PHIPA Compliance Statement

Last updated: February 26, 2026 — This is a working draft pending legal review.

1. Compliance Framework

Photon AI Receptionist operates under Ontario's Personal Health Information Protection Act, 2004 (PHIPA). While the Platform primarily handles scheduling and appointment logistics — not clinical health records — we recognize that caller interactions may incidentally include personal health information (PHI) such as service preferences (e.g., "physiotherapy appointment") and health-related inquiries.

We treat all caller interactions with the same care as if they contained PHI, applying privacy-by-design principles throughout the Platform.

2. Data Classification

Data Type	Classification	Handling
Caller phone number	PHI (identifier)	Hashed — never stored in plain text
Caller name	PHI (identifier)	Stored temporarily for practitioner follow-up; subject to automatic purge
Service requested	Potentially PHI	Stored as structured data only (e.g., "facial", "massage")
Call audio	PHI	Processed in real-time; not stored unless recording enabled
Transcripts	PHI	Stored only if practitioner enables; subject to automatic purge
Voicemails	PHI	Stored; subject to automatic purge
Practitioner business info	Not PHI	Stored for service operation
Billing data	Not PHI	Managed by PCI-compliant payment processor

3. Technical Safeguards

All data encrypted in transit and sensitive data encrypted at rest
Caller phone numbers stored as irreversible one-way hashes
Strict tenant isolation — no cross-client data access
Role-based access controls (practitioners see only their own data)
Session authentication with automatic expiry
Account lockout and rate limiting protections
Comprehensive audit logging with PHI redaction
Automatic data purging on configurable schedules

4. Third-Party Data Sharing

The Platform uses third-party providers for voice AI processing, telephony, payment processing, and email delivery. For each provider:

Only the minimum data necessary for their function is shared
PHI exposure is minimized (hashed identifiers, structured data over raw content)
Business Associate Agreements (BAAs) are in place or being actively pursued where applicable
Providers that do not handle PHI (email, payments) are selected for their compliance posture regardless

A detailed sub-processor list with data handling practices is available to practitioners upon request.

5. Data Breach Notification

In the event of a breach involving personal health information:

Affected practitioners notified within 72 hours
Information and Privacy Commissioner of Ontario notified as required under PHIPA
Affected callers notified if the breach poses a risk of significant harm
Breach investigation and remediation documented and retained

6. Access Requests

Individuals may request access to, correction of, or deletion of their personal information by contacting [email protected]. We will respond within 30 days as required under PHIPA.

7. Infrastructure

The Platform is hosted on infrastructure with DDoS protection, encrypted database connections, and enforced security headers. We are committed to Canadian data residency for all application data.

8. Contact

For compliance inquiries:

Photon Cyber Solutions
Email: [email protected]
Ontario, Canada