PRIVACY POLICY
1. Purpose, Scope, and Legal Nature
This Privacy Policy (the "Policy") governs the collection, use, processing, storage, disclosure, and protection of personal information and personal health information by Milya Inc. ("Milya", "we", "our", or "us") in connection with its products and services (collectively, the "Services").
This Policy applies to:
- Healthcare professionals and organizations using the Services
- Individuals whose information is processed through the Services
- Users interacting with Milya's digital platforms
This Policy forms an integral part of Milya's contractual framework and must be read in conjunction with applicable agreements, including Terms of Service, Data Processing Agreements ("DPA"), and, where applicable, Business Associate Agreements ("BAA").
In the event of inconsistency, contractual agreements shall prevail to the extent permitted by law.
2. Regulatory Framework and Standard of Compliance
Milya operates within a multi-jurisdictional legal environment and structures its practices to align with:
- Quebec's Law 25
- Quebec's Law 5 governing health and social services information
- Ontario's Personal Health Information Protection Act (PHIPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- U.S. Health Insurance Portability and Accountability Act (HIPAA), where applicable
Where multiple regimes apply, Milya adopts a risk-adjusted, highest-standard compliance approach, except where a specific legal obligation requires otherwise.
3. Definitions and Interpretation
For the purposes of this Policy:
"Personal Information" means any information relating to an identifiable individual
"Personal Health Information" ("PHI") refers to health-related data subject to enhanced statutory protection
"Controller" or "Custodian" refers to the entity determining the purposes and means of processing
"Processor" or "Service Provider" refers to the entity processing data on behalf of a Controller
Interpretation of this Policy shall be consistent with applicable legislation.
4. Allocation of Roles and Responsibilities
4.1 Milya's Role
Milya provides technical infrastructure and AI-enabled processing capabilities and acts primarily as:
- A processor / service provider
- A provider of secure systems supporting clinical workflows
Milya processes personal information strictly:
- On documented instructions of healthcare providers; or
- As required for system operation, security, and compliance
4.2 Healthcare Provider Responsibilities
Healthcare providers:
- Act as controllers / custodians of personal health information
- Determine purposes and lawful basis of processing
- Are responsible for:
  - Obtaining patient consent
  - Ensuring regulatory compliance
  - Validating clinical content
4.3 No Clinical Responsibility
Milya does not:
- Provide medical advice or diagnosis
- Replace professional judgment
- Guarantee clinical accuracy of outputs
5. Categories of Information Processed
Milya adheres to the principle of data minimization.
5.1 Clinical Data
- Audio recordings (subject to consent)
- AI-generated transcripts and structured notes
- Associated metadata required for traceability
5.2 User and Organizational Data
- Identification and contact information
- Professional and organizational affiliations
- Access credentials and role definitions
5.3 Technical and Security Data
- IP addresses and device identifiers
- System logs and access records
- Usage and performance data
6. Legal Basis for Processing
Processing activities are grounded in:
- Consent, obtained by the healthcare provider
- Contractual necessity
- Legal and regulatory obligations
Milya does not independently determine the legal basis for clinical data collection.
Milya processes personal information solely within the scope of instructions provided by healthcare providers and does not independently determine the purposes or essential means of processing personal health information.
7. Purpose Limitation and Use Restrictions
Personal information is processed solely for:
- Clinical documentation support
- System operation and security
- Auditability and traceability
- Service improvement within controlled parameters
- Legal compliance
Milya expressly prohibits:
- Commercial exploitation of personal health information
- Use of identifiable data for unrelated purposes
8. Data Governance and Stewardship (Law 5 Alignment)
Milya maintains a structured governance framework including:
8.1 Auditability
- Immutable, time-stamped logs
- Full traceability of access and modifications
8.2 Access Control
- Role-based access control (RBAC)
- Least-privilege enforcement
8.3 Data Segregation
- Separation between clinical data and operational data
- Controlled processing environments
8.4 Lifecycle Management
- Defined retention and deletion protocols
8.5 Risk Management
- Privacy Impact Assessments (PIA)
- Continuous monitoring and mitigation
Milya acts as a technical steward of data, without assuming legal custodianship.
These measures form part of Milya's continuous data governance framework in alignment with Quebec's evolving health data governance requirements.
9. Data Localization and Sovereignty
All personal information and personal health information is hosted and stored within the Province of Quebec, Canada.
Milya's architecture ensures:
- Data residency within Quebec
- Governance under Quebec legal jurisdiction
- Reduced exposure to cross-border risks
This design reflects a commitment to data sovereignty and regulatory alignment.
No persistent storage of personal health information occurs outside the Province of Quebec. Any transient or technical processing occurring outside Quebec, if applicable, is strictly limited, non-persistent, and subject to appropriate safeguards.
10. Security Measures
Milya implements commercially reasonable safeguards, including:
- Encryption (in transit and at rest)
- Authentication and access control
- Monitoring and threat detection
- Secure infrastructure practices
Notwithstanding these measures, no system can guarantee absolute security. Milya implements safeguards consistent with industry standards; however, residual risks inherent to digital systems remain and are accepted as part of the use of the Services.
11. Third-Party Service Providers
Milya engages third-party providers under strict conditions:
- Binding contractual obligations
- Security and confidentiality requirements
- Restricted data use
Milya is not liable for acts of third parties beyond its reasonable control.
Third-party providers act as independent service providers and are responsible for their own compliance with applicable laws.
12. Cross-Border Processing
Milya's default position is no transfer of personal health information outside Quebec.
Where limited cross-border interaction is required:
- Processing is minimized
- A Privacy Impact Assessment is conducted
- Safeguards are implemented
Such processing shall not result in a material transfer of custody or control of personal health information outside Quebec.
Milya does not transfer or expose identifiable personal health information outside the Province of Quebec.
Where limited technical processing outside Quebec may occur, such processing is restricted to non-identifiable, de-identified, or transient data that cannot reasonably be used to identify an individual.
Under no circumstances, within the normal operation of the Services, does such processing result in the disclosure of identifiable personal health information to external systems or jurisdictions.
13. Retention and Destruction
Personal information is retained only as necessary.
Deletion:
- Follows defined retention schedules
- May be subject to backup and legal constraints
Retention periods are determined based on legal, regulatory, and operational requirements applicable to healthcare providers.
14. Individual Rights
Individuals may:
- Access their information
- Request correction
- Request deletion
- Withdraw consent
Requests involving clinical data are coordinated with healthcare providers.
Requests may be subject to verification of identity and applicable legal limitations.
15. U.S. Compliance (HIPAA Alignment)
Where applicable, Milya aligns with the Health Insurance Portability and Accountability Act (HIPAA):
- Business Associate Agreements (BAA)
- Safeguards aligned with HIPAA standards
- Restricted use and disclosure of PHI
16. Limitation of Liability
To the fullest extent permitted by applicable law:
Milya provides the Services on a commercially reasonable efforts basis.
Milya makes no warranties, express or implied, regarding:
- Accuracy of outputs
- Continuous availability
- Fitness for a particular purpose
Milya shall not be liable for:
- Clinical decisions or outcomes
- User reliance without validation
- Failure to obtain required consents
- Regulatory non-compliance by users
In all cases, Milya's liability shall be limited as set forth in applicable contractual agreements.
To the extent permitted by law, Milya shall not be liable for indirect, incidental, consequential, or punitive damages, including loss of data, revenue, or business opportunities.
17. Amendments
Milya reserves the right to amend this Policy at any time. Continued use constitutes acceptance.
18. Limitation of Recourse
To the extent permitted by law, any claim arising from the use of the Services shall be limited to direct damages and subject to contractual limitations agreed between the parties.
Any claim must be brought within the time limits prescribed by applicable law and subject to any contractual limitation periods agreed between the parties.
19. Compliance, Interpretation, and Regulatory Cooperation
Milya implements policies, procedures, and technical safeguards designed to comply with applicable privacy and health data governance laws, including Quebec's Law 25 and Law 5.
Milya's obligations are limited to those expressly required under applicable law and contractual agreements.
In the event of any inquiry, investigation, or request from a competent authority, including the Commission d'accès à l'information, Milya reserves the right to:
- Cooperate as required by law
- Disclose relevant information where legally obligated
- Take any necessary measures to ensure compliance
Nothing in this Policy shall be interpreted as limiting Milya's legal rights, defenses, or obligations under applicable law.
20. No Guarantee of Regulatory Outcome
While Milya implements commercially reasonable and industry-aligned safeguards, no representation or warranty is made that the Services will ensure compliance by users with all applicable laws or regulatory requirements.
Compliance with professional, legal, and regulatory obligations remains the responsibility of the healthcare provider using the Services.
21. User Responsibility and Indemnification
Users of the Services agree to:
- Use the Services in compliance with applicable laws and professional obligations
- Ensure that all necessary consents are obtained
- Review and validate all outputs before clinical use
To the extent permitted by law, users are responsible for any misuse of the Services or failure to comply with applicable legal requirements.
Users acknowledge that Milya provides tools to support workflows and does not replace legal, clinical, or regulatory obligations applicable to the user.
22. Privacy Officer
Milya has designated a person responsible for the protection of personal information in accordance with applicable laws.