Privacy Policy

Last updated: March 9, 2026 · Version 1.0

Key Points at a Glance

This is a plain-language summary for your convenience. The full privacy policy below governs how we handle your information.

We never sell your data. Your personal health information is never sold, rented, or shared with third parties for their marketing or advertising purposes.

Your data is encrypted. All health information is encrypted in transit and at rest and stored in HIPAA-compliant environments.

You control your data. You can access, correct, export, or delete your personal information at any time.

We use your data to help you. Your information is used solely to generate and improve your personalized care plan and to operate our services.

Third parties are held accountable. Any third party that processes health data on our behalf is bound by a Business Associate Agreement under HIPAA.

We don’t use your data for ads. Filum does not serve advertisements, and your data is never used for ad targeting or profiling.

This Privacy Policy describes how Filum Medical Inc. (“Company,” “Filum,” “we,” “us,” or “our”), a corporation incorporated under the laws of Canada, collects, uses, stores, shares, and protects your information when you use the website located at www.filummed.com and the associated platform (collectively, the “Site”). By accessing or using the Site, you agree to the practices described in this Privacy Policy.

This Privacy Policy should be read in conjunction with our Terms of Use, which govern your use of the Site.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when you create an account, complete our health survey, upload documents, or communicate with us. This may include:

  • Account Information: Your name, email address, date of birth, and login credentials.
  • Health Profile Information: Responses to our health survey, including demographic details, medical history, family history, lifestyle information, and current medications.
  • Health Records: Lab reports, clinic notes, radiology reports, pathology reports, and any other medical documents you upload or synchronize with the Site.
  • Payment Information: Billing details provided when you subscribe to a paid plan. Payment card information is collected and processed by Stripe and is not stored on our servers.
  • Communications: Information you provide when you contact us for support or provide feedback.

1.2 Information Collected Through Health Record Synchronization

If you choose to synchronize your health records, we use third-party record-retrieval services, including Fasten Health, to access, retrieve, and store your health records from participating health systems. The information retrieved may include lab results, clinical notes, radiology reports, medication histories, immunization records, and other data available through the connected health system. This feature is currently available for health systems within the United States.

1.3 Information Collected Automatically

When you access the Site, we may automatically collect certain technical information, including:

  • Device and Browser Information: Device type, operating system, browser type and version, and screen resolution.
  • Usage Data: Pages visited, features used, time spent on the Site, click patterns, and referral sources.
  • Log Data: IP address, access times, and server logs.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. See Section 8 for more detail.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To generate and maintain your personalized preventive care plan, including screening timelines, biomarker recommendations, supplement guidance, and automated reminders.
  • Improving the Service: To analyze usage patterns, identify areas for improvement, and develop new features. Where health data is used for this purpose, it is de-identified and aggregated so that it cannot be used to identify you personally.
  • Account Management: To create, maintain, and secure your account, process payments, and manage your subscription.
  • Communications: To send you care plan updates, reminders, service notifications, and responses to your inquiries. We will not send you marketing emails unless you opt in, and you can unsubscribe at any time.
  • Sharing with Providers: If you choose to share your care plan with a healthcare provider (via PDF download, eFax, or provider referral), we facilitate that sharing at your direction.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to protect the rights, privacy, safety, and property of Filum, our users, and the public.

3. Protected Health Information (PHI)

3.1 What Constitutes PHI

Protected Health Information (“PHI”) includes any individually identifiable health information that you provide to us or that we receive through health record synchronization. This includes your medical history, lab results, clinical notes, radiology reports, medications, diagnoses, and any other health-related data that is linked to your identity.

3.2 How We Handle PHI

We treat all PHI in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Documents Act (PIPEDA), as applicable. Specifically:

  • PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256) and stored in HIPAA-compliant cloud environments.
  • Access to PHI is restricted to authorized personnel and systems on a need-to-know basis, following the HIPAA minimum necessary standard.
  • We maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your PHI.
  • PHI is used solely for the purposes described in this Privacy Policy and our Terms of Use.

3.3 De-Identification

When we use health data for service improvement, research, or analytics, we de-identify the data in accordance with the HIPAA Safe Harbor method. De-identified data does not contain any of the 18 identifiers specified by HIPAA and cannot reasonably be used to identify you. De-identified, aggregated data is not considered PHI and may be retained after account deletion.

4. How We Share Your Information

4.1 We Do Not Sell Your Data

Filum does not sell, rent, or trade your personal information or PHI to any third party for any purpose, including marketing, advertising, or data brokering.

4.2 Service Providers

We share information with third-party service providers solely to the extent necessary to operate and improve the Site. These providers include:

  • Cloud Infrastructure: For hosting, storage, and computing services (e.g., Google Cloud Platform).
  • Payment Processing: Stripe processes your payment information. Filum does not store your payment card details.
  • Health Record Retrieval: Fasten Health retrieves health records from participating health systems at your direction.
  • Analytics: We use privacy-focused analytics tools to understand how the Site is used. These tools process only de-identified or aggregated data.
  • Email and Communications: For sending transactional emails, care plan reminders, and service notifications.

4.3 Business Associate Agreements

Any third-party service provider that processes PHI on our behalf is bound by a Business Associate Agreement (BAA) as required by HIPAA. These agreements require the provider to maintain the privacy and security of your PHI, limit the use of PHI to the services they perform for us, report any security incidents or breaches, and return or destroy PHI upon termination of the agreement.

4.4 Healthcare Providers

If you choose to share your care plan with a healthcare provider, we will transmit your information to that provider at your direction. This may occur via PDF download, eFax, or direct provider referral. Filum does not share your information with any provider without your explicit consent and direction.

4.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Filum, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to a government request.

4.6 Business Transfers

In the event of a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on the Site of any change in ownership or use of your personal information, and your choices regarding your information.

5. Data Retention

5.1 Active Accounts

We retain your personal information and PHI for as long as your account is active and as needed to provide the Site's services. Your care plan, health profile, and uploaded documents are maintained in our active systems to support ongoing plan updates and reminders.

5.2 Account Deletion

When you request deletion of your account, we will delete your personal information and PHI from our active databases within thirty (30) days of your request. Certain information may be retained in backup systems for a limited period as required by our backup and disaster recovery processes, after which it will be permanently deleted.

5.3 De-Identified Data

De-identified, aggregated data that has been produced prior to your deletion request may be retained indefinitely, as it cannot be used to identify you and is not considered PHI.

5.4 Legal Requirements

We may retain certain information for longer periods as required by applicable law, regulation, or legal process, or to resolve disputes and enforce our agreements.

6. Your Rights and Choices

6.1 Access and Portability

You have the right to access the personal information and PHI we hold about you. You may request a copy of your data in a commonly used, machine-readable format by contacting us at support@filummed.com.

6.2 Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update certain information directly through your account settings, or contact us for assistance.

6.3 Deletion

You have the right to request deletion of your personal information and PHI at any time. You can initiate deletion through your account settings or by contacting us at support@filummed.com. See Section 5.2 for details on our deletion process.

6.4 Withdrawal of Consent

Where we process your information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent for health record synchronization, we will stop retrieving new records from the connected health systems, but previously retrieved records will remain in your profile unless you request their deletion.

6.5 Opt-Out of Communications

You may opt out of marketing communications at any time by using the unsubscribe link in any marketing email or by updating your communication preferences in your account settings. Note that you cannot opt out of transactional communications related to your account and care plan (e.g., billing confirmations, care plan reminders, security alerts).

6.6 Restrictions on Automated Processing

Filum uses automated processes, including AI and clinical algorithms, to generate your personalized care plan. You have the right to request human review of any automated decision that significantly affects you. To make such a request, contact us at support@filummed.com.

7. Data Security

7.1 Technical Safeguards

We implement industry-standard technical safeguards to protect your information, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and role-based permissions, audit logging and monitoring, regular vulnerability assessments and penetration testing, and secure software development practices.

7.2 Administrative Safeguards

We maintain administrative policies and procedures including employee background checks and confidentiality agreements, regular HIPAA compliance training for all personnel with access to PHI, documented incident response and breach notification procedures, and ongoing risk assessments in accordance with the HIPAA Security Rule.

7.3 Physical Safeguards

Our cloud infrastructure providers maintain physical safeguards including restricted facility access, environmental controls, and 24/7 monitoring. We do not store PHI on local devices or premises.

7.4 Breach Notification

In the event of a data breach involving your PHI, we will notify you in accordance with the HIPAA Breach Notification Rule and applicable Canadian and provincial privacy laws. Notification will be made without unreasonable delay and no later than sixty (60) days after discovery of the breach, unless a shorter period is required by law.

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for the Site to function properly, including session management and authentication. These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings to improve your experience (e.g., language preferences, display settings).
  • Analytics Cookies: Help us understand how the Site is used so we can improve it. These cookies collect de-identified, aggregated information only.

8.2 What We Do Not Use

Filum does not use advertising cookies, third-party tracking pixels, or any cookies or technologies that profile you for advertising purposes. We do not participate in ad networks or allow third-party advertisers to place cookies on the Site.

8.3 Managing Cookies

You can manage or disable cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Site.

9. Children's Privacy

The Site is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will promptly delete that information. If you believe that a child under 18 has provided us with personal information, please contact us at support@filummed.com.

10. International Data Transfers

Filum is incorporated in Canada and our servers are located in the United States and Canada. If you access the Site from outside of these countries, your information may be transferred to, stored in, and processed in jurisdictions where data protection laws may differ from those in your jurisdiction. By using the Site, you consent to the transfer of your information to these jurisdictions.

We take appropriate measures to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it, including through contractual protections with our service providers.

11. Applicable Privacy Laws

11.1 HIPAA (United States)

To the extent that Filum is a covered entity or business associate under the Health Insurance Portability and Accountability Act, our systems and practices are designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule with respect to all PHI we collect, use, store, and disclose.

11.2 PIPEDA (Canada)

For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including the Personal Information Protection Act (PIPA) of British Columbia. Under these laws, you have the right to access your personal information, request corrections, and withdraw consent for the collection, use, or disclosure of your information.

11.3 Other Jurisdictions

If you access the Site from a jurisdiction with specific data protection laws (such as the European Union's GDPR or applicable U.S. state privacy laws), we will comply with the applicable requirements of those laws to the extent they apply to our processing of your information. If you have questions about how specific laws apply to your use of the Site, please contact us at support@filummed.com.

12. Third-Party Services

The Site may contain links to or integrate with third-party websites and services that are not operated by Filum. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you interact with. Key third-party services include:

  • Fasten Health: Used for health record retrieval and synchronization. Subject to Fasten Health's own terms of service and privacy policy.
  • Stripe: Used for payment processing. Subject to Stripe's privacy policy. Filum does not store your payment card information.
  • Google Cloud Platform: Used for cloud infrastructure. Subject to Google Cloud's data processing terms and BAA with Filum.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email (using the last email address you provided) and/or by posting a prominent notice on the Site at least thirty (30) days before the changes take effect. Your continued use of the Site after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Filum Medical Inc.
Email: support@filummed.com
Website: www.filummed.com

If you are not satisfied with our response to your privacy concern, you may contact the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner for British Columbia.