1. Purpose of This Statement
This PHIPA Statement explains how OpusCall Inc. ("OpusCall," "we," "us," or "our") supports Ontario healthcare clinics in meeting their obligations under the Personal Health Information Protection Act, 2004 (PHIPA).
This Statement applies to clinics and healthcare providers in Ontario that use OpusCall to handle patient calls, bookings, and related communications. It is intended to give clinic owners, privacy officers, and compliance teams a clear understanding of how OpusCall handles personal health information ("PHI") on their behalf.
2. Roles Under PHIPA
Under PHIPA, the clinic is the health information custodian and OpusCall is the clinic's agent for the purposes of handling PHI through the Services.
This means:
- The clinic determines what PHI is collected, why, and how it is used
- The clinic remains legally responsible for the PHI as the custodian
- OpusCall processes PHI only on the clinic's instructions and only as needed to deliver the Services
- OpusCall does not use PHI for any purpose outside of providing the Services to the clinic
OpusCall does not act as a custodian. Patients and members of the public should direct PHIPA-related requests (access, correction, complaints) to the clinic that holds their record.
3. What PHI OpusCall Processes
When a patient calls a clinic that uses OpusCall, the AI receptionist may process:
- The caller's name and phone number
- The reason for the call
- Appointment preferences and booking details
- Insurance and coverage information (if provided by the caller)
- Any other personal or health-related information voluntarily shared during the call
- Audio recordings and transcripts of the conversation
- Call metadata (date, time, duration, outcome)
This information is processed under the clinic's instructions and stored on the clinic's account.
4. How OpusCall Protects PHI
OpusCall applies the following safeguards to PHI:
- Data Residency: All PHI is stored in Canada, on infrastructure hosted in AWS Canada Central (ca-central-1), Supabase (Canadian region), and Twilio Canada. PHI does not leave Canada in the normal course of operations.
- Encryption: All calls are encrypted in transit. All recordings, transcripts, and stored data are encrypted at rest.
- Access Controls: OpusCall uses role-based access controls and passwordless authentication (magic-link email and Google SSO). Only authorized personnel and systems can access PHI, and only when necessary to operate the Services.
- No Training on PHI: OpusCall does not use PHI, patient data, or clinic data to train AI models. AI providers (such as OpenAI and Google) are configured with enterprise data protection settings that prevent retention or use of PHI for model training.
- Retention: Call recordings and transcripts are retained for 30 days, then automatically deleted unless the clinic exports them. Other data is retained as described in our Privacy Policy.
- Audit Logs: Sensitive actions (such as data exports and account changes) are logged and reviewed.
5. Limits on Use and Disclosure
OpusCall will only use or disclose PHI:
- To deliver the Services to the clinic
- As directed by the clinic
- To comply with applicable law (including a court order, subpoena, or lawful government request)
- To prevent fraud, abuse, or imminent harm
OpusCall does not sell, rent, or share PHI for marketing or advertising purposes.
6. Sub-Processors
OpusCall uses a limited number of trusted third parties to operate the Services. Each sub-processor is contractually bound to protect PHI and use it only as authorized.
Current sub-processors are listed in our Privacy Policy. They include AWS Canada, Supabase, Twilio Canada, OpenAI, Google, and Stripe.
We will provide reasonable notice to clinic customers before adding new sub-processors that materially affect the handling of PHI.
7. Breach Notification
OpusCall takes privacy breaches seriously. If we confirm a breach of security safeguards that has resulted in, or is reasonably believed to have resulted in, the unauthorized access, use, disclosure, loss, or theft of PHI, we will:
- Notify the affected clinic within 24 hours of confirming the breach
- Provide the clinic with all information reasonably required to assess the breach and meet its PHIPA obligations
- Cooperate with the clinic's investigation and response
- Take reasonable steps to contain and remediate the breach
The clinic, as the health information custodian, is responsible for notifying affected patients and the Information and Privacy Commissioner of Ontario (IPC) where required under PHIPA.
8. Patient Rights
Patients have rights under PHIPA, including:
- The right to access their PHI
- The right to request corrections
- The right to file a complaint with the IPC
Because the clinic is the health information custodian, patients should direct these requests to the clinic, not to OpusCall. OpusCall will support clinics in responding to patient requests by providing access to relevant data on their account.
9. Clinic Responsibilities Under PHIPA
While OpusCall provides tools and safeguards to support PHIPA compliance, the clinic remains responsible for:
- Acting as the health information custodian
- Obtaining valid consent from patients for the collection, use, and disclosure of their PHI
- Posting required notices (such as call recording disclosures) where applicable
- Reviewing call recordings and transcripts for accuracy
- Maintaining accurate configuration data (hours, services, pricing, policies)
- Notifying patients and the IPC of any privacy breaches as required under PHIPA
- Complying with all other obligations under PHIPA and related Ontario healthcare regulations
OpusCall provides infrastructure and tooling to support compliance, but final compliance responsibility rests with the clinic.
10. Contact
For questions about this PHIPA Statement or how OpusCall handles PHI:
- OpusCall Inc. — Privacy Officer
- Richmond Hill, Ontario, Canada
- Email: hello@opuscall.ai
If you are a patient with a PHIPA-related question or request, please contact the clinic that holds your record. The clinic is the health information custodian and is responsible for responding to your request.
You may also contact the Information and Privacy Commissioner of Ontario (IPC) at ipc.on.ca or 1-800-387-0073.
11. Disclaimer
This PHIPA Statement describes our practices in good faith and is not a substitute for legal advice. OpusCall is designed to support clinics in meeting their PHIPA obligations, but final compliance responsibility rests with the clinic as the health information custodian. Clinics are encouraged to consult with their own legal and privacy advisors regarding their specific obligations.
See also our Privacy Policy and Terms of Service.