Privacy Policy

1. Information We Collect

We may collect information that you provide directly to us, information generated through your use of our services, and information processed by service providers acting on our behalf. This may include your name, preferred name, email address, phone number, date of birth, sex or gender, account credentials or authentication information, physical and delivery addresses, health card or provincial health information, government identification information, insurance or benefits information, family or caregiver relationship information, order and service history, prescription and pharmacy information, appointment information, communications with us, uploaded files or images, payment-related information, and device or account identifiers such as push notification tokens.

We collect and use this information to provide and support our services, manage accounts, communicate with you, process payments, deliver orders, support pharmacy and healthcare workflows, protect security, prevent fraud, meet legal and regulatory obligations, and maintain required records.

2. Health and Pharmacy Information

To provide pharmacy, prescription, appointment, medication review, ePrescription, minor-service, delivery, and related healthcare services, we may collect and process health and pharmacy information. This may include prescriptions, medication names, dosages or strengths, allergies, self-reported medications, medical history, symptoms, conditions, health card information, prescriber or pharmacy information, appointment details, service intake responses, order details, and information about dependents or family members where you use family or caregiver features.

We use this information to provide services, verify eligibility, support pharmacy and healthcare workflows, communicate with you, comply with legal and regulatory obligations, and maintain required records.

3. Uploaded Documents and Images

You may choose or be required to upload documents or images for certain services. These may include prescription images, health card images, government identification images, insurance or benefits card images, profile photos, chat or support attachments, order-related images, receipts, or other documents. These files may contain personal information, health information, identity information, and other sensitive information.

Uploaded files are stored in Google Cloud Storage in private buckets located in Toronto, Canada. Backups are stored in the same region. Files are encrypted at rest using GCP default encryption and are accessed using signed URLs. Uploaded files are not publicly accessible. Uploaded files may be retained for up to 10 years or as otherwise required or permitted for audit, compliance, pharmacy/healthcare recordkeeping, payment, security, or operational purposes.

4. Payment Information

For customer mobile app pharmacy, prescription, appointment, and related payment flows, payment information is processed using Stripe and, where applicable, Stripe Connect. Payment information may include cardholder details, billing details such as postal code, payment method identifiers, customer identifiers, payment intent or setup intent identifiers, checkout session identifiers, payment links, refund or transfer records, transaction amounts, payment status, and connected-account metadata.

Card details may be submitted directly to Stripe or processed by Stripe payment tools. Mednow may receive and store payment-related identifiers and transaction metadata needed to complete payments, manage saved payment methods, process refunds, reconcile transactions, support users, and meet legal, accounting, audit, payment, security, and operational requirements.

5. OTC Store / Shopify / Moneris

Mednow's OTC / Shopify store flows are separate from the customer mobile app pharmacy/payment flows. OTC store transactions may be processed through Shopify and Moneris. These providers may process information needed to complete store purchases, payments, refunds, order management, fraud prevention, support, accounting, and related operations.

6. Service Providers

We use service providers acting on our behalf to operate, support, and deliver the services. These include Stripe and Stripe Connect for mobile app payment processing; Shopify and Moneris for OTC / Shopify store flows; Google Cloud Storage for uploaded documents and related storage; Firebase Cloud Messaging and Apple Push Notification service for push notifications; Twilio SMS, Twilio Voice/Call Center, and Twilio Conversations for communications and chat; SendGrid for transactional email; Google Places/Maps for address autocomplete, place lookup, and pharmacy search; Uber Direct for delivery services; SRFax for faxing prescriptions or external pharmacy communications; Zoho for CRM or operational workflows; Kroll/PharmacyLink for pharmacy system integrations; and Health Canada DPD for drug product database data.

These service providers may process personal information, health or pharmacy information, payment-related information, communications, uploaded files, device identifiers, or address information where required to provide their services to us.

7. Communications and Notifications

We may communicate with you by email, SMS/text message, push notification, phone, in-app message, or chat for service, transactional, operational, account, support, payment, delivery, security, or administrative purposes.

Push, SMS, email, and chat payloads are not intended to include PHI. They may include service labels, payment links, appointment references, order IDs, and generic prescription or order status text. Communications may still reveal service context. Users should avoid sending unnecessary sensitive information through communication channels unless requested for a service.

We may collect and process communication details such as email addresses, phone numbers, push notification tokens, notification preferences, message content, call metadata, conversation identifiers, delivery status, and related records.

8. Address Autocomplete / Google Places / Maps

We may collect and process physical addresses, delivery addresses, service addresses, place identifiers, address search text, and selected address or pharmacy details to provide delivery, serviceability, appointment, pharmacy routing, and address autocomplete features. We use Google Places/Maps for address autocomplete, place lookup, map-related services, and pharmacy search.

Device GPS location should not be described unless legal and product confirm that it is collected by the app.

9. Delivery Services

Where delivery is available, we may use delivery partners such as Uber Direct to assess serviceability, provide delivery quotes, complete deliveries, and provide delivery status. Delivery partners may receive information needed to complete delivery, such as pickup/dropoff details, recipient contact information, delivery instructions, barcode/status details, and related service information.

10. Account Deactivation, Deletion Requests, and Retention

You may submit an account deactivation or deletion request through the app or by contacting us. The in-app request deactivates your account, creates a deletion request record, and signs you out by revoking active sessions. It does not immediately hard delete or anonymize all records.

After a request is created, Mednow has a manual deletion/anonymization process handled by the tech team. Certain records may remain for up to 10 years or as otherwise required or permitted by law, pharmacy or healthcare recordkeeping obligations, audit, payment, security, compliance, dispute resolution, tax, accounting, or operational requirements.

Retained records may include patient profile data, pharmacy/prescription/order/appointment records, uploaded files/images such as health card, government ID, benefits card, and prescription images, payment records and Stripe identifiers, chat/support messages, notification history and push tokens, and audit/security logs.

11. Security and Storage

We use administrative, technical, and organizational safeguards designed to protect personal information. These may include secure transmission methods, authentication controls, local secure storage for certain account or biometric unlock tokens, private cloud storage, encryption at rest where provided by our cloud provider, signed URLs for file access, and access controls for authorized personnel and service providers.

No method of transmission or storage is completely secure. We continue to review and update our safeguards as our services and legal obligations evolve.

12. Cross-Border / Service Provider Processing

Some service providers may process or store information outside your province, territory, or country. Where information is processed in another jurisdiction, it may be subject to the laws of that jurisdiction. We use service providers where needed to provide the services, subject to contractual, legal, privacy, and security safeguards where applicable.

Do not state that no data leaves Canada unless legal confirms every vendor and processing path.

13. Contacting the Privacy Officer

Privacy Officer
Mednow Digital
61 International Blvd
Etobicoke, Ontario
M9W 6K4
pharmacy-privacy@mednow.ca