This policy protects the personal information and data subject rights of customers or external users of Talkatoo products and services by clearly explaining the following:
- What personal information we need (and why we need it)
- How we protect your personal information and data subject rights
- How to request and access your personal information
- How to give, deny or withdraw consent to use your personal information
- How to give, deny or withdraw consent to collect and use your personal information or make complaints.
- How you will be notified, without unnecessary delay, in the event your personal information leaks to an unauthorized third party.
- Our commitments to legal and regulatory compliance
- Third party services we use and their privacy policies
This policy applies to all personal information stored on systems and media that are owned, leased, or otherwise provided by Talkatoo, regardless of location.
Personal information we may need (and why we need it):
We may collect and process these examples of personal information (at times we may also need to collect other personal information that isn’t listed here):
- Device information (IP address, browser type, internet service provider, referring/exit pages, and date/time stamps)
- Registration information (name, email address, phone number)
- Billing information (credit card information, billing address)
How we may use/process this information:
- We use the Device Information that we collect to help us screen for potential risk and fraud and more generally to improve and optimize our site (for example, by generating analytics about how customers browse and interact with the site, and to assess the success of our marketing and advertising campaigns).
- We use Registration and Billing information to manage our users and process payments.
- We do not sell, rent, or otherwise provide your information to other companies for any marketing purposes.
Protecting your information
Talkatoo has an appointed privacy officer responsible for your rights as a data subject. We have appropriate technical and organizational measures to protect your information. We will handle and protect your information in line with these data protection principles:
- Personal information must be processed fairly and lawfully.
- Personal information must be obtained only for one or more specified and lawful purpose(s) and will not be processed in a manner that is not compatible with that purpose(s).
- Personal information must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Personal information must be accurate and kept up to date when necessary. Personal information must not be kept for longer than is required.
- Personal information must be processed in accordance with your rights as a data subject as set out in the privacy regulation(s) (“HIPAA”).
- Appropriate technical and organizational measures must be in place to protect personal information from unauthorized or unlawful processing and accidental loss, damage or destruction.
- Personal information will not be transferred to a country or territory outside of your country unless we can be assured there is an adequate level of protection of your personal information.
- Any changes or updates to any controls in place to protect your personal information will be communicated to you in writing.
Inventory of Personal Information
In order to protect personal information, Talkatoo keeps an accurate inventory of all personal information that is collected, processed or stored and transferred by Talkatoo.
Cookies are little pieces of data that a website will store on your computer that allow the website to remember a user by the device they use. This may allow a website to remember the state the user left when they closed the browser or to track information about the user’s experience with the website. Some cookies are used to track other analytics about the user’s experience on the website, such as which pages they viewed, what links they clicked or how long they spent on a certain page.
We may track, with your consent, the following details about your experience with our website:
- Tracking Preferences
- Various Analytics
Special Considerations for California residents
As a California resident you have the following rights:
- To opt out of your data being sold, disclosed or traded for services in kind.
- To have a clear and conspicuous option to give or deny consent to your information being disclosed or sold.
- Should you choose to opt out of the collection or use of your personal information, you have the right to acquire the same service or product offering as one who has opted in.
- You have a private right of action which allows you to seek statutory or actual damages in the event that a data breach occurs and is a result of a lack of reasonable security measures. This means that whether or not there was actual loss to you as a person, when your information is leaked as a result of poor security, you have the right to sue or join a class action to pursue damages.
Accessing your information (Subject Access Requests)
You are entitled to ask for a copy of the personal information that we hold about you and to have any inaccuracies in your personal information corrected. When you submit a request for your personal information, you are entitled to:
- Know what personal information Talkatoo is processing or has processed.
- Know the reason(s) and purpose(s) for the processing of your personal information.
- Know if your personal information has been shared and if so with whom and for what purpose(s).
Process for submitting a Subject Access Request
The process for submitting a Subject Access Request is as follows:
- Requests for your personal information are submitted to your organization by email.
How to give, deny or withdraw consent or make complaints
Implicit consent is given if the user uses the services offered by Talkatoo once the cookie banner has been displayed.
Privacy compliance complaints can be made to the following email address:
Permitted and non-permitted disclosures
Talkatoo will only disclose ePHI as permitted and agreed upon in relevant BAAs (Business Associate Agreements) with a covered entity. In no case will Talkatoo employees disclose ePHI in cases not covered in a relevant BAA with a covered entity. *The only exception to this is the case in which the covered entity includes disclosures in the BAA that are in violation of the HIPAA Privacy Rule.
Right to make privacy requests under HIPAA
Talkatoo acknowledges the right of ePHI subjects to make privacy requests under HIPAA. All requests can be made to the following email address.
Denial of Access under HIPAA
Talkatoo acknowledges the requirement to deny a subject access to ePHI under the following conditions:
- The ePHI is a form of psychotherapy notes
- The ePHI is to be used in legal proceedings
- Gratuitous requests from an inmate of a correctional institution
- Research ePHI in which a condition be met to receive treatment
- Denials permitted by HIPAA
- Denials specifically addressed in a BAA with a covered entity
Anti-intimidation and Anti-retaliation under HIPAA
Talkatoo acknowledges that it is unacceptable to intimidate, make threats of retaliation or retaliate against ePHI subjects exercising their rights, or against well-intentioned individuals such as employees during the execution of their duties, for any of the following:
- Making a complaint as per their rights under HIPAA.
- Testifying, assisting or aiding in any audit, legal hearing, legal proceeding or investigation relating to an ePHI incident, breach or violation.
- Any activity that is consistent with a “Whistleblower”, including openly opposing or exposing any activity that the individual believes to be a violation of HIPAA or an ePHI subject's rights.
Correct inaccuracies to your personal information
You have the right to correct any inaccuracies identified in your personal information we collect.
Talkatoo provides the ability for you to correct inaccuracies in your personal information.
Right to be forgotten
You have the right to request that your information be deleted and that you be forgotten entirely from our records, unless there is a legal basis for keeping records, such as financial transactions and tax purposes.
Leak and Breach Notification
Anyone whose personal information has been leaked or is included in a breach has the right to be informed in a reasonable timeframe, once the leak or breach has been discovered and if the personal information was leaked in an unencrypted form.
Notifying anyone of a leak or breach will be expedited if the personal information lost poses a real risk of significant harm to the individual. This type of personal information is referred to as sensitive information. The person whose personal information has been leaked will be informed of possible consequences that could result from the leak.
Sensitive information that could pose a real risk of significant harm to an individual includes but is not limited to information that could result in the following:
- bodily harm
- damage to reputation or relationships
- loss of employment
- loss of business or professional opportunities
- financial loss
- identity theft
- negative effects on the credit record
- damage to or loss of property
Legal and Compliance
We may use your data as necessary to comply with legal or regulatory requirements and to respond to lawful requests, court orders, subpoenas, and other legal processes, as well as to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
We use the services provided by the following third parties to establish accounts, process payments, and process transcriptions. Each of these providers has its own privacy policy.
- Google https://policies.google.com/privacy
- Hubspot https://legal.hubspot.com/privacy-policy
- Chargify https://www.chargify.com/privacy-policy/
- Stripe https://stripe.com/en-ca/privacy
For more information about our privacy practices, data collection, and usage, or if you would like to review, update, or remove your data, please contact us at:
ATTN: Privacy Officer
1505 Barrington Street, Suite 247
Halifax, Nova Scotia, Canada