Your Privacy Deserves a Policy You Can Actually Read
Last updated: October 15, 2026
Who We Are and Why This Matters
We're Providerclaimconnect Inc., based at 637 3 Avenue NW, Calgary, Alberta T2N 0E4.
We process healthcare claims — which means we handle personal health information every single day, to the tune of 3.2 million claims annually across 4,800+ provider locations in every Canadian province.
We take that responsibility seriously not because regulations require it (though they do — PIPEDA, Alberta's HIA, Ontario's PHIPA, BC's PIPA, New Brunswick's PHIPAA, and several others), but because the data flowing through our platform represents real patients, real diagnoses, and real financial lives.
This policy explains — in plain English, not legalese — exactly what we collect, why we collect it, how we protect it, and what rights you have.
Our Director of Security & Compliance, Jordan Flett (CISA), is our designated Privacy Officer and the person ultimately accountable for every word in this document and every practice it describes.
1. What Information We Collect (and Why)
We collect different categories of information depending on how you interact with us, and each category exists for a specific, defensible reason.
Information You Provide When Creating an Account
- Practice information: clinic name, business address, CRA business number, provincial regulatory college registration numbers, and practitioner license details — because we need to validate your eligibility to submit claims and register you with carriers.
- Contact information: name, email address, phone number, and mailing address — because we need to communicate with you about your account, onboarding status, and platform updates.
- Billing information: payment card or banking details — because we need to process your monthly subscription fee. (We never store full card numbers on our servers — payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.)
Information Transmitted Through Claims Processing
- Patient health information: patient names, dates of birth, policy numbers, ICD-10-CA diagnosis codes, procedure codes, and service dates — because this data is essential to the claims your practice submits through our platform. We act as your electronic data interchange (EDI) conduit, not as the custodian of this data.
- Provider treatment records: referring provider details, clinical notes attached to claims, and fee guide line items — because carriers require this information for adjudication.
Information We Collect Automatically
- Usage analytics: pages visited, features used, session duration, and error logs — because we use this data (in aggregate, never individually) to improve the platform. We use a self-hosted analytics tool; we do not use Google Analytics or any third-party tracking pixels.
- Device and browser information: browser type, operating system, and screen resolution — because we need to ensure the platform works correctly across devices and diagnose technical issues.
We do not collect any information beyond what is listed above, and we do not purchase data from third-party brokers, data aggregators, or marketing lists — ever.
2. How We Use Your Information
Every piece of data we collect maps to a specific operational purpose — no fishing expeditions, no "we might use it someday" reserves.
- Claims processing and routing: We use patient health information and provider details to format, validate (against our 1,200+ pre-submission rules), and route claims to the correct carrier in the correct EDI format (EDI 837P, 837D, CDAnet, or proprietary API).
- Carrier credentialing and registration: We use your practice and practitioner details to manage direct-billing registrations with 60+ carrier endpoints.
- Remittance reconciliation: We match incoming ERA 835 electronic remittance advice and EOB responses to your original claims so you can track the status of every submission.
- Account management and billing: We use your contact and payment information to manage your subscription and communicate about your account.
- Platform improvement: We use aggregated, de-identified usage data to understand which features work well and which need improvement. No individual patient data is ever used for this purpose.
- Compliance and audit: We maintain tamper-evident audit trails of all claims activity to support your practice's compliance obligations and our own SOC 2 Type II attestation requirements.
We do not use your data for advertising, marketing profiling, algorithmic targeting, or any purpose beyond the direct operation of the claims processing platform you signed up for.
3. Who We Share Information With
Spoiler: almost nobody — and never for money.
We share information only in these tightly scoped circumstances:
- Insurance carriers and provincial health ministries: When you submit a claim, we transmit the claim data to the specified payer (Sun Life, Manulife, Canada Life, Green Shield, provincial WCBs, AHCIP, OHIP, MSP, RAMQ, etc.). This is, quite literally, the core function of the platform — you're asking us to send this data.
- Payment processor (Stripe): We share your billing information with our PCI DSS Level 1 certified payment processor to collect your subscription fee. Stripe's privacy policy governs their handling of payment data.
- Audit and compliance partners (Deloitte Canada): During our annual SOC 2 Type II audit, our auditors may access system logs and process documentation. Patient health information is accessed only in de-identified or aggregate form during audit procedures.
- Law enforcement or regulatory bodies: If we receive a valid legal order — a court order, a warrant, or a mandatory request from the Office of the Privacy Commissioner of Canada — we will comply. We will notify you before disclosing your information unless the legal order explicitly prohibits us from doing so. In 13 years of operation (2013–2026), we have received zero such requests.
We do not sell data. We do not share data with marketing partners. We do not provide data access to AI training companies. We do not permit carrier partners to access any provider's data beyond the specific claims submitted to that carrier.
4. How We Protect Your Information
This is where we get technical — because "we take security seriously" is a meaningless platitude without specifics.
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and carrier endpoints, is encrypted using TLS 1.3, the most recent version of the Transport Layer Security protocol.
- Encryption at rest: All stored data is encrypted using AES-256, the same encryption standard used by the Canadian federal government for classified information.
- Infrastructure: Our platform runs exclusively on SOC 2 Type II-certified Canadian data centres located in Calgary and Toronto. No data ever touches a server outside of Canada. No US cloud regions, no "data may be transferred" exceptions. This has been a foundational architectural decision since 2013.
- Access controls: Role-based access control (RBAC) ensures that our team members can access only the data necessary for their specific function. Access logs are immutable and reviewed monthly.
- Penetration testing: Annual third-party penetration testing conducted by an independent security firm. Quarterly internal vulnerability assessments led by Jordan Flett's security team.
- SOC 2 Type II attestation: Our most recent audit was completed in March 2026 by Deloitte Canada, covering security, availability, processing integrity, confidentiality, and privacy trust service criteria.
- Incident response: Documented breach response protocol rehearsed quarterly. Target notification timeline: affected providers within 24 hours, Office of the Privacy Commissioner as required under PIPEDA.
- Cyber liability insurance: $10 million in coverage. In our 13-year operating history, we have had zero reportable privacy incidents.
5. Cookies and Tracking
We use cookies for exactly two purposes: keeping you logged in during your session (because nobody wants to re-enter credentials every time they switch tabs), and aggregate analytics so we can see which parts of the platform people actually use.
We don't sell cookie data. We don't build advertising profiles. We don't track you across other websites. Your browsing habits are, frankly, none of our business.
Specifically, here's what we set:
- Session cookie (pcc_session): Keeps you logged in while you use the platform. Expires when you close your browser or after 12 hours, whichever comes first. Essential — the platform doesn't work without it.
- Remember-me cookie (pcc_remember): Set only if you check "Remember me" at login. Stores an encrypted token (not your password) that lets us recognize your device for 30 days. You can revoke this at any time from your account settings.
- Cookie consent cookie (pcc_consent): Records whether you've accepted or declined non-essential cookies. Persists for 365 days. The irony of needing a cookie to track cookie consent is not lost on us.
- Analytics cookie (pcc_analytics): A first-party, self-hosted analytics identifier. No third-party tracking. Collects page views and feature usage in aggregate. Set only if you accept cookies. Expires after 90 days.
We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other third-party tracking technology on this website or within the platform.
6. Your Rights Under PIPEDA
Canada's Personal Information Protection and Electronic Documents Act gives you specific, enforceable rights over your personal information — and we honour every one of them without making you jump through hoops.
- Right of access: You can request a complete copy of all personal information we hold about you or your practice. We will respond within 30 days — though in practice, we typically fulfill these requests within 5 business days.
- Right of correction: If any information we hold is inaccurate, you can request correction and we will process the update within 2 business days.
- Right to withdraw consent: You can withdraw consent for non-essential data processing at any time. Note that withdrawing consent for essential processing (claims routing, carrier communication) will require account closure, because the platform fundamentally cannot function without transmitting claim data to carriers.
- Right to complain: If you believe we've mishandled your information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. We'd prefer you contact us first (compliance@providerclmconnect.com) so we can resolve the issue directly — but we fully support your right to escalate.
To exercise any of these rights, email compliance@providerclmconnect.com or call (702) 343-8317 and ask for Jordan Flett.
7. Provincial Privacy Legislation We Comply With
PIPEDA provides the federal baseline, but several provinces have enacted substantially similar or sector-specific health privacy legislation that applies to the personal health information processed through our platform.
- Alberta — Health Information Act (HIA): Governs the collection, use, and disclosure of health information by custodians and affiliates in Alberta. As a health information service provider under HIA, we maintain information manager agreements with Alberta-based provider practices.
- Ontario — Personal Health Information Protection Act (PHIPA): Applies to health information custodians in Ontario. We operate as an electronic service provider under PHIPA and comply with the requirements of O. Reg. 329/04.
- British Columbia — Personal Information Protection Act (PIPA): Governs private-sector handling of personal information in BC. Our data practices comply with PIPA's consent, collection limitation, and safeguarding requirements.
- New Brunswick — Personal Health Information Privacy and Access Act (PHIPAA): Applies to custodians of personal health information in New Brunswick. We comply with PHIPAA's provisions on electronic health information systems.
For providers in Quebec, Saskatchewan, Manitoba, Nova Scotia, PEI, Newfoundland and Labrador, and the territories, PIPEDA applies as the governing privacy legislation, and we comply fully with its requirements.
8. How Long We Keep Your Data
We keep your information only as long as there's a defensible reason to keep it — and not a day longer.
- Active account data: Retained for the duration of your subscription. If you cancel, we retain account data for 90 days in case you change your mind — then we permanently delete it.
- Claims processing data: Retained for 7 years from the date of claim submission, consistent with provincial record retention requirements for healthcare billing records and CRA audit timelines. After 7 years, claims data is irreversibly purged.
- Audit trail logs: Retained for 7 years, consistent with SOC 2 Type II requirements and provincial regulatory expectations.
- Analytics data: Aggregated analytics (no personally identifiable information) retained indefinitely for trend analysis. Individual session data purged after 90 days.
- Data export on cancellation: If you leave, we'll export your complete claims history, remittance records, and practice data in a standard format (CSV and JSON) within 5 business days of your request. Your data is yours — we believe in portability, not hostage-taking.
9. Changes to This Policy
If we make material changes to this privacy policy — changes that affect how we collect, use, or share your information — we will notify you by email at least 30 days before the changes take effect.
Minor changes (formatting, clarifications that don't alter the substance of our practices) may be made without individual notice, but the "Last updated" date at the top of this page will always reflect the most recent revision.
We maintain a version history of all policy revisions, available upon request from compliance@providerclmconnect.com.
10. How to Contact Our Privacy Officer
For any question, concern, request, or complaint related to your privacy or the handling of your personal information:
Jordan Flett, CISA
Director of Security & Compliance / PIPEDA Compliance Officer
Providerclaimconnect Inc.
📧 compliance@providerclmconnect.com
📞 (702) 343-8317
📍 637 3 Avenue NW, Calgary, Alberta T2N 0E4
Jordan responds personally to every privacy inquiry — typically within 2 business days, and always within 5.
If you're not satisfied with our response, you may also contact the Office of the Privacy Commissioner of Canada.
Important Disclosures
Insurance Disclosures: Providerclaimconnect Inc. is registered as a health technology services vendor under Alberta Health Services Vendor Registration No. AHS-VR-2013-04821. Claims processing services are facilitated on behalf of underwriting carriers including Sun Life Assurance Company of Canada, Manulife Financial Corporation, Canada Life Assurance Company, and other licensed insurers. Providerclaimconnect Inc. does not underwrite insurance policies. Coverage terms, conditions, and exclusions apply — see policy documents from your specific carrier for details. Fee estimates, reimbursement projections, and revenue impact figures referenced on this site are estimates based on historical platform data and actual results may vary based on carrier adjudication decisions, benefit plan specifics, and provincial fee guide changes.
Healthcare Disclosures: The information on this site is for educational purposes and does not constitute medical advice. Always consult a qualified healthcare provider for diagnosis and treatment. Platform clinical validation is overseen by Dr. Sarah Olawale, MD, CCFP (CPSA License No. 48271), Chief Clinical Advisor. ICD-10-CA and procedure code mapping are validated against current provincial fee guides but do not replace clinical coding judgment.
Compliance & Certification: CLHIA Associate Member ID: CLHIA-AM-0847. SOC 2 Type II Attestation — most recent audit completed March 2026 by Deloitte Canada. PIPEDA Compliance Officer: Jordan Flett, CISA — compliance@providerclmconnect.com