Privacy Policy for USA

At ToothBox® (the “Company”), we are committed to maintaining the accuracy, confidentiality and security of Personal Information. Company has adopted a Privacy Policy in order to address the specific privacy concerns on how we collect, use, and disclose Personal Information of customers, clients and employees. It is our policy to comply with the privacy legislation within each jurisdiction in which we operate in the United States.

The following describes how the Personal Information, which we collect as part of the business, will be handled.

Health Insurance Portability And Accountability Act (HIPAA)

In the US, the HIPAA Privacy Rule addresses patient privacy issues and regulates how protected health information or “PHI” can be used and disclosed by parties, subject to HIPAA’s requirements. Generally speaking, healthcare providers and health plans/insurers (referred to as “covered entities”), as well as their vendors or contractors who access PHI to perform services for or on behalf of those parties (referred to as “business associates”), are required to abide by HIPAA. PHI that is subject to HIPAA’s privacy protections includes medical records and any other individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate.

As a dental laboratory and supply company, Company is considered a “health care provider” under HIPAA because it furnishes, bills, or is paid for health care (defined as care, services or supplies related to one’s health) in the normal course of business. However, not all health care providers are considered covered entities subject to HIPAA, and because Company does not engage in any HIPAA covered transactions such as billing third-party payors for its services, it is not subject to HIPAA’s requirements. Our dentist customers can share PHI with us under the use and disclosure allowances for treatment purposes under HIPAA’s Privacy Rule, which authorize covered entities to share PHI with other health care providers or third parties to provide, coordinate and manage health care and related services to patients.

In the case of a dental laboratory, such treatment includes the actions of the laboratory in providing the prosthetic, the communication between the dentist and the laboratory, and supplying the prosthesis to the patient. The American Dental Association confirmed this conclusion with the Office for Civil Rights, the federal agency responsible for enforcing HIPAA. See https://www.ada.org/en/publications/ada-news/2017-archive/march/ocr-responds-to-question-about-dental-labs-business-associateagreements. Although a business associate agreement is not required between us and our dentist customers, we are dedicated to preserving the confidentiality of all of our customers and their data, including patient data. To that end, Company requires (and therefore only requests) very little PHI from dentist customers to perform its health care services, usually limited to patient name, gender, and medical or dental conditions that need to be considered in providing treatment to the patient by Company. Our customers can have confidence in the fact that we will only use or disclose patient data we receive in strict accordance with applicable laws and regulations.

However, in some cases, business associate agreements may be required if, for example, Company provides other (nontreatment) services or functions on behalf of a dentist customer that fall within the definition of business associate and require access to PHI. Where this is the case, we have a duty to protect patient privacy in accordance with HIPAA and have implemented policies and procedures for ensuring proper protection of PHI in compliance with HIPAA’s Privacy and Security Rules applicable to business associates. Specifically, each Company workforce member is responsible for maintaining and protecting all PHI to which they have access, and for only using or disclosing PHI in accordance with applicable laws and regulations. All Company employees and representatives have been informed of these responsibilities through this Privacy Policy, our Privacy Code, and/or the Company’s HIPAA training. Company has also designated a Chief Privacy Officer to oversee our compliance with HIPAA and other privacy requirements, as well as a Security Officer to ensure electronic PHI is also protected in a HIPAA compliant manner.

Personal Information

Personal Information defined

“Personal information” includes all the information provided to us by our customers, clients, employees, suppliers, contractors, and consultants, and may also include, but is not limited to, contact information, social security numbers, customer account information, health information, and information customers provide to us during the normal course of communication between dentists and Company staff that apply to specific individuals or customer entities. Personal information excludes publicly available information or information obtained from a third party.

Collection

The Company collects Personal Information by reasonable, lawfully permitted means and thus we limit the collection, use and disclosure of Personal Information to that which is reasonably necessary to administer our dental laboratory business. Thus, this may include collection in order to understand specific needs of customers, clients and employees, in order to meet legal, regulatory and contractual requirements, to facilitate the delivery of products and services, to maintain contact information, and to provide information. We will identify the reasons for which we collect Personal Information, either before or at the time of collection. The Personal Information we may collect is dependent upon the party who the information is being collected from and the reason for its collection.

We will only collect, use and disclose Personal Information with knowledge and consent, except where otherwise permitted or required by law. Our collection of Personal Information will be restricted to what is reasonable and necessary for the reasons identified and shall only be collected by reasonable and lawful means. Personal information will only be used, disclosed or retained for the purposes for which it was originally collected, unless otherwise permitted, or when required or permitted by law. We will only retain Personal Information for the period of time necessary to fulfill the purposes for which it was collected, or as required to be maintained by applicable laws or regulations. Lastly, information about our policies and practices at Company pertaining to how Personal Information is used, stored or disposed of, will be made readily available upon request.

Forms of Collection

Depending on whether it is a customer, client or employee relationship with us, we may collect your Personal Information through various forms, including but not limited to, Company prescription pads, email, the Brightsquid Dental platform, employment forms, insurance forms, our website, etc.

Email and Email Campaigns:

If you are a customer or client, prior to marketing to you through email, we will confirm with you that we have your permission to do so. Any and all email campaigns sent to customer patients will be compliant with HIPAA as well as any other federal, state or local laws or regulations applicable to email use.
In addition, complying with applicable laws, all email communications from Company will also include the following:

  • a double opt-in where permission to send the email is received both at the time of sign-up with us, and upon receipt of the first message;
  • identification of the message source, and if to US recipients, a postal address for the message origin;
  • a conspicuous “unsubscribe” function; and
  • a contact email address for questions and concerns.

The Company Website:

Prior to collecting any of your Personal Information through our website, we will explain to you what we intend to do with that information.

Employees, Suppliers, Consultants, & Contractors

If you are, or are potentially, an employee or contractor/consultant, we collect your name, address, telephone number, and other relevant Personal Information including emergency contacts, family and health benefit information, past employment, educational experience and evaluative information. We use your Personal Information for lawfully authorized purposes relevant to our employment/contracting relationship including:

  • Administration of benefits and payroll
  • Entitlement for benefits, raises, bonuses and/or promotions
  • Business development and marketing

Clients and Customers

If you are a client or customer, we may collect Personal Information that we require in order to complete your project satisfactorily. We may collect information about you, and, if applicable, your employees, and/or others associated with your organization (such as contractors or consultants). These requests may include name, telephone, fax, email address, job title, and any other information that may be required as your project progresses. This information is used for:

  • Confirming your business identity
  • Entering into a service contract with us
  • Development of plans and documents necessary to the satisfactory completion of your project

We may require certain patient information, including:

  • the name and gender of your patient seeking services from us
  • your patient’s pertinent health information necessary for rendering services to him/her, which will be used as permitted by applicable law

Consent

Consistent with privacy principles and applicable legislation, and where reasonably possible, the Company only collects, uses or discloses Personal Information with the consent of the individual. Note, however, that consent may take several forms, either explicit or implicit, as well as a failure to opt out of or object to certain use or disclosure of Personal Information, depending on the circumstances and/or legal requirements for consent applicable to the circumstances.

If you are an employee or contractor/consultant, you are hereby notified that your Personal Information will be collected, used and disclosed to establish and generally to manage our employee or contractor/consultant relationship and facilitate the completion of projects with third parties. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) Personal Information may legally be collected, used or disclosed without your knowledge or consent.

If you are a client or customer, you consent to supply certain pertinent Personal Information to us. You also consent to the use of that Personal Information to administer, implement and perform our services as they relate to your project. You also represent that you have obtained the consent required by applicable laws and policies to the disclosure of any Personal Information you share with us. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) the Personal Information may legally be collected, used, or disclosed without your knowledge or consent.

Use & Disclosure Of Personal Information

The Company will not use or disclose Personal Information to any third party unrelated to our performance of services for you, except as permitted or required by applicable law, unless you consent to such use or disclosure. Your Personal Information shall be disclosed only to those who have a “need to know” and the specific information shall be restricted to only that information relevant to the recipients’ need to know, subject to permissible use and disclosure allowances and restrictions under applicable law (i.e., HIPAA for patient protected health information). Those who need to know may include employees, contractors, consultants, and dental and other health benefit providers. You may request restrictions on how or to whom we disclose your Personal Information, and to the extent feasible or required by law, Company will seek to comply with that request.

WE WILL NOT SELL YOUR PERSONAL INFORMATION. We will not use or disclose your Personal Information to third parties in exchange for remuneration without your consent, except as expressly permitted or required by applicable law. The Company may use and/or disclose your Personal Information without your consent only in limited circumstances, including but not limited to the following (functions beginning with “to” below are disclosure permissions only):

  • To our vendors and subcontractors to perform services for or on our behalf, provided we obtain reasonable assurances from them to protect your Personal Information consistent with any requirements of applicable law;
  • To a lawyer or other business advisor representing the Company, provided the Company obtains the requisite assurances from the advisor to protect your Personal Information as required by applicable law;
  • As needed for the proper management and administration of our business, to the extent permitted by applicable law;
  • With a payor or third-party insurer in order to collect a debt you may owe to the Company;
  • With others within Company for management and administration of our business relationships, to satisfactorily complete our obligations with you and/or your dental care providers, as necessary to help serve you better, subject to restrictions or limitations imposed by applicable law;
  • For research, to the extent permitted by law and subject to applicable legal requirements thereto;
  • For certain limited marketing functions, to the extent such marketing activities do not require your consent and are consistent with applicable law;
  • To comply with a subpoena, a warrant or an order made by the court or other body with appropriate jurisdiction, to the extent permitted or required by law;
  • To a law enforcement official or health oversight agency, provided that such use or disclosure would comply with applicable law;
  • In emergency circumstances, unless Company knows such disclosure would be contrary to your wishes or best interests, and disclosure is not required by law;
  • If it is publicly available and thus not considered Personal Information subject to this Privacy Policy and/or under applicable law; or
  • If required by law.

Any information shared will be done so with the condition that they will only use and retain such Personal Information for the specific purpose for which they are engaged by Company. Where HIPAA applies to any patient Personal Information to be shared, Company will comply with HIPAA’s requirements to obtain written assurances from the third-party recipient to use and protect such information in accordance with HIPAA’s requirements, if so required. Any third party to which Company discloses your Personal Information is required to protect the confidentiality of your Personal Information in a manner consistent with our own internal process, or as required by law.

Third Party Transfers

As specified above, from time to time the Company may retain third parties to help us promote, implement and administer our services. As such, the Company may need to transfer to these third parties the Personal Information they need to perform their obligations.

The Company will take all reasonable steps to protect the Personal Information from unauthorized uses and disclosures while in the hands of the third party, and will require its subcontractors or other third parties performing work on its behalf to protect the Personal Information as required by applicable laws to ensure that an appropriate level of Personal Information protection is provided by these third parties, including restricting their use of the information for any unauthorized purpose, and/or entering into a written agreement obligating the third party to protect the Personal Information in accordance with applicable laws.

The Company will also seek to retain the right to audit and inspect how the third party handles and stores the information transferred to them, and we will exercise a right to audit and inspect the information if warranted by the circumstances.

Retention And Security Of Your Information

Notwithstanding other requirements of this Policy, we will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We will protect the Personal Information we collect with security safeguards appropriate to the sensitivity and/or legal classification of the information consistent with all legal requirements. The Company maintains complete records of the storage locations of Personal Information, both paper and electronic.

The Company will take appropriate security measures to protect your Personal Information against loss, theft, unauthorized access or disclosure, improper use, alteration or destruction. We currently employ physical safeguards such as security systems, locked storage on and off-site, locked storage access limited to restricted personnel only, offsite backup, and additional facility, workstation and device/media controls. We also have technological safeguards in place such as network security, firewalls, antivirus, and encryption, audit and data integrity controls, personal authentication and transmission security protections. The administrative safeguards we have in place include but are not limited to employee training in data privacy and security issues, circulation and mandatory compliance with Privacy Policies and Privacy Code, assigned security responsibility, security incident procedure adherence, contingent planning, subcontractor business associate agreements and other contractual controls to safeguard Personal Information as required by law.

If you are a customer, upon your written and reasonable request, your Personal Information will be erased from our records where permitted by law, though removal of your Personal Information from our records may affect our ability to provide you with our services or products.

If you are an employee or contractor/consultant, Personal Information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. We may retain your Personal Information for up to seven (7) years, unless longer retention is required by law.

If you are a customer, Personal Information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. When seven (7) years have elapsed after the substantial completion of your last contract, all Personal Information pertaining to you and your employees will be permanently destroyed and erased from our records, unless extended retention is required by applicable law.

Access

You have the right to ask whether we hold any Personal Information about you, what kind of information we are holding, and what we use and disclose your information for. You can request access to your Personal Information maintained by Company at any time. If you are a patient, we will respond to your request within 30 days, unless sooner required by applicable state law, unless we are contractually or legally obligated to provide the information and/or your request for information to your dental provider to provide to you directly. There may be a small charge for each request, where permitted by law. If charges apply, we will notify you in writing and seek your approval of the charges prior to processing your request. If you believe any of the information we have collected from you is incorrect or incomplete, you have the right to request that we change it.
You may submit your request in writing to the Company’s Privacy Officer:

ToothBox USA Ltd.
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer

Please specify as much as possible which Personal Information you are requesting. We will respond as quickly as possible, and we will inform you if for some reason we are unable to respond within the 30-day time frame. In certain specific circumstances, we may have the legal right to refuse your request for access.

Complaints

You may contact us at any time with suggestions, questions, and complaints about this policy. If you feel the Company has not complied with appropriate privacy law or regulations, you may register a privacy-related complaint with our Chief Privacy Officer, or the applicable government agency responsible for enforcement of such privacy law. You may at such time request that we correct or remedy such non-compliance and we will respond to your complaint promptly once we have had an opportunity to complete an investigation. Please address any complaints to our Chief Privacy Officer at the contact information listed above in Section 8.

We reserve the right to revise this policy from time to time and will publish revisions accordingly.

Privacy Policy for Canada

At ToothBox® (the “Company”), we are committed to maintaining the accuracy, confidentiality and security of Personal Information. Company has adopted a Privacy Policy in order to address the specific privacy concerns on how we collect, use, and disclose Personal Information of customers, clients and employees. It is our policy to comply with the privacy legislation within each jurisdiction in which we operate in Canada.

The following describes how the Personal Information, which we collect as part of the business, will be handled.

The Personal Information Protection And Electronic Documents Act (PIPEDA)

In brief, PIPEDA is the acronym for the Personal Information Protection and Electronic Documents Act. This is a Federal Act which sets out basic policies for the management of personal information collected, used, and distributed in the private business sector in Canada. It is federal legislation applicable to all provinces in Canada, except where the Province may have adopted similar legislation. Thus, organizations must, under the Act, obtain an individual’s consent when collecting, using, or disclosing that information. The individual has the right to access that information held, and to contest the correctness if warranted. The information can only be used for the purpose for which it was originally collected. If we need to or would like to use it for another objective, consent must then be acquired again. Your privacy is of utmost concern to us, and this Privacy Policy manual will explain both your rights and ours. Each employee or representative of the Company is responsible for maintaining and protecting all personal information under their control. Each employee or representative has been informed of these responsibilities through this Privacy Policy and our Privacy Code. We have also designated a Chief Privacy Officer to oversee our compliance with PIPEDA and this Privacy Policy.

Provincial And Territorial Statutes To Govern Privacy

In addition, provincial and territorial governments have enacted statutes specifically aimed at protecting personal information in the private sector. Some provinces have passed legislation aimed at protecting personal health information, and some have passed legislation that applies to municipalities. This Policy is intended to comply with all Provincial and Territory regions within which we operate.

Canada’s Digital Charter

The Government of Canada has announced its Digital Charter, and launched its National Digital and Data consultations by publishing an accompanying paper entitled Strengthening Privacy for the Digital Age, which included numerous recommendations for amending PIPEDA.

In its Digital Charter, the Government of Canada tackles digital and data transformation, setting out its ten principles to guide amendments to PIPEDA. The proposed amendments include:

  • Enhancing the control and transparency that individuals have over their personal information by requiring specific standardized plain language information on its use;
  • Providing data mobility opportunities to support greater individual control over data and promotion of consumer choice; and
  • Strengthening enforcement mechanisms, including enhanced penalties for noncompliance.

The Prime Minister’s Office has delivered a mandate letter to the Minister of Innovation, Science and Industry, outlining a number of data protection initiatives for the Ministry, to potentially include:

  • advancing Canada’s Digital Charter;
  • enhancing the power of the Office of Privacy Commissioner of Canada, such as adding the ability to award administrative monetary penalties, creating new offences, or providing additional oversight by the Federal Court of Canada to incentivize compliance;
  • establishing a new set of rights for individuals online, including:
    1. data portability/privacy; and
    2. the right to be forgotten.
  • enhancing knowledge of how personal data is being used; and
  • creating new regulations for large digital companies to protect personal data and to encourage greater competition in the digital space.

Each of these amendments, if implemented, has the potential to effect a fundamental change in the way we would be able to collect, use, and disclose personal information. These amendments would serve to better align us with the data protection regime in the European Union under the General Data Protection Regulation (GDPR), and to better allow for free data exchanges between the EU and Canada, with the exception of employee data and under certain conditions. We will stay on top of these announcements by the Canadian Government, and revise our Privacy Policy accordingly when these privacy changes come to PIPEDA.

Privacy Protocols

This policy governs how we may acquire, manage, store, and dispose of private and personal information. Private information may include:

  • “Private health information” which is defined to include all personal medical records and any other health information that is created or received by a health care provider. As we work closely with dentists to treat their patients, we may come into contact with some of this health information, and as such we have a duty to protect patient privacy. We have implemented policies and procedures for ensuring proper protection of privacy and data security.
  • “Personal Information” includes all the information provided to us by our customers, clients, employees, suppliers, contractors, and consultants, and may also include, but is not limited to, contact information, social security numbers, customer account information, health information, and information customers provide to us during the normal course of communication between dentists and Company staff that apply to specific individuals or customer entities. Personal information excludes publicly available information.

More specifically, what we may collect is dependent upon the party who the information is being collected from and the reason for its collection.

Each employee or representative of the Company is responsible for maintaining and protecting all personal information under their control. Each employee or representative has been informed of these responsibilities through this Privacy Policy and our Privacy Code. The Company has also designated a Chief Privacy Officer to oversee our compliance with PIPEDA and our Privacy Policy.

Information Management Agreements

The Privacy Rules under certain Provincial statutes do not require that we establish an Information Management Agreement with our Dentist customers regarding the protected health information, as the services we provide are “laboratory services” and are for “treatment” purposes only and do not include any other administrative services provided on behalf of the dentist. Moreover, the Company does not receive the following patient information:

  • patients’ telephone numbers;
  • patients’ addresses;
  • patients’ medical records;
  • patients’ personal family information; or
  • any other personal information belonging to the patient not required for treatment purposes.

The information that we receive from the dentist is limited to the patient’s name, sometimes gender, and if required, the patient’s health issues, used to identify the patient’s case and in its treatment. We do not receive, collect, or maintain patients’ telephone numbers, addresses, birth dates, social security numbers, medical records or data directly identifying individuals’ relatives, employers or household members.

Dentists, as custodians, are allowed under certain Provincial and Territorial statutes to disclose individually identifiable health information to laboratories as necessary for patient treatment. We must only collect the health information that is necessary for us to carry out our dental laboratory services. We must not use health information in any manner that is not in accordance with our duties to the custodian. Thus, although an Information Management Agreement is not required between us and the dentist, we are committed to protecting the confidentiality of all of our customers, and no doctor-patient confidential information we receive will be released without specific permission.

Personal Information

Collection

The Company collects personal information by reasonable, lawfully permitted means and thus we limit the collection, use and disclosure of personal information to that which is reasonably necessary to administer our dental laboratory business. Thus, this may include collection in order to understand your specific needs, in order to meet legal, regulatory and contractual requirements, to facilitate the delivery of products and services to you, to maintain your contact information, and to provide information to you. We will identify the reasons for which we collect your personal information, either before or at the time of collection. We will only collect, use and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by law. Our collection of your personal information will be restricted to what is reasonable and necessary for the reasons identified to you, and shall only be collected by reasonable and lawful means. Your personal information will only be used, disclosed or retained for the purposes for which it was originally collected, unless you have permitted otherwise, or when required or permitted by law. We will only retain your personal information for the period of time necessary to fulfill the purposes for which it was collected. Lastly, information about our policies and practices at the Company will be made readily available to you upon request.

Forms of Collection

Depending on the relationship you have with us, we may collect your personal information through various forms, including but not limited to, Company prescription pads, email, employment forms, insurance forms, our website, etc.

Email and Email Campaigns:

If you are a customer, prior to marketing to you through email, we will confirm with you that we have your permission to do so. Any and all email campaigns will be compliant with PIPEDA guidelines, and will comply with CASL, as well as any other Canadian legislation applicable to email use, and specifically will include the following:

  • a double opt-in where permission to send the email is received both at the time of sign-up with us, and upon receipt of the first message;
  • identification of the message source;
  • an “unsubscribe” function; and
  • a contact email address for questions and concerns.

Our Websites:

Prior to collecting any of your personal information through our website, we will explain to you what we intend to do with that information.

Employees, Suppliers, Consultants, & Contractors

If you are, or are potentially, an employee or contractor/consultant, we collect your name, address, telephone number, and other relevant personal information including emergency contacts, family and health benefit information, past employment, educational experience and evaluative information. We use your personal information for lawfully authorized purposes relevant to our employment/contracting relationship including:

  • Administration of benefits and payroll
  • Entitlement for benefits, raises, bonuses and/or promotions
  • Business development and marketing

Clients and Customers

If you are a client or customer, we may collect Personal Information that we require in order to complete your project satisfactorily. We may collect information about you, and, if applicable, your employees, and/or others associated with your organization (such as contractors or consultants). These requests may include name, telephone, fax, email address, job title, and any other information that may be required as your project progresses. This information is used for:

  • Confirming your business identity
  • Entering into a service contract with us
  • Development of plans and documents necessary to the satisfactory completion of your project

In providing ongoing service on a project for you, we may require your patient information, including:

  • the name of your patient
  • your patient’s health information provided solely for the purpose of completing the project

Consent

Consent is defined as the “voluntary agreement with what is being done or proposed”. Consent can be explicit or implied, or given by not opting out. Express consent is given explicitly, either orally or in writing. Express consent is undisputable and does not necessitate any presumption on the part of the Company when seeking the consent. Implied consent occurs where consent may logically be understood from the action or inaction of the individual.

Consistent with privacy principles and applicable legislation, and where reasonably possible, the Company only collects, uses or discloses personal information with the consent of the individual. The Company is careful to select a fair and reasonable form for the consent required in the circumstances. If you are an employee or contractor/consultant, you are hereby notified that your personal information will be collected, used and disclosed to establish and generally to manage our employee or contractor/consultant relationship and facilitate the completion of projects with third parties. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) personal information can be collected, used or disclosed without your knowledge or consent.

If you are a customer, you consent to supply certain pertinent personal information. You consent to the use of that personal information to administer, implement and perform our services as they relate to your project. You also represent that you have obtained the consent required by applicable laws and policies to the disclosure of that personal information. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) the personal information can be collected, used, or disclosed without your knowledge or consent.

Use & Disclosure Of Personal Information

The Company will not use or disclose Personal Information for purposes other than those for which it was collected, except with your consent or as required by law. Your Personal Information shall be disclosed only to those who have a “need to know” and the specific information shall be restricted to only that information relevant to the recipients’ need to know. Those who need to know may include employees, contractors, consultants, and dental and other health benefit providers. Also, the Personal Information disclosed is limited to only that Personal Information required for the purpose. You may specify restrictions on whom we disclose your Personal Information to, or restrict the content disclosed.

WE WILL NOT SELL YOUR PERSONAL INFORMATION. We will not use or disclose it to third parties without your knowledge or permission, except in special circumstances, where consent is not required under legislation.

When we may use your information without your consent

The Company may use and/or disclose your Personal Information without your consent only in limited circumstances, including but not limited to the following (functions beginning with “to” below are disclosure permissions only):

  • We have reasonable grounds to believe that the Personal Information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • for an emergency that threatens an individual’s life, health, or security; in emergency circumstances, unless Company knows such disclosure would be contrary to your wishes or best interests, and disclosure is not required by law;
  • for statistical or scholarly study or research (in such case the Company must notify the Privacy Commissioner of Canada before using the information);
  • if it is publicly available as specified in the applicable legislation;
  • if the use is clearly in the individual’s interest and consent is not available in a timely way; or
  • if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of federal, or provincial law;
  • To our vendors and subcontractors to perform services for or on our behalf, provided we obtain reasonable assurances from them to protect your Personal Information consistent with any requirements of applicable law;
  • To a lawyer or other business advisor representing the Company, provided the Company obtains the requisite assurances from the advisor to protect your Personal Information as required by applicable law;
  • As needed for the proper management and administration of our business, to the extent permitted by applicable law;
  • With a payor or third-party insurer in order to collect a debt you may owe to the Company;
  • With others within Company for management and administration of our business relationships, to satisfactorily complete our obligations with you and/or your dental care providers, as necessary to help serve you better, subject to restrictions or limitations imposed by applicable law;
  • For research, to the extent permitted by law and subject to applicable legal requirements thereto;
  • For certain limited marketing functions, to the extent such marketing activities do not require your consent and are consistent with applicable law;
  • To comply with a subpoena, a warrant or an order made by the court or other body with appropriate jurisdiction, to the extent permitted or required by law;
  • To a law enforcement official or health oversight agency, provided that such use or disclosure would comply with applicable law;
  • If it is publicly available and thus not considered Personal Information subject to this Privacy Policy and/or under applicable law; or
  • to the Financial Transaction and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or any other applicable anti-money laundering Act;
  • to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;
  • to an investigative body named in the Regulations of the Act or government institution on the Company’s initiative where the Company has reasonable grounds to believe that the Personal Information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security, the defence of Canada or the conduct of international affairs;
  • 20 years after the individual’s death or 100 years after the record was created if in Canada;
  • If required by law.

Any information will be shared on the condition that the recipients will only use and retain such Personal Information for the specific purpose for which they are engaged by the Company. Any third party to which the Company discloses your Personal Information is required to protect the confidentiality of your Personal Information in a manner consistent with our own internal process, or as required by law.

Third Party Transfers

As specified in Section 6 above, from time to time the Company may retain third parties to help us promote, implement and administer our services. As such, the Company may need to transfer to these third parties the personal information they need to perform their obligations. “Transfer” is a “use” by an organization and is not to be confused with disclosure. In such cases, the Company must take all reasonable steps to protect the personal information from unauthorized uses and disclosures while in the hands of the third party. The Company will thus take all reasonable contractual steps to ensure that a comparable level of personal information protection is provided by these third parties, including restricting them from using the information for any other purpose.

When we disclose or provide your personal information to a third party as permitted by these principles, the Company will require them, by agreement, instruction or otherwise, to comply with the requirements that are embodied in these principles. We will also ensure that we are satisfied that the third party has similar policies and processes in place, including training of the staff and other effective security measures to ensure that the information in its care is properly safeguarded at all times. The Company will also retain the right to audit and inspect how the third party handles and stores the information transferred to them, and we will, if needed, exercise our right to audit and inspect the information.

Accuracy

The Company will make every reasonable effort to ensure that the personal information we obtain from you will be maintained as accurately and completely as necessary for its purpose. Your personal information will be verified in our records and updated if necessary each time you notify us of a change, and as practical during the course of our business relationship with you. It is your responsibility to notify us immediately of any change in personal information which you have previously supplied to us. For more information on accuracy of your information, please see Section 11 below.

Retention And Security Of Your Information

We will only retain your personal information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We will protect the personal information we collect with security safeguards appropriate to the sensitivity of the information. The Company maintains complete records of the storage locations of personal information, both paper and electronic.

The Company will take appropriate security measures to protect your personal information against loss, theft, unauthorized access or disclosure, improper use, alteration or destruction. We currently employ physical safeguards such as security systems, locked storage on and off-site, locked storage access limited to restricted personnel only, offsite backup, etc.

We also have technological safeguards in place such as network security, firewalls, antivirus, encryption, etc. The administrative safeguards we have in place include employee training in privacy issues, circulation and mandatory compliance with Privacy Policies and Privacy Code.

If you are a customer, upon your written and reasonable request, your personal information will be erased from our records, though removal of your personal information from our records may affect our ability to provide you with our services or products.

If you are an employee or contractor/consultant, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. We may retain your personal information for up to seven (7) years.

If you are a customer, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. When seven (7) years have elapsed after the substantial completion of your last contract, all personal information pertaining to you and your employees will be permanently destroyed and erased from our records.

Access

You have the right to ask whether we hold any personal information about you, what kind of information we are holding, and what we use and disclose your information for. You can request access to your personal information maintained by the Company at any time. We will respond to your request within 45 days. There may be a small charge for each request. If charges apply, we will notify you in writing and seek your approval of the charges prior to processing your request. If you believe any of the information we have collected from you is incorrect or incomplete, you have the right to request us to change it. Where we have obtained medical information about you from a dentist, we will only release this information to you and/or back to the dentist.

You may submit your request in writing to the Company’s Privacy Officer:

ToothBox Canada Ltd.
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer

Please specify as much as possible which personal information you are requesting. We will respond as quickly as possible, and we will inform you if for some reason we are unable to respond within the 45-day time frame. In certain specific circumstances, we have the legal right to refuse your request for access.

Complaints

You may contact us at any time with suggestions, questions, and complaints about our Privacy Policy and Privacy Code. If you feel the Company has not complied with appropriate privacy principles or practices, you may register a privacy-related complaint with our Chief Privacy Officer. You may at such time request that we correct or remedy such non-compliance and we will respond to your complaint promptly once we have had an opportunity to complete an investigation. If a complaint is justified, we will take all reasonable steps to correct the non-compliance, which may include updating our policies and practices at the Company. Please address any complaints to:

ToothBox Canada Ltd.
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer

We reserve the right to revise this policy from time to time, as privacy laws and practices evolve and will publish revisions at our earliest reasonable convenience.

ToothBox® © (2020). Reproduction of this work in whole or in part by any means whatsoever is strictly prohibited without the express written consent of ToothBox Canada Ltd. All rights reserved.