Privacy Policy
Effective Date: April 18th, 2025
At Korrelate Inc. ("we," "us," or "our"), we are committed to maintaining the accuracy, confidentiality, and security of your personal information. This Privacy Policy outlines our practices regarding the collection, use, disclosure, and protection of personal information, in accordance with applicable laws in Canada, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Scope of this Policy
This Privacy Policy applies to all personal information collected, used, or disclosed by Korrelate during the course of providing data science services. This includes information about clients, potential clients, employees, and other individuals whose personal information may be under our control.
2. What is Personal Information?
"Personal information" means any information that can be used to identify an individual, including but not limited to:
- Name
- Email address
- Phone number
- Address
- Financial information
- Demographic information (e.g., age, gender, etc.)
- Employment-related information
- Health attributes
- Medications prescribed
- Insurance authorization or benefits programs
- Health service access information
- IP addresses or device identifiers
- Biometric data (e.g., fingerprints, facial recognition)
- Location data and travel patterns
- Online behavior and preferences
- Social media profiles and activity
- Communication preferences and history
- Educational and professional credentials
- Customer service interactions and support history
- User authentication credentials and security questions
- Payment and transaction history
- Browser and device information
- Cookies and tracking data
- Survey responses and feedback
Note: Information that has been anonymized or aggregated such that it cannot be associated with a specific individual is not considered personal information and is not subject to this policy.
3. Purposes for Collecting Personal Information
We collect personal information for the following purposes:
- To provide data science services to clients, such as data analysis, model development, and reporting.
- To manage client relationships, including billing, communication, and marketing.
- To comply with legal and regulatory requirements.
- To improve our products and services based on client feedback and usage patterns.
- For employment and human resource management (for employee personal information).
4. Consent
We obtain your consent before collecting, using, or disclosing personal information, except where permitted or required by law. Consent can be express (oral, written, or electronic) or implied (through actions such as the use of our services).
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. However, withdrawing consent may impact our ability to provide services to you.
5. Limiting Collection
We only collect personal information that is necessary to fulfill the purposes identified in this policy. We do not collect excessive information or use it for unrelated purposes. When we work with partner organizations, we take additional measures to qualify the necessity of data and exclude any data that can uniquely identify an individual patient or customer. In the event that this data use is necessary to meet service requirements, PHI is encrypted.
6. Limiting Use, Disclosure, and Retention
We use or disclose personal information only for the purposes for which it was collected, or as permitted or required by law. We retain personal information that we collect for 7 years. Interactions with Korrelate services are consolidated and stored, and raw logs are rotated weekly.
Third-party service providers may be engaged to assist us in providing services (e.g., cloud service providers, payment processors). These providers may access personal information but are contractually obligated to protect it in accordance with this policy and applicable laws.
7. Accuracy of Personal Information
We take reasonable steps to ensure that the personal information collected by Korrelate is accurate, complete, and up to date. You have the right to access and correct any personal information we hold about you.
8. Safeguarding Personal Information
We protect personal information using physical, organizational, and technological measures appropriate to the sensitivity of the information. These measures include:
- Secure physical premises (e.g., locked offices, restricted access areas, locked server racks).
- Technical safeguards (e.g., encryption, firewalls, location filtering, passwordless (key) logins).
- Organizational measures (e.g., confidentiality agreements, staff training).
However, no method of transmission or storage is 100% secure. While we take appropriate steps to protect your personal information, we cannot guarantee its absolute security.
9. Cross-Border Data Transfers
All data directly controlled by Korrelate is stored within Canada on secured, private servers. However, in the course of providing services, we may interact with client data or utilize third-party services (e.g., cloud platforms specified by a client) where data might be stored or processed outside of Canada. When data is processed outside Canada, it becomes subject to the laws of that foreign jurisdiction.
When acting as agents for clients (data custodians), we follow their instructions regarding data handling, including storage location and transmission, while applying encrypted methods for data transmission under our control. Clients remain responsible for the data stored on services under their direct control.
10. Access to Personal Information
You have the right to request access to any personal information collected by Korrelate. If you make such a request, we will provide you with access to your personal information within a reasonable time, subject to any exceptions provided by law.
You also have the right to challenge the accuracy and completeness of your personal information and request changes to it. If we make changes to your information, we will notify any third parties to whom we have disclosed your personal information, where appropriate.
11. PHIPA Compliance
This policy outlines our commitment to protecting personal health information in compliance with the Personal Health Information Protection Act (PHIPA).
In our consultation with custodians of Personal Health Information (PHI), such as healthcare providers or institutions, we act as agents performing analytic services according to their instructions and agreements. In the course of our regular business processing and analyzing health-related data provided by custodians, our ingestion processes apply measures to strip personally identifiable markers, such as name, email address, home/work address, date of birth, health card number, MRN, prescription ID, along with any data that can reasonably be used to identify individuals or correlated data that can be used to infer an individual's identity.
Related personal health information handled during our services is collected, used, stored, and disclosed in accordance with PHIPA, other applicable laws, and the specific instructions provided by the data custodian (our client). We ensure that all personal health information is handled with the utmost care and in compliance with relevant regulations. We also implement strict access controls and regular audits to ensure compliance with our privacy policies and client agreements.
These measures are designed to protect your personal health information from unauthorized access and disclosure and to minimize the risk that, in the event of a data breach of our systems, the information we handle as agents is affected. We do not store client data on Korrelate's production servers beyond the necessary duration for processing and analysis as defined in our client agreements. Data used for local development purposes is handled securely according to our internal policies and is not retained long-term.
We are committed to transparency and will notify you of any changes to our privacy practices.
12. Data Breach Notification
In the event of a data breach involving personal information under our control, we will notify affected individuals and the appropriate authorities (such as the Office of the Privacy Commissioner of Canada - OPC) as required by law. If a breach involves personal information we are processing on behalf of a client (acting as an agent or processor), we will promptly notify the client to enable them to meet their own notification obligations.
We will provide relevant information about the breach, including the nature of the breach, the personal information potentially involved, and the steps we are taking to address it and mitigate risks. We will also provide information about any potential risks and how affected individuals can protect themselves, where applicable.
We will take all reasonable steps to prevent future breaches and continuously improve our security measures.
13. Anti-Spam (CASL)
Korrelate may send commercial electronic messages to users who have provided their consent. Users can unsubscribe from these communications at any time.
We will not send unsolicited commercial electronic messages without your consent. We will also include a clear and easy way for you to unsubscribe from our communications.
We will not share your personal information with third parties for marketing purposes without your consent.
14. Challenging Compliance
If you have any questions or concerns about our privacy practices, you can contact us at:
Email: legal@korrelate.ca
We will respond to privacy complaints and inquiries in a timely manner. If you are not satisfied with our response, you may also contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).