1. Scope and Application
This Privacy Policy applies to all personal information and personal health information that DRRD Nutrition ("we," "us," or "our") collects through our website, online booking platform, patient portal, video visits, and in-person services. By using our services or providing information to us, you agree to the practices described in this policy.
2. What Information We Collect
We collect different categories of information depending on how you interact with us:
- Identification Information: name, date of birth, address, phone number, email, emergency contact, government-issued identifiers when required for billing or insurance.
- Health Information: medical history, current medications, allergies, dietary restrictions, lifestyle factors, body measurements, lab results you share with us, food journals, clinical notes from your visits, and any information you provide during consultations.
- Booking and Visit Information: appointments, attendance, communications, video visit recordings (only when you have explicitly consented), and clinical documentation generated during your care.
- Account and Technical Information: login credentials, IP address, device information, browser type, and usage data when you access our patient portal.
- Payment Information: billing address and payment details processed through our secure payment provider (we do not store full payment card numbers).
3. How We Use Your Information
We use your information for the following purposes:
- Providing nutrition counselling, clinical assessments, meal planning, and follow-up care.
- Scheduling appointments and sending appointment reminders.
- Communicating with you about your care, including via email, SMS, and video visits.
- Processing payments and managing billing.
- Maintaining clinical records as required by professional and legal obligations.
- Generating clinical documentation, including AI-assisted clinical notes (see Section 4 — AI-Assisted Clinical Documentation).
- Improving our services and patient experience based on aggregated, de-identified data.
- Complying with legal, regulatory, and professional requirements.
4. AI-Assisted Clinical Documentation
To improve the quality of clinical care and reduce administrative burden on our practitioners, we use artificial intelligence (AI) services to assist with clinical documentation. Specifically:
- Note Polishing & Summarization: AI helps refine and structure clinical notes that our dietitians write during or after your visits.
- Visit Transcription (with consent): If a video visit is recorded with your consent, AI may be used to transcribe the recording and generate structured clinical notes.
- Clinical Insights: AI may help identify potential health alerts (e.g., nutrient deficiencies, contraindications) based on your health information.
- AI-generated content is always reviewed by a qualified practitioner before being added to your clinical record.
- Where these AI services are hosted: AI processing occurs through Amazon Web Services (AWS) Bedrock, a HIPAA-eligible service provided by Amazon. AWS Bedrock processes requests in data centers located in the United States.
- Your data is not used to train AI models, is encrypted in transit and at rest, and is governed by Amazon's Business Associate Agreement (BAA), which contractually binds AWS to protect your health information.
5. Cross-Border Data Processing & Your Consent
Some of the technology services we use to support your care involve processing your information outside of Canada:
- AI-assisted documentation (described above) is processed by AWS Bedrock in the United States.
- Email delivery is handled by Amazon Simple Email Service.
- Video visit infrastructure (Amazon Chime SDK) routes through AWS data centers, primarily in Canada.
- All other patient data — including your medical records, appointments, communications, and uploaded documents — is stored in AWS data centers in Canada (Montreal region).
- Under Quebec's Law 25 and Ontario's PHIPA, we are required to obtain your consent before processing your personal health information outside of Canada. By accepting this Privacy Policy and continuing to use our services, you consent to the cross-border processing described above for the purposes of providing your care.
- You may withdraw this consent at any time by contacting us. Withdrawing consent will disable AI-assisted documentation features for your care; other services will continue normally.
6. Where Your Data Is Stored
We use Amazon Web Services (AWS) for our infrastructure. All primary data storage occurs in AWS Canada (Central) — Montreal region. Specific exceptions are detailed in Section 5 above. AWS is contractually obligated under our Business Associate Agreement to protect your health information in accordance with HIPAA standards, which also satisfy Canadian provincial privacy law requirements.
7. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only as follows:
- With Your Consent: When you explicitly authorize us to share information with another healthcare provider, family member, or organization.
- Other Healthcare Providers: As needed for continuity of care (e.g., your family doctor, specialists), with your consent.
- Service Providers ("Sub-Processors"): We use trusted third-party providers to operate our services. Each is bound by a written data processing agreement. See our Sub-Processor List below.
- Legal Obligations: When required by law, court order, or regulatory authority.
- Professional Obligations: As required by our regulatory college (e.g., College of Dietitians of Ontario).
8. Sub-Processors
We rely on the following third-party services to deliver our care. Each is bound by data protection agreements:
- Amazon Web Services (AWS) — cloud infrastructure, database hosting, file storage, AI processing (Bedrock), email (SES), and video visits (Chime SDK). HIPAA BAA in place.
- Vercel — hosting for our patient-facing websites and portal. No PHI is stored on Vercel.
- Stripe / Square — payment processing. PCI DSS compliant.
- Google (Calendar API, optional) — when our practitioners connect their Google Calendar to manage appointments. Patient PHI is not transmitted to Google. See Section 9 — Google Services.
9. Google Services
We may use Google services for the following purposes:
- Google Calendar Integration (Practitioner-Side): Our practitioners may connect their Google Calendar to our system to synchronize appointment availability. This connection uses Google's OAuth authentication. We only access calendar events necessary for scheduling — we do not access the content of unrelated events. Patient personal health information is never sent to Google through this integration.
- Use of Google User Data: When a practitioner authorizes Google Calendar access, we use this data solely to: (a) read calendar events to determine availability, (b) create new events for booked appointments, and (c) update or cancel events when bookings change.
- Google data is not shared with any other party, used for advertising, or used to train AI models.
- Practitioners can revoke our access at any time through their Google Account settings.
- Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
10. How Long We Keep Your Information
We retain your personal health information for the periods required by applicable law and our regulatory college:
- Clinical records: 10 years from the date of last service, or until you reach the age of majority plus 10 years (whichever is later), as required by Ontario's Regulated Health Professions Act.
- Billing and financial records: 7 years for tax and regulatory purposes.
- Account and login records: until you request deletion or 2 years after your last activity.
- Marketing communications: until you unsubscribe.
- Video visit recordings (if made with consent): 90 days, then automatically deleted.
11. Your Rights
You have the following rights regarding your personal health information:
- Right to Access: You may request a copy of the personal information we hold about you.
- Right to Correction: You may request that we correct inaccurate or incomplete information.
- Right to Withdraw Consent: You may withdraw consent for specific uses (e.g., AI processing, marketing communications) at any time.
- Right to Lodge a Complaint: You may file a complaint with our Privacy Officer or with the Office of the Information and Privacy Commissioner of Ontario (IPC), the Commission d'accès à l'information du Québec (CAI), or the Office of the Privacy Commissioner of Canada (OPC).
- Right to Data Portability: You may request your records in a portable electronic format.
- To exercise any of these rights, contact our Privacy Officer using the information in Section 16 — Contact Us.
12. How We Protect Your Information
We use industry-standard security measures to protect your information:
- Encryption in transit (TLS 1.2 or higher) for all data sent over the internet.
- Encryption at rest (AES-256) for all stored data.
- Multi-factor authentication for all staff accounts.
- Role-based access controls — staff only access information necessary for their role.
- Comprehensive audit logging of all access to patient records, as required by PHIPA section 10(3).
- Regular security assessments and updates.
- Mandatory privacy and security training for all staff.
- Background checks on employees handling personal health information.
13. Data Breach Notification
In the unlikely event of a privacy breach affecting your personal health information, we will notify you and the appropriate regulatory authorities as required by law. Under PHIPA, we will notify you and the Information and Privacy Commissioner of Ontario at the first reasonable opportunity. Under Quebec's Law 25, we will notify the Commission d'accès à l'information and affected individuals when a breach poses a risk of serious injury.
14. Children's Privacy
We provide services to minors under the supervision of their parents or legal guardians. For patients under the age of consent in their province (16 in Ontario, 14 in Quebec for healthcare decisions), parental consent is required for treatment and data collection. We do not knowingly collect personal information from children without appropriate consent.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or business practices. When we make material changes, we will notify you by email or through our patient portal. The most recent version is always available on our website with the "Last updated" date below.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to file a complaint, please contact our Privacy Officer:
Website: https://www.drrdnutrition.com
Privacy Officer Email: info@drrdnutrition.com
Phone: 1-(888) 609-3356
Last updated: 5/3/2026