OmaScan Privacy Policy
Last updated: May 30, 2026
Effective Date: May 10th, 2026 · Last Revised: May 30th, 2026
1. Introduction and Scope
OmaScan Inc. ("OmaScan," "we," "us," or "our") provides a 3D assessment, viewing, and collaboration platform used by occupational therapists, healthcare organizations, contractors, equipment vendors, individuals, families, and other users in connection with home and accessibility assessments (the "Service").
This Privacy Policy describes how OmaScan collects, uses, discloses, retains, and protects Personal Information in connection with the Service. It applies globally to all users of the Service, regardless of location or role. Where specific laws grant you additional rights or require specific disclosures, those are set out in Section 15 (Your Rights and Jurisdiction-Specific Disclosures).
This Privacy Policy applies in addition to the OmaScan Terms of Service, any Data Processing Agreement, Information Manager Agreement, or Business Associate Agreement executed between OmaScan and an organization using the Service, and any applicable law. Where a separate agreement provides terms more favorable to the individual or required by law, those terms prevail over this Privacy Policy.
Where the Service is provided to an individual by an occupational therapist, healthcare organization, or other professional, that organization or professional is the health information custodian and is responsible for obtaining any consent required by law before collecting or sharing Personal Health Information through the Service. Where OmaScan collects Personal Information directly from you as an account holder, for example when you create an account or contact us, we will obtain any required consent at or before the time of collection.
By creating an account or using the Service, you consent to the collection, use, and disclosure of Personal Information and Personal Health Information for the purposes described in this Privacy Policy.
2. Key Terms
"Personal Information" means information that can identify an individual. This includes Personal Health Information and any other information that identifies or could reasonably be linked to a specific person.
"Personal Health Information" or "PHI" means Personal Information about an individual's physical or mental health, the health care provided to them, or information collected in connection with a health assessment. Scans of an individual's home, measurements taken in that home, annotations about that individual's functional needs, and recommendations for modifications to support that individual are Personal Health Information when collected in a clinical context.
"Service Usage Data" means information about how the Service is used, collected in part through product analytics, including account activity, device and application information, feature usage events, session information, error logs, diagnostic information, and performance data. Service Usage Data is associated with your account but is not intended to include the content of scans, measurements of specific spaces linked to an individual, or other Personal Health Information.
"De-Identified Data" means information derived from Personal Information that has been processed so that it cannot reasonably be used, alone or in combination with other information, to identify you, any individual, or any specific home or location.
"Your Content" means the scans, measurements, annotations, reports, photos, files, messages, and other materials that you, or others acting on your behalf, submit or generate using the Service.
"Custodian" means a person or organization that has custody or control of Personal Health Information under applicable health privacy law, including a health information custodian under Ontario's Personal Health Information Protection Act, a custodian under Newfoundland and Labrador's Personal Health Information Act, a covered entity under the United States Health Insurance Portability and Accountability Act, and equivalent roles under other laws. A Custodian may also be a user of the Service.
"Subject" means the individual whose home, functional needs, or circumstances are the subject of a scan or assessment uploaded to the Service. A Subject may also be a user of the Service.
3. Who We Are and Our Role
OmaScan's role depends on how the Service is used.
When you use the Service on your own behalf, for example to scan your own home or view a scan shared with you by a professional, OmaScan is the organization responsible for your Personal Information under PIPEDA and applicable provincial privacy laws.
When the Service is used by a Custodian, or by an employee, contractor, or agent acting under a Custodian's authority, OmaScan acts as the Custodian's Information Manager (Newfoundland), or an Electronic Service Provider (Ontario), under a written agreement (IMA, DPA, or equivalent). This applies whether the Custodian is an individual practitioner or an organization such as a health authority, hospital, or professional practice. We handle Personal Health Information only on the Custodian's instructions, and only for the purposes set out in that agreement.
If you are the subject of an assessment and want to access, correct, or ask questions about your Personal Health Information, contact the Custodian responsible for the assessment.
4. Personal Information We Collect
We collect the following categories of information.
Information you provide to us when you create and maintain an account: name, email address, password, phone number (optional), professional role or title (optional), and organization or practice name (where applicable).
Information contained in Your Content: scans uploaded to the Service, measurements, annotations, placed equipment models, photos, notes, locations or addresses associated with scans (where provided), and any other information you or other authorized users include when using the Service. Your Content often includes Personal Health Information about Subjects.
Information exchanged through sharing features: email addresses of recipients you invite to view scans, messages or comments added to shared scans, and access records showing who viewed a scan and when.
Service Usage Data: we record whether and when features of the Service are used — including whether scans were uploaded or created, assessments created, measurements taken, annotations added, equipment items placed, reports generated, shares created, and scans viewed, along with the dates of those actions. We may also record session information, error logs, diagnostic information, performance data, and aggregate counts of actions per scan, assessment, or user. This data is associated with your user ID, name, email address, organization or practice name, professional role or title, and subscription tier. It does not include the content of what you created: not scan data, report contents, annotation text or location, measurement values, lengths, or positions, home addresses, or other Personal Health Information.
Technical information automatically collected: IP address, device type, operating system, browser type and version, device identifiers, application version, language and region settings, and referring URLs.
Communications with us: the content of emails, support requests, and other communications you send to OmaScan, and records of our responses.
For paid accounts, we use Stripe to process payments, including one-time payments and subscriptions. When you pay for the Service, Stripe collects your payment method details, such as credit or debit card numbers or bank account information, through its secure payment interface. OmaScan does not receive or store your raw financial account numbers. Stripe handles and stores that information in accordance with its own privacy policy. Stripe is listed as a subprocessor in Section 7.
If you voluntarily include sensitive information such as government identification numbers or financial account details in Your Content (for example, by typing them into a free-text annotation field), that information will be stored as part of Your Content. We recommend against doing so.
5. How We Use Personal Information
We use Personal Information for the following purposes.
To provide and operate the Service: to create and manage your account, authenticate you, process and store Your Content, deliver outputs you request (including reports, measurements, share links, and exports), facilitate collaboration with other users you authorize, and communicate with you about your use of the Service.
To maintain, improve, and understand use of the Service: to diagnose and resolve issues, monitor performance, understand how features are used, measure feature adoption, generate product analytics, develop new features and products, support customers, and support commercial and strategic planning. For these purposes, we rely primarily on Service Usage Data and De-Identified Data.
To secure the Service and protect users: to detect, prevent, and respond to fraud, misuse, unauthorized access, and security incidents, and to enforce our Terms of Service.
To comply with legal obligations: to meet our obligations under applicable privacy, health, tax, and other laws, to respond to valid legal requests, and to protect our legal rights.
To communicate with you: to send service-related messages (such as account notifications, security alerts, and changes to these terms) and, with your consent where required, to send informational or promotional messages about the Service. You can opt out of non-essential communications at any time.
To create De-Identified Data: we may create De-Identified Data from Your Content and from your use of the Service for research, benchmarking, publication, analytics, product development, and other lawful purposes. Once data has been de-identified in accordance with recognized standards, it is no longer Personal Information or Personal Health Information.
We do not sell Personal Information.
6. Artificial Intelligence Features
The Service may include features that use artificial intelligence and machine learning. This section describes how those features work and how your information is handled.
Standards Assistant. The Standards Assistant lets you ask questions about accessibility standards and returns answers generated by a large language model, with citations to reference material. When you submit a query, the query text is sent to the model provider for processing. Queries are not used to train general-purpose AI models.
Scan Analysis. The Scan Analysis feature reviews uploaded scans and flags items against the accessibility standards you select. When you use this feature, the scan data or derived geometry is processed by automated systems to produce flags and suggestions.
These features are tools, not advice. The Standards Assistant and Scan Analysis are reference and triage tools. They are not a substitute for professional judgment, and their outputs are not advice from a clinician, lawyer, code official, or any other qualified person. Outputs may contain errors, omissions, or misinterpretations, and they do not make clinical, regulatory, or compliance determinations. You use these features at your own risk, and any output must be independently verified by a qualified professional before you rely on it.
OmaScan does not make automated decisions about you. OmaScan does not use AI to make decisions that produce legal effects or similarly significant effects for you. AI outputs are provided to you or to authorized users for review. OmaScan does not use them to approve, deny, or determine any entitlement, benefit, or treatment.
Use of your information to train AI models. We do not use the raw content of scans, the content of Personal Health Information, or your identifiable queries to train, fine-tune, or improve general-purpose AI models without a separate written agreement authorizing that use. We may use De-Identified Data to improve AI features.
Right to human review. Where applicable law grants you the right to request that automated processing be reviewed by a person, or to be informed of the principal factors that led to an automated output affecting you, you may exercise that right by contacting us at the address in Section 18.
7. Sharing and Disclosure
We share Personal Information in the following circumstances.
With other users you authorize. Scans, reports, and other content are shared with the users and recipients you or your organization authorize. When you use the sharing features of the Service, the recipients you designate receive access to the content you have chosen to share.
With Custodians and within authorized care relationships. Where you use the Service in connection with an assessment carried out by or for a Custodian, Personal Health Information is made available to that Custodian and to other persons or organizations authorized by the Custodian or by applicable law to receive it in the course of providing care, authorizing care, funding care, or coordinating modifications or services related to the assessment.
With our service providers and subprocessors. We engage service providers to help us operate the Service. These providers have access to Personal Information only to the extent necessary to perform their functions and are contractually required to protect it. Our current subprocessors include:
- Amazon Web Services: cloud infrastructure and data storage (currently in the Canada (Central) region, ca-central-1)
- Vercel: web application hosting and delivery
- Stripe: payment provider
- Resend: email communications and assessment sharing
- PostHog: product analytics
For legal and safety reasons. We may disclose Personal Information when we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a valid request from a government authority, enforce our agreements, protect the rights, property, or safety of OmaScan, our users, or others, or respond to an emergency involving risk of death or serious physical harm. Where we receive a request for your Personal Information from a government authority or through legal process, we will notify you before disclosure unless we are legally prohibited from doing so or unless notification would impede a lawful investigation or create a risk of harm.
In connection with a business transaction. If OmaScan is involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, Personal Information may be transferred as part of that transaction, subject to the protections of this Privacy Policy or equivalent protections.
With your consent. We may disclose Personal Information for other purposes with your consent.
8. Cross-Border Data Transfers
Personal Information provided through the Service is currently stored in Canada, in Amazon Web Services' Canada (Central) region (ca-central-1).
Service Usage Data (as described in Section 4) is processed by PostHog on servers located in the United States. This includes the identifiers and account-level information associated with feature usage events, and does not include scan content, Personal Health Information, or other sensitive Personal Information stored in Canada.
As OmaScan grows and serves users in additional jurisdictions, we may store or process Personal Information in other countries, including the United States. Before moving any category of Personal Information outside of Canada, we will assess the privacy and security implications, apply appropriate contractual and technical safeguards, and update this Privacy Policy to reflect the change.
When Personal Information is transferred outside of the jurisdiction where it was collected, it may be subject to the laws of the receiving country, including laws that permit government authorities in that country to access the information. We apply safeguards consistent with recognized standards, including standard contractual clauses or equivalent mechanisms where applicable, to protect Personal Information during and after transfer.
If you are located in a jurisdiction that restricts cross-border transfers without specific conditions (for example, Quebec, British Columbia public-sector contexts, or the European Economic Area), we will apply those conditions before any transfer occurs.
9. Data Retention
We retain Personal Information for the periods necessary to fulfill the purposes described in this Privacy Policy, to meet our legal, regulatory, and professional obligations, and to resolve disputes and enforce our agreements.
Our standard retention periods are:
- Account information (name, email, profile details): for the duration of your account, and for a reasonable period after account closure to resolve billing, disputes, and legal obligations.
- Personal Health Information contained in Your Content: retained for the period directed by the applicable Custodian or by law.
- Service Usage Data: retained for the duration of your account and for up to seven (7) years after termination for analytics, security, and business purposes, after which it is deleted or de-identified.
- Technical logs: retained for ninety days for security and diagnostic purposes, with longer retention where required for incident investigation or legal obligations.
- Audit Logs: retained for ten years, with longer retention where required for incident investigation or legal obligations.
- Communications with us: retained for a reasonable period after the matter is resolved.
- De-Identified Data: may be retained indefinitely, as it is no longer Personal Information.
When Personal Information is no longer needed, we securely delete or de-identify it. In some cases we may be required to retain information beyond our standard periods to comply with legal, regulatory, or professional obligations, to resolve disputes, or to respond to lawful requests.
If you close your account, Your Content remains available to the Custodian or organization under whose authority the assessment was conducted, and is retained in accordance with that Custodian's or organization's obligations.
10. Security Safeguards
We implement administrative, technical, and physical safeguards designed to protect Personal Information against loss, theft, and unauthorized access, use, disclosure, modification, or destruction. Our safeguards include:
Technical safeguards: encryption of data in transit using TLS 1.2 or higher, encryption of data at rest using industry-standard algorithms, role-based access controls following the principle of least privilege, automated monitoring and logging, regular security patching, and secure software development practices.
Administrative safeguards: written security and privacy policies, confidentiality and privacy obligations for all personnel and contractors, privacy and security training, privacy impact assessments for significant new features or changes, vendor risk review before engaging subprocessors, and incident response procedures.
Physical safeguards: reliance on the physical security controls of our cloud infrastructure providers, which maintain certified data centers with physical access controls, environmental protections, and redundancy.
No security measure is perfect. You are also responsible for protecting your account by using a strong, unique password, keeping your credentials confidential, enabling multi-factor authentication where available, keeping your devices and applications up to date, and exercising caution when sharing content with others.
11. Breach Notification
We maintain a breach response process designed to identify, contain, investigate, and remediate security incidents. If a breach of security safeguards affects your Personal Information and creates a real risk of significant harm, we will:
- Notify you without unreasonable delay, targeting notification within 72 hours of confirming the breach, unless a longer period is permitted by applicable law or required to complete the investigation
- Provide a description of the incident, the Personal Information and Personal Health Information affected, the steps we have taken in response, and steps you can take to protect yourself
- Where the affected information includes Personal Health Information held on behalf of a Custodian, notify the Custodian at the first reasonable opportunity, so the Custodian can fulfill its notification obligations to affected individuals and the applicable health privacy regulator
- Where the affected information is Personal Information not held on behalf of a Custodian, notify the applicable privacy regulator in accordance with applicable law
- Maintain an internal record of the incident as required by applicable law
If you believe your account has been compromised or that your Personal Information has been accessed without authorization, contact us immediately at security@omascan.com.
12. Your Rights and Choices
Subject to applicable law and verification of your identity, you have the following rights with respect to your Personal Information.
Access: you may request confirmation of whether we hold Personal Information about you and request a copy of that information.
Correction: you may request that we correct Personal Information that is inaccurate or incomplete.
Deletion: you may request that we delete your Personal Information, subject to our legal and contractual retention obligations.
Portability: you may request that we provide your Personal Information in a structured, commonly used, machine-readable format, or transfer it to another service provider where technically feasible.
Withdrawal of consent: where we process Personal Information based on your consent, you may withdraw that consent at any time. Withdrawal does not affect processing carried out before the withdrawal and may affect our ability to provide the Service to you.
Objection and restriction: you may object to certain processing of your Personal Information or request that we restrict processing in defined circumstances.
Automated decision review: where automated processing produces outputs that significantly affect you, you may request review by a person and information about the principal factors involved.
Complaints: you may file a complaint with us or with the privacy regulator in your jurisdiction. Contact information for Canadian federal and provincial regulators is available at www.priv.gc.ca.
To exercise any of these rights, contact us at security@omascan.com. We will respond within the timeframe required by applicable law, typically 30 days for requests under Canadian privacy law. We may need to verify your identity before responding. Where a request concerns Personal Health Information held by OmaScan on behalf of a Custodian, we will work with the Custodian to respond to your request.
13. Jurisdiction-Specific Disclosures
In addition to the rights described above, the following disclosures apply to users in specific jurisdictions.
Residents of Canada. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws apply to the processing of your Personal Information. If you are dissatisfied with our response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.
Residents of Quebec. The Act Respecting the Protection of Personal Information in the Private Sector (Law 25) applies to the processing of your Personal Information. You have the right to receive specific information about automated decisions affecting you, the right to data portability, the right to de-indexation in certain circumstances, and the right to be informed of cross-border transfers of your Personal Information. Our Privacy Officer is the person designated to ensure compliance with Law 25. You may file a complaint with the Commission d'accès à l'information du Québec.
Users subject to provincial health privacy laws. If you are a Custodian or if Personal Health Information about you is processed through the Service, additional rights and obligations apply under the relevant provincial health privacy law (for example, Newfoundland and Labrador's Personal Health Information Act, Ontario's Personal Health Information Protection Act, Alberta's Health Information Act, or Nova Scotia's Personal Health Information Act). Requests concerning Personal Health Information held on behalf of a Custodian are generally directed to that Custodian.
14. Children and Minors
Account Holders
Service accounts may only be created and operated by persons who have reached the age of majority in their jurisdiction of residence. The age of majority in Canada varies by province: 18 in Alberta, Manitoba, Ontario, Prince Edward Island, Quebec, and Saskatchewan; 19 in British Columbia, New Brunswick, Newfoundland and Labrador, Nova Scotia, and the three territories (Yukon, Northwest Territories, Nunavut).
Minors may not register for or operate an account, with or without parental or guardian involvement.
Subjects of Assessments
Subjects whose Personal Health Information is processed through the Service may include minors (for example, a child with a disability whose home is being assessed for accessibility modifications). In such cases, the Custodian operating the account is solely responsible for:
- obtaining all consents required under applicable law (including PHIPA, HIA, and other provincial health privacy legislation) from the parent, legal guardian, or substitute decision-maker; and
- ensuring that the collection, use, and disclosure of the minor's Personal Health Information complies with that law.
If we become aware that we have collected Personal Information from a person under the age of majority without appropriate consent, we will delete that information.
15. Third-Party Scanning Applications and Services
The Service accepts scan files produced by third-party scanning applications and devices. OmaScan does not control, and is not responsible for, the privacy or security practices of those third-party applications. When you use a third-party scanning application to capture a scan, that application's terms and privacy policy apply to its collection and processing of information, including any location data, device identifiers, or other information collected by that application.
Before using a third-party scanning application in connection with the Service, you should review its terms and privacy policy.
OmaScan does not receive information from third-party scanning applications except the scan file you choose to upload to the Service.
The Service may also integrate with or link to other third-party services (for example, email providers used to deliver share-link notifications). Those third parties have their own privacy practices, and we are not responsible for their practices.
16. Cookies and Similar Technologies
We use essential cookies and similar technologies (such as local storage) to operate the Service, remember your preferences, authenticate you, and authorize your actions. We also use an analytics cookie set by PostHog to associate product analytics events with a distinct device and user identifier (see Section 4, Service Usage Data). We do not use third-party advertising cookies or sell information to advertisers.
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email, by an in-Service notice, or by posting the updated Privacy Policy on our website and updating the "Last Revised" date. Where applicable law requires, we will obtain your renewed consent before material changes take effect. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the updated Privacy Policy, except where consent is required.
18. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our handling of Personal Information, contact us at:
OmaScan Inc.
748 Old Broad Cove Rd
Portugal Cove-St. Philip’s, Newfoundland
A1M 1P1
Email: security@omascan.com
Data Protection Officer: Liam French