Maple Copilot Inc – Privacy Policy

Last Updated: 27/08/2025

This Privacy Policy explains how Maple Copilot Inc. (“Maple Copilot,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information, including personal health information (“PHI”), when you use the Maple Copilot Clinical Decision Support platform (“Platform”). This Policy is incorporated by reference into the Maple Copilot Terms and Conditions of Use.

 1. Scope

This Policy applies to all users of Maple Copilot, including physicians, healthcare organizations, and their authorized staff. The Platform is designed for use in Canada, with optional safeguards for U.S. HIPAA and EU GDPR contexts.

 2. Compliance Anchors

• PHIPA (Ontario): Governs PHI collection, use, and disclosure.

• PIPEDA (Canada): Governs personal information management.

• CPSO Standards: Physicians remain responsible for compliance with Ontario record-keeping requirements.

• CMPA: Physicians remain accountable for medico-legal liability.

• HIPAA: U.S. use requires BAAs.

• GDPR: EU use will not proceed until GDPR measures are in place.

 3. Information Collected

• Registration (name, email, specialty).

• Clinical data (draft notes, diagnoses, orders).

• Technical logs (device ID, IP, usage).

• Support/feedback communications.

 4. Use of Information

We use information to:

• Provide and improve services.

• Generate drafts for physician review.

• Monitor security and compliance.

• Conduct de-identified analytics.

• Fulfill legal/regulatory obligations.

We do not sell or trade PHI.

 5. Privacy-by-Design Auto-Deletion

• PHI is not permanently stored.

• Drafts are auto-deleted immediately after the physician copies them into the EMR or closes the session.

• No residual PHI is intentionally retained.

• Only de-identified logs are kept, for system security and audit purposes.

 6. Disclosure of Information

• To physicians/organizations controlling the PHI.

• To service providers under contract, subject to PHIPA/PIPEDA.

• To comply with legal obligations.

• In de-identified form for quality improvement.

 7. Retention

• PHI: Not retained post-session.

• Accounts: Retained until closure, then securely deleted within 30 days.

• Logs: De-identified only, deleted when no longer required.

 8. Safeguards

• Encryption (at rest, in transit).

• Role-based access controls.

• Monitoring consistent with PHIPA/PIPEDA.

• User responsibility for device and credential security.

 9. Rights of Users

• PHIPA/PIPEDA rights: access, correction, consent withdrawal.

• HIPAA rights: access, amendment, accounting of disclosures (U.S. only).

• GDPR rights: access, erasure, portability, restriction (EU only, once applicable).

10. Children’s Privacy

Not directed to children; intended for licensed healthcare professionals only.

11. Policy Changes

We may update this Policy. Continued use of the Platform constitutes acceptance.

12. Contact

Maple Copilot Inc.

admin@maplecopilot.com

maplecopilot.com

Acknowledgement

By using Maple Copilot, you confirm that you have read and understood this Privacy Policy, that PHI remains under your custody and control, and that all drafts are auto-deleted at session end to the best of our ability.