Privacy and personal information protection policy

August 8, 2025

Introduction

Dilato Applications Inc. ("Dilato" or "we") places the utmost importance on the protection of personal information. This Privacy Policy describes our practices regarding the collection, use, storage, and disclosure of personal information in relation to our services. Our services are exclusively intended for authorized healthcare professionals and are not intended for use by patients or the general public.

Information Collected

We collect only the personal information necessary for providing and improving our services. This may include:

  • Account Information: Name, title, contact details (email address, phone number), registration, and billing information of the healthcare professional user.
  • Usage Data: Technical information related to the use of the Dilato application (e.g., activity logs, device type, IP address) to enhance user experience and security.
  • Health Information entered into the application: Clinical or health data related to patients that the healthcare professional user may input when creating notes using our clinical templates or audio recordings. This health information is handled confidentially and securely, as detailed below, and remains under the control of the healthcare professional user.

We collect this information voluntarily when you create an account, use our services, or contact us for support. We do not directly collect any patient information; all patient data processed by Dilato is provided by the healthcare professional user in the context of their use of the platform.

Use of Information

Collected personal information is exclusively used for the following purposes:

  • Provision of Service: We use your account information and the data you enter to operate the Dilato application and provide requested features (e.g., clinical note creation).
  • Communication: Your contact details may be used to send technical and administrative notifications related to your account (e.g., action confirmations, security alerts, updates to Terms of Use or this Policy), to provide user support by responding to your assistance requests or suggestions and resolving technical issues, and, with your consent, to inform you about service updates, new features, promotional offers, or events related to our application. You can adjust your communication preferences at any time by following the instructions provided in our emails.
  • Service Improvement: We may analyze the usage of Dilato in an aggregated and anonymous manner (excluding health information) to enhance our templates, features, or application performance. No identifiable health data is used to train or improve our artificial intelligence algorithms. Personal data is not used for any secondary purpose unrelated to providing our services unless explicitly authorized by you. Specifically, the health information you enter is never used for research, marketing, or AI model training purposes without prior explicit consent.
  • Legal Compliance and Support: Your information may be used to comply with applicable laws, fulfill legal or regulatory obligations, prevent fraud, ensure user safety, or provide technical support.

Data Disclosure and Transfer

Dilato does not sell or rent your personal information to third parties. We may disclose personal information only in the following cases:

  • Authorized Service Providers: We engage trusted subcontractors (e.g., cloud hosting, artificial intelligence services, analytics tools) to operate our platform. These providers are selected according to strict security and compliance criteria, access only information necessary to perform their services, and are contractually obligated to protect your data and maintain confidentiality per our instructions and applicable laws. This includes a Data Processing Agreement with each third party processing personal data. Additionally, for subcontractors handling health information, a Business Associate Agreement (BAA) is executed to ensure the protection and confidentiality of such information.
  • Billing Group: If your Dilato subscription is paid by another person, such as an employer, clinic, or organization via a centralized billing group, you agree that your name and email address may be shared with the payer for billing and account management purposes. Additionally, we may provide the payer with aggregated usage statistics (e.g., frequency of use, number of templates created). We will never share the content of your templates or clinical notes you enter. Certain payers, especially large organizations, may apply specific account settings within their billing group, such as restricting access to certain features. Your Dilato account remains personal, and if you wish to leave a billing group for an individual subscription, you can request this directly from the person managing your group or contact us directly.
  • Legal Obligations: We may disclose personal information if required by law or in response to valid judicial proceedings (e.g., warrant, court order, regulatory request). Dilato also reserves the right to disclose information necessary to detect or prevent fraud, enforce our Terms of Use, or protect the rights, property, or safety of Dilato or its users.
  • Corporate Transaction: In case of a merger, acquisition, reorganization, or any other transaction involving the transfer of our activities, personal data may be transferred to the succeeding entity in accordance with applicable laws. Users will be informed in such an event, and your data protection rights will be maintained.

Outside these cases, our policy is to not disclose any personal information to third parties without your consent.

Hosting and Data Location

Dilato prioritizes local hosting of health data to ensure confidentiality and data sovereignty. Thus, the health information you enter into Dilato (clinical data about your patients) is hosted on secure servers located in Quebec, Canada, unless you explicitly choose another data location. This option might be offered to meet specific needs or regulatory obligations (e.g., hosting in another jurisdiction), but by default, health data remains in Quebec.

Other user data (e.g., your account information and usage metadata) may be stored on servers located either in Canada or the United States, depending on operational needs. Any transfer or storage of personal information outside Quebec or Canada complies with applicable laws, including the implementation of appropriate safeguards and, where required, conducting prior Privacy Impact Assessments in accordance with Law 25.

Data Retention and Deletion

We retain personal information only for as long as necessary to achieve the purposes described in this Policy or as required by law. Our Data Retention Policy specifies retention periods for different types of information. Once retention periods expire or deletion requests are processed, we securely destroy or anonymize your data.

For example, data associated with your account remains stored as long as your account is active. Protected Health Information, if entered by you into the application, is deleted from our systems within 48 hours of processing.

If you decide to delete your account or request the deletion of your data, we will erase or anonymize your personal information in accordance with your request. Upon data deletion request, Dilato will remove your personal information within a maximum of thirty (30) days, including your profile data and any identifiable personal information in our systems.

Please note that certain information may be retained beyond this 30-day period if legally required or for limited legitimate reasons, such as fulfilling legal obligations, resolving disputes, or exercising rights (e.g., retained invoices, fraud prevention). Such residual data is strictly protected and accessible only for legal or regulatory purposes.

Data Security

We take the security of personal and health information entrusted to us very seriously. We implement administrative, technical, and physical security measures in line with industry standards and our legal obligations (notably the security requirements of Law 25 and HIPAA) to protect your data from unauthorized access, misuse, disclosure, or modification. These measures include encryption of sensitive data in transit and at rest, strict access controls limiting access to only individuals needing to view data to provide the service, monitoring our infrastructure, regular security checks, and backup and disaster recovery protocols.

Personal information provided by you is stored on secure, restricted-access servers. Our internal policies detail practices and procedures implemented to maintain a secure environment and effectively respond to incidents. Our hosting systems adhere to high security standards equivalent to or exceeding those required in the healthcare sector.

Despite our efforts, no method of internet transmission or electronic storage is completely secure. Due to the nature of the public internet, absolute security of transmitted data cannot be guaranteed. Therefore, Dilato cannot promise that no security breach will ever occur, but we make every effort to prevent it and minimize impacts if it occurs. We also recommend that our users maintain the confidentiality of their credentials and regularly update their passwords.

Details about our current security measures can be viewed on our security page.

Data Breach Notification

In the event of a security incident affecting personal information, Dilato commits to following notification procedures required by applicable laws. If a data breach poses a high risk of harm to individuals, we will notify the relevant data protection authorities as quickly as possible, and in any case within 72 hours after becoming aware of the breach. This notification will include required details (nature of the incident, affected data, corrective measures taken, etc.).

Additionally, if a data breach poses a significant risk of serious harm to affected individuals, we will promptly notify the impacted individuals or our healthcare professional client, who may in turn inform their patients if applicable. This communication will describe the breach and recommend measures to mitigate risk. We also maintain an internal register of all privacy incidents and will provide it, upon request, to the Commission d’accès à l’information du Québec or any relevant authority as required by law. Each security incident is treated with the highest priority by our team, and we take all necessary corrective actions to prevent recurrence.

Compliance with Laws and Protection of Health Information

Dilato complies with data protection requirements across various jurisdictions, particularly regarding sensitive health data:

  • Law 25 (Québec): We fulfill the obligations under Law 25, including designating a privacy & security officer, adopting internal confidentiality governance rules, conducting risk assessments for data transfers, and notifying security incidents. Adopted in 2021, Law 25 aims to protect Québec citizens by holding companies accountable for the personal information they manage, and it guides our practices. Dilato processes the personal data of Québec users in accordance with this law, granting the rights of access, rectification, objection, erasure, and portability of personal data according to Québec’s legal framework. Moreover, we adhere to privacy-by-design principles, avoid profiling, and do not make automated decisions without valid legal grounds and proper notification.
  • HIPAA (United States): We comply with the Health Insurance Portability and Accountability Act (HIPAA), a federal law governing how healthcare organizations handle and secure sensitive medical information. Dilato acts as a "business associate" of healthcare professionals (who are "covered entities" under HIPAA). We implement administrative, technical, and physical safeguards required by HIPAA to protect protected health information. We only use or disclose health information entered in Dilato to provide services or for legally permitted purposes (e.g., treatment, authorized internal operations), never for unauthorized purposes such as marketing or AI training without explicit consent. No health data is used to train our artificial intelligence or machine learning models.

Dilato is exclusively designed for healthcare professionals. Patients do not directly access Dilato or create accounts; thus, personal information processed primarily pertains to our professional users (and indirectly to patients whose data they enter). Healthcare professionals remain responsible for obtaining necessary patient consents to use Dilato. As a service provider, Dilato processes this information according to professional instructions and confidentiality agreements, ensuring it is not used for other purposes.

Cookies and Tracking Technologies

No non-essential cookies or analytical tracking are activated by default on our website without your explicit consent. Only cookies strictly necessary for the operation and security of the website (e.g., authentication, session management) are active by default. You have the option to accept or refuse analytical cookies through the consent banner displayed during your initial visit. You can also modify your preferences at any time via the data use management link available at the bottom of the page. Disabling certain essential cookies may affect the functionality of specific features.

Policy Updates

This Privacy Policy may be modified in the future to reflect changes in our practices, the addition of new features, or compliance with new legal requirements. In the event of significant changes, the updated version of the Policy will be posted on our website at least 30 days before it takes effect, and a notification may be sent to you (via email or within the application). We encourage you to regularly review our Privacy Policy to stay informed about our data protection practices.

If you continue to use Dilato after the effective date of the changes, you will be deemed to have accepted the updated Policy. If you do not agree with the modified terms, you must cease using our services.

Contact and Questions

For questions or complaints about this Privacy Policy or to exercise your personal data rights (such as accessing or correcting your data, withdrawing consent, data portability, etc.), you can contact our Privacy & Security Officer:

Dilato Applications Inc.: Privacy & Security Officer

Email: info@dilato.app

We will respond to your requests as promptly as possible and within legally required timeframes. Depending on your location, if you believe your rights have not been respected after contacting us, you have the right to lodge a complaint with your local data protection authority.