PRIVACY POLICY
1. Purpose, Scope, and Legal Nature
This Privacy Policy (the "Policy") governs the collection, use, processing, storage, disclosure, and protection of personal information and personal health information by Milya Inc. ("Milya", "we", "our", or "us") in connection with its products and services (collectively, the "Services").
This Policy applies to:
- Healthcare professionals and organizations using the Services
- Individuals whose information is processed through the Services
- Users interacting with Milya's digital platforms
This Policy forms an integral part of Milya's contractual framework and must be read in conjunction with applicable agreements, including Terms of Service, Data Processing Agreements ("DPA"), and, where applicable, Business Associate Agreements ("BAA").
In the event of inconsistency, contractual agreements shall prevail to the extent permitted by law.
2. Regulatory Framework and Standard of Compliance
Milya operates within a multi-jurisdictional legal environment and structures its practices to align with:
- Quebec's Law 25
- Quebec's Law 5 governing health and social services information
- Ontario's Personal Health Information Protection Act (PHIPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- U.S. Health Insurance Portability and Accountability Act (HIPAA), where applicable
Where multiple regimes apply, Milya adopts a risk-adjusted, highest-standard compliance approach, except where a specific legal obligation requires otherwise.
3. Definitions and Interpretation
For the purposes of this Policy:
"Personal Information" means any information relating to an identifiable individual;
"Personal Health Information" ("PHI") refers to health-related data subject to enhanced statutory protection;
"Controller" or "Custodian" refers to the entity determining the purposes and means of processing;
"Processor" or "Service Provider" refers to the entity processing data on behalf of a Controller.
Interpretation of this Policy shall be consistent with applicable legislation.
4. Allocation of Roles and Responsibilities
4.1 Milya's Role
Milya provides technical infrastructure and AI-enabled processing capabilities and acts primarily as:
- A processor / service provider
- A provider of secure systems supporting clinical workflows
Milya processes personal information strictly:
- On documented instructions of healthcare providers; or
- As required for system operation, security, and compliance
4.2 Healthcare Provider Responsibilities
Healthcare providers:
- Act as controllers / custodians of personal health information
- Determine purposes and lawful basis of processing
- Are responsible for:
  - Obtaining patient consent
  - Ensuring regulatory compliance
  - Validating clinical content
4.3 No Clinical Responsibility
Milya does not:
- Provide medical advice or diagnosis
- Replace professional judgment
- Guarantee clinical accuracy of outputs
5. Categories of Information Processed
Milya adheres to the principle of data minimization.
5.1 Clinical Data
- Audio recordings (subject to consent)
- AI-generated transcripts and structured notes
- Associated metadata required for traceability
5.2 User and Organizational Data
- Identification and contact information
- Professional and organizational affiliations
- Access credentials and role definitions
5.3 Technical and Security Data
- IP addresses and device identifiers
- System logs and access records
- Usage and performance data
6. Legal Basis for Processing
Processing activities are grounded in:
- Consent, obtained by the healthcare provider
- Contractual necessity
- Legal and regulatory obligations
Milya does not independently determine the legal basis for clinical data collection.
Milya processes personal information solely within the scope of instructions provided by healthcare providers and does not independently determine the purposes or essential means of processing personal health information.
7. Purpose Limitation and Use Restrictions
Personal information is processed solely for:
- Clinical documentation support
- System operation and security
- Auditability and traceability
- Service improvement within controlled parameters
- Legal compliance
Milya expressly prohibits:
- Commercial exploitation of personal health information
- Use of identifiable data for unrelated purposes
8. Data Governance and Stewardship (Law 5 Alignment)
Milya maintains a structured governance framework including:
8.1 Auditability
- Immutable, time-stamped logs
- Full traceability of access and modifications
8.2 Access Control
- Role-based access control (RBAC)
- Least-privilege enforcement
8.3 Data Segregation
- Separation between clinical data and operational data
- Controlled processing environments
8.4 Lifecycle Management
- Defined retention and deletion protocols
8.5 Risk Management
- Privacy Impact Assessments (PIA)
- Continuous monitoring and mitigation
Milya acts as a technical steward of data, without assuming legal custodianship.
These measures form part of Milya's continuous data governance framework in alignment with Quebec's evolving health data governance requirements.
9. Data Localization and Sovereignty
All personal information and personal health information is hosted and stored within the Province of Quebec, Canada.
Milya's architecture ensures:
- Data residency within Quebec
- Governance under Quebec legal jurisdiction
- Reduced exposure to cross-border risks
This design reflects a commitment to data sovereignty and regulatory alignment.
No persistent storage of personal health information occurs outside the Province of Quebec. Any transient or technical processing occurring outside Quebec, if applicable, is strictly limited, non-persistent, and subject to appropriate safeguards.
10. Security Measures
Milya implements commercially reasonable safeguards, including:
- Encryption (in transit and at rest)
- Authentication and access control
- Monitoring and threat detection
- Secure infrastructure practices
Notwithstanding these measures, no system can guarantee absolute security. Milya implements safeguards consistent with industry standards; however, residual risks inherent to digital systems remain and are accepted as part of the use of the Services.
11. Third-Party Service Providers
Milya engages third-party providers under strict conditions:
- Binding contractual obligations
- Security and confidentiality requirements
- Restricted data use
Milya is not liable for acts of third parties beyond its reasonable control.
Third-party providers act as independent service providers and are responsible for their own compliance with applicable laws.
12. Cross-Border Processing
Milya's default position is no transfer of personal health information outside Quebec.
Where limited cross-border interaction is required:
- Processing is minimized
- A Privacy Impact Assessment is conducted
- Safeguards are implemented
Such processing shall not result in a material transfer of custody or control of personal health information outside Quebec.
Milya does not transfer or expose identifiable personal health information outside the Province of Quebec.
Where limited technical processing outside Quebec may occur, such processing is restricted to non-identifiable, de-identified, or transient data that cannot reasonably be used to identify an individual.
Under no circumstances, within the normal operation of the Services, does such processing result in the disclosure of identifiable personal health information to external systems or jurisdictions.
13. Retention and Destruction
Personal information is retained only as necessary.
Deletion:
- Follows defined retention schedules
- May be subject to backup and legal constraints
Retention periods are determined based on legal, regulatory, and operational requirements applicable to healthcare providers.
14. Individual Rights
Individuals may:
- Access their information
- Request correction
- Request deletion
- Withdraw consent
Requests involving clinical data are coordinated with healthcare providers.
Requests may be subject to verification of identity and applicable legal limitations.
15. U.S. Compliance (HIPAA Alignment)
Where applicable, Milya aligns with the Health Insurance Portability and Accountability Act (HIPAA) through:
- Business Associate Agreements (BAA)
- Safeguards aligned with HIPAA standards
- Restricted use and disclosure of PHI
16. Limitation of Liability
To the fullest extent permitted by applicable law:
Milya provides the Services on a commercially reasonable efforts basis.
Milya makes no warranties, express or implied, regarding:
- Accuracy of outputs
- Continuous availability
- Fitness for a particular purpose
Milya shall not be liable for:
- Clinical decisions or outcomes
- User reliance without validation
- Failure to obtain required consents
- Regulatory non-compliance by users
In all cases, Milya's liability shall be limited as set forth in applicable contractual agreements.
To the extent permitted by law, Milya shall not be liable for indirect, incidental, consequential, or punitive damages, including loss of data, revenue, or business opportunities.
17. Amendments
Milya reserves the right to amend this Policy at any time. Continued use constitutes acceptance.
18. Limitation of Recourse
To the extent permitted by law, any claim arising from the use of the Services shall be limited to direct damages and subject to contractual limitations agreed between the parties.
Any claim must be brought within the time limits prescribed by applicable law and subject to any contractual limitation periods agreed between the parties.
19. Compliance, Interpretation, and Regulatory Cooperation
Milya implements policies, procedures, and technical safeguards designed to comply with applicable privacy and health data governance laws, including Quebec's Law 25 and Law 5.
Milya's obligations are limited to those expressly required under applicable law and contractual agreements.
In the event of any inquiry, investigation, or request from a competent authority, including the Commission d'accès à l'information, Milya reserves the right to:
- Cooperate as required by law
- Disclose relevant information where legally obligated
- Take any necessary measures to ensure compliance
Nothing in this Policy shall be interpreted as limiting Milya's legal rights, defenses, or obligations under applicable law.
20. No Guarantee of Regulatory Outcome
While Milya implements commercially reasonable and industry-aligned safeguards, no representation or warranty is made that the Services will ensure compliance by users with all applicable laws or regulatory requirements.
Compliance with professional, legal, and regulatory obligations remains the responsibility of the healthcare provider using the Services.
21. User Responsibility and Indemnification
Users of the Services agree to:
- Use the Services in compliance with applicable laws and professional obligations
- Ensure that all necessary consents are obtained
- Review and validate all outputs before clinical use
To the extent permitted by law, users are responsible for any misuse of the Services or failure to comply with applicable legal requirements.
Users acknowledge that Milya provides tools to support workflows and does not replace legal, clinical, or regulatory obligations applicable to the user.
22. SMS Messaging Privacy Policy & Data Protection
22.1 Information Collection and Opt-In Data
Milya Inc. collects mobile phone numbers only when a patient voluntarily requests and consents to receive an appointment confirmation, scheduling update, reminder, or secure patient intake link via SMS. Consent may be obtained verbally during an inbound telephone call with Milya Receptionist or through another legally permitted consent mechanism authorized by the participating dental practice.
The information collected is used solely for the purpose of delivering requested transactional healthcare-related communications and providing the Services.
22.2 Strict Prohibition on Sale or Marketing Use of SMS Data
Milya Inc. maintains a strict policy prohibiting the sale, rental, lease, transfer, or disclosure of consumer mobile phone numbers, SMS opt-in information, consent records, or messaging history to third parties, affiliates, or external organizations for their own marketing, advertising, solicitation, or promotional purposes.
Milya does not use SMS opt-in information to create marketing profiles or conduct targeted advertising.
22.3 Limited Authorized Disclosures
Text messaging originator opt-in data and consent records will not be shared with third parties for marketing or promotional purposes.
Milya may disclose such information only to authorized service providers, subprocessors, telecommunications providers, or infrastructure providers acting on Milya's behalf and solely to the extent necessary to:
- Deliver SMS communications;
- Operate and maintain the Services;
- Protect system security and integrity;
- Comply with applicable laws, regulations, legal obligations, or court orders; or
- Investigate fraud, abuse, or security incidents.
Such providers are contractually required to maintain appropriate confidentiality and security protections.
22.4 Data Security and Protection
Milya implements administrative, technical, and physical safeguards designed to protect mobile phone numbers, consent records, and related information against unauthorized access, disclosure, alteration, or destruction.
These safeguards are designed to align with applicable privacy and security requirements, including Quebec Law 25, PIPEDA, HIPAA (where applicable), and industry best practices.
Milya prioritizes hosting and storage within the Province of Quebec whenever feasible. However, certain service providers or telecommunications providers may process limited information in other jurisdictions, subject to contractual safeguards, privacy protections, and applicable legal requirements.
22.5 Retention of Consent Records
Milya maintains records of SMS opt-in consent, message delivery activity, opt-out requests, and related compliance records for the period required by applicable laws, contractual obligations, regulatory requirements, and legitimate business purposes.
Such records are retained solely for compliance, audit, security, dispute resolution, and legal purposes.
22.6 Role of Milya
Milya acts as a technology service provider and data processor on behalf of participating dental practices.
The participating dental practice remains responsible for ensuring that any required patient consents are properly obtained and that patient contact information provided to Milya is accurate and lawful.
23. Privacy Officer
Milya has designated a person responsible for the protection of personal information in accordance with applicable laws.