#1. Who this applies to
This Privacy Policy describes how Kinevie ("we", "our", "us") handles personal information when you use:
- The Kinevie marketing website at www.kinevieapp.com and any subdomain we operate.
- The patient portal — including the public clinic directory, online booking, the Knowledge Hub, and the authenticated portal where you manage appointments, intake, invoices, and saved articles.
- The clinic operating system used by therapists, receptionists, and clinic administrators at clinics that subscribe to Kinevie.
- Any communications you send us (email, support tickets, contact forms).
If you book or receive care from a clinic that uses Kinevie, the clinic is the custodian of your health information. They decide the purposes for which your health information is collected and how it is used. Kinevie processes that information on the clinic's behalf under a written agreement.
#2. Information we collect
We collect only what is necessary for the services to function:
Account & identity
- Name, email, password (stored as a salted hash — never in plain text).
- Phone number and address (when you provide them for bookings, invoicing, or insurance).
- Date of birth (required for clinical safety on bookings; mandated by most provincial regulators).
- Health card number and province (only when a clinic requires it for direct billing).
- Emergency contact and family-doctor referral details (optional, patient-controlled).
Health-related information (clinics only)
- Intake forms, consent records, treatment notes, body charts, and treatment plans entered by therapists.
- Booking history, session outcomes, and clinical communications between you and your therapist.
- Insurance provider, member ID, and claim references (where applicable).
Usage & technical
- Pages viewed, links clicked, and feature usage — aggregated for product improvement.
- IP address, browser type, device type, language — kept only as long as needed to operate the service and prevent abuse.
- Cookies and similar technologies — see our Cookie Notice for the full list.
Payment information
Kinevie does not store full credit-card numbers on our servers. When a clinic uses our payment integrations, card data is tokenized by a PCI-DSS Level 1 certified payment processor and only the resulting token, last four digits, and brand are retained for reconciliation.
#3. How we use information
We use personal information for the limited, defined purposes you would reasonably expect from a healthcare scheduling and patient-engagement platform:
- Service delivery — to provide bookings, intake, billing, the patient portal, and the Knowledge Hub features you actively use.
- Communication — appointment reminders, intake invites, account notifications, and replies to your support requests. You can opt out of non-essential communications at any time in your portal preferences.
- Safety and clinical accuracy — ensuring the right patient is matched to the right record, supporting therapist note-keeping, and detecting clinical-error patterns (within a clinic only).
- Security and fraud prevention — detecting account compromise, abusive bots, and unauthorized access attempts.
- Service improvement — aggregated, de-identified usage analysis to fix bugs and improve performance. We never sell personal information; we never train any artificial-intelligence model on identifiable health data.
- Legal obligations — keeping records mandated by provincial healthcare regulators, tax law, and applicable court orders.
#4. Health information
Personal health information receives the strongest level of protection under Canadian law. When you receive care through a clinic on Kinevie:
- The clinic is the health information custodian. They decide what health information is collected, used, and disclosed for your care.
- Kinevie acts as an electronic service provider / information manager for the clinic. We process health information only on the clinic's documented instructions, under a written agreement that mirrors the obligations of PHIPA s. 10 (Ontario), HIA s. 66 (Alberta), and the equivalent provisions in other provinces.
- Kinevie staff cannot access your clinical record without an audited business reason (incident response, account-recovery requests, billing dispute investigation). Every access is logged and reviewable by your clinic.
- We follow the World Health Organization's data-governance principles: confidentiality, integrity, availability, accountability, and respect for individual autonomy.
#5. When we share information
Personal information leaves Kinevie systems only when one of the following applies:
- With your clinic. The clinic that provides your care is the custodian of your health information and necessarily has full access to your record.
- With other clinics you choose. If you ask us to forward a record to a new clinic (e.g. switching providers), we transfer it on your written direction.
- With service sub-processors. A short, audited list of vendors (cloud hosting, transactional email, SMS reminders, payment processing) acts on our instructions under written data-protection agreements. See our sub-processor index below.
- To comply with law. A court order, regulator request, or statutory obligation may require limited disclosure. We notify you whenever the law allows.
- To protect safety. We may disclose information to prevent serious imminent harm or to comply with mandatory reporting under provincial law.
Sub-processors
We use a small set of carefully vetted vendors. Each is bound by data-processing agreements aligned with the Canadian Information and Privacy Commissioner's expectations. The current list is available on request via privacy@kinevieapp.com.
#6. Retention and deletion
We retain personal information only for as long as it is needed for the purposes set out above or as required by law. Retention defaults are:
- Patient account profile — until you request deletion; we close dormant accounts after 7 years of inactivity.
- Clinical records (held under custodianship of a clinic) — the retention period set by provincial healthcare regulators. In most provinces, the minimum is 10 years from the date of the last visit, or 10 years from the patient's 18th birthday for minors, whichever is later.
- Booking, billing, and invoice records — 7 years to satisfy Canadian tax-law requirements.
- Authentication logs and security audit trails — 2 years.
- Web-analytics and support tickets — 24 months from collection.
When the retention period ends, records are securely deleted or de-identified beyond re-identification. Backups follow the same lifecycle on a 60-day rolling window so a deletion request flows through to disaster-recovery copies within that period.
#7. Where your data lives
Kinevie production data is stored on infrastructure located in Canada (currently Canadian regions of Cloudflare R2 and our primary cloud database provider). Backups and disaster-recovery copies stay within Canadian borders.
Limited operational data may be processed in other countries by sub-processors we engage (for example, a transactional-email provider). Where applicable, we rely on standard contractual safeguards and, for Québec residents, the cross-border-transfer assessment required by Law 25 (sections 17 and 70.1).
#8. Your rights
You have the right to:
- Access the personal information we hold about you. We respond to requests within 30 days; complex requests may be extended by another 30 days with notice.
- Correct inaccurate information at any time. Most fields can be corrected directly in your patient portal.
- Withdraw consent for non-essential processing such as marketing communications. (Withdrawing consent for essential processing — e.g. clinical records — may mean a clinic can no longer deliver care to you through Kinevie.)
- Port your data to another provider in a structured, commonly used, machine-readable format.
- Delete your account and the personal information attached to it. Records subject to legal retention obligations (e.g. clinical records held by a clinic) remain with the clinic for the period required by law.
- File a complaint with us or with a privacy regulator — see Contact below.
To exercise any of these rights, email privacy@kinevieapp.com or use the in-portal "Privacy & data" controls. We verify your identity before acting on any request that could affect another person's records.
#9. How we protect information
A summary is below; the full description is in our Security policy.
- All traffic is encrypted in transit with TLS 1.2 or higher.
- Data at rest is encrypted with AES-256 on managed cloud storage.
- Authentication uses salted password hashing, optional multi-factor codes, and short-lived JWT sessions in HttpOnly cookies.
- Access to production data follows the principle of least privilege and is reviewed quarterly.
- Every record access by Kinevie staff is logged and auditable by the clinic.
- We run third-party penetration tests annually and remediate findings on a fixed schedule.
#10. Minors and dependants
Children under the age of 13 may not create their own Kinevie patient account. A parent or legal guardian may add a minor as a family member on their own account. The guardian's account-holder agreement applies to all family-member records, and clinics treat minors' clinical information under the provincial age-of-consent rules (commonly 16, but younger if the minor demonstrates capacity to consent — see Ontario's Health Care Consent Act).
#11. International users
Kinevie is operated from Canada and intended for Canadian residents. If you access the service from outside Canada, you understand that your information may be transferred to and processed in Canada, where data-protection laws may differ from your home country. For users in the European Economic Area, Kinevie acts as a "processor" or "controller" (depending on context) under the GDPR; please contact us if you wish to invoke GDPR rights and we will work with you in good faith.
#12. Changes to this policy
We update this policy as the service evolves, when regulators issue new guidance, and when applicable laws change. Material changes are notified at least 30 days in advance via email to your account-holder address and via a banner on the patient portal. The "Last updated" date at the top of this page always reflects the most recent revision.
#13. Contact and complaints
Kinevie's privacy contact handles all questions, access requests, corrections, and complaints related to this policy.
- Email: privacy@kinevieapp.com
- Mail: Privacy Officer, Kinevie Inc., 1 King Street West, Toronto, ON, Canada
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial privacy regulator (e.g. Information and Privacy Commissioner of Ontario, Office of the Information and Privacy Commissioner of Alberta, Commission d'accès à l'information du Québec).
