Legal

Privacy Policy
for Auditra.

We are a compliance company. That means we hold ourselves to the same standard we help our clients meet. This policy explains exactly what data we collect, why, and how it is protected.

Effective: January 1, 2026
Last updated: March 1, 2026
Jurisdiction: Ontario, Canada
Governed by PIPEDA & PHIPA

01

Who We Are

Infortex Inc. ("Infortex", "we", "us", "our") is an Ontario corporation operating the Auditra platform — a PHIPA compliance management tool for Ontario clinics and organizations handling patient data.

Our registered address and privacy contact details are listed in Section 15 of this policy. Infortex is the data controller for all personal information collected through this website and the Auditra platform.

Infortex is not a law firm and does not provide legal advice. This Privacy Policy does not create a solicitor-client relationship. For formal PHIPA or PIPEDA legal advice, please consult a qualified privacy lawyer.

02

Scope of This Policy

This Privacy Policy applies to:

  • Visitors to infortex.ca and all related subdomains
  • Users of the Auditra platform (web application)
  • Individuals who complete the PHIPA Gap Assessment tool
  • Anyone who submits a contact, demo request, or enquiry form
  • Subscribers to Auditra email communications

This policy does not apply to the personal health information (PHI) of patients that clinic clients manage within the Auditra platform. That data is governed by our Data Processing Agreement with each clinic subscriber and by PHIPA. See Section 7 for details.

03

Data We Collect

We collect only the information necessary to provide and improve Auditra. We do not collect data speculatively.

Category | Examples | Source | Required?
Account Information | Name, email address, clinic name, role | You, on signup | Required
Assessment Data | Gap assessment answers, scores, risk bands | You, via assessment tool | Optional
Contact & Enquiry | Name, email, clinic, message content | You, via contact form | Optional
Billing Information | Name, billing address, last 4 digits of card | Stripe (payment processor) | Required for paid plans
Usage & Analytics | Pages visited, features used, session duration | Automatically, via platform | Functional
Technical Data | IP address, browser type, device type | Automatically, on visit | Functional

We do not collect sensitive personal information such as financial account numbers, Social Insurance Numbers, biometric data, or health information about our subscribers (as distinct from the PHI their clinics manage — see Section 7).

04

How We Use Your Information

We use the information collected for the following purposes:

  • To provide and operate the Auditra platform — account management, compliance tracking, document storage, and reporting features
  • To process and respond to enquiries — contact form submissions, demo requests, and support requests
  • To deliver assessment results — sending your PHIPA Gap Assessment report to the email address you provide
  • To process payments — billing management via our payment processor (Stripe)
  • To send service communications — account notices, compliance reminders, and subscription updates. These are not marketing emails and cannot be fully opted out of while you maintain an active subscription
  • To improve the platform — aggregated, anonymized usage analytics to understand how features are used
  • To comply with legal obligations — including responding to lawful requests from regulatory authorities

We do not sell your personal information to third parties. We do not use your data for automated profiling or decision-making that produces legal effects.

05

Legal Basis for Processing

Infortex operates under PIPEDA (Personal Information Protection and Electronic Documents Act) as the primary federal privacy framework governing commercial activity in Canada. Where applicable, we also adhere to Ontario's PHIPA in our role as a service provider to health information custodians.

Our legal bases for processing personal information are:

  • Consent — for marketing communications, assessment result emails, and cookies
  • Contractual necessity — to fulfil our obligations under your Auditra subscription agreement
  • Legitimate interests — for platform security, fraud prevention, and service improvement, where not overridden by your privacy interests
  • Legal obligation — where required by applicable Canadian law

06

Data Storage & Residency

All Auditra platform data — including subscriber information, compliance records, and uploaded documents — is stored exclusively on Microsoft Azure Canada Central servers located in Toronto, Ontario.

Data never leaves Canada. We have deliberately architected Auditra on Canadian infrastructure to ensure our clinic clients can meet their own PHIPA data residency obligations. No personal data processed through Auditra is transferred to servers outside of Canada.

Specific technical safeguards include:

  • AES-256 encryption at rest via Azure SQL Transparent Data Encryption
  • TLS 1.2+ encryption in transit for all data transfers
  • Row-level database security preventing cross-tenant data access
  • Tamper-evident audit logs using Azure SQL Ledger
  • Policy documents stored in private Azure Blob containers with time-limited signed URLs
  • Zero credentials stored in application code — all secrets managed via Azure Key Vault

07

Patient Health Information (PHI)

Auditra is a compliance management tool. Clinic subscribers do not upload, store, or transmit patient health records through Auditra. The platform manages compliance documentation (policies, staff records, audit logs, breach reports) — not patient charts or medical records.

To the extent that any incidental PHI (such as a staff member's name appearing in a breach incident report) is processed through the platform, Infortex acts as an agent of the health information custodian (the subscribing clinic) as defined under PHIPA s.17.

Clinic operators: By subscribing to Auditra, you confirm that your use of the platform complies with your obligations as a health information custodian under PHIPA. A Data Processing Agreement governing this relationship is available upon request and is included with Enterprise plan subscriptions.

08

Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • Service providers — Microsoft Azure (hosting and storage), Stripe (payment processing). All vendors have executed data processing agreements and are contractually bound to process data only as instructed
  • Legal requirements — where required by a court order, warrant, or lawful demand from a Canadian regulatory authority. We will notify you of any such request unless prohibited by law
  • Business transfers — in the event of a merger, acquisition, or sale of assets, subscriber data would transfer to the successor entity subject to the same privacy obligations
  • With your consent — for any other purpose, only with your explicit prior consent

We do not share data with advertising networks, data brokers, or analytics companies that build individual profiles.

09

Data Retention

Data Type | Retention Period | Reason
Active subscriber account data | Duration of subscription + 90 days | Service provision, wind-down period
Compliance records (policies, logs) | 7 years from creation | PHIPA record-keeping obligations
Billing records | 7 years from transaction | CRA tax and audit requirements
Gap assessment results | 24 months | Service improvement, re-engagement
Contact form submissions | 24 months | Customer service record
Server access logs | 90 days | Security monitoring
Anonymized analytics | Indefinite | Product improvement (no personal data)

Upon account cancellation, you may request complete deletion of your data within the 90-day wind-down period. Compliance records subject to legal retention requirements will be retained for their mandatory period before deletion.

10

Your Privacy Rights

Under PIPEDA and applicable provincial privacy legislation, you have the following rights regarding your personal information:

  • Right of access — request a copy of the personal information we hold about you
  • Right to correction — request correction of inaccurate or incomplete information
  • Right to withdraw consent — withdraw consent for non-essential processing (such as marketing emails) at any time
  • Right to deletion — request deletion of your personal information, subject to legal retention requirements
  • Right to data portability — receive your compliance data in a portable format (PDF or CSV) within 48 hours of request
  • Right to complain — lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe your rights have been violated

To exercise any of these rights, contact our Privacy Officer using the details in Section 15. We will respond within 30 days as required by PIPEDA.

11

Cookies & Tracking

This website uses a minimal number of cookies necessary for basic functionality. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics that build individual profiles.

Cookie | Purpose | Duration | Type
session_id | Maintains your authenticated session in the platform | Session | Essential
csrf_token | Security token preventing cross-site request forgery | Session | Essential
preferences | Stores UI preferences (dark mode, language) | 1 year | Functional

You may disable cookies in your browser settings. Disabling essential cookies will prevent you from logging into the Auditra platform. The public website and Gap Assessment tool function without cookies enabled.

12

Security Measures

We implement technical, organizational, and administrative safeguards appropriate to the sensitivity of the information we process. Key measures include:

  • All staff complete annual privacy and security training
  • Access to production systems is restricted on a least-privilege basis
  • Multi-factor authentication required for all internal system access
  • Regular third-party security assessments
  • Documented Breach Response Policy with IPC notification procedures
  • All vendor agreements include security and confidentiality requirements

Reporting a security concern: If you discover a potential vulnerability in the Auditra platform, please contact us immediately at the address in Section 15. We commit to acknowledging all security reports within 24 hours.

13

Children's Privacy

Auditra is a professional compliance platform intended for use by healthcare organizations and their staff. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has submitted information through our platform, please contact us immediately and we will delete it promptly.

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all active subscribers at least 30 days before the change takes effect
  • Display a notice within the Auditra platform dashboard

Continued use of the platform after the effective date of any change constitutes acceptance of the revised policy. Previous versions of this policy are available upon request.

15

Contact Our Privacy Officer

For any privacy-related questions, access requests, complaints, or to exercise your rights under PIPEDA, please contact our designated Privacy Officer:

Infortex Inc. — Privacy Officer
Company Infortex Inc.
Email
Address Ontario, Canada
Response Within 30 days as required by PIPEDA

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376  |  Website: priv.gc.ca