Jevrix Health Technologies Inc. ("Jevrix", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (jevrix.com) or use our cloud-based Electronic Health Record (EHR) platform. Please read it carefully.

This policy does not apply to Protected Health Information (PHI) that Jevrix processes as a Business Associate on behalf of healthcare providers. That data is governed by a separate Business Associate Agreement (BAA) and applicable healthcare privacy laws (HIPAA, PHIPA, etc.). If you are a patient, please contact your clinic directly, they are the controller of your health records.

1. Information We Collect

Information You Provide

Contact & demo forms: name, email, clinic name, phone number, job title, and message.
Account registration: email address, name, clinic details, and billing information (card details are processed by our PCI-DSS payment processor, we never store full card numbers).
Support interactions: communications you send via email or our help desk.
Employment applications: résumé and contact information sent to careers@jevrix.com.

Information Collected Automatically

Log data: IP address, browser type, pages visited, timestamps, and referring URLs.
Device information: operating system, screen resolution, and device identifiers.
Cookies: session and analytics cookies (see Section 6).

Platform Account Data

When you use the Platform as an authorised user, we process your work email, name, role, login events, audit log entries, and platform preferences. This data is subject to the customer agreement in addition to this policy.

2. How We Use Information

Respond to demo requests and inquiries.
Provide, operate, and maintain the Platform.
Process payments and manage subscriptions.
Send product updates, security notices, and transactional emails.
Analyse and improve Website and Platform performance.
Comply with legal and regulatory obligations.
Prevent fraud, abuse, and unauthorised access.
Send marketing emails (with your consent; you can unsubscribe at any time).

We never sell, rent, or trade your personal information to third parties.

3. HIPAA, PHIPA & Protected Health Information

Jevrix operates as a HIPAA-compliant Business Associate and a PHIPA-compliant service provider. All customers who store PHI in the Platform must execute a Business Associate Agreement (BAA) before any patient data is entered. As a Business Associate, Jevrix uses and discloses PHI only as permitted by the BAA and applicable law.

Key protections we provide:

AES-256 encryption at rest and TLS 1.2+ encryption in transit for all PHI.
Role-based access controls and least-privilege principles.
Multi-factor authentication and automatic session timeouts.
Full audit logging of PHI access and modification events.
Breach notification procedures meeting HIPAA's 60-day rule.
Annual risk assessments and staff privacy training.

Canadian customers benefit from equivalent protections under PHIPA (Ontario), PIPA (Alberta & British Columbia), and PIPEDA.

4. Sharing & Disclosure

We share personal information only in the following circumstances:

Service providers (sub-processors): We engage vetted third parties (cloud hosting, payment processing, email delivery, analytics, and support tooling) who process data only on our instructions under contractual confidentiality obligations.
Legal requirements: We may disclose information when required by law, court order, or regulatory authority, or to protect the rights and safety of Jevrix, our customers, or others.
Business transfers: In a merger or acquisition, personal information may transfer to a successor entity under equivalent privacy protections. We will notify affected users before any transfer.
With your consent: In any other circumstances, only with your explicit consent.

5. Cookies & Tracking

We use the following categories of cookies:

Strictly necessary: Core site functionality, security, and session management. Cannot be disabled.
Analytics: Aggregated, anonymised traffic and usage measurement. Optional, you can opt out via your browser settings.
Preferences: Remembering your language and display settings. Optional.

We do not use third-party advertising or retargeting cookies. You can manage cookie preferences through your browser settings. We respect Global Privacy Control (GPC) signals where technically feasible.

6. Data Retention

Website inquiry data: 24 months from last interaction.
Platform account data: Duration of your subscription, plus 90 days post-termination for data export, then securely deleted.
Billing records: 7 years to meet accounting and tax obligations.
Security & audit logs: 12 months (Website); 7 years (Platform, per HIPAA requirements).
Job application data: 12 months if no offer is made.

7. Your Privacy Rights

Depending on your location, you may have the right to access, correct, delete, or receive a copy of your personal data; object to or restrict processing; and withdraw consent at any time. To exercise any right, email privacy@jevrix.com. We will respond within 30 days.

California residents have additional rights under CCPA/CPRA, including the right to know, delete, and opt-out of sale (we do not sell data). Contact us to request our California Privacy Notice.

8. Security

We implement industry-standard technical and organisational safeguards including TLS 1.2+ in transit, AES-256 at rest, multi-factor authentication, continuous vulnerability scanning, annual penetration testing, and 24/7 intrusion detection. If you suspect a security incident, contact security@jevrix.com immediately.

9. Children's Privacy

The Website and Platform are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have done so, please contact us and we will delete the information promptly.

10. International Data Transfers

Our infrastructure is hosted in the United States and Canada. Customers can select their primary data residency region. Transfers from the EEA or UK are protected by Standard Contractual Clauses (SCCs). Canadian customer data subject to PHIPA is stored in Canada unless otherwise agreed.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via a notice on our Website (for at least 30 days) and by email to active Platform users. Continued use after the effective date constitutes acceptance.

12. Contact & Privacy Officer

For privacy questions, data subject requests, or to report a concern:

Jevrix Health Technologies Inc.
Attn: Privacy Officer
Email: privacy@jevrix.com
Security: security@jevrix.com

We aim to respond to all privacy inquiries within 5 business days.