1. Introduction
ONHealth Alliance, Inc. (“ONRx”, “we”, “our”, or “us”) is committed to protecting your privacy and safeguarding your Personal Health Information (“PHI”) and personal information. This Privacy Policy describes how we collect, use, disclose, retain, and protect your information when you use our virtual healthcare platform and related services (the “Services”).
We comply with Ontario’s Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (“PHIPA”) and the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), as well as all applicable provincial and federal privacy legislation.
By using the Services, you consent to the practices described in this Privacy Policy. Please read it carefully. If you do not agree with our practices, please do not use the Services.
2. Key Definitions
- “Personal Health Information” (“PHI”) means information about an identifiable individual that relates to their physical or mental health, the provision of healthcare, a plan of service for long-term care, payments or eligibility for healthcare, donation of body parts or bodily substances, the individual’s health number, or the identification of a healthcare provider, as defined in PHIPA s. 4.
- “Personal Information” means information about an identifiable individual, as defined under PIPEDA, that is not PHI. This includes account information, payment details, and website usage data.
- “Health Information Custodian” (“HIC”) means a person or organization described in PHIPA s. 3(1) who has custody or control of PHI as a result of or in connection with their powers, duties, or work.
3. Our Role and Responsibilities
ONRx operates as a technology platform that facilitates virtual healthcare delivery. Healthcare Providers who deliver clinical services through our Platform are independent Health Information Custodians under PHIPA and are individually responsible for the PHI they collect, use, and disclose in the course of providing care.
ONRx acts as an agent of the Health Information Custodian (the Healthcare Provider) for the purposes of PHIPA, processing PHI on behalf of and under the authority of the Healthcare Provider. We also collect and process personal information in our own capacity for account management, billing, and platform operations.
Our designated Privacy Officer is responsible for overseeing our compliance with this Privacy Policy and applicable privacy laws. The Privacy Officer can be reached at privacy@onrx.ca.
4. Information We Collect
4.1 Personal Health Information (PHI)
When you use our clinical Services, the following PHI may be collected by or on behalf of your Healthcare Provider:
- Medical history, symptoms, and health concerns
- Diagnoses, treatment plans, and clinical notes
- Medications, prescriptions, and allergies
- Lab results, diagnostic information, and referral records
- Ontario Health Insurance Plan (OHIP) number or other health card number
- Consultation recordings or notes (where applicable and with consent)
4.2 Personal Information
We collect the following personal information for account management, billing, and service delivery:
- Full legal name, date of birth, and gender
- Contact information (email address, phone number, mailing address)
- Payment and billing information (processed through PCI-compliant third-party processors — we do not store full credit card numbers)
- Emergency contact details
- Account credentials (passwords are stored in hashed form only)
- Communication preferences
4.3 Technical and Usage Information
When you visit our website or use the Platform, we may automatically collect:
- IP address and approximate geographic location
- Browser type and version, operating system, and device type
- Pages visited, time spent, and navigation patterns
- Referral source (how you arrived at our website)
- Session and cookie identifiers
This information is collected through cookies and similar technologies as described in our Cookie Policy. Analytics data is only collected with your consent.
5. How We Use Your Information
We use your information only for the purposes identified at or before the time of collection, or for purposes that a reasonable person would consider appropriate in the circumstances. Specifically:
5.1 PHI — Used for:
- Providing virtual healthcare services, including consultations, diagnoses, and treatment
- Processing prescriptions and referrals
- Communicating with you about your care (appointment reminders, follow-ups)
- Maintaining your health record on the Platform
- Billing OHIP or processing payments for services rendered
- Complying with legal and regulatory obligations
- Quality assurance, risk management, and error management (as permitted under PHIPA s. 36(1)(e))
5.2 Personal Information — Used for:
- Account creation, authentication, and management
- Processing payments and issuing receipts
- Responding to inquiries and providing customer support
- Sending service-related communications
- Improving and optimizing the Platform
- Detecting, preventing, and addressing fraud or security issues
- Complying with legal obligations
6. Consent
We rely on the following types of consent:
- Express consent — For the collection, use, and disclosure of your PHI for healthcare purposes, we obtain your express consent at the time of registration or before your first Consultation. You will be asked to acknowledge and consent to the collection and use of your PHI.
- Implied consent — Under PHIPA, where you present for care through the Platform and provide your health information to a Healthcare Provider, your consent to the collection, use, and disclosure of that information within the Healthcare Provider’s “circle of care” may be implied, unless you expressly withhold or withdraw consent.
- Consent for analytics — We obtain your express, opt-in consent before placing analytics cookies or collecting website usage data. You may accept or decline analytics cookies through our cookie consent banner.
Withdrawing Consent
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, contact our Privacy Officer at privacy@onrx.ca. Please note that withdrawing consent may affect our ability to provide certain Services. Withdrawal of consent does not affect the legality of information processing that occurred before the withdrawal.
7. Disclosure of Information
We may disclose your information in the following circumstances:
- Circle of care. Your PHI may be shared among Healthcare Providers involved in your care through the Platform, including referring physicians, specialists, and pharmacists, in accordance with PHIPA’s circle-of-care provisions.
- Pharmacies. Prescription information may be transmitted to your selected pharmacy or a pharmacy partner for dispensing purposes.
- Service providers. We engage third-party service providers who process information on our behalf (e.g., cloud hosting, payment processing, email delivery). These providers are contractually bound to protect your information and may only use it for the purposes we specify.
- Legal requirements. We may disclose information as required by law, including in response to a court order, subpoena, or request from a regulatory body, or where disclosure is necessary to comply with applicable laws (e.g., mandatory reporting obligations under the Child, Youth and Family Services Act).
- Health and safety. We may disclose PHI without consent where necessary to eliminate or reduce a significant risk of serious bodily harm to you or another person, in accordance with PHIPA s. 40(1).
- Business transactions. In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor organization, subject to applicable privacy laws and with appropriate notice to you.
We do not sell, rent, or trade your Personal Health Information or personal information to third parties for marketing or advertising purposes.
8. Data Storage and Security
We implement administrative, technical, and physical safeguards to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256)
- Secure cloud infrastructure hosted in Canadian data centres (AWS Canada Region)
- Role-based access controls limiting access to authorized personnel only
- Multi-factor authentication for administrative access
- Regular security assessments and vulnerability testing
- Employee privacy and security training
- Audit logging of access to health records
Data Location
Your Personal Health Information is stored on servers located in Canada (AWS Canada — Central Region, Montreal). We do not transfer PHI outside of Canada. Non-PHI personal information and technical data may be processed by third-party service providers with servers in Canada or the United States; where such transfers occur, we ensure contractual safeguards are in place that provide a comparable level of protection.
9. Data Retention
We retain your information for the following periods:
- Health records: A minimum of ten (10) years from the date of the last entry, or ten (10) years after the patient reaches the age of eighteen (18) for minors, in accordance with the regulations under the Medicine Act, 1991 (O. Reg. 114/94, s. 19) and applicable College standards. Longer retention may apply if required by law or professional obligations.
- Account and billing information: For the duration of your account and for seven (7) years after account closure for tax and audit purposes.
- Analytics and usage data: Aggregated and anonymized data may be retained indefinitely. Identifiable usage data is retained for a maximum of twenty-six (26) months.
When information is no longer required, it is securely destroyed or de-identified in accordance with our data retention and destruction procedures.
10. Your Rights
Under PHIPA and PIPEDA, you have the following rights:
- Access. You have the right to request access to your PHI and personal information held by us. We will respond to your request within thirty (30) days, as required by PHIPA s. 54(3).
- Correction. You have the right to request a correction of any inaccurate or incomplete PHI or personal information. If we disagree with the correction, we will attach a statement of disagreement to the record.
- Information about practices. You have the right to be informed about our information practices, including what information we hold, how it is used, and to whom it has been disclosed.
- Withdraw consent. You have the right to withdraw your consent to the collection, use, or disclosure of your information, subject to legal or contractual restrictions.
- Complaint. You have the right to file a complaint about our privacy practices with our Privacy Officer or with the Information and Privacy Commissioner of Ontario (IPC).
How to Exercise Your Rights
To make an access request, correction request, or exercise any of your rights, contact our Privacy Officer in writing:
Privacy Officer, ONHealth Alliance, Inc.
Email: privacy@onrx.ca
Mail: Unit 163, Bldg 400, 1720 Howard Ave, Windsor, ON N8X 5A6, Canada
We may require you to verify your identity before processing your request. A reasonable fee may be charged for access requests that require extensive search or retrieval efforts, in accordance with PHIPA s. 54(11).
11. Privacy Breach Notification
In the event of a theft, loss, or unauthorized access to, use, or disclosure of PHI (a “privacy breach”), we will:
- Take immediate steps to contain the breach and mitigate harm
- Notify the affected Healthcare Provider(s) who are the Health Information Custodians
- Notify you at the first reasonable opportunity, as required by PHIPA s. 12(2)
- Report the breach to the Information and Privacy Commissioner of Ontario (IPC), as required
- Document the breach, including the circumstances, the information involved, and the steps taken in response
For breaches of personal information (non-PHI), we comply with PIPEDA’s breach notification requirements, including reporting to the Office of the Privacy Commissioner of Canada where the breach creates a real risk of significant harm.
12. Children’s Privacy
We provide pediatric virtual healthcare services. The PHI of minor patients (under 18) is collected and managed with the consent of a parent or legal guardian who has registered the minor’s account. Parents and legal guardians have the right to access and manage their child’s health information, subject to the child’s evolving capacity to consent to their own care as recognized under Ontario law.
We do not knowingly collect personal information from children under 16 without parental consent. If we learn that we have collected information from a child under 16 without appropriate consent, we will take steps to delete it promptly.
13. Third-Party Links and Services
Our Platform may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing your information. Third-party services used by the Platform include, but are not limited to:
- Payment processors (PCI DSS compliant)
- Email and SMS communication providers
- Cloud hosting (Amazon Web Services — Canada Region)
- Analytics (Google Analytics — with consent only; see our Cookie Policy)
14. Complaints
If you have a concern about our privacy practices, please contact our Privacy Officer first. We will investigate and respond to your complaint within thirty (30) days.
If you are not satisfied with our response, you have the right to file a complaint with:
- Information and Privacy Commissioner of Ontario (IPC)
For complaints about the handling of PHI under PHIPA.
Website: www.ipc.on.ca
Phone: 1-800-387-0073
- Office of the Privacy Commissioner of Canada (OPC)
For complaints about the handling of personal information under PIPEDA.
Website: www.priv.gc.ca
Phone: 1-800-282-1376
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services. Material changes will be communicated by posting the updated policy on this page with a revised “Last updated” date and, where practicable, by notifying you via email or through the Platform. We encourage you to review this Privacy Policy periodically.