Last Updated - April 23, 2026

Privacy Policy

For the purposes of Ontario's Personal Health Information Protection Act, 2004, 17056664 Canada Inc. operates as a consumer electronic service provider under PHIPA, delivering a personal health record platform directly to individuals who use the service to access, manage, and store their own personal health information. Where a user authorizes a health information custodian to access records within the platform, 17056664 Canada Inc. may also act as an agent to that custodian in respect of any personal health information accessed through that authorization.

This Privacy Policy, together with all schedules, appendices, attachments, any terms of service, and annexes (the "Agreement") (all of such documents are accessible via https://syncara.ca/) and between 7056664 Canada Inc. (operating under the brand "Syncara") and all its affiliates (together "us", "we", and/or "our") and you, the individual or company ("you", "your", and/or "User") governs your use of our web application, accessible at https://syncara.ca/, and all pages, templates, products, tools, information, protocols, software, and content located therein (the "Service"), and explains how we collect, safeguard, and disclose information that results from your use of the Service.

PLEASE READ THIS POLICY CAREFULLY.

1. Definitions

"Cookies" are small files stored on your device (computer or mobile device).

"Data Controller" means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.

"Data Processors" or "Service Providers" means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.

"Data Subject" is any living individual who is the subject of Personal Data.

"De-identified Data" means Personal Data or PHI from which all direct and indirect identifiers have been removed or altered using methods that meet or exceed the standards prescribed under O. Reg. 329/04 to PHIPA, such that there is no reasonable expectation that the information could be used to identify an individual, either alone or in combination with other available information.

"Device Information" is information about the computer or mobile device that a user uses to access the Service, such as the hardware model, operating system and version, identification numbers assigned to the device, such as the ID for Advertising (IDFA) on Apple devices, and the Advertising ID on Android devices, mobile network information, and website or app usage behaviour.

"Healthcare Practitioners" means practitioners who provide or assist in the provision of healthcare through our service, which may include nurse practitioners, nurses, physicians, mental health therapists, dietitians, and naturopaths.

"Location Information" is information about the location of a user when the user accesses or uses the Service, for example via browser information and other similar device or browser attributes (like IP address), a locator page, or from a mobile application.

"Navigational Information" — when a user accesses the Service, the user's computer, phone, and/or device may provide navigational information, such as browser type and version, service-provider identification, IP address, the site or online service from which you came, and the site or online service to which you navigate.

"Personal Data" means data about an individual as defined under section 3 of this Privacy Policy.

"Personal Health Information" ("PHI") means information about an identifiable individual that relates to physical or mental health, health services, payments, or provincial health-number identifiers.

"PHIPA" means the Personal Health Information Protection Act, 2004 (Ontario), together with all current amendments and its companion regulation O. Reg. 329/04.

"Privacy Officer" means the designated individual at Syncara responsible for overseeing compliance with this Privacy Policy and applicable privacy legislation. The Privacy Officer can be reached at support@syncara.ca.

"Usage Data" is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).

2. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you. See section 3 below for more information on the types of information we collect. Additionally, affiliated entities, vendors, social media networks, and analytics platforms may provide us with, or supplement, information about you. We may use this information for a variety of operational or marketing purposes related to Personal Data only (non-PHI). We do not use PHI for advertising.

3. Types of Information Collected

Collection of Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personal Data may include, but is not limited to:

(a) Name, address, phone number, email address, personal preferences, payment card number, purchase and ordering information, demographic information, responses to survey questions, your Location Information, your Navigational Information, your Device Information, your Usage Data, and any other information you choose to provide.

(b) We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by emailing support@syncara.ca.

Collection of PHI

We collect PHI only as needed to deliver the Service and comply with Ontario's PHIPA. PHI may include:

  • Identity details — name, date of birth, gender, provincial health-card number.

  • Contact details — address, email, phone number.

  • Clinical records — diagnoses, treatment history, prescriptions, referrals, test and lab results uploaded or entered into the platform.

  • Care-related usage data — timestamps, feature interactions, and audit trails that show when and how you (or your care team) access PHI within the Service.

All PHI is stored and processed in accordance with PHIPA, segregated from non-health personal data, and used only for the purposes described in the "Use of Data" section.

Website and Platform Tracking Data

We use Framer to host our marketing website at syncara.ca. Framer may collect standard analytics and session data from website visitors, including page views, browser type, device type, and approximate location derived from IP address. This data is collected by Framer under its own privacy policy and is used for website performance and analytics purposes. We encourage you to review Framer's privacy policy at framer.com/privacy for more information.

Usage Data

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device ("Usage Data").

This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

When you access the Service with a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers, and other diagnostic data.

Tracking Cookies Data

We may use cookies and similar tracking technologies to track activity on our Service and hold certain information.

Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags, and scripts to collect and track information and to improve and analyze our Service.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Examples of Cookies we may use:

(a) Session Cookies: We use Session Cookies to operate our Service.

(b) Preference Cookies: We use Preference Cookies to remember your preferences and various settings.

(c) Security Cookies: We use Security Cookies for security purposes.

4. Individual Rights Under PHIPA

Your rights to access, correct, or withdraw consent for PHI are described in section 5 (Consent to Collecting Personal Data and PHI). Your right to submit a data subject access request is described in section 10 (Data Subject Access Requests).

5. Use of Personal Data and PHI

Personal Data

We use the collected Personal Data for various purposes:

(a) to provide and maintain our Service;

(b) to notify you about changes to our Service;

(c) to allow you to participate in interactive features of our Service when you choose to do so;

(d) to provide customer support;

(e) to gather analysis or valuable information so that we can improve our Service;

(f) to monitor the usage of our Service;

(g) to detect, prevent and address technical issues;

(h) to fulfill any other purpose for which you provide it;

(i) to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;

(j) to provide you with notices about your account and/or subscription, including expiration and renewal notices, email instructions, etc.;

(k) to provide you with news, special offers, and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about, unless you have opted not to receive such information;

(l) in any other way we may describe when you provide the information;

(m) to aggregate De-identified Data for statistical or other purposes; and

(n) for any other purpose with your consent.

Despite anything in this section 5, Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

Use of PHI

We use your PHI only for the following limited purposes:

(a) Service delivery — to create and manage your account, enable the platform's healthcare and wellness features, and support any clinicians or care teams that you authorize to access your PHI.

(b) De-identified analytics — to measure performance, improve existing features, develop new tools, and generate statistical reports, but only after the data has been irreversibly de-identified in accordance with the standard defined in section 1 so that no individual can be identified.

(c) Legal and compliance obligations — to meet requirements under applicable laws, respond to lawful requests from regulators or courts, detect or prevent fraud or security threats, and keep necessary business records.

(d) We do not sell PHI. We do not use PHI for marketing, fundraising, or advertising unless you provide a separate, explicit opt-in consent for that specific purpose.

6. Consent to Collecting Personal Data and PHI

Collection of Personal Data

How do we get your consent? When you provide Personal Data to use our Service, you give knowledgeable consent for us to collect and use that data solely to deliver the Service described on our website. If we ask for your Personal Data for a secondary reason, such as for marketing, we will ask you directly for your express consent.

How do you withdraw your consent? If you change your mind regarding your consent to our collection of your Personal Data, you may withdraw your consent for us to contact you, for the continued collection, use, or disclosure of your Personal Data, at any time by emailing us at support@syncara.ca.

Collection of PHI

Express and informed consent to collecting PHI We will collect, use, or disclose your PHI only when you give clear, informed consent, unless PHIPA permits or requires us to act without consent (for example, to prevent serious harm or comply with a court order).

Full explanation of purpose Before or at the time we seek your consent, we will explain in plain language what PHI we need, why we need it, how we will use it, to whom we may disclose it, and any significant risks or benefits a reasonable person would want to know.

How you give consent You provide consent by taking a positive action, such as clicking "Accept," signing electronically, or verbally confirming in a recorded call. Consent is never assumed or implied.

Right to withdraw consent You may withdraw consent at any time by emailing support@syncara.ca or by using the in-app privacy settings. Withdrawal will not affect PHI already processed, but it may limit our ability to continue providing certain services.

Substitute decision makers and Minors The Service is intended for use by account holders who are 18 years of age or older. A parent or legal guardian acting as a substitute decision maker may create and manage a profile within their account on behalf of a Minor (a person under the age of 18). PHI collected within a Minor's profile is treated identically to adult PHI under this policy and is subject to all the same protections. The parent or legal guardian bears responsibility for the accuracy of consent provided on behalf of the Minor and may grant, refuse, or withdraw consent in accordance with PHIPA. If we become aware that a Minor has registered as an account holder without parental or guardian authorization, we will take steps to remove that account.

No marketing without separate opt-in We will not use PHI for marketing, fundraising, or advertising unless you give a separate and explicit opt-in consent for that specific purpose.

Contact for questions or requests To ask questions, withdraw consent, or exercise any privacy rights, contact our team at support@syncara.ca.

7. Subscriptions, Trials, and Billing

Trial Period

Syncara offers a 30-day free trial upon account creation. During the trial period, you have full access to all features of the Service. No credit card or payment information is required to begin a trial.

At the end of the 30-day trial period, your account will transition to a read-only state. In read-only mode, all PHI and Personal Data you have entered remains accessible and retained in your account, but you will not be able to add, edit, or update records until you subscribe.

Subscriptions

Syncara is offered as an annual subscription at the rate posted on our pricing page at the time of purchase (currently $99.99 CAD per year). Subscriptions are billed annually in advance.

Renewals and Cancellations

Subscriptions renew automatically at the end of each annual billing cycle unless you cancel before the renewal date. You may cancel at any time through your account settings or by contacting support@syncara.ca.

Cancellation stops future billing but does not immediately delete your account or data. Following cancellation, your account will revert to read-only mode. Your PHI and Personal Data will be retained for a period of 90 days following cancellation, after which it will be securely destroyed or irreversibly de-identified in accordance with section 7 (Retention of Personal Data and PHI) and our media sanitisation procedures, unless you request earlier deletion under section 10.

Account Lapse

If a subscription lapses due to non-payment or non-renewal, your account will revert to read-only mode. PHI and Personal Data will be retained for 90 days from the date of lapse to permit you to resubscribe and regain full access. After 90 days without renewal, data will be treated as described under the cancellation process above.

Billing Data

Billing information including your name, billing address, and payment details is collected and processed by our third-party payment processor. Billing data is not stored by Syncara on our own servers. We retain only the records necessary to manage your subscription (such as subscription status, renewal dates, and transaction references) and to comply with applicable financial and tax recordkeeping obligations. Billing records may be retained for up to seven years as required by law, independently of whether your PHI has been deleted.

Policy Changes and Consent

If we make material changes to our pricing or subscription terms, we will notify you by email and through a prominent notice on the Service before those changes take effect. Continued use of the Service after the effective date of any such change constitutes your agreement to the revised terms.

8. Retention of Personal Data and PHI

Retention of Personal Health Information

We keep your PHI only for as long as is reasonably necessary to deliver the Service you have requested and to meet any ongoing legal or regulatory obligations under PHIPA. Once those purposes have been fulfilled, we securely destroy the PHI or irreversibly de-identify it as soon as practicable, and in any event within a commercially reasonable period, using industry-standard media sanitisation methods.

Retention of Personal Data

We retain your Personal Data only for as long as necessary for the purposes described in this Privacy Policy. We keep and use this data to comply with legal obligations, resolve disputes, and enforce our agreements and policies. Usage data held solely for internal analysis is generally kept for a shorter period, unless it is needed to strengthen security, improve the Service, or satisfy a legal requirement.

Billing records are retained separately in accordance with applicable financial and tax legislation, as described in section 7.

9. Transfer of Data

Data Storage and Infrastructure

Syncara uses cloud infrastructure provided by Amazon Web Services (AWS) to host and operate the platform. Currently, the majority of production services run in AWS regions located in the United States. We have implemented appropriate security controls to protect your data in this environment, including encryption in transit and at rest, strict access controls, and breach notification procedures.

We are actively working toward migrating to Canadian-based infrastructure as the product scales and revenue supports the transition. We will update this policy when that migration is complete.

Personal Health Information

While our current infrastructure operates primarily in US-based AWS regions, your PHI is protected under the same security controls as all other data, including encryption in transit and at rest, and strict access limitations. We do not share or disclose PHI across jurisdictions for purposes beyond operating the service. As we migrate to Canadian-based infrastructure, PHI will be among the first data types transitioned to Canadian regions.

No Selling or Sharing

Regardless of where data is stored or processed, we do not sell your personal data or PHI. We do not use it for advertising. We do not share it with third parties beyond what is necessary to operate the service, as described in Section 11.

10. Data Subject Access Requests

Under PHIPA and applicable privacy legislation, you have the right to access, correct, and request deletion of your Personal Data and PHI held by Syncara.

How to Submit a Request

To submit a data subject access request, email support@syncara.ca with the subject line "Privacy Request" and include:

  • Your full name and the email address associated with your Syncara account

  • The nature of your request (access, correction, or deletion)

  • Any specific information or records you are requesting, if applicable

Response Timeline

We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt, as required by PHIPA. If we require additional time to fulfil a complex request, we will notify you in writing before the 30-day period expires and advise you of the extended timeline.

Format of Response

Where you request access to PHI, we will provide it in a format that is readable and, where practicable, in the same format in which it is held (for example, a data export from the platform). We may use the platform's built-in export function to fulfil access requests.

Deletion Requests

If you request deletion of your PHI or Personal Data, we will fulfil that request within 30 days, except where retention is required by law or necessary to complete an ongoing transaction. Deletion of PHI will be performed using industry-standard media sanitisation methods.

Contact

All privacy requests should be directed to: support@syncara.ca

11. Disclosure of Personal Data and PHI

Disclosures That May Involve PHI

With your express consent: We disclose PHI to any person or service you explicitly authorize (e.g., your clinician).

Legal or regulatory requirements: We disclose PHI when a court order, warrant, subpoena, or other statute compels us, or where PHIPA expressly authorizes disclosure (e.g., to avert serious bodily harm).

Enforcement of our rights / fraud prevention: We may disclose PHI to establish, exercise, or defend legal claims, detect or prevent fraud or security threats, or investigate suspected unlawful activity, but always using the minimum PHI necessary, in accordance with PHIPA.

Business transaction (succession): If we merge, reorganize, or sell assets, PHI is transferred only if the recipient (a) is legally permitted to receive it, and (b) agrees in writing to use or disclose the PHI solely for completing the transaction and to continue protecting it in compliance with PHIPA.

We never sell PHI, and we do not use or disclose PHI for marketing, fundraising, or advertising without a separate, explicit opt-in consent.

Disclosures That Involve Only Non-Health Personal Data

Subsidiaries and affiliates: Internal group companies that support customer service, finance, or product development.

Business support vendors: Cloud-hosting providers, email delivery services, analytics platforms, payment processors, or professional advisers who help us operate the business. These vendors receive only the data necessary for their task and are bound by confidentiality and security obligations.

Business transaction: Transfer of non-health Personal Data to a successor entity in a merger, acquisition, or asset sale, subject to contractual privacy commitments.

Legal compliance and risk management: Courts, regulators, law-enforcement bodies, or insurers when we believe the disclosure is required to comply with law, enforce our terms, protect our rights or the safety of others, or investigate fraud.

Brand usage: With your permission, we may display your company name or logo on our website or marketing materials.

Other disclosures with consent: Any additional sharing you expressly approve at the time of collection.

Before any disclosure, whether PHI or Personal Data, we ensure that the recipient has appropriate administrative, technical, and physical safeguards to protect the information and that the disclosure complies with this Privacy Policy and applicable law.

12. Security of Personal Data and PHI

We maintain a comprehensive information-security program designed to protect both Personal Data and PHI against loss, misuse, and unauthorized access or disclosure. Safeguards include encryption in transit and at rest, multi-factor authentication, strict role-based access controls, continuous intrusion monitoring, regular penetration testing, and audited backup and recovery procedures. Administrative measures, such as employee training, least-privilege policies, and vendor due-diligence reviews, complement these technical controls.

Despite these measures, no Internet transmission or electronic storage method can be guaranteed 100 percent secure. We therefore cannot promise absolute security, but we continually assess and enhance our defenses to meet or exceed PHIPA requirements and relevant industry standards.

Breach Notification

If PHI or Personal Data is lost, stolen, or accessed without authorization, we will:

(a) Conduct an internal assessment to determine the nature and scope of the breach, targeting completion within 72 hours of initial detection.

(b) Notify affected individuals at the first reasonable opportunity following that assessment, and no later than as required by PHIPA section 12(3).

(c) Notify the Information and Privacy Commissioner of Ontario where required by PHIPA, and notify any other applicable regulator where required by law.

(d) Notify any other party required under applicable law, including where Personal Data subject to other privacy regimes has been affected.

Breach notifications will describe the nature of the incident, the type of PHI or Personal Data affected, the steps we have taken to contain it, and the steps you may take to protect yourself.

13. Your Data Protection Rights Under the General Data Protection Regulation (GDPR)

If you are a resident of the European Union (EU) or European Economic Area (EEA), you have certain data protection rights covered by GDPR.

Syncara is a Canadian platform and its primary market is Canada. All PHI is stored on AWS Servers and governed by PHIPA. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please email us at support@syncara.ca.

In certain circumstances, you have the following data protection rights:

(a) the right to access, update, or delete the information we have on you;

(b) the right of rectification — the right to have your information rectified if that information is inaccurate or incomplete;

(c) the right to object to our processing of your Personal Data;

(d) the right of restriction — the right to request that we restrict the processing of your personal information;

(e) the right to data portability — the right to be provided with a copy of your Personal Data in a structured, machine-readable, and commonly used format;

(f) the right to withdraw consent at any time where we rely on your consent to process your personal information.

Please note that we may ask you to verify your identity before responding to such requests. Please note we may not be able to provide the Service without some necessary data.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the EEA.

14. Your Data Protection Rights Under the California Privacy Protection Act (CalOPPA)

CalOPPA is the first state law in the United States to require commercial websites and online services to post a privacy policy. Syncara is a Canadian platform. Users in California may use the Service, with the acknowledgment that data is stored by AWS and governed by Canadian law.

According to CalOPPA, we agree to the following:

(a) users can visit our site anonymously;

(b) our Privacy Policy link includes the word "Privacy" and can easily be found on our website;

(c) users will be notified of any privacy policy changes on our Privacy Policy page;

(d) users are able to change their personal information by emailing us at support@syncara.ca.

Our Policy on "Do Not Track" Signals

We honour Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

15. Your Data Protection Rights Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and request that it not be sold. Syncara is a Canadian platform and does not sell personal information. To exercise your data protection rights, you may make the following requests:

(a) What personal information we have about you. If you make this request, we will return to you:

  • (i) The categories of personal information we have collected about you.

  • (ii) The categories of sources from which we collect your personal information.

  • (iii) The business or commercial purpose for collecting your personal information.

  • (iv) The categories of third parties with whom we share personal information.

  • (v) The specific pieces of personal information we have collected about you.

  • (vi) A list of categories of personal information that we have sold, along with the category of any other company we sold it to. We do not sell personal information.

  • (vii) A list of categories of personal information disclosed for a business purpose, along with the category of any other company we shared it with.

You are entitled to make this request up to two times in a rolling twelve-month period.

(b) To delete your personal information. If you make this request, we will delete the personal information we hold about you and direct any service providers to do the same. Deletion may be accomplished through de-identification in some cases. Deletion may affect your ability to use certain features of the Service.

(c) To stop selling your personal information. We do not sell or rent your personal information to any third parties for any purpose. You are the sole owner of your Personal Data.

To exercise your California data protection rights, contact us at: support@syncara.ca

16. Analytics and Third Party Services

We may use third-party Service Providers (such as Google Analytics) to monitor and analyze the use of our Service.

Google Calendar Data and OAuth

Scope requested: Syncara requests https://www.googleapis.com/auth/calendar.events to read existing events and to create, update, and delete events so your appointments in Syncara stay in sync with Google Calendar. We also use basic account information such as email for sign-in and support. We request the minimum access needed.

Use: Calendar data is used only for listing events, creating new events, reflecting edits from either side, and deleting events you cancel. No advertising or profiling uses.

PHI in calendar data: Calendar event titles, descriptions, or notes that contain clinical or health-related information may constitute PHI under PHIPA. If such information is entered into a calendar event that syncs with Syncara, it will be handled in accordance with our PHI obligations under this policy, including storage in Canadian data centres and protection in accordance with PHIPA.

Storage and retention: We securely store OAuth tokens and may cache event metadata to operate the sync. Data is encrypted in transit and at rest. Tokens are deleted immediately on disconnect or revocation. Cached event data is removed within 30 days following cancellation or account deletion, unless the law requires longer retention.

Sharing and human access: We do not sell or share Calendar data. Transfers occur only to essential service providers bound by confidentiality, for security, to meet legal obligations, or with your consent. Human access occurs only with your consent, for security, or to meet legal obligations.

Control: You can disconnect Google Calendar in Syncara at any time and revoke access at https://myaccount.google.com/permissions. After revocation we stop all access and delete stored tokens and cached event data as described above.

17. CI/CD Tools

We may use third-party Service Providers such as GitHub to automate the development process of our Service.

18. Payments

We may provide paid products and/or services within the Service. We use third-party services for payment processing.

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council. PCI-DSS requirements help ensure the secure handling of payment information.

19. Links to Other Sites

Our website may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

20. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our website or Service interface prior to the change becoming effective, and will update the "effective date" at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

21. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Support: support@syncara.ca

Website: https://syncara.ca