Demo for clinics — decision-support only.
This tool supports triage and workflow; it is not a diagnosis or treatment.
1. Who we are
Aqueo Health Inc. (“Aqueo”, “we”, “us”) provides a pre-screening and triage-support tool used by clinics.
Under the Personal Health Information Protection Act (PHIPA) in Ontario and comparable provincial laws, your clinic is the Health Information Custodian (HIC).
Aqueo acts as the clinic’s agent (sometimes called “service provider” or “processor”) and processes information only on the clinic’s behalf and under its instructions.
Each clinic signs a written Agent Agreement with Aqueo before data collection begins, defining responsibilities for privacy, retention, and breach notification.
When Aqueo interacts directly with you outside the clinical intake flow (for example, if you email support or submit a website contact form), Aqueo acts as a controller for that limited context under PIPEDA.
2. What we collect (clinical intake tool)
- Symptom questionnaire responses and score (e.g., OSDI-6 / DEQ-5, depending on clinic workflow).
- Blink test metrics (blink dynamics and quality indicators).
- Lifestyle and exposure information (optional) — limited information about daily activities and environment that may affect eyes, such as approximate daily screen/close-up work time, contact lens wear and comfortable wear time, and time spent in air-conditioned or heated indoor places.
- Optional blink video + research/validation data — collected and used only if you explicitly consent. The intake works without video upload or research use. Where consent is provided, only a cropped recording of the eye region (no audio) is uploaded.
- Clinician-entered findings (optional) — after clinic visits, clinicians may enter findings such as dry eye status, primary driver (DEWS III), severity, treatment decisions, and optional test results (e.g., TBUT, osmolarity, staining, meibomian assessments).
- Technical data (browser/device, timestamps, error codes) for reliability and security.
- Clinic context (clinic identifier/code) so results are matched to the clinic visit.
Aqueo does not collect direct patient identifiers such as name, phone number, or email in the clinical intake flow.
Each intake record is stored under a pseudonymous Intake ID and clinic identifier. The clinic maintains any linkage between that Intake ID and a medical chart.
We do not sell personal information and do not use uploaded videos for advertising or unrelated machine-learning models.
3. Website inquiries (contact form)
If you contact us through our website contact form, we collect:
- Name
- Work email
- Organization
- Message content
- Topic (e.g., General / Privacy / Pilot)
- Technical metadata (such as timestamps and basic request metadata needed for security and reliability)
We use this information to receive and respond to your inquiry and to support security and abuse prevention.
This contact-form information is not part of the clinical intake dataset stored in S3. It is processed by our website hosting provider and sent to our inboxes via email delivery services (see “Storage & service providers” and “Subprocessors”).
4. How we use information (clinical intake tool)
We use clinical intake information to:
- Clinical triage support: assist the clinic’s workflow and prioritization.
- Service operation & safety: troubleshoot issues, prevent abuse, secure the platform.
- Product improvement: improve accuracy and usability using de-identified or aggregated data. We may use de-identified or pseudonymised information from questionnaires, optional lifestyle questions, blink tests, and clinician-entered findings to develop, train, validate, and improve algorithms (including machine learning models) that improve the accuracy, usability, and reliability of the Aqueo service.
- Research/validation (optional): only if the video/research consent is given or the clinic instructs it under its authority. All optional research use is conducted under the clinic’s oversight and ethics framework, using de-identified data only.
5. Storage & service providers
5.1 Clinical intake data
Clinical intake data resides in AWS ca-central-1 (Canada Central region). Storage (archive and uploads) uses S3 buckets encrypted with customer-managed KMS keys (SSE-KMS). No cross-region replication is enabled.
S3 lifecycle policy (clinical S3 buckets):
- Objects stored in Standard S3 on upload
- After 30 days → Glacier Instant Retrieval
- After 365 days → Glacier Deep Archive
- After 1095 days (≈ 3 years) → permanent delete
Automatic expiration is handled by S3 lifecycle rules.
5.2 Website inquiries (contact form)
Website inquiries are processed by:
- Vercel (website hosting and serverless execution for the contact-form endpoint), and
- AWS Simple Email Service (SES) (email delivery for contact-form messages)
These services may process information outside Canada depending on the service and routing. We use contractual safeguards and least-privilege access controls.
6. Retention & disposal
6.1 Clinical intake data
Clinical data stored in S3 buckets follows the automated lifecycle policy described above (approximately three years), unless the clinic instructs earlier deletion.
- Triage records: subject to lifecycle policy above, or deleted per clinic instructions if earlier.
- Uploaded videos (where used): subject to lifecycle policy above, or deleted per clinic instructions if earlier.
- Aggregated data: kept only in non-identifiable form for analytics and service reliability.
- Security logs: retained for 90 days in CloudWatch Logs (ca-central-1) with KMS encryption.
- Upon termination of a clinic’s account, Aqueo deletes or returns records per the Agent Agreement.
6.2 Website inquiries (contact form)
We retain website inquiry messages and related correspondence as long as needed to respond and for reasonable business recordkeeping. We do not publish a fixed retention period for these communications unless and until it is enforced by a specific technical control.
7. Security & audit
Aqueo maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:
- Encryption in transit (HTTPS/TLS) and at rest (AWS SSE-KMS).
- Strict least-privilege access control and session security.
- Scoped file access using time-limited presigned URLs.
- Continuous monitoring, patching, and dependency updates.
- Application logging: clinical payload fields are redacted from application logs by default; logs contain only technical diagnostic metadata such as timestamps, request path, and IP address. Logs are stored in CloudWatch Logs (ca-central-1) with 90-day retention and KMS encryption.
- Audit logging (current pilot): key access events are logged in the system for operational monitoring and security while the service is running.
- Breach notification: Aqueo will notify the clinic/HIC of any unauthorized access, disclosure, or loss of data that it becomes aware of, and cooperate in required regulatory reporting.
8. Cross-border transfers
When limited processing occurs outside Canada (for example, website hosting, DNS/TLS, email delivery, or third-party asset delivery), it is protected by contractual safeguards ensuring comparable privacy protection.
No PHI is transferred cross-border without the HIC’s authorization.
For the current list of subprocessors and their locations, see the Subprocessors page at /subprocessors/.
9. Your choices & rights
- Contact your clinic first. Your clinic is the HIC and is the primary point of contact for access, correction, or questions about your PHI.
- Aqueo contact: You may contact Aqueo at privacy@aqueo.ca for general questions about this Policy and our role as a service provider.
- Optional video and validation consent: You may choose not to allow video upload or participation in product validation and improvement uses. The blink test and questionnaire still function without video upload.
- Withdrawal of consent: Where we rely on consent (for example, optional video and research), you may withdraw that consent on a go-forward basis, consistent with your clinic's processes.
10. Children
The tool is intended primarily for adults unless a clinic has enabled pediatric use in its workflow and obtains appropriate guardian consent in accordance with applicable law.
11. Regulators and oversight
If you have unresolved concerns about how your PHI is handled, you may contact:
- Information and Privacy Commissioner of Ontario — https://www.ipc.on.ca
- Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca
12. Changes & contact
We may update this Privacy Policy from time to time to reflect changes in practice or law. The revised version will include an updated date and will be made available to clinics.
Contact:
Aqueo Health Inc.
Email: privacy@aqueo.ca