Privacy Policy
Last updated: 2026-05-07 · Founder draft, pending lawyer review.
1. Who we are
Waiting Room is a logistics and scheduling-status platform operated by A77 Inc., an Ontario corporation (49 Thorncliffe Park Drive, Suite 2004, Toronto, Ontario, Canada). We act as a PHIPA Agent on behalf of each clinic that uses the Service. The clinic is the Health Information Custodian; we process a narrow slice of personal information on the clinic's instructions and for its stated purpose.
2. What we collect
From or about patients (or their authorized caregivers):
- Patient first name (entered by clinic staff)
- Primary contact phone number (encrypted at rest with AES-256-GCM)
- Appointment scheduled time and duration
- Provider name (for SMS personalisation)
- Status events (timestamped, audit-logged)
- Time-bounded patient location during travel only — purged on arrival, completion, or 4-hour timeout
- Inbound SMS replies (HERE / OMW / YES / NO / STOP)
From clinic staff users:
- Email address used to sign in
- Display name and role chosen by the clinic
- Hashed PIN (HMAC-SHA256; we never store the plaintext)
- Audit-trail metadata (who did what, when)
3. What we do NOT collect
We never collect, store, transmit, or process any of the following, regardless of what a clinic might attempt to enter:
- Last name
- Date of birth
- Health Card / OHIP number
- Insurance information
- Medical condition, diagnosis, or reason for visit
- Symptoms, treatments, prescriptions, or care notes
- Lab results, imaging, or any clinical content
- Identification documents
- Payment card information (handled by Stripe; we never see card numbers)
Our Terms of Service and Charter Partner Agreement prohibit clinics from entering medical information into the Service, and the input fields are intentionally narrow to discourage it.
4. Why we collect it
To send appointment-status SMS, calculate when the patient should leave for the appointment, and auto-mark them arrived when they reach the clinic. We do not use personal information for any other purpose except: (a) operating and improving the Service in aggregate / de-identified form, (b) responding to support requests, and (c) as required by law.
5. Subprocessors
We use the following third-party services to operate the platform. The current authoritative list is at /subprocessors.
- Supabase / AWS (Canada-Central region) — database, auth, realtime
- Twilio (US) — SMS delivery
- Google Maps Platform (US) — travel time and geocoding
- Vercel (US/global edge) — hosting
- Stripe (US/CA) — subscription billing (clinic-side only)
- Sentry (US) — error monitoring (PII scrubbed before send)
Each subprocessor is bound by a Data Processing Agreement (or equivalent terms in their standard ToS). We remain liable for the acts and omissions of our subprocessors. We do not sell or rent personal information to anyone, ever.
6. Cross-border transfer
The primary database is hosted in Canada (AWS ca-central-1). Some subprocessors (Twilio, Google Maps, Vercel edge, Sentry) operate in the United States. By using the Service, the clinic acknowledges this cross-border transfer and discloses it to patients via the SMS Consent Rider included in the clinic's intake form.
7. How we secure it
- TLS 1.3 in transit; HSTS, CSP, X-Frame-Options, and other security headers on every response
- AES-256-GCM encryption at rest for phone numbers and other identifiers
- Phone-number lookups use HMAC-SHA256 hashes; plaintext is never written to logs
- Postgres Row-Level Security enforcing strict per-clinic isolation
- Patient access via signed JWTs that expire 24 hours after the appointment
- Per-staffer authentication via PIN with a 5-attempt rate limit and 15-minute lockout
- Audit log of every status change, SMS dispatch, and authentication event (24-month retention)
- Twilio webhook signature validation on every inbound request
- Sentry error monitoring with PII scrubbing — phone numbers, names, JWTs, and IPs are redacted before any event leaves the process
Full technical detail is published at /information-practices.
8. How long we keep it
- Appointments + SMS logs: 12 months, then first name and encrypted phone are anonymized; aggregate stats preserved
- Audit log: 24 months
- Aggregate analytics (no individual identifiers): indefinite
- Location data during travel: most-recent-point only (no trail), purged at arrival or 4-hour timeout
- Opt-out list: indefinite (CASL — once a phone replies STOP, the suppression is permanent across our platform)
- On clinic termination: data deleted within 30 days, subject to legal retention requirements and the audit-log retention above
9. Your rights
Under PIPEDA and PHIPA, patients (or their authorized representatives) have the right to access, correct, or request deletion of personal information held about them. Because the clinic is the Health Information Custodian, requests are most efficiently directed to the clinic; we provide reasonable assistance to the clinic to respond.
You can also write to us directly at support@a77inc.com. We acknowledge requests within one (1) business day and respond within thirty (30) days, as required by PIPEDA. To opt out of SMS at any time, reply STOP to any text — Twilio honours this automatically and our platform mirrors the suppression permanently.
10. Children's data
Waiting Room is not directed at patients under 13. The Service is accessed by adult clinic staff and by patients (or their authorized caregivers) of medical specialist clinics. Where a patient is a minor, the SMS recipient is typically a parent or legal guardian, and the clinic is responsible for obtaining the appropriate consent.
11. Cookies and tracking
The web app uses essential first-party cookies for sign-in sessions (clinic side) and for the patient privacy notice acknowledgement. We do not use third-party advertising cookies, behavioural tracking pixels, social-media trackers, or session replay tools on patient-facing surfaces. The patient tracking page contains no third-party analytics.
12. Breach notification
If we confirm a security incident affecting clinic data, we notify the affected clinic in writing within seventy-two (72) hours under our Charter Partner Agreement. We assess against PHIPA's “real risk of significant harm” threshold and assist the clinic with any required notification to the Information and Privacy Commissioner of Ontario, the federal Office of the Privacy Commissioner under PIPEDA, or to affected individuals.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to clinic admin contacts at least thirty (30) days before taking effect. The current version is always available at waitingroom.live/privacy.
14. Contact
Privacy questions, access / correction / deletion requests, and security incident reports: support@a77inc.com.
A77 Inc., 49 Thorncliffe Park Drive, Suite 2004, Toronto, Ontario, Canada.
For unresolved concerns, you may contact the Information and Privacy Commissioner of Ontario (ipc.on.ca) or the federal Office of the Privacy Commissioner of Canada (priv.gc.ca).