1. Who we are
Caremynd is a trade name of a Canadian corporation headquartered in Winnipeg, Manitoba, on Treaty 1 territory. We provide white-label case management software to residential care, human services, and independent living programs across Canada. Our first tenant is a Canadian residential operator serving young people transitioning into adulthood.
When a residential care program uses Caremynd to manage resident records, the program (our customer) is the data controller (or, in health-privacy terms, the custodian or trustee) for resident information. Caremynd is the data processor — we store and process that information on our customer's behalf under a written data processing agreement. This policy describes practices common to both roles.
Caremynd is a registered Intuit Developer. Where a customer chooses to connect the service to their QuickBooks Online account, we act as a third-party application under the Intuit Developer Terms of Service.
2. Scope of this policy
This policy applies to:
- Visitors to caremynd.com and any public marketing surface we operate.
- Customer organizations and the staff members they provision.
- Residents whose records are entered by a customer organization using Caremynd.
- Prospects who contact us via email, form, or phone.
It does not cover third-party sites linked from our marketing pages or customer content handled outside Caremynd.
3. What we collect
3.1 Marketing visitors
- Device and browser type, referrer, coarse location (country / province).
- Pages viewed and approximate time on page (aggregated, privacy-respecting analytics).
- Contact details you submit via forms (name, email, organization, message body).
3.2 Customer staff accounts
- Name, work email, role, organization.
- Password hash (argon2id) and TOTP MFA secret (encrypted).
- Session metadata: login times, IP address (last-known), device fingerprint used to detect anomalous sign-ins.
- OAuth access and refresh tokens for any third-party integration the customer connects (Google, Microsoft Graph, Intuit QuickBooks Online). Tokens are stored field-level encrypted and are never exposed to staff users or to other tenants.
3.3 Residents (processed on behalf of the customer organization)
- Identity information: legal name, preferred name, date of birth, provincial identifiers.
- Program context: referral source (child and family services agency, private referral, self-referral), funding source, program type.
- Care information: goals, care plan, progress notes, incident reports, medications list (where the customer program is authorized to hold that information), assessments.
- Indigenous nation or ancestry only when the resident has chosen to share it — governed by OCAP® principles and Bill C-92, never a required field.
- Messages exchanged through the platform between resident, staff, caseworkers, and other authorized parties.
- Uploaded documents the resident or staff chose to store (identity documents, letters, photographs).
We do not collect biometric identifiers, precise device location, or advertising identifiers. We do not run third-party advertising trackers on authenticated surfaces.
4. Why we can process this information
Caremynd is a Canadian-operated service. Our processing activities are governed by the federal privacy framework and, where the customer operates, by the applicable provincial or territorial privacy and health-privacy statute:
- Federal. Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000 c 5; An Act respecting First Nations, Inuit and Métis children, youth and families (Bill C-92), SC 2019 c 24, for records connected to Indigenous children and families; Canada's Anti-Spam Legislation (CASL), SC 2010 c 23, for commercial electronic messages.
- British Columbia. Personal Information Protection Act (PIPA), SBC 2003 c 63; E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008 c 38.
- Alberta. Personal Information Protection Act (PIPA), SA 2003 c P-6.5; Health Information Act (HIA), RSA 2000 c H-5.
- Saskatchewan. The Health Information Protection Act (HIPA), SS 1999 c H-0.021.
- Manitoba. Personal Health Information Act (PHIA), CCSM c P33.5.
- Ontario. Personal Health Information Protection Act (PHIPA), SO 2004 c 3 Sch A; Part X of the Child, Youth and Family Services Act, 2017.
- Quebec. Act respecting the protection of personal information in the private sector (Law 25), CQLR c P-39.1; Act respecting health services and social services, CQLR c S-4.2.
- New Brunswick. Personal Health Information Privacy and Access Act (PHIPAA), SNB 2009 c P-7.05.
- Nova Scotia. Personal Health Information Act (PHIA), SNS 2010 c 41.
- Prince Edward Island. Health Information Act (HIA), RSPEI 1988 c H-1.41.
- Newfoundland & Labrador. Personal Health Information Act (PHIA), SNL 2008 c P-7.01.
- Yukon. Health Information Privacy and Management Act (HIPMA), SY 2013 c 16.
- Northwest Territories. Health Information Act (HIA), SNWT 2014 c 2.
- Nunavut. Access to Information and Protection of Privacy Act (ATIPPA), SNu 2003 c 5; federal PIPEDA applies to private-sector processing.
Under those statutes we rely on the following bases, matched to the activity:
- Consent — for marketing emails, resident portal participation, and any optional field the resident chose to complete. Where Quebec Law 25 applies, we collect the specific, clear, separate consents it requires, and we honour the right to data portability and to object to automated decision-making.
- Contractual necessity — to deliver the services a customer organization has contracted us to provide.
- Legal obligation — to retain records under child and family services legislation, tax law, and employment law.
- Legitimate interest — limited to security logging, fraud prevention, and service-quality analytics, always balanced against the affected person's rights.
5. How we use the information
We use information only for the purposes you would expect when you engage with us:
- Delivering the case management service (storing records, routing messages, generating reports, producing invoices).
- Authenticating users and enforcing role-based access.
- Maintaining an append-only audit trail of every material action on a resident record (required by child and family services legislation and by sound security practice).
- Notifying customers of security events, material platform changes, or planned maintenance.
- Responding to support and sales inquiries.
- Complying with lawful requests from Canadian regulators, courts, or child welfare authorities.
5.1 QuickBooks Online integration — purpose of use
When a customer connects Caremynd to their Intuit QuickBooks Online (QBO) company, Caremynd requests and uses QBO data only for the following purposes:
- Reading the customer's QBO customer list, service items, tax codes, and chart of accounts to align Caremynd billing records with the customer's books.
- Creating and updating invoices, credit memos, and payments in QBO to reflect billing events that originate in Caremynd (per-diem billing, funding-source reconciliation, vendor payments).
- Retrieving payment status and bank-deposit context so Caremynd can show the customer an accurate A/R view inside the platform.
Caremynd does not use QBO data to build user profiles for advertising, does not sell or license QBO data, does not share QBO data with any party other than the sub-processors listed below, and does not use QBO data to train third-party AI models. The customer can disconnect the QBO integration at any time from inside the Caremynd platform.
6. AI features and anonymization
Some Caremynd modules use large language models to assist with drafting, summarizing, and risk signalling. When an AI model is invoked:
- Personal identifiers (names, addresses, dates of birth, phone numbers, email addresses, government identifiers) are stripped by our anonymization layer before the request leaves Caremynd.
- The inference call is made to a Canadian-region endpoint with zero-data-retention enabled.
- Model responses are re-associated with the original record only inside Caremynd.
- No customer content is used to train third-party foundation models.
- A customer organization may disable AI features for their tenant at any time.
Where Quebec Law 25 applies, a resident may request not to be subject to a decision based exclusively on automated processing of their personal information; Caremynd surfaces AI outputs as drafts or signals, and final decisions remain with authorized staff.
7. Who we share information with
We share information only in the following circumstances, and only to the minimum extent necessary:
- Sub-processors acting on our behalf under written contract — listed below.
- Customer-directed integrations — when a customer organization explicitly connects an external service (for example, Google Calendar, Microsoft 365 Calendar, or Intuit QuickBooks Online), only the data scoped to that integration is transmitted.
- Child and family services authorities — when a customer organization is required to file an incident, notification, or statutory report.
- Legal process — in response to a lawful subpoena, warrant, or court order issued by a Canadian court, only after consulting legal counsel and, where permitted, notifying the affected customer.
- Corporate transactions — in the event of a merger, acquisition, or financing, personal information may be disclosed to a prospective counterparty under a confidentiality agreement; any such counterparty would assume the obligations in this policy.
7.1 OAuth scopes we request
- Intuit QuickBooks Online: com.intuit.quickbooks.accounting (and openid profile email for sign-in context). Used for the purposes described in § 5.1.
- Microsoft 365 / Microsoft Graph: Calendars.ReadWrite, offline_access, and User.Read. Used to create, update, and mirror calendar events between Caremynd and the authenticated staff user's Microsoft 365 calendar.
- Google Workspace: https://www.googleapis.com/auth/calendar, openid, email, profile. Used to create, update, and mirror calendar events between Caremynd and the authenticated staff user's Google Calendar.
8. Sub-processors
Our sub-processors as of the last-updated date:
- Supabase — PostgreSQL database, object storage, authentication. Canadian region (ca-central-1, Montreal). SOC 2 Type 2.
- Vercel — application hosting and functions. Canadian region (yul1, Montreal). SOC 2 Type 2.
- Anthropic — Claude API for AI features, accessed via zero-data-retention endpoints with mandatory anonymization upstream. SOC 2 Type 2.
- Resend — transactional email delivery. Does not receive resident records; only email envelope metadata.
- Sentry — error monitoring. Personal identifiers are scrubbed before transmission.
- Intuit Inc. — invoked only when a customer has connected QuickBooks Online. Data transmitted is limited to the invoicing, customer, item, and payment records described in § 5.1. Intuit processes data on its own infrastructure per the Intuit End User License Agreement and Intuit Global Privacy Statement.
- Microsoft Corporation — invoked only when a customer has connected Microsoft 365. Data transmitted is limited to calendar event content for the authenticated staff user. Microsoft processes data on its own infrastructure per the Microsoft Online Services Terms.
- Google LLC — invoked only when a customer has connected Google Workspace. Data transmitted is limited to calendar event content for the authenticated staff user. Google processes data per the Google Workspace Terms of Service.
We will update this list at least thirty days before engaging a new sub-processor that processes personal information. Customers subscribed to product updates receive notification by email.
9. Data residency
All Caremynd-controlled customer data — database, object storage, backups, and application compute — is located in Canada. Our production infrastructure is pinned to Montreal (Vercel yul1) and Montreal (Supabase ca-central-1). We do not replicate personal information to non-Canadian regions for caching, CDN acceleration, or failover.
Third-party integrations that a customer explicitly connects (for example, Microsoft Graph, Google Workspace, Intuit QuickBooks Online) may process transmitted data on their own infrastructure, which for those providers typically includes data centres in the United States and the European Union. Each of those providers maintains its own data residency posture, documented in their respective terms. Before enabling an integration, the customer is shown a consent screen identifying the provider and the scope of data that will be transmitted. Under Quebec Law 25 s. 17, a customer with Quebec residents must perform a privacy impact assessment before transferring their personal information to a jurisdiction outside Quebec; Caremynd supplies the technical inputs for that assessment on request.
10. Security measures
A fuller description lives at caremynd.com/security. Summary:
- TLS 1.3 in transit, AES-256 at rest, field-level encryption for OAuth tokens and sensitive identifiers.
- Row-level security enforced at the database, not the application.
- TOTP multi-factor authentication required for all staff roles.
- Append-only audit log with database-level triggers on every mutation.
- Quarterly internal security reviews; formal third-party penetration testing on a published cadence.
- Documented incident response runbook and 24-hour customer notification SLA for confirmed breaches of security safeguards, consistent with PIPEDA's breach-of-security-safeguards regulations.
11. Retention
Retention is governed by the longest applicable statute for the customer's program type and province of operation. The statutory floors Caremynd recognizes are:
| Jurisdiction | Statutory retention floor | Authority |
|---|---|---|
| Alberta (child and family services) | 100 years | Child, Youth and Family Enhancement Act, RSA 2000 c C-12 s. 127(4) |
| Quebec (youth protection) | 2–5 years / to age 18 / to age 43 for established-danger cases | Youth Protection Act, CQLR c P-34.1 ss. 37.1 – 37.4.1 |
| Manitoba (child and family services) | 7 years from last active engagement | Child and Family Services Act, CCSM c C80 |
| Newfoundland & Labrador | Indefinite — until directed by the provincial director | NL Reg 38/19 ss. 16, 24, 34 |
| British Columbia, Saskatchewan, Ontario, New Brunswick, Nova Scotia, Prince Edward Island | No numeric statutory floor for child-welfare records; customer-directed schedule applies (minimum = civil-limitation + tax floors below) | CFCSA BC; CFSA SK; CYFSA ON Part X; CYWBA NB; CFSA NS; CYFSA PE |
| Federal — income tax records | 6 years from end of last taxation year | Income Tax Act, RSC 1985 c 1 (5th Supp) s. 230(4) |
| Federal — GST/HST records | 6 years from end of year | Excise Tax Act, RSC 1985 c E-15 s. 286(3) |
| Indigenous children & families (federal) | As set by the applicable Indigenous Governing Body coordination agreement; no federal numeric floor | Bill C-92, SC 2019 c 24 s. 28 |
In addition, most Canadian provinces have eliminated the civil limitation period for claims based on sexual assault and on physical assault against a minor or a person in a relationship of trust, dependency, or authority, and have done so retroactively (for example, Ontario's Limitations Act, 2002, SO 2002 c 24 Sch B s. 16(1)(h), (h.1), (h.2)). Records may therefore be needed for evidentiary purposes long after any program-specific retention period has elapsed. Caremynd retains records at least until the expiry of every applicable statutory floor above plus any limitation-period obligation the customer organization identifies in its data processing agreement.
Marketing contact records are retained until the contact unsubscribes or twenty-four months of inactivity have elapsed, whichever comes first. System audit logs are retained for a minimum of seven years in append-only form, reflecting the evidentiary requirements of child and family services jurisprudence.
11.1 QuickBooks Online — retention on disconnect
When a customer disconnects the QuickBooks Online integration, Caremynd immediately revokes the OAuth refresh token and stops all further calls to Intuit. Audit records showing which QBO records were created, updated, or read while the connection was active are retained inside Caremynd for the statutory tax-records floor (six years under the Income Tax Act and the Excise Tax Act), because those records form part of the customer's tax-law books and records. QBO data itself is not copied into Caremynd beyond what is strictly necessary to show a reconciled billing view.
12. Your rights
Subject to Canadian law and the customer organization's obligations, you have the right to:
- Access personal information Caremynd holds about you.
- Correct inaccurate or incomplete information.
- Withdraw consent for any processing based on consent.
- Request deletion of personal information, subject to statutory retention requirements that may require Caremynd to retain records for a defined period.
- Portability of personal information in a structured, commonly used, technological format, where provided by applicable law (Quebec Law 25 s. 27 and the PIPEDA-successor framework as it evolves).
- Object to automated decision-making where applicable law provides that right.
- Complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the applicable provincial or territorial commissioner (see § 17).
If you are a resident whose records live inside a customer organization's tenant, we will route your request to that organization, as they are the controller. If you are unsure who to contact, email us and we will help you route it.
12.1 A note about non-Canadian users of a connected third-party service
Caremynd itself does not transfer customer data outside Canada. However, when a customer has connected Microsoft 365, Google Workspace, or Intuit QuickBooks Online, data exchanged with those providers may be processed on infrastructure in the United States or the European Union under their respective terms. Users in those jurisdictions retain the rights their local law affords them, and Caremynd will cooperate with the customer to satisfy any request routed through that customer organization.
13. Indigenous data governance
Where a resident has identified as First Nations, Inuit, or Métis, any records tagged to that identity are handled under OCAP® principles — ownership, control, access, and possession — recognized by the First Nations Information Governance Centre. Aggregated reporting that would disclose nation-level patterns is never exported to external funders or researchers without explicit, documented consent from the governing nation or community authority.
Records touching the delivery of child and family services to First Nations, Inuit, and Métis children and families are also governed by the federal Act respecting First Nations, Inuit and Métis children, youth and families, SC 2019 c 24 (Bill C-92). Where an Indigenous Governing Body has enacted a coordination agreement, that agreement's provisions on collection, retention, use, and disclosure take precedence. Caremynd supports tenant-level configuration to honour the data-handling terms set by the relevant governing body.
14. Residents under the age of majority
Caremynd is used by residential care programs that serve residents under the age of majority (typically 16 to 21 in our launch configuration). We process that information on behalf of the customer organization, which is legally authorized to hold and process it under the relevant provincial child and family services or human services framework. We do not market directly to residents, and the resident portal is provisioned only at the customer organization's direction.
15. Cookies and similar technologies
Caremynd uses only strictly necessary first-party cookies on authenticated surfaces. We do not set third-party advertising cookies anywhere. On the marketing site we use a privacy-respecting analytics provider configured to aggregate data without persistent personal identifiers. Under Quebec's Act respecting the protection of personal information in the private sector (Law 25), we disclose the full list of technologies that identify or track an authenticated user:
- ns-last-activity — Strictly necessary. Tracks last activity time so we can sign the user out after idle timeout. Expires after 24 hours.
- ns-mfa-verified — Strictly necessary. Confirms the user completed multi-factor authentication so they do not have to repeat it on every page. Expires after 24 hours.
- ns-mfa-just-verified — Strictly necessary. Short-lived handoff cookie during MFA sign-in. Expires after 60 seconds.
- ns-portal-preview — Strictly necessary for users with the admin role. Records whether the admin is previewing the staff portal or the resident portal. Expires with the session.
We do not use Google Analytics, Facebook Pixel, advertising SDKs, session replay tools, or any cross-site or behavioural tracking technology on authenticated surfaces.
16. Changes to this policy
We will revise this policy when our practices change. Material changes will be announced to customer administrators at least thirty days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision. Previous versions are preserved in our archive on request.
17. Contact us
Privacy questions, access requests, or complaints:
- Email: privacy@caremynd.com
- General inquiries: hello@caremynd.com
- Support: support@caremynd.com
- Mail: Caremynd, Winnipeg, Manitoba, Canada. Full civic address provided on written request.
17.1 Privacy commissioners
You may also direct complaints to the Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec, K1A 1H3, or to the commissioner for your province or territory:
- British Columbia — Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca)
- Alberta — Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca)
- Saskatchewan — Office of the Saskatchewan Information and Privacy Commissioner (oipc.sk.ca)
- Manitoba — Manitoba Ombudsman, Access and Privacy Division (ombudsman.mb.ca)
- Ontario — Information and Privacy Commissioner of Ontario (ipc.on.ca)
- Quebec — Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
- New Brunswick — Office of the Access to Information and Privacy Commissioner for New Brunswick (info-priv-nb.ca)
- Nova Scotia — Office of the Information and Privacy Commissioner for Nova Scotia (oipc.novascotia.ca)
- Prince Edward Island — Office of the Information and Privacy Commissioner of Prince Edward Island (oipc.pe.ca)
- Newfoundland & Labrador — Office of the Information and Privacy Commissioner for Newfoundland and Labrador (oipc.nl.ca)
- Yukon — Office of the Yukon Information and Privacy Commissioner (ombudsman.yk.ca)
- Northwest Territories — Office of the Information and Privacy Commissioner of the Northwest Territories (atipp-nt.ca)
- Nunavut — Office of the Information and Privacy Commissioner of Nunavut (info-privacy.nu.ca)
18. Language
This policy is published in English. A French translation will be made available to customers and residents in Quebec on request, consistent with the Charter of the French Language (CQLR c C-11). In the event of a discrepancy between the English and French versions, the version in the language requested by the resident or customer governs for that party.
This document is effective as of April 19, 2026. © 2026 Caremynd. All rights reserved.