Background and Scope
SRx Health is a provider of a complete range of patient care solutions within the Canadian health care industry. We are committed to safeguarding the confidentiality, security and accuracy of personal information, including personal health information, that is processed by SRx Health.
This Policy applies across all SRx business units and may be supplemented by additional policies and procedures. This Policy does not apply to our employees’ personal information or any anonymized information.
Personal Information Collected
For the purposes of this Policy, “personal information” means any information about an identifiable individual or any information that can be used, either alone or in combination with other information, to identify an individual (for example, an individual’s name, home address, telephone number and email address), except any information that is exempted by applicable privacy laws.
The types of information we receive and collect depends on how our Services are used. We require certain information to deliver some of our Services, and without that information we will not be able to provide those Services. Some of our Services have optional features that, if used, require us to collect additional information to provide those features. You will be notified of such collection, as appropriate. If you choose not to provide the information needed to use a feature, you will be unable to use the feature.
When you use our Services, we may collect the following personal information from you:
- Contact information, such as name, email address, mailing address and phone number;
- Unique identifiers, such as username, account/identification number and password;
- Billing information, such as credit card number, billing address and bank account information;
- Insurance information, such as insurance provider and plan/policy number;
- Personal health information, such as medical conditions, test results and medication history, and;
- Other information that you upload to, post or provide through the Services.
Your personal information may be collected when:
- You register for an account;
- You use the features of the Services;
- You interact with us; and
- We collect information from thid parties (such as other health care providers).
We only collect personal information that we need. We encourage you to not provide us with any personal information beyond what is necessary and as requested by us.
Collection from Third Parties
We may collect personal information from third party sources, such as other health care providers and insurers. For example, we may receive written , verbal, facsimile or electronic health information and prescription orders for you from other health care providers in order to dispense prescription medications to you, to coordinate your treatment with other health care providers, and provide you with prescriptions, lab work or other healthcare services.
If we collect your personal information from a third party, we will only process that information for the specific prupose for which it was provided to us in accordance with this Policy and the policy under which that information was collected.
Information about Minors
Our Services are intended solely for individuals who are at least 14 years of age. We do not knowingly collect personal information about anyone under the age of 14, and no person under the age of 14, nor any parent or legal guardian as it relates to such child should submit such child’s personal information to us through the Services or otherwise, for any reason and under any circumstances.
If we discover that a child under 14 has provided us with personal information in violation of applicable law, we will delete that information from our systems. If you are a parent or legal guardian and you believe we have collected your child’s personal information in violation of applicable law, please contact us using the contact information provided below.
Purpose for Which Personal Information is Processed
Generally, we may process your personal information for the following purposes (the “Purposes”):
- Verification and Authentication: To verify and authenticate your identity.
- Products and Services: To operate, maintain and provide our Services to you; to carry out our obligations under under any contracts entered into between us and you; and to ensure the Services are optimized for your use and benefit.
- Treatment: To dispense prescription medications to you; to coordinate your treatment with other health care providers and provide you with prescriptions, lab work or other healthcare services; and to contact you to provide treatment-related services, such as refill reminders, treatment alternatives (e.g., available generic products), and other health-related benefits and services that may be of interest to you.
- Payment Processing: To contact your third party payor (such as your insurer) to determine whether the third party payor will pay for your prescription; to bill you and/or a third party payor for the cost of prescription medications dispensed to you. We will not bill you without your prior consent. The information on or accompanying the bill may include your identification information, as well as the prescriptions you are taking.
- Health care pharmacy operations: These uses and disclosures are necessary to run the pharmacy and to make sure that all of our patients receive quality care. For example, we may use your
personal information to monitor the quality of pharmacist performance and to train pharmacy personnel.
- Analytics and Improvement: To analyze user experience and improve the Services, including to better understand how users access and use the Service, and for other research and analytical
purposes, such as to evaluate and improve our products and services and business operations; to develop additional products, services and features; and for internal quality control and training purposes.
- Marketing and Advertising: To communicate with you in accordance with applicable laws to provide you with services, contacts, materials and/or recommendations, including to send you
information, such as offers, newsletters and other promotional content [including about third party products and services we think may interest you], as well as any other information that you sign up to receive; and to manage and improve our advertising campaigns.
- Security and Protection of Rights: To protect our Services and our business operations and to prevent and detect fraud, unauthorized activities and access, and other misuse, as well as where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the safety or legal rights of any person or third party.
- General Business and Operational Support: To administer and manage operations and to comply with internal policies and procedures; and to consider and implement mergers, acquisitions,
reorganizations, bankruptcies and other business transactions.
- Compliance and Legal Process: To investigate breaches, or potential breaches, of applicable laws; and to comply with legal and regulatory requirements.
Transfer and Disclosure of Personal Information
We may transfer, disclose or make available personal information for the Purposes described above, including as follows:
- Employees, suppliers, service providers and business partners. We may disclose personal information to our employees, contractors, suppliers, service providers, processors and others who perform functions on our behalf. These may include, for example, hosting and technology providers, payment processors, analytics providers, consultants, auditors and legal counsel.
- Affiliates and subsidiaries. We may disclose personal information to our affiliates or subsidiaries, who will use and disclose this personal information in accordance with the principles of this Policy.
- Health care providers. We may also disclose your personal information to other health care providers to coordinate your treatment and provide you with prescriptions, lab work or other
- In support of business transfers. If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our shares or assets are or may be transferred to another company, whether as part of a bankruptcy/insolvency proceeding or otherwise, we may transfer personal information to the other company. We may also share certain personal Information as necessary prior to the completion of such a transfer, such as to lenders, auditors, and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for the transfer.
- Compliance and legal obligations. We may disclose personal information to third parties to comply with legal and regulatory requirements and to respond to legal process. For example, we may
disclose information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including to respond to national security or law enforcement disclosure requirements. This may include law enforcement, government or regulatory bodies, or other lawful authorities, as required by law or legal process.
- Security and protection of rights. We may also disclose personal information to other third parties where we believe doing so is necessary to protect our Services, our rights and property, or the rights, property and safety of others. For example, we may disclose personal information in order to (i) prevent, detect, investigate and respond to fraud, unauthorized activities and access, illegal activities, and misuse of the Services, or (ii) situations involving potential threats to the health, safety or legal rights of any person or third party. We may also disclose information related to litigation and other legal claims or proceedings in which we are involved.
Your personal information that we collect may be processed outside of your jurisdiction (including in other jurisdictions in Canada, or outside of Canada) but only in relation to the Purposes and in accordance with applicable laws. As a result, your personal information may be accessible to government, courts, law enforcement and regulatory authorities in accordance with other jurisdictions’ applicable laws.
Legal Basis for Processing Your Personal Information
We will process your personal information only with your knowledge and consent, except where exempted, required or permitted by applicable laws. The form of consent may vary depending on the circumstances and the type of information being requested. Your consent may be express with clear options to say “yes” or “no”, such as by being asked to check a box to indicate your consent, or implied, such as when you provide us with your address through a form or email seeking information and we use those means to respond to your request. Your consent can also be provided by your authorized representative.
Taking into account the sensitivity of your personal information, purposes of collection, and your reasonable expectations, we will obtain the form of consent that is appropriate to the personal information being processed. By using our Services, or otherwise by choosing to provide us with your personal information, you acknowledge and consent to the processing of your personal information in accordance with this Policy and as may be further identified when the personal information is collected. When we process your personal information for a new purpose, we will document that new purpose and, if required, ask for your consent again.
If you do not consent to the processing of your personal information in accordance with this Policy, please do not access or continue to use any part of the Services or otherwise provide any personal information to us.
You may refuse to provide consent or may notify us at any time that you wish to withdraw or change your consent to the processing of your personal information without penalty, subject to legal or contractual restrictions and reasonable notice by opting out of the use of your personal information by contacting our Privacy Officer (see Section 10 below). However, if you withdraw or change your consent, we may not be able to provide you with the Services.
Other Legal Bases
Aside from consent, we may also process your personal information under other legal bases, as permitted
by applicable laws.
Security of Personal Information
We protect personal information using reasonable physical, technological and organizational safeguards. We regularly review our practices to ensure they align with reasonable industry practices appropriate to the level of sensitivity to safeguard personal information against loss or theft, unauthorized access,
alteration or disclosure.
Suppliers, service providers, contractors and agents processing personal information on our behalf are contractually required to use appropriate physical, technical and administrative safeguards and precautions to secure personal information and must have in place appropriate privacy policies and practices, including data security policies and practices. Our employees and contractors are expected to use secure processes to maintain the integrity of company and customer information, including the use of secure encryption whenever personal information is transmitted over public networks or is contained on portable or mobile devices used or carried outside our offices.
However, no method of transmission over the Internet or method of electronic storage is completely secure. Therefore, despite our safeguards and protocols, we cannot fully guarantee the security of your personal information and you should always exercise caution when disclosing personal information over the Internet.
Your Access and Correction Rights
Applicable privacy laws allow, to varying degrees, individuals the right to access or request the correction of their personal information that is in our custody or under our control.
You may request, in writing, access to and review of your personal information under our control. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Once we verify your request, we will provide you with your personal information under our control. We will also give you information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed.
In some situations, applicable laws may prohibit us from providing access to certain personal information (for example if disclosure would reveal personal information about another individual, or the personal information is protected by solicitor/client privilege. If we refuse an access request, we will notify you in writing, document the reasons for refusal, and outline further steps that are available to you.
We will make a reasonable effort to ensure that personal information we are using or disclosing is accurate and complete. To the extent that you provide personal information to us, we will rely on you to provide accurate information and provide updated information as needed.
If you demonstrate the inaccuracy or incompleteness of personal information, we will change the information under our control as required. If a challenge regarding the accuracy of your personal information is not resolved to your satisfaction, we will annotate the personal information under our control with a note that the correction was requested but not made.
Please Contact our Privacy Officer designated in Section 10 to make any requests regarding your personal information.
Retention of Your Personal Information
We generally keep personal information for only as long as it is needed to accomplish the purposes for which it was collected, or as needed for authorized or legitimate purposes. More specifically, we retain personal information as long as necessary for the fulfillment of the identified purposes for its collection or as otherwise necessary to comply with applicable laws or protect our interests. When personal information is no longer necessary or relevant for the identified purposes, or when its retention is no longer required by applicable laws, we will take steps to have it deleted, destroyed, erased, aggregated or made anonymous. We use reasonably industry practices to ensure we have adequate controls, schedules and practices for information and records retention and destruction which apply to personal information.
Updates or Changes to this Policy
This Policy was last updated on January 26, 2023. We will occasionally update this Policy and revise the “last updated” date appearing in this paragraph.
If we make any material changes we will either (a) notify you by email (sent to the email address listed in our records), or (b) provide notice on our website or otherwise through our application, before the change becomes effective. Any change to this Policy will apply to existing information, as well as information collected after the date that this Policy is posted or on the date as specificed in the notice. We encourage you to periodically review this Policy for the latest information on our privacy practices to ensure you are aware of any changes.