Trust

Information practices

Last updated: 2026-05-07

This document is the technical companion to our Privacy Policy. It's written for clinic privacy officers and procurement reviewers — what we collect, why, how it's secured, and how to reach us if something goes wrong.

Our role under PHIPA

Waiting Room operates as a PHIPA Agent on behalf of each clinic that signs our Service Agreement. The clinic remains the Health Information Custodian; we handle a narrow slice of personal information (first name, phone, appointment time) on the clinic's instructions, in support of the clinic's purpose of patient communication around appointment timing.

We never receive medical information — diagnoses, chart notes, test results, prescriptions, or treatment data. The fields aren't designed for it and our Terms of Service prohibit it.

What we collect

  • Patient first name (entered by clinic staff)
  • Primary contact phone number (encrypted at rest with AES-256-GCM)
  • Appointment scheduled time and duration
  • Provider name (for SMS personalisation)
  • Status events (timestamped, audit-logged)
  • Time-bounded patient location during travel only — purged on arrival, completion, or 4-hour timeout
  • Inbound SMS replies (HERE / OMW / YES / NO / STOP)

What we don't collect

  • Last name
  • Date of birth
  • Health Card / OHIP number
  • Insurance information
  • Medical condition, diagnosis, reason for visit
  • Symptoms, treatments, prescriptions, care notes
  • Identification documents

Technical safeguards

  • TLS 1.3 in transit. HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy headers on every response.
  • AES-256-GCM encryption at rest for phone numbers and other identifiers, applied at the application layer; the key is supplied through the environment and is never stored in the database.
  • Phone-number lookups match on an HMAC-SHA256 hash of the number (a keyed blind index), so queries never require decrypting stored phone strings.
  • Patient access via signed JWTs (HS256) that expire 24 hours after the appointment.
  • Per-clinic isolation enforced at the database layer via Postgres Row-Level Security on every table.
  • Per-staffer authentication via PIN, stored as an HMAC-SHA256 hash; five failed attempts trigger a 15-minute lockout.
  • Audit log of every status change, SMS send, and authentication event (24-month retention).
  • Inbound Twilio webhooks are validated against the X-Twilio-Signature header using the account Auth Token; requests with a missing or invalid signature are rejected with HTTP 403.
  • Sentry error monitoring with PII scrubbing — phone numbers, names, JWTs, and IPs are redacted before any event leaves the process.
  • Cron endpoints authenticated via bearer token.

Administrative safeguards

  • Privacy Officer designated (Ahmad, founder).
  • Written information practices (this document) and breach response runbook maintained.
  • Subprocessor due-diligence — DPAs signed before any new vendor processes data. Public list at /subprocessors.
  • Patient access / correction / deletion requests routed to support@a77inc.com; we acknowledge within 1 business day and respond within 30 days per PIPEDA.
  • 30-day data deletion procedure on contract termination.

Retention

  • Appointments and SMS logs: 12 months, then anonymized (first name and encrypted phone purged; aggregate stats preserved).
  • Audit log: 24 months.
  • Aggregate analytics (no identifiers): indefinite.
  • Location data during travel: purged at arrival or 4-hour timeout — most-recent-point only, no trail.
  • Opt-out list: indefinite (CASL — once a phone replies STOP, the suppression is permanent across our platform).

Breach notification

If a security incident affects clinic data, we notify the affected clinic within the timeline specified in our Service Agreement (typically 72 hours from confirmed breach). We assess each incident against PHIPA's notification trigger (loss, theft, or unauthorized use or disclosure of personal health information, which carries no harm threshold) and against PIPEDA's "real risk of significant harm" threshold, and escalate to the Information and Privacy Commissioner of Ontario where required. Clinics remain responsible for direct patient notification under their own custodianship.

Contact

Privacy questions: support@a77inc.com
Security incidents: support@a77inc.com