Trust & Compliance

How Rebookly protects your clinic and your patients

Last updated: April 22, 2026

Rebookly is built specifically for Canadian wellness clinics using Jane App™. Because we operate in a regulated, trust-based environment, our approach to privacy and security is intentionally conservative: we handle the minimum patient data needed to do our job, we never touch clinical records, and we operate as your service provider — with your clinic remaining in control as the Health Information Custodian.

Our Role: Service Provider, Not Custodian

Under Canadian privacy law, your clinic is the Health Information Custodian (HIC) — the party ultimately accountable for patient information. Rebookly operates as your service provider and agent under Applicable Privacy Law, which includes PIPEDA, provincial privacy statutes, and provincial health privacy statutes.

What this means in practice:

  • Your clinic decides what data is collected, how it's used, and how long it's kept
  • Rebookly processes that data only on your instructions, for the purposes you've configured
  • Your clinic remains responsible for obtaining patient consent and meeting provincial obligations
  • Rebookly supports your compliance through technical safeguards, contractual commitments, and operational controls

This is the same model used by Jane App™ itself and by virtually every modern SaaS provider serving Canadian healthcare.

What Data We Handle — and What We Don't

What Rebookly processes

  • Patient name, phone number, and email address
  • Appointment metadata — service type, practitioner, location, date/time, cancellation or no-show status
  • Communication history between the clinic's AI assistant and the patient
  • Consent and opt-out status

What Rebookly never accesses

  • Clinical notes, chart data, or treatment records
  • Diagnoses or medical history
  • Insurance information or billing details
  • Intake forms, assessments, or clinical questionnaires
  • Payment card information

This boundary is deliberate. By design, Rebookly interacts only with the scheduling and communication data needed to operate booking and follow-up workflows. Your clinical records stay in Jane, under your control, where they belong.

Canadian Regulatory Alignment

PIPEDA (Federal)

Rebookly is designed around the ten fair information principles of PIPEDA, including accountability, limiting collection, consent, safeguards, and individual access. Our practices are documented in our Privacy Policy, and we have a designated Privacy Officer responsible for compliance.

PHIPA (Ontario)

For Ontario clinics, Rebookly operates as an agent of the Health Information Custodian. We follow your information practices, limit our handling of personal health information to what's needed to deliver the Services, and notify you promptly of any security incident affecting your data.

Provincial Private-Sector and Health Privacy Laws

Rebookly's practices are designed to align with:

  • Alberta — PIPA (private sector) and HIA (health information)
  • British Columbia — PIPA BC
  • Manitoba — PHIA
  • Saskatchewan — HIPA
  • New Brunswick — PHIPAA
  • Newfoundland and Labrador — PHIA
  • Nova Scotia — PHIA
  • Prince Edward Island and the territories — PIPEDA and applicable local legislation

Quebec (Law 25)

Quebec's Act to modernize legislative provisions as regards the protection of personal information (Law 25) imposes additional requirements, including designated privacy officers, transfer risk assessments for data leaving Quebec, and expanded breach notification obligations to the Commission d'accès à l'information. Clinics operating in Quebec should contact us directly to discuss additional measures before onboarding.

CASL (Anti-Spam)

Canada's Anti-Spam Legislation governs electronic messaging for commercial purposes. Rebookly enforces consent and opt-outs operationally: when a patient replies STOP or otherwise withdraws consent, all automated outbound messaging halts immediately across every workflow. Your clinic is responsible for obtaining appropriate consent to contact patients; Rebookly is responsible for honouring it.

HIPAA: What Applies and What Doesn't

HIPAA is a United States federal law that applies to US healthcare providers, health plans, and their business associates. It does not apply to Canadian clinics serving Canadian patients. Canadian clinics are governed by PIPEDA and provincial health privacy laws instead.

We sometimes get asked whether Rebookly will sign a HIPAA Business Associate Agreement (BAA). A BAA is a HIPAA-specific construct. For Canadian clinics, the correct and legally relevant document is a Data Processing Agreement (DPA) aligned with PIPEDA and provincial law. We can provide a DPA on request.

If your clinic treats US patients (for example, cross-border telehealth or a border clinic with US clientele), contact us directly so we can discuss whether additional measures are appropriate for your situation.

Security Safeguards

Rebookly protects data through a combination of technical and organizational controls:

  • Encryption in transit — all data moving between your browser, our platform, and Jane App™ is protected using industry-standard TLS encryption
  • Encryption at rest — stored data is encrypted on our infrastructure partners' servers
  • Role-based access controls — access to clinic data is limited to authorized personnel for specific operational purposes
  • Operational boundaries — our AI is designed to escalate rather than guess, avoiding unauthorized disclosures through conservative scope
  • Consent and opt-out enforcement — opt-outs are honoured immediately and retained indefinitely to prevent accidental re-contact

Data Location and Cross-Border Processing

Rebookly's platform runs on infrastructure provided by third-party cloud and communication vendors whose servers are located in the United States. Your clinic's data, and the patient data processed on your behalf, may therefore be transferred to, stored in, or processed in the United States.

Both PIPEDA and applicable provincial health privacy laws generally permit cross-border processing when adequate safeguards are in place. Rebookly implements those safeguards — encryption, access controls, and vendor selection — and relies on the published Data Processing Agreements and Terms of Service of our sub-processors, each of which commits them to security, confidentiality, and breach notification obligations consistent with Canadian privacy expectations.

You remain responsible for informing your patients that their data may be processed outside Canada, and for obtaining any consent required under your provincial law. We provide template language you can include in your own privacy notice.

Sub-Processors

Rebookly relies on carefully selected third-party services to operate. These providers operate under their own published Data Processing Agreements and Terms of Service, which commit them to security safeguards, confidentiality, and breach notification practices.

Our sub-processor categories include:

  • Automation and CRM infrastructure — platform services that power our unified inbox, automations, and integrations
  • SMS and voice communication — telecommunications carriers and infrastructure providers that deliver messages and calls
  • Cloud hosting — enterprise-grade cloud infrastructure providers
  • Scheduling integration — Jane App™ by Jane Software Inc., which remains the source of truth for your schedule
  • Payment processing — payment providers that handle billing securely and never expose card data to Rebookly

An updated list of named sub-processors is available on request.

Breach Notification

In the event of a security incident that affects your clinic's data, Rebookly will notify you promptly — within 72 hours of confirming the incident, where technically feasible — so you can meet your own notification obligations to affected patients and, where applicable, to your provincial Privacy Commissioner.

Applicable Privacy Law includes distinct breach notification standards — for example, PIPEDA's "real risk of significant harm" threshold, PHIPA's reporting obligations to the Information and Privacy Commissioner of Ontario, and Quebec Law 25's reporting obligations to the Commission d'accès à l'information. Rebookly supports your decision-making by providing the facts of any incident; final determinations about notification to patients and regulators rest with your clinic as the Health Information Custodian.

AI, Oversight, and Ongoing Refinement

Rebookly uses artificial intelligence to handle patient conversations, trigger follow-up workflows, and support booking. Our AI is not autonomous or self-learning in an uncontrolled way. It operates within defined boundaries, escalates uncertainty to your staff, and is continuously reviewed and refined based on real conversations.

Rebookly's AI never provides clinical advice, interprets insurance, overrides clinic policies, or makes medical decisions. Where a conversation requires judgment beyond its configured scope, it is handed off to your team. Your clinic retains full visibility into every conversation and can intervene, take over, or override automated responses at any time.

We do not use identifiable clinic or patient data to train general-purpose AI models. Improvements to our system are deliberate, reviewed, and aligned with Canadian privacy expectations.

Shared Responsibility

Clinic operations involve overlapping responsibilities between the clinic (as Health Information Custodian) and Rebookly (as service provider). The lists below summarize how those responsibilities are divided.

Your Clinic (Custodian / HIC)

  • Obtaining patient consent to contact by SMS, email, and voice
  • Disclosing to patients that a service provider processes their data
  • Configuring which patients are eligible for which workflows
  • Maintaining accurate availability and services in Jane App™
  • Appointing a designated Privacy Officer as required by provincial law
  • Responding to patient access, correction, and deletion requests
  • Notifying regulators and patients of reportable breaches
  • Meeting provincial registration, record-keeping, and audit obligations

Rebookly (Service Provider / Agent)

  • Encrypting data in transit and at rest
  • Limiting data handling to what's needed for configured workflows
  • Enforcing opt-outs immediately and retaining them indefinitely
  • Never accessing clinical records, diagnoses, or treatment notes
  • Selecting sub-processors with appropriate security commitments
  • Notifying the clinic of security incidents within 72 hours, where feasible
  • Supporting patient access and deletion requests initiated through the clinic
  • Escalating situations that fall outside the AI's operational boundaries

A Note on Tracking Technologies

We sometimes get asked about the 2022 and 2024 guidance from the US Department of Health and Human Services (HHS) regarding online tracking technologies on healthcare websites. Those bulletins apply to HIPAA-regulated entities in the United States, and the most controversial portion was vacated by a US federal court in 2024.

For Canadian clinics, the relevant question is whether your website collects personal information through cookies or pixels without appropriate disclosure under PIPEDA and provincial law. This is handled in your own privacy notice and cookie practices, not in Rebookly. We do not place tracking pixels on your clinic's website or on Jane App™-hosted booking pages.

Documents Available on Request

The following documents are available to subscribing clinics and qualified prospects on request:

  • Data Processing Agreement (DPA) aligned with PIPEDA and provincial law
  • Current sub-processor list
  • Security and operational overview
  • Template patient privacy notice language

Email [email protected] with your request and we'll respond within two business days.

Questions or Concerns

If you have questions about how Rebookly handles your clinic's data, or if you'd like to discuss your specific provincial requirements before onboarding, contact our Privacy Officer directly.

Privacy Officer: Chris Eder
Email: [email protected]
Phone: (587) 801-4659
Address: Calgary, AB, Canada

Jane App™ is a trademark of Jane Software Inc. Rebookly is an independent service provider and is not affiliated with, endorsed by, or officially partnered with Jane Software Inc. This page provides general information about Rebookly's privacy and security practices and is not legal advice. Clinics should consult their own legal counsel regarding provincial obligations.