Privacy Policy

Effective date: July 1st 2025
Company: Nuvio Software Inc.
Address: 333 Seymour St, Vancouver, BC V6B 5A7, Canada
Contact: info@nuviolife.com

Introduction and scope

  • Nuvio Software Inc. ("NuvioLife", "we", "our", "us") provides software that helps employers and individuals administer and use Health/Medical Spending Accounts and related benefit and payment services.
  • This Privacy Policy explains what personal information we collect, how and why we use it, how we protect it, with whom we share it, and the choices and rights you have.
  • This policy is designed to meet PIPEDA requirements for explicit, informed consent: it explains what we collect; the purposes for collection, use, and disclosure (e.g., identity verification, AML/KYC, account operation, transaction processing, security monitoring, regulatory reporting); how information is stored and protected; with whom it may be shared (including regulators); and how to access or withdraw consent, subject to legal/contractual restrictions.
  • Because NuvioLife supports health-related claims and payments, we include HIPAA provisions for Protected Health Information (PHI) when applicable (e.g., where we act as a business associate) and align data practices with CRA and IRS rules for PHSP/HSA tax compliance. We attempted to locate HIPAA- and IRS-specific guidance in the NuvioLife knowledge base provided by you but did not find relevant results; the HIPAA/IRS portions below reflect generally accepted requirements and industry standards.

What we collect

We collect information directly from you, from your employer/plan sponsor, from your use of the app, and from trusted service providers (e.g., identity verification, payments). Categories include:

  • Account and profile 
    • Name, contact details, credentials, language preferences.
    • Role and authorization within your organization (e.g., view-only, initiator, approver) for account security and operations.
  • Identity and compliance (KYC/AML) 
    • Full legal name, residential address, date of birth, phone number, email, government-issued photo ID (e.g., driver’s license, passport), identity verification results. Where permitted, we may use digital identity verification (biometric/liveness checks).
    • Source-of-funds information to confirm funds relate to the registered business activity and to link activity to the verified business account.
    • In certain cases, beneficial ownership information (>25%) and directors/officers information for corporate clients, as required under FINTRAC regulations.
    • Social Insurance Number (SIN) is generally not required for our services; we will request it only if there is a specific legal basis (e.g., a defined tax reporting requirement) and will explain that basis if requested.
  • Business account details (for company clients) 
    • Legal business name, registration/incorporation details, addresses, licenses, banking details for settlement, and other onboarding information needed to operate and secure accounts.
  • Financial and transactional 
    • Payment instruments, bank details (as needed for disbursements/collections), transaction histories, claim reimbursements, approvals, and audit trails.
  • Health and claims 
    • Expense claims and supporting documents (e.g., invoices/receipts), benefit eligibility, and claim outcomes. We limit collection to the minimum necessary to adjudicate claims, process payments, and meet legal and plan requirements.
  • Device and usage 
    • App activity, device identifiers, IP address, cookies/analytics, and security logs to operate, secure, and improve the service.
  • Communications 
    • Support requests, feedback, survey responses, and communication preferences.

How and why we use personal information

We use information for the following purposes and obtain explicit, informed consent for these uses where required:

  • Account setup and service delivery 
    • Create and manage accounts, verify identity, set and enforce roles/permissions, operate features, process claims and payments, and provide support.
  • Compliance, security, and risk 
    • Know-Your-Customer (KYC), Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF), fraud prevention, security monitoring, audits, incident response, and regulatory reporting (e.g., FINTRAC) and obligations applicable to payment service providers, including the Retail Payment Activities Act (RPAA) and Payments Canada rules.
    • Confirm source of funds and linkage to verified business accounts.
  • HSA/PHSP administration and tax compliance 
    • Administer plans in line with CRA rules for a Private Health Services Plan (PHSP), including maintaining a written plan, reimbursing only eligible medical/dental expenses as defined by the Income Tax Act/CRA guidance, and applying correct tax treatment and records retention.
    • Maintain and, where necessary, share information required for CRA compliance and, where applicable for U.S. participants, IRS-related HSA records and reporting.
  • Legal obligations 
    • Respond to lawful requests, regulatory oversight, dispute resolution, and enforcement of our terms.
  • Service improvement and communications 
    • Improve and personalize the app, analytics, quality assurance, and send service notices and policy updates.

Legal bases and consent

  • We rely on your explicit, informed consent for the collection, use, storage, and disclosure of personal information, except where otherwise permitted or required by law.
  • We document consent via a digital checkbox/signature at signup and when material changes are introduced; consent language explains what we collect, the purposes, safeguards, sharing (including with regulators), and how to access/withdraw consent.
  • You may withdraw consent at any time, subject to legal/contractual restrictions (for example, we may need to retain or continue certain processing for regulatory compliance or to complete transactions already initiated). We will explain the implications of withdrawal.

Disclosures and sharing

We disclose personal information only as needed for the purposes above:

  • Service providers and subprocessors 
    • Identity verification, AML/KYC screening, payment processing, card issuers, cloud hosting, customer support, analytics, and document storage—subject to contracts, confidentiality, and security controls.
  • Financial institutions and networks 
    • Banks, payment networks, and settlement entities to move funds and reconcile transactions; this supports compliance with PSP obligations (e.g., RPAA/Payments Canada).
  • Regulatory and tax authorities (including explicit CRA/IRS audit provisions)
    • We may disclose personal information as necessary to comply with audits, examinations, investigations, filings, and lawful requests by regulatory and tax authorities. For Canadian plans, this includes the Canada Revenue Agency (CRA) in connection with PHSP administration and related tax compliance; for U.S. participants, this may include the Internal Revenue Service (IRS). Such disclosures are limited to the minimum necessary and align with our consent framework and CRA PHSP/HSA compliance context.
    • For CRA/IRS audits, we disclose only the following non-diagnostic data elements: the individual’s name, the amount, the general category of services (e.g., dental, vision, paramedical, prescription), and the provider name. We do not disclose detailed health information (such as diagnoses, clinical notes, treatment details, or other specific medical content) to those agencies in response to audits. If a binding legal obligation requires additional information, we will disclose only what is strictly required and will notify affected parties where permitted by law.
  • FINTRAC, Bank of Canada, and other regulators 
    • As applicable to our payment and compliance operations, we may disclose information required for AML/ATF reporting to FINTRAC and to meet RPAA oversight/operational risk obligations.
  • Employer/plan sponsor 
    • Limited information necessary for plan administration, funding, approvals, audits, and compliance with the written plan; we apply a minimum-necessary standard.
  • Professional advisors and legal 
    • Auditors, legal counsel, insurers, and consultants under confidentiality.
  • Corporate transactions 
    • Business transfers (e.g., merger, acquisition) subject to continuity-of-privacy safeguards.
  • Lawful requests and safety 
    • Law enforcement, courts, or regulators where required by law, or to protect rights, safety, and security.

HIPAA-specific provisions (when applicable)

  • Scope: NuvioLife is not always a HIPAA covered entity. When we act as a business associate to a covered entity or group health plan, we handle PHI in compliance with HIPAA and enter into Business Associate Agreements (BAAs) as required.
  • Permitted uses and disclosures of PHI: Payment and health care operations; administration and adjudication of claims/reimbursements; fraud/abuse prevention; and as required by law. Other uses/disclosures (e.g., most marketing or sale of PHI) require written authorization; you may revoke authorization as permitted by HIPAA. We apply the minimum necessary standard.
  • Individual HIPAA rights: Access and copies of PHI; request amendments; receive an accounting of certain disclosures; request restrictions; request confidential communications.
  • Safeguards and breach notification: Administrative, physical, and technical safeguards; workforce training; access controls; encryption in transit and at rest where feasible; risk assessments; and breach notification without unreasonable delay, consistent with HIPAA standards.
  • Knowledge base note: We attempted to query the NuvioLife knowledge base you provided for HIPAA-specific requirements but it did not return relevant results; this section reflects standard HIPAA obligations and industry practice.

CRA/PHSP and IRS compliance

  • Canadian HSAs administered as PHSPs: We structure and administer plans in line with CRA rules for PHSPs (e.g., written plan, eligible expenses, appropriate tax treatment, and records), and maintain documentation necessary to substantiate claims and tax treatment.
  • CRA/IRS audits: For CRA/IRS audits, disclosure is limited to name, amount, general category of services, and provider, not detailed health information, as described above.
  • Knowledge base note: We attempted to find IRS-specific audit guidance in the provided NuvioLife knowledge base but did not find relevant results; IRS points here reflect standard HSA recordkeeping practices.

Data residency and international transfers

  • We primarily store and process data in Canada. Some service providers or subprocessors may be located outside your province/territory or outside Canada.
  • Where data is transferred across borders (including to the United States), we use contractual, technical, and organizational measures to protect your information. For Quebec residents, we assess cross-border transfers and obtain express consent where required under provincial law (e.g., Law 25), and we are transparent about storage locations in this policy and related documentation.

Retail payment activities and AML/ATF context

  • If we provide or integrate payment services, we implement operational risk management and fund-safeguarding protocols and may be subject to Bank of Canada oversight under the Retail Payment Activities Act (RPAA) and to FINTRAC reporting for AML/ATF compliance. These obligations may require specific processing and disclosures for identity verification, transaction monitoring, and regulatory reporting.

Security safeguards

  • We implement layered administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including: 
    • Access controls, role-based permissions, and least-privilege access
    • Encryption in transit and at rest (where feasible)
    • Network and application security, vulnerability management, and logging
    • Vendor due diligence and confidentiality obligations
    • Workforce privacy/security training
  • We continually improve our security program and perform risk assessments, consistent with PSP operational risk expectations.

Retention

  • We retain personal information only as long as necessary for the purposes described, including: 
    • Contractual and operational needs
    • Regulatory and audit requirements (e.g., AML/ATF, CRA PHSP records) 
    • Dispute resolution and legal compliance
  • For CRA/IRS audit support, we retain only the non-diagnostic data elements described above (name, amount, general category of services, provider) for as long as required by law, then securely delete or anonymize them. Retention necessary for compliance may continue notwithstanding a request to withdraw consent, to the extent permitted by law.

Your privacy choices and rights

  • Access and correction: You can request access to and correction of your personal information. We will respond within a reasonable time, subject to verification and legal/contractual limits.
  • Withdraw consent: You may withdraw consent to our processing, subject to legal/contractual restrictions and reasonable notice. We will explain any implications (e.g., we may be unable to provide services that require certain processing).
  • Preferences: You can update communication and marketing preferences at any time.
  • Appeals and complaints: If you are not satisfied, contact us using the details below. You may also contact the Office of the Privacy Commissioner of Canada or your provincial/territorial privacy regulator.

Cookies and tracking technologies

  • We use cookies and similar technologies to: 
    • Operate core site/app features
    • Remember preferences and improve usability
    • Perform analytics and measure performance
  • You can manage cookies via your browser/device settings. Disabling some cookies may affect functionality.

Children’s privacy

  • Our services are intended for employers and adult individuals. We do not knowingly collect personal information from children under 16 without appropriate parental/guardian consent.

Third-party links

  • Our services may link to third-party websites or services. Their privacy practices are governed by their own policies; we encourage you to review them.

Changes to this policy

  • We may update this policy to reflect changes to our practices or legal requirements. We will post the updated policy with a new effective date and, where required, request renewed consent.

How to contact us

  • Privacy Officer, Nuvio Software Inc.
  • Address: 333 Seymour St, Vancouver, BC V6B 5A7, Canada
  • Email: info@nuviolife.com
