Who we are.
TOSC Digital Health Inc. ("TOSC", "we", "us") is a privately-held Canadian company based in British Columbia. We sell consulting services and clinical-software products to healthcare clinics and clinicians, primarily in BC.
For the purposes of PIPA-BC and PIPEDA, our designated Privacy Officer is Himanshu Khetarpal. The Privacy Officer is reachable at privacy@tosc.ca for any privacy question, complaint, or request.
What this policy covers.
This policy covers personal information we collect through this website (tosc.ca), our products (including the Performa form-writer), and our consulting engagements.
It does not cover: third-party websites we link to, or personal information you handle inside your own clinic (including any patient information you choose to paste into Performa — see § 5).
Subscriber information we collect (you).
When you unlock the Performa beta, we collect:
- Your name
- Your email address
- The clinic / organisation you belong to
- Your professional role (physio, OT, family physician, etc.)
Why: to give you access to the beta, send you product updates and substantive notes from our newsletter, and respond to your support requests.
Where: stored in our Notion workspace (Notion is hosted in the United States — see § 7).
For how long: until you ask us to delete it, or until the product is sunset and we no longer need it.
Your consent to this collection is given explicitly when you submit the access form. You can withdraw that consent at any time by emailing privacy@tosc.ca.
Patient identifiers (PHI) — we don't collect these.
When you use Performa to draft a clinical form, your patient's identifiers — name, date of birth, PHN, claim number — are detected and held in your browser only. They are used to fill the local PDF and are never transmitted to our servers.
We have no patient database. There is no row in any TOSC table containing a patient's name.
Important caveat: our PHI scrubber recognises common identifier patterns (Title-Case names, numeric dates in standard formats, PHN-style numbers). It is not perfect. Names with unusual structures (single-syllable, hyphenated, non-Latin), or dates in unusual formats, may not be detected. Performa shows you the scrubbed text before sending — you should review it. If something private isn't redacted, do not proceed.
Patient clinical text — what is sent and where.
After PHI scrubbing, the scrubbed clinical text (your session notes, outcome measures, plan of care — minus the identifiers in § 4) is sent to our drafting model. The drafting model runs on a server we operate ourselves, on infrastructure under our control, located in Canada.
We do not route any text through OpenAI, Anthropic, Google, Microsoft, or any other consumer or commercial AI provider.
Network path note: our website is currently hosted on Vercel, whose edge network includes nodes in the United States. The HTTPS request that carries the scrubbed clinical text is handled by a Vercel US edge node before reaching our Canadian-hosted drafting server. The text is encrypted in transit (HTTPS) on every hop, but because Vercel handles the request on our behalf it can see the scrubbed text while relaying it (see § 7); it does not store it. We disclose this transit because BC OIPC guidance requires it; the actual processing of the text happens in Canada.
Retention: the drafting server does not persist the text after the response is returned. We do log non-PHI metadata (timing, success/failure, model version) for operational reasons, retained 90 days.
Telemetry — opt-in only.
Performa includes an opt-in product-quality signal that tracks structural events (which form, which step, success or failure). You explicitly consent to this when you turn it on. It is off by default.
Telemetry signals never include patient information, clinical text, or your full IP address. We retain only the /24 network prefix of your IP address (e.g. 192.0.2.0 for any address in 192.0.2.0/24) for retry-storm detection. Telemetry rows are kept 90 days.
Sub-processors — who else touches the data.
We use a small number of US-based sub-processors. By using this site you consent to your information being processed by each of the following, with the knowledge that the data physically traverses or is stored in the United States. The US has privacy laws that differ from Canada's, including legal processes (e.g. the CLOUD Act) under which US authorities may request data.
- Vercel (United States) — web hosting and serverless functions. Vercel sees: page requests, IP-derived headers, the scrubbed clinical text in transit (not at rest).
- Notion (United States) — subscriber list, telemetry signals, download events, form requests. Notion sees: subscriber name, email, clinic, role; opt-in telemetry rows; download metadata.
- Google Analytics (United States) — page-view analytics. Google sees: page paths, referrers, IP addresses (which Google states it anonymises). Loaded only after you accept the cookie banner.
Our drafting LLM runs on a Canadian-controlled host (not a US sub-processor).
Cookies and analytics.
Essential cookies (e.g. the email-gate session) are set without consent because the site cannot function without them.
Non-essential analytics (Google Analytics) load only after you give explicit consent through our cookie banner. You can withdraw that consent at any time by clearing the tosc_analytics_consent entry in your browser's local storage.
Your rights.
Under PIPA-BC and PIPEDA, you have the right to:
- Access — ask us what personal information we hold about you (we respond within 30 days, free for reasonable first requests).
- Correct — ask us to correct inaccurate information.
- Delete — ask us to delete your information (subject to legal retention obligations).
- Withdraw consent — at any time.
- Complain — to TOSC's Privacy Officer first; if unresolved, to the BC Office of the Information and Privacy Commissioner (oipc.bc.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca).
To exercise any of these rights, email privacy@tosc.ca.
Breach notification.
If we discover a breach of personal information that creates a real risk of significant harm to you, we will notify you without unreasonable delay. We will also notify the BC OIPC and Office of the Privacy Commissioner of Canada in accordance with PIPA s.34 and PIPEDA s.10.1.
We maintain a written breach response procedure. Records of breaches (significant or not) are kept for 24 months as required under PIPEDA.
Children.
TOSC's services are intended for use by healthcare professionals. We do not knowingly collect personal information from individuals under 16 directly. If a clinician uses Performa to draft a form for a minor patient, that handling is governed by the clinician's own custodianship.
Changes to this policy.
We will update this policy as our practices change. The "Last updated" date at the top reflects the most recent version. Material changes will be announced by email to active subscribers.
How to reach us.
Himanshu Khetarpal
Privacy Officer · TOSC Digital Health Inc.
Email: privacy@tosc.ca
We also welcome general questions at contact@tosc.ca.