Privacy policy
Effective July 1, 2025
This Privacy Policy explains how Nuvio Software Inc. (operating as NuvioLife) collects, uses, protects, and shares personal information across our group benefits platform — including HSA, LSA, PSA, WFH, and FIN wallets — and the rights and choices you have. It is written to meet PIPEDA requirements and includes HIPAA, CRA/PHSP, and IRS provisions where applicable.
Introduction and scope
Nuvio Software Inc. (NuvioLife) provides software for administering health and medical spending accounts and related benefits. This policy explains what personal information we collect, how we use, protect, and share it, and the rights and choices you have when you use https://nuviolife.com or the NuvioLife app.
The policy meets PIPEDA requirements, including explicit informed consent that details what is collected and the purposes for collection and disclosure — identity verification, AML/KYC, account operation, transaction processing, security monitoring, and regulatory reporting — together with how information is stored and protected, who it is shared with (including regulators), and how you can access it or withdraw consent.
Because NuvioLife supports health-related claims and payments, we include HIPAA provisions for Protected Health Information (PHI) when applicable (for example, where we act as a business associate), and we align with CRA and IRS rules for PHSP and HSA tax compliance.
What we collect
Information comes from you directly, your employer or plan sponsor, your use of the app, and trusted service providers.
Account and profile
- Name, contact details, credentials, and language preferences
- Role and authorization within your organization for security and operations
Identity and compliance (KYC/AML)
- Full legal name, residential address, date of birth, phone, email, government-issued photo ID, and verification results
- Digital identity verification (biometric/liveness checks) where permitted
- Source-of-funds information confirming funds relate to registered business activity
- Beneficial ownership information (greater than 25%) and directors/officers data for corporate clients under FINTRAC regulations
- Social Insurance Number (SIN) is generally not required; we will request it only where there is a specific legal basis
Business account details (company clients)
- Legal business name, registration and incorporation details, addresses, licenses, banking details for settlement, and onboarding information
Financial and transactional
- Payment instruments, bank details, transaction histories, claim reimbursements, approvals, and audit trails
Health and claims
- Expense claims and supporting documents (e.g. invoices and receipts), benefit eligibility, and claim outcomes — limited to the minimum necessary to adjudicate claims
Device and usage
- App activity, device identifiers, IP address, cookies and analytics, and security logs
Communications
- Support requests, feedback, survey responses, and communication preferences

How and why we use personal information
Account setup and service delivery
- Create and manage accounts, verify identity, set roles and permissions, operate features, process claims and payments, and provide support
Compliance, security, and risk
- KYC, AML/ATF, fraud prevention, security monitoring, audits, incident response, and regulatory reporting (FINTRAC)
- Payment service provider obligations including the Retail Payment Activities Act (RPAA) and Payments Canada rules
- Confirm source of funds and linkage to verified business accounts
HSA/PHSP administration and tax compliance
- Administer plans in line with CRA rules for a Private Health Services Plan (PHSP), including maintaining a written plan and reimbursing only eligible medical/dental expenses as defined by the Income Tax Act and CRA guidance
- Maintain and share information for CRA compliance and, for U.S. participants, IRS HSA records and reporting
Legal obligations
- Respond to lawful requests, regulatory oversight, dispute resolution, and enforce our terms
Service improvement and communications
- Improve and personalize the app, perform analytics and quality assurance, and send service notices and policy updates
Legal bases and consent
We rely on your explicit, informed consent for the collection, use, storage, and disclosure of personal information, except where otherwise permitted or required by law.
Consent is documented via digital checkbox or signature at signup and when material changes occur. Consent language explains collection, purposes, safeguards, sharing (including with regulators), and access and withdrawal procedures.
You may withdraw consent at any time, subject to legal or contractual restrictions — for example, we may need to retain or continue certain processing for regulatory compliance or to complete transactions already initiated.
Disclosures and sharing
We disclose personal information only as needed.
Service providers and subprocessors
- Identity verification, AML/KYC screening, payment processing, card issuers, cloud hosting, customer support, analytics, and document storage — subject to contracts, confidentiality, and security controls
Financial institutions and networks
- Banks, payment networks, and settlement entities for fund movement and transaction reconciliation, in support of PSP obligations (RPAA / Payments Canada)
Regulatory and tax authorities
- We may disclose personal information as necessary to comply with audits, examinations, investigations, filings, and lawful requests by regulatory and tax authorities
- For Canadian plans: Canada Revenue Agency (CRA) for PHSP administration and tax compliance
- For U.S. participants: Internal Revenue Service (IRS) for HSA matters
- For CRA/IRS audits, we disclose only non-diagnostic data elements: the individual's name, the amount, the general category of services (e.g. dental, vision, paramedical, prescription), and the provider name. We do not disclose detailed health information — diagnoses, clinical notes, treatment details, or other specific medical content — to those agencies in response to audits
FINTRAC, Bank of Canada, and other regulators
- Information required for AML/ATF reporting to FINTRAC and RPAA oversight or operational risk obligations
Employer or plan sponsor
- Limited information necessary for plan administration, funding, approvals, audits, and compliance — applied with the minimum-necessary standard
Professional advisors and legal
- Auditors, legal counsel, insurers, and consultants under confidentiality
Corporate transactions
- Business transfers (merger, acquisition) subject to continuity-of-privacy safeguards
Lawful requests and safety
- Law enforcement, courts, and regulators where required by law, or to protect rights, safety, and security
HIPAA-specific provisions (when applicable)
NuvioLife is not always a HIPAA covered entity. When we act as a business associate to a covered entity or group health plan, we handle Protected Health Information (PHI) in compliance with HIPAA and enter into Business Associate Agreements (BAAs) as required.
Permitted uses and disclosures of PHI
- Payment and health care operations; claims administration and adjudication; fraud and abuse prevention; as required by law
- Other uses (marketing, sale of PHI) require written authorization, which may be revoked per HIPAA
- Minimum necessary standard applies
Individual HIPAA rights
- Access and copies of PHI; request amendments; receive an accounting of certain disclosures; request restrictions; request confidential communications
Safeguards and breach notification
- Administrative, physical, and technical safeguards; workforce training; access controls; encryption in transit and at rest where feasible; risk assessments; and breach notification without unreasonable delay
CRA/PHSP and IRS compliance
Canadian HSAs as PHSPs
- We structure and administer plans in line with CRA rules for PHSPs — including a written plan, eligible expenses, appropriate tax treatment, and records
CRA/IRS audits
- Disclosure is limited to name, amount, general category of services, and provider — not detailed health information, as described above
Data residency and international transfers
We primarily store and process data in Canada. Some service providers or subprocessors may be located outside your province or territory, or outside Canada.
Cross-border transfers use contractual, technical, and organizational protections. For Quebec residents, transfers are assessed and express consent obtained where required under Law 25, with transparency about storage locations.
Retail payment activities and AML/ATF context
Where we provide or integrate payment services, we implement operational risk management and fund-safeguarding protocols, and may be subject to Bank of Canada oversight under the Retail Payment Activities Act (RPAA) and to FINTRAC reporting for AML/ATF compliance.
Security safeguards
We apply layered administrative, technical, and physical safeguards appropriate to the sensitivity of the information.
- Access controls, role-based permissions, and least-privilege access
- Encryption in transit and at rest where feasible
- Network and application security, vulnerability management, and logging
- Vendor due diligence and confidentiality obligations
- Workforce privacy and security training
- Continuous security improvement and risk assessments
Retention
We retain personal information only as long as necessary for the purposes described, including contractual and operational needs, regulatory and audit requirements (e.g. AML/ATF, CRA PHSP records), and dispute resolution and legal compliance.
For CRA/IRS audit support, we retain only the non-diagnostic data elements described above (name, amount, general category of services, provider) for as long as required by law, then securely delete or anonymize them.
Your privacy choices and rights
Access and correction
- Request access to and correction of your personal information within a reasonable time, subject to verification and legal or contractual limits
Withdraw consent
- You may withdraw consent to our processing, subject to legal or contractual restrictions and reasonable notice
Preferences
- Update communication and marketing preferences anytime
Appeals and complaints
- Contact us using the details below. You may also contact the Office of the Privacy Commissioner of Canada or your provincial or territorial privacy regulator
Cookies and tracking technologies
We use cookies and similar technologies to operate core site and app features, remember preferences and improve usability, and perform analytics and measure performance. You can manage cookies through your browser and device settings; disabling some may affect functionality.
Children's privacy
Our services are intended for employers and adult individuals. We do not knowingly collect personal information from children under 16 without appropriate parental or guardian consent.
Third-party links
Our services may link to third-party websites or services governed by their own privacy policies. Please review them.
Changes to this policy
We may update this policy to reflect changes in our practices or in legal requirements. The updated policy is posted with a new effective date, and renewed consent is requested where required.
How to contact us
Privacy Officer, Nuvio Software Inc.
333 Seymour St, Vancouver, BC V6B 5A7, Canada
Email: info@nuviolife.com
Reach our Privacy Officer
Email info@nuviolife.com to access, correct, or withdraw consent for your personal information.