer period is required by law.

3.5 Consent Records

We keep a record of every consent you give us:

  • Date and time of consent
  • Which consents were given (Privacy Notice, Terms of Service, PHI Processing, document-processing technology, and any optional marketing consent)
  • Your IP address (for verification purposes)
  • Any consent withdrawal

Retention: 7 years (required for regulatory compliance).

4. WHY WE COLLECT THIS INFORMATION

Purpose 1: Delivering the Service

We use your account information, claim metadata, and PHI to:

  • Process your requests
  • Prepare supervised self-help appeal package documents for supported paid packages
  • Use approved technology subprocessors to prepare and internally review self-help package materials when required consents, payment, scope, readiness, budget, and review gates pass
  • Provide customer support
  • Track your appeals and deadlines
  • Store and retrieve your documents
  • Communicate with you about your account

Purpose 2: Improving the Service

We use de-identified or aggregated data where practical to:

  • Identify common insurance denial reasons
  • Improve our package-preparation process
  • Optimize our appeal-package workflow
  • Enhance user experience and interface
  • Conduct product research and testing

We do not use your uploaded documents, drafts, or claim details in public examples, advertising, or marketing. Any product-improvement review must avoid public disclosure of identifiable customer information.

Purpose 3: Compliance and Legal Obligations

We use your information to:

  • Verify your identity
  • Comply with tax and accounting requirements
  • Respond to valid legal requests (subpoenas, court orders, government investigations)
  • Prevent fraud and enforce our Terms of Service
  • Maintain audit trails as required by law

Purpose 4: Communication

We use your email address to:

  • Send transactional emails (account confirmations, password resets, billing receipts)
  • Notify you of major Service changes
  • Provide educational resources about appeals (if you opt in)

We do NOT send marketing emails or sales pitches without your explicit consent.

5. WHO WE SHARE YOUR INFORMATION WITH

5.1 We Do NOT Share or Sell Your Information

We do not sell, rent, lease, or trade your personal information or health information to any third party.

We do not share your information with:

  • Marketing firms or data brokers
  • Insurance companies (your insurer does not know you used ClaimCoach North)
  • Government agencies (except in response to valid legal requests)
  • Employers or educational institutions
  • Credit agencies or collection firms

5.2 Service Providers (Subprocessors)

We share information only with trusted service providers who process it on our behalf under data processing agreements:

Supabase (Authentication and Database)

  • Manages account authentication and stores customer records (account info, claim metadata, PHI, audit logs)
  • Region: ca-central-1 (Canada Central, Canada)
  • Agreement: Data Processing Agreement (DPA) in place
  • Encryption: provider-managed encryption at rest and HTTPS/TLS in transit
  • Access: Limited to system administrators for operational purposes only

OpenAI (Approved Technology Subprocessor for Document Preparation)

  • Processes minimum-necessary claim facts, evidence summaries, document text, and package-preparation instructions when approved document-processing tools are enabled for your file
  • Receives: the information needed to prepare or internally review the self-help package, subject to consent, feature flags, budget controls, and safety gates
  • Does NOT receive: payment card details, Stripe payment credentials, or raw application secrets
  • Data handling: governed by OpenAI's business/API terms and data processing terms. We do not opt in to provider training on your API inputs or outputs.
  • Location: OpenAI may process information outside Canada. We use contractual, technical, and organizational safeguards for this transfer.
  • Important: provider-generated document-preparation output is internal until Insurance Expert Review and final delivery gates pass. Technology providers never approve, file, email, or release your final package.

Stripe (Payment Processing)

  • Processes your paid package payments
  • Receives: Email, billing address, payment card information
  • Does NOT receive: Your health information, appeals, or claim details
  • Retention: Stripe retains payment records as required by law (7 years for tax purposes)
  • PCI Compliant: Stripe is certified PCI-DSS Level 1 (highest standard)
  • Agreement: Standard DPA in place

Postmark (Email Service)

  • Sends transactional and informational emails on our behalf
  • Receives: Your email address and the content of emails we send you
  • Does NOT receive: Your health information or appeals (unless you include it in an email request)
  • Retention: Postmark retains email logs for 30 days
  • Agreement: DPA in place

Fly.io (Cloud Hosting)

  • Hosts our website and API servers
  • Receives: Your requests and responses (in encrypted form)
  • Does NOT access: Your stored data (encryption keys are managed separately)
  • Region: Toronto (yyz)
  • Agreement: Standard terms of service

Cloudflare (DNS, CDN, and security)

  • Protects our public website and routes traffic to the Service
  • Receives: limited request metadata such as IP address, browser metadata, and URL/request information needed for security and routing
  • Does NOT receive: your stored claim documents from our database or storage bucket

Error Monitoring Provider

  • Helps us detect technical errors and security-relevant failures
  • Receives: error metadata and limited technical context
  • Does NOT intentionally receive: uploaded documents, appeal drafts, medical facts, payment card data, or raw request bodies
  • We configure logging and error reporting to redact sensitive fields where possible

Google Workspace (Company Email)

  • Used for internal business email and administration only
  • Does NOT store customer PHI unless necessary and approved
  • Region: Data residency options available
  • Agreement: Governed by Google's standard terms and security controls

5.3 Legal Requests

We may disclose your information if required by law:

  • Valid court order or subpoena
  • Government investigation or regulatory inquiry
  • Law enforcement request
  • Protection of health and safety (imminent danger)

We will notify you of legal requests whenever legally permitted. If a request is confidential, we will challenge it before complying when possible.

6. YOUR RIGHTS

6.1 Right of Access

You have the right to request a copy of all personal information we hold about you. To request access:

  1. Email privacy@claimcoachnorth.ca with the subject "Right of Access Request"
  2. Include your full name, email, and account number (if available)
  3. We will respond within 30 days with a copy of your information in a readable format

Cost: Free for the first request per year. Subsequent requests may incur a reasonable fee ($25–100 CAD depending on complexity).

Format: We will provide your information in a portable, machine-readable format (CSV, PDF, or JSON) unless you request otherwise.

6.2 Right of Correction

You have the right to request correction of inaccurate personal information. To request a correction:

  1. Email privacy@claimcoachnorth.ca with the subject "Correction Request"
  2. Include your full name, email, and a detailed description of the inaccuracy
  3. We will correct the information within 15 business days

If we dispute your correction request, we will respond with our reasons.

6.3 Right of Deletion

You have the right to request deletion of your personal information. To request deletion:

  1. Log into your account and click "Delete Account" in settings, OR
  2. Email privacy@claimcoachnorth.ca with the subject "Deletion Request"
  3. We will delete your account within 30 days

What happens:

  • Your account and login are disabled immediately
  • Active records (documents, drafts, data) are permanently deleted within 30 days
  • We retain audit logs for up to 7 years (as required by law) but these are not linked to your name

Exceptions: We may retain data longer if required by law (tax records, legal disputes, regulatory investigations).

6.4 Right to Opt-Out of Email Communications

You have the right to opt out of non-transactional emails:

  1. Click "Unsubscribe" at the bottom of any email from us, OR
  2. Email privacy@claimcoachnorth.ca with "Unsubscribe" in the subject line

We will remove you from educational and marketing emails within 5 business days. Note: You will continue to receive transactional emails (receipts, password resets, account notifications).

6.5 Right to Data Portability

You have the right to request your data in a portable, machine-readable format. To request portability:

  1. Email privacy@claimcoachnorth.ca with the subject "Data Portability Request"
  2. We will provide your account data, claims, and uploads in JSON or CSV format within 30 days

6.6 Right to Withdraw Consent

You can withdraw consent for any purpose at any time by:

  1. Updating your account settings, OR
  2. Emailing privacy@claimcoachnorth.ca

Note: Withdrawing consent may prevent us from serving you. For example, withdrawing consent for PHI processing means we cannot generate appeal drafts.

6.7 Right to Challenge Compliance

You may challenge our compliance with this Privacy Policy by contacting the Privacy Officer at privacy@claimcoachnorth.ca. We will investigate, respond in writing, and explain any corrective steps taken.

7. HOW WE PROTECT YOUR INFORMATION

7.1 Encryption

  • At rest: Primary database and storage records use provider-managed encryption at rest.
  • In transit: Communication between your device and the Service uses HTTPS/TLS.

7.2 Access Controls

  • Authentication: Administrative access requires secure authentication, and MFA is required where supported for founder/admin accounts and critical vendor consoles.
  • Role-based: Staff can access data only for their specific role (support, operations, engineering).
  • Audit logging: Access and sensitive actions are logged so they can be reviewed for security, support, and compliance.
  • Separation: Customer data and operational systems use role-based access and separate controls where technically available.

7.3 Physical Security

  • Data centers and hosting: Primary customer records are stored with our database/storage provider in Canada where technically available. Our hosting, payment, email, document-processing, security, and support providers may process limited information in other regions as described in this Privacy Policy.

7.4 Employee Access

  • Limited access: Only authorized personnel can access customer data, restricted by role.
  • Founder/operator access: During beta, Nicolas Faye is the primary operator and Privacy Officer. Any future staff or contractors must be approved for their role and bound by confidentiality obligations before accessing customer data.
  • Training: Any person with access to sensitive customer information must follow ClaimCoach North privacy and security procedures.

7.5 Ongoing Monitoring

  • Security scanning: We use automated checks and targeted security review for launch-critical changes.
  • Security testing: We use automated checks and targeted testing before launch-critical changes. Independent penetration testing will be scheduled as the product matures or before broader public launch.
  • Incident response: We have a documented breach response plan.
  • Insurance: We will not state that specific cyber or E&O coverage exists unless it has been bound and verified.

8. PRIVACY BREACH NOTIFICATION

8.1 What Is a Privacy Incident or Breach?

A privacy incident is any unauthorized access to, use of, disclosure of, loss of, or compromise of personal information.

A privacy breach is a privacy incident that creates a real risk of significant harm (PIPEDA) or risk of serious injury (Quebec Law 25), or where another applicable law requires notification or reporting.

8.2 Our Breach Response Process

Immediate (within 24 hours):

  1. We confirm the incident and contain it
  2. We notify our Privacy Officer
  3. We assess the risk of significant harm to you

Notification (if there is a real risk of significant harm):

To you directly (as soon as feasible after we determine that the breach creates a real risk of significant harm):

  • Email to your registered email address
  • Includes: what happened, what data was affected, what we're doing about it, what you should do
  • We provide a direct contact for questions

To Canadian regulators:

  • Office of the Privacy Commissioner of Canada (OPC) — under PIPEDA, as soon as feasible after determining there is a real risk of significant harm
  • Quebec Commission d'accès à l'information (CAI) — under Quebec Law 25 within 72 hours of becoming aware of the breach
  • Information and Privacy Commissioner of Ontario (IPC) — where PHIPA applies in prescribed circumstances

8.3 Assessment of Risk

For health information, we presume there is a real risk of significant harm unless circumstances show otherwise.

For account information (email, name, address), we assess based on how much information was exposed and for how long.

For encrypted data, we assess risk based on the strength of the encryption, whether keys or credentials were affected, and the surrounding circumstances.

8.4 Our Commitments if There Is a Breach

  • We will assess whether identity theft protection, credit monitoring, or other support is appropriate based on the nature of the breach, affected information, legal obligations, insurance coverage, and professional advice
  • We will investigate the cause and provide information required by law and appropriate to the incident
  • We will take reasonable remediation steps to reduce the risk of recurrence
  • You can request full deletion of your account at no cost

9. BILLING AND PAYMENT INFORMATION

9.1 What We Collect

When you purchase a paid ClaimCoach North service, we collect:

  • Billing name and address
  • Email address
  • Payment card type and last 4 digits (full number is NOT stored by us)
  • Package type and payment status
  • Invoice history and payment status

9.2 How Long We Keep It

We retain billing information for 7 years, as required by Canadian tax law (Canada Revenue Agency). After 7 years, all billing data is permanently deleted.

9.3 Payment Security

  • Stripe: Payment card information is processed by Stripe, a PCI-DSS Level 1 certified payment processor. We never see or store your full card number.
  • Compliance: We comply with PCI-DSS standards for payment data handling.
  • Fraud detection: Stripe monitors for fraudulent transactions and alerts us to suspicious activity.

10. QUEBEC LAW 25 COMPLIANCE

If you are a Quebec resident, this section applies:

10.1 Consent

You must provide explicit consent for us to:

  • Collect your personal information
  • Process your health information
  • Use approved technology subprocessors for document processing where enabled
  • Prepare self-help documents from the information you provide
  • Send you email communications

You have given consent by:

  • Signing up for an account
  • Checking the required consent boxes (Privacy Notice, Terms of Service, PHI Processing, and document-processing technology where applicable)
  • Confirming that you are at least 18 years old

You can withdraw consent at any time by deleting your account or emailing privacy@claimcoachnorth.ca.

10.2 Automated Processing and Package Preparation Tools

During the V1 paid beta, ClaimCoach North uses structured intake, readiness checks, supervised package preparation, and Insurance Expert Review to prepare self-help documents for supported Manulife appeal categories.

Important: These tools do not make final legal, insurance, medical, or benefit decisions. You decide whether to use, edit, sign, or submit any document.

Quebec Law 25 requires transparency when personal information is used to make a decision based exclusively on automated processing. ClaimCoach North does not make binding decisions about your benefits or appeals.

10.3 Privacy Officer

We have designated Nicolas Faye as our Privacy Officer under Quebec Law 25. Contact privacy@claimcoachnorth.ca with any privacy inquiries.

10.4 Language Rights

You have the right to interact with ClaimCoach North in French. The product interface, consent flow, and core customer communications are designed for English and French use. During beta or pre-launch periods, some legal documents may temporarily appear in English with a French availability notice while final French legal translations are completed. We will update this notice when the French legal versions are available.

10.5 Risk of Serious Injury Assessment

Under Quebec Law 25, we assess "risk of serious injury" considering:

  • Sensitivity of the information
  • Anticipated consequences
  • Likelihood of injurious use

11. COOKIES AND TRACKING

11.1 What Are Cookies?

Cookies are small files stored on your device that help us recognize you when you return to our site.

11.2 What Cookies We Use

Essential cookies (always on, no consent required):

  • Session cookies — keep you logged in
  • Security cookies — prevent fraud and attacks
  • Preference cookies — remember your language choice (EN/FR)

Analytics cookies and scripts:

  • We do not currently run analytics cookies or third-party tracking scripts in the beta web app
  • If we later add analytics, we will update this Privacy Notice and any required consent or opt-out controls before enabling them
  • We will not use analytics to inspect the contents of uploaded denial letters, appeal drafts, translations, or health-related claim information

Marketing cookies:

  • We do NOT use marketing cookies or third-party tracking pixels
  • We do NOT sell data to advertisers
  • We do NOT use advertising pixels or similar invasive trackers

11.3 Disabling Cookies

You can disable cookies in your browser settings. This may prevent login and some features from working.

12. WHERE YOUR DATA IS STORED

We aim to store primary customer records in Canada where technically available. However:

Canadian storage (ca-central-1, Canada Central):

  • Supabase authentication, database, and storage (customer accounts, claim data, uploads)

Partial international processing (with safeguards):

  • OpenAI may process minimum-necessary document-preparation inputs outside Canada when approved document-processing tools are enabled and required consents/gates pass
  • Postmark, Stripe, Cloudflare, error monitoring tools, and other approved service providers may operate globally with encryption, contractual safeguards, and access restrictions in place

When international transfers occur, we use contractual, technical, and organizational safeguards (encryption, DPAs, access restrictions) to protect your information.

13. DATA RETENTION SUMMARY

Account information (L1): Retained while active, plus 30 days after account deletion (account recovery).

Claim metadata (L2): 30 days after you delete the claim, then permanently deleted.

Health information (L3): Active records deleted within 30 days of a deletion request, subject to backups, legal holds, fraud prevention, dispute resolution, and service-provider retention periods.

Audit logs (L4): Up to 7 years (security, fraud prevention, legal, audit, compliance).

Consent records: 7 years (regulatory compliance).

Billing records: 7 years (tax compliance — CRA).

Cookies: 12 months (session and preference tracking).

Payment data: 7 years (tax law — CRA).

14. THIRD-PARTY LINKS AND SERVICES

Our website may link to third-party websites (government sites, public legal resources, ombudsmen, etc.). This Privacy Policy does not apply to those sites. You are responsible for reviewing their privacy policies before providing information.

15. CHILDREN'S PRIVACY

ClaimCoach North is not intended for children under 18. We do not knowingly collect information from children. If we learn that we have collected information from a child, we will delete it immediately.

A parent, guardian, or authorized representative may submit information about a minor only if they have legal authority to do so.

If you are a parent or guardian and believe a child has used ClaimCoach North, contact us at privacy@claimcoachnorth.ca.

16. UPDATES TO THIS POLICY

We may update this Privacy Policy at any time to reflect changes in our practices, technology, or law. We will:

  • Post the updated version on our website
  • Update the "Last Updated" date at the top
  • Notify you by email if changes are material

Continued use of ClaimCoach North after updates constitutes acceptance of the revised Privacy Policy.

17. HOW TO CONTACT US

For privacy questions, requests, or complaints:

Email: privacy@claimcoachnorth.ca Website: claimcoachnorth.ca

Response time: We will respond to all privacy inquiries within 30 days.

Complaint to regulators:

If you are not satisfied with our response, you can file a complaint with:

Office of the Privacy Commissioner of Canada (PIPEDA) Email: info@priv.gc.ca Website: www.priv.gc.ca Phone: 1-800-282-1376

Quebec Commission d'accès à l'information (Law 25) Email: info@cai.gouv.qc.ca Website: www.cai.gouv.qc.ca Phone: 1-888-666-0045

Information and Privacy Commissioner of Ontario (PHIPA) Email: info@ipc.on.ca Website: www.ipc.on.ca Phone: 1-800-387-0073

Last Updated: June 21, 2026 Version: 1.4

By using ClaimCoach North, you confirm that you have read and understood this Privacy Policy.