Privacy Policy

Provera Care Incorporated, operating under the trade name ProveraCare (“ProveraCare,” “we,” “us,” or “our”), is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect information through the Pearl platform.

1. Scope and Application

This Privacy Policy applies to all users of the Pearl platform accessible at hellopearl.app and through related mobile applications, including Core Members (seniors), Circle Members (family, friends, neighbours), and Trusted Providers (service professionals).

This Privacy Policy has been designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario’s Personal Health Information Protection Act, 2004 (PHIPA), and, where applicable to users in the United States, the Health Insurance Portability and Accountability Act (HIPAA). Where multiple legal frameworks apply, we implement safeguards designed to meet or exceed applicable legal requirements.

Provera Care Incorporated is a federal corporation incorporated under the Canada Business Corporations Act (CBCA), with its mailing address at 2150 Winston Park Dr Unit 203 PMB #3024, Oakville, ON L6H 5V1, Canada. All data is stored and processed on servers located in Canada.

‍

2. Accountability and Privacy Officer

In accordance with PIPEDA’s accountability principle, ProveraCare has designated a Privacy Officer who is responsible for our compliance with this Privacy Policy and applicable privacy legislation. The Privacy Officer oversees all aspects of our personal information management program, including responding to privacy inquiries, access requests, and complaints.

Privacy Officer

Provera Care Incorporated

Email: privacy@hellopearl.app

All inquiries, requests, and complaints related to privacy should be directed to the Privacy Officer at the contact information above.

‍

3. Information We Collect

‍

3.1 Information You Provide Directly

We collect the following categories of personal information that you provide when registering for and using the Platform:

Account Information: Name, email address, phone number, postal code, date of birth, and account credentials.
Profile Information: Profile photos, biographical details, role within a Circle (Core Member, family member, friend, provider), and relationship to the Core Member.
Circle Information: Names and contact information of individuals you invite to join a Circle, Circle settings, and permissions.
Coordination Content: Requests, tasks, reminders, events, schedules, notes, chat messages, and other coordination-related information shared within Circles.
Health-Adjacent Information: Information related to daily wellness, appointments, medication reminders, mobility needs, dietary requirements, and daily check-in responses, shared at your sole discretion. This information may constitute personal health information under PHIPA. Pearl does not require you to share health-related information to use the Platform. Any such information is uploaded voluntarily, and you are solely responsible for its accuracy and for managing who can see it within your Circle.
Payment Information: Billing address and payment card details (processed and stored by our PCI-DSS-compliant third-party payment processor; we do not store full payment card numbers).
Provider Information: Business name, service type, qualifications, credentials, service area, rates, and availability (for Trusted Providers).
Communications: Correspondence with our support team and feedback you provide about the Platform.

‍

3.2 Information Collected Automatically

When you access or use the Platform, we automatically collect certain technical and usage information:

Device Information: Device type, operating system, browser type, unique device identifiers, and mobile network information.
Usage Data: Pages visited, features used, time and date of access, referring URLs, clickstream data, and interaction patterns.
Log Data: IP addresses, server logs, error reports, and diagnostic information.
Location Data: General geographic location based on IP address. We do not collect precise GPS location data unless you explicitly enable this feature and provide consent.
Cookies and Similar Technologies: We use cookies and similar tracking technologies as described in Section 12 of this Policy.

‍

3.3 Information from Third Parties

We may receive information about you from third parties, including:

Trusted Providers who share updates about services provided to a Core Member within a Circle.
Circle Members who provide information about a Core Member or other Circle Members in the course of using the Platform.
Third-party service integrations that you authorize to connect with the Platform.

‍

3.4 Information Shared by Trusted Providers About Clients

Trusted Providers may invite existing clients to join the Platform and may share updates or information about services provided within a Circle. Trusted Providers are independently responsible for obtaining appropriate consent from their clients before sharing any personal information or health-adjacent information through the Platform. ProveraCare does not direct or control what information Trusted Providers share and is not responsible for verifying that a Trusted Provider has obtained appropriate consent.

‍

3.5 Marketplace and Provider Information

Information provided by Trusted Providers in their Marketplace listings (such as business name, service descriptions, qualifications, and service areas) is provided by the Trusted Provider, not by ProveraCare. We do not independently verify the accuracy of provider listings. Please refer to our Terms of Service for important disclaimers regarding the Marketplace, provider vetting, and your responsibility to conduct your own due diligence.

‍

4. Purposes for Collecting, Using, and Disclosing Personal Information

In accordance with PIPEDA’s principle of identifying purposes, we collect, use, and disclose your personal information for the following purposes:

Provide and operate the Platform: To create and manage accounts, facilitate Circle coordination, process requests and tasks, enable chat and messaging, deliver the Marketplace, and provide AI Features.
Facilitate communication: To enable communication between Circle Members, Trusted Providers, and Core Members, including notifications, alerts, and reminders.
Process payments: To process subscription fees and Marketplace transactions through our secure payment processor.
Improve and develop the Platform: To analyze usage patterns, diagnose technical issues, conduct research and analytics, and improve Platform features and user experience.
Provide AI-enabled services: To power the Pearl assistant, generate smart suggestions, and provide automated coordination assistance. AI processing occurs on our Canadian servers.
Ensure safety and security: To detect and prevent fraud, unauthorized access, abuse, and other harmful activity, and to enforce our Terms of Service.
Legal compliance: To comply with applicable laws, regulations, legal processes, and government requests, including PIPEDA, PHIPA, and HIPAA.
Communicate with you: To send service-related notices, updates, security alerts, and support and administrative messages. Marketing communications are sent only with your express consent.

We will not use or disclose your personal information for purposes other than those for which it was collected, except with your consent or as required or permitted by law.

‍

5. Consent

‍

5.1 How We Obtain Consent

In accordance with PIPEDA’s consent principle, we obtain your consent for the collection, use, and disclosure of your personal information at the time of collection or before any new use or disclosure. Consent may be:

Express consent: Obtained through affirmative action, such as checking a consent box, signing up for the Platform, or providing explicit agreement for specific uses (e.g., marketing communications, sharing health-adjacent information).
Implied consent: Inferred from your voluntary provision of information for an obvious purpose (e.g., providing your email address when creating an account implies consent to use it for account-related communications).

‍

5.2 Sensitive Information

We require express consent for the collection, use, or disclosure of sensitive personal information, including personal health information, financial information, and any information shared by or about a Core Member within a Circle. Health-adjacent information shared through the Platform (such as wellness check-ins, appointment details, and medication reminders) may constitute personal health information under PHIPA. We treat all such information with the highest level of protection.

‍

5.3 Withdrawing Consent

You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions, by contacting our Privacy Officer at privacy@hellopearl.app. We will inform you of the implications of withdrawing consent, which may include our inability to provide certain features of the Platform. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

‍

5.4 Consent on Behalf of Others

If you are providing personal information about another individual (such as a Core Member), you represent and warrant that you have obtained the individual’s informed consent or that you have the legal authority to provide such consent on their behalf (e.g., as a substitute decision-maker under applicable law).

‍

6. Limiting Collection

We limit the collection of personal information to that which is necessary for the purposes identified in this Privacy Policy. We do not collect personal information indiscriminately and will not deceive or mislead individuals about the purposes for which information is collected.

‍

7. Limiting Use, Disclosure, and Retention

‍

7.1 Use and Disclosure

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. We may disclose your personal information to:

Other Circle Members within your Circle(s), in accordance with Circle settings and permissions.
Trusted Providers who have been invited to a Circle, limited to information necessary to fulfill their role within the Circle.
Service providers who assist us in operating the Platform (e.g., cloud hosting, payment processing, analytics, customer support), subject to contractual obligations to protect your information.
Law enforcement, regulatory authorities, or other third parties when required by law, court order, or legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of ProveraCare, our users, or the public.
A successor entity in the event of a merger, acquisition, restructuring, or sale of assets, subject to a commitment by the successor to honour this Privacy Policy.

‍

7.2 Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

Account information: Retained for the duration of your account and for a period of two (2) years following account closure, unless a longer retention period is required by law.
Coordination Content (requests, tasks, messages): Retained for the duration of the Circle’s existence and for one (1) year after the Circle is closed or the Core Member’s account is terminated.
Health-adjacent information: Retained in accordance with PHIPA requirements and for no longer than necessary to fulfill the purpose for which it was collected.
Payment and transaction records: Retained for seven (7) years in accordance with Canadian tax and financial record-keeping requirements.
Usage and log data: Retained for up to two (2) years for analytics and security purposes.

When personal information is no longer required, we will securely destroy, erase, or anonymize it in accordance with our data destruction procedures.

‍

8. Accuracy

We take reasonable steps to ensure that personal information in our custody is accurate, complete, and up to date for the purposes for which it is used. You are responsible for notifying us of any changes to your personal information. You may update your account information at any time through your account settings or by contacting us at privacy@hellopearl.app.

‍

9. Safeguards

We protect your personal information with administrative, technical, and physical security measures proportionate to the sensitivity of the information:

‍

9.1 Technical Safeguards

Encryption of data in transit using TLS 1.2 or higher and encryption of data at rest using AES-256 encryption.
Secure cloud infrastructure hosted in Canadian data centres (AWS Canada Region).
Role-based access controls ensuring that only authorized personnel can access personal information.
Multi-factor authentication for administrative access to systems containing personal information.
Regular security assessments, penetration testing, and vulnerability scanning.
Automated monitoring and logging of system access and activities.

‍

9.2 Administrative Safeguards

Privacy and security training for all employees and contractors who handle personal information.
Confidentiality agreements with all employees, contractors, and third-party service providers.
Documented incident response and breach notification procedures.
Regular reviews and updates of security policies and practices.
Privacy impact assessments for new features and significant changes to data processing activities.

‍

9.3 Physical Safeguards

Data is hosted exclusively in Canadian data centres operated by our cloud service provider.
Physical access to data centres is restricted and monitored by our cloud service provider in accordance with their SOC 2 and ISO 27001 certifications.

‍

10. Breach Notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will:

Notify affected individuals as soon as feasible, providing information about the breach, the personal information involved, steps we have taken or intend to take, and recommended steps the individual can take to mitigate potential harm.
Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA.
Report the breach to the Information and Privacy Commissioner of Ontario if personal health information under PHIPA is involved.
If HIPAA applies, notify affected U.S. individuals and the U.S. Department of Health and Human Services in accordance with HIPAA Breach Notification Rule requirements.
Maintain a record of all breaches of security safeguards, regardless of whether they meet the threshold for notification.

‍

11. Openness and Transparency

In accordance with PIPEDA’s openness principle, we make information about our privacy policies and practices readily available. This Privacy Policy is available at hellopearl.app/privacy and can be provided in an accessible format upon request. We will notify users of material changes to this Privacy Policy by email and through a prominent notice on the Platform at least thirty (30) days before such changes take effect.

‍

12. Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate, customize, and improve the Platform. Categories of cookies we use include:

Strictly Necessary Cookies: Required for the Platform to function properly, including authentication, security, and session management. These cannot be disabled.
Functional Cookies: Used to remember your preferences and settings, such as language selection and display preferences.
Analytics Cookies: Used to understand how users interact with the Platform, which pages are visited most frequently, and to measure the effectiveness of our communications. We use privacy-focused analytics tools.

We do not use advertising or tracking cookies. You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform.

‍

13. Your Rights

Under PIPEDA and applicable privacy legislation, you have the following rights with respect to your personal information:

‍

13.1 Right of Access

You have the right to request access to the personal information we hold about you. We will respond to your request within thirty (30) days or as required by applicable law. In limited circumstances, we may be unable to provide access (for example, if the information contains references to other individuals or cannot be disclosed for legal or security reasons).

‍

13.2 Right of Correction

You have the right to request the correction of any inaccurate or incomplete personal information we hold about you. If we disagree with the requested correction, we will note your request in our records.

‍

13.3 Right to Withdraw Consent

You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, as described in Section 5.3 above.

‍

13.4 Right to Deletion

You may request the deletion of your personal information, subject to our legal obligations to retain certain information (such as financial records for tax purposes). We will process deletion requests in accordance with applicable law and our data retention schedule.

‍

13.5 Right to Complain

If you are not satisfied with our response to your privacy inquiry or complaint, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or the Information and Privacy Commissioner of Ontario at ipc.on.ca.

‍

13.6 Exercising Your Rights

To exercise any of these rights, please contact our Privacy Officer at privacy@hellopearl.app. We may require you to verify your identity before processing your request. We will respond to all requests within thirty (30) days. If we require additional time, we will notify you of the extension and the reasons for it.

‍

14. International and Cross-Border Transfers

All personal information collected through the Platform is stored and processed on servers located in Canada. We do not transfer personal information outside of Canada for processing or storage except in the following limited circumstances:

Where a third-party service provider processes data outside Canada on our behalf, in which case we ensure that contractual safeguards are in place to provide a comparable level of protection to that required under Canadian privacy law.
Where required by law or court order.

If we transfer personal information outside of Canada, we will inform you in advance and ensure that appropriate safeguards are in place in accordance with PIPEDA requirements. We will identify any countries outside of Canada where personal information may be stored or accessed, along with the purposes for such transfers, in an appendix to this Privacy Policy if applicable.

‍

15. Additional Provisions for U.S. Users (HIPAA)

To the extent that ProveraCare acts as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (HIPAA) in connection with services provided to U.S.-based healthcare entities, we comply with applicable HIPAA requirements, including:

Implementing administrative, physical, and technical safeguards to protect Protected Health Information (PHI) in accordance with the HIPAA Security Rule.
Entering into Business Associate Agreements (BAAs) with Covered Entities as required.
Reporting breaches of unsecured PHI in accordance with the HIPAA Breach Notification Rule.
Limiting the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
Ensuring that subcontractors who access PHI agree to the same restrictions and conditions that apply to ProveraCare as a Business Associate.

U.S. users may also have additional rights under state privacy laws. If you believe you have rights under specific state privacy legislation, please contact our Privacy Officer.

‍

16. Additional Provisions for Ontario Health Information (PHIPA)

Pearl may collect, use, or disclose personal health information as defined under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA). Where the Platform processes personal health information:

We obtain express consent before collecting, using, or disclosing personal health information, except where implied consent is permitted under PHIPA (such as within a circle of care for the purpose of providing health care).
We limit the collection, use, and disclosure of personal health information to the minimum amount necessary to fulfill the identified purpose.
We maintain audit logs that record access to personal health information, including the date, time, identity of the person accessing the information, and the nature of the access.
We notify the Information and Privacy Commissioner of Ontario of any theft, loss, or unauthorized access to or disclosure of personal health information.
We comply with the 2020 PHIPA amendments relating to consumer electronic service providers, including obtaining consent before using an individual’s personal health information.

‍

17. Artificial Intelligence and Automated Decision-Making

The Platform uses AI-enabled features to provide coordination assistance, task suggestions, and service recommendations. We are committed to transparency regarding our use of AI:

AI processing occurs on servers located in Canada.
AI Features do not make decisions that have legal or similarly significant effects on individuals without human review.
AI Features are trained and operated in a manner designed to minimize bias and inaccuracy.
You may opt out of certain AI Features through your account settings without affecting your ability to use the core coordination features of the Platform.
We do not sell personal information to third parties for AI training purposes.
Personal information submitted to the Platform is not used to train publicly available artificial intelligence models.
Any AI processing occurs within ProveraCare‑controlled systems and is used solely to provide functionality within the Platform.
We regularly review and audit AI Features for accuracy, fairness, and compliance with applicable privacy law.

‍

18. Children’s Privacy

The Platform is not directed at children under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@hellopearl.app.

‍

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email and through a prominent notice on the Platform at least thirty (30) days before the changes take effect. The “Last Updated” date at the top of this Policy indicates when the most recent revision was made. Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

‍