Canadian Privacy at MedMe.
PIPEDA, provincial privacy laws, and pharmacy-act obligations from coast to coast — addressed at the platform layer so our pharmacy customers can stay focused on care. Last reviewed: April 2026.
The PIPEDA principles, addressed
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ten Fair Information Principles. MedMe addresses each principle directly in our platform design, contractual commitments, and operational policies. As a service provider acting on behalf of a pharmacy custodian, we apply these obligations both to our own collection of personal information (e.g., from prospective customers, job applicants, pharmacist users) and to information we process on a customer's behalf.
- Accountability. MedMe has a designated Privacy Officer reachable at privacy@medmehealth.com, supported by a cross-functional Privacy Council that meets monthly.
- Identifying purposes. Purposes are identified at or before collection, both on our public site and within our pharmacist-facing product. Service-provider purposes are documented in our contracts with pharmacy customers.
- Consent. We obtain meaningful consent appropriate to the sensitivity of the information. For health information processed on behalf of a custodian, consent is obtained by the custodian in accordance with applicable provincial law.
- Limiting collection. We collect only what is necessary for the identified purpose. Optional fields are clearly marked and never used to gate service delivery.
- Limiting use, disclosure, and retention. We use information only for the purposes consented to, retain it only as long as needed, and delete or de-identify it on schedule.
- Accuracy. Pharmacist users can update their profile at any time. Pharmacy customers control the accuracy of patient data through the platform's editing controls.
- Safeguards. We maintain administrative, physical, and technical controls aligned to SOC 2 Type II and HITRUST CSF r2. See our Security page.
- Openness. Our privacy policies are publicly available and written in plain language.
- Individual access. Individuals may request access to their personal information by emailing privacy@medmehealth.com; for patient information held on behalf of a pharmacy, requests are routed to the pharmacy custodian.
- Challenging compliance. Concerns and complaints can be raised with our Privacy Officer; we acknowledge within 5 business days and respond fully within 30 days.
Provincial privacy laws covered
MedMe customers operate under a range of provincial and territorial privacy regimes. We design the platform so that, regardless of the customer's home province, the applicable law is honored at the configuration and policy layer. The table below summarizes the laws we map against in the course of onboarding, configuration, and audit.
| Jurisdiction | Statute | Scope MedMe addresses |
|---|---|---|
| Federal | PIPEDA | Private-sector personal information; cross-border transfers |
| Ontario (ON) | PHIPA — Personal Health Information Protection Act | PHI processing under custodian instruction; agent obligations |
| Quebec (QC) | Loi 25 (formerly FIPPA / Act 64) | Privacy-by-default; cross-border impact assessments; deletion rights |
| Nova Scotia (NS) | PHIA — Personal Health Information Act (NS) | Custodian instructions; security of PHI; breach notification |
| Manitoba (MB) | PHIA — Personal Health Information Act (MB) | Information Manager obligations; access & correction |
| Alberta (AB) | HIA — Health Information Act | Custodian / affiliate obligations; PIA support |
| Newfoundland & Labrador (NL) | PHIA — Personal Health Information Act (NL) | Information Manager Agreement; reporting to OIPC NL |
| British Columbia (BC) | PIPA — Personal Information Protection Act (BC) | Private-sector personal information; service-provider obligations |
| Saskatchewan (SK) | HIPA — Health Information Protection Act | Trustee instructions; access & correction; breach reporting |
| New Brunswick (NB) | PHIPAA — Personal Health Information Privacy and Access Act | Information Manager obligations; PIA support |
| Prince Edward Island (PE) | HIA — Health Information Act | Custodian agency relationships; breach reporting |
| Yukon (YT) / NWT / Nunavut | ATIPPA & territorial health-info laws | Public-body custodian instructions where applicable |
Data residency
For Canadian pharmacy customers, all production environments are hosted in AWS ca-central-1 (Montréal). Patient health information processed on behalf of Canadian custodians does not leave Canada in the course of normal operation. Disaster recovery uses additional AWS Canadian availability zones; we do not replicate Canadian PHI to US regions.
Some sub-processors may be headquartered outside of Canada. We disclose these in our public sub-processor list, conduct privacy impact assessments where required (especially under Quebec's Loi 25), and execute information-management or data-processing agreements with each.
Pharmacy-specific obligations under provincial pharmacy acts
In addition to general privacy statutes, Canadian pharmacies operate under provincial pharmacy acts and the standards set by their provincial colleges (e.g., the Ontario College of Pharmacists, the Ordre des pharmaciens du Québec, the College of Pharmacists of British Columbia). MedMe's product and configuration support these obligations, including:
- Documentation requirements for clinical services (medication reviews, minor ailments, immunizations);
- Record-retention obligations specific to each province (typically 10 years from last interaction, or 10 years past age of majority for minors);
- Provincial billing-routing requirements for OHIP, RAMQ, ASEBP, MSP, and equivalent payers;
- Quality-assurance and audit-trail requirements expected by provincial regulators;
- Specific consent forms and patient acknowledgements where mandated.
Our role as a service provider
For pharmacy customers, MedMe acts as a service provider, agent, affiliate, or Information Manager (the term varies by statute) to a custodian or trustee under provincial law. We process personal health information only as directed by the custodian, only for the purposes set out in our Information Management Agreement, and only with safeguards equivalent to or greater than those required of the custodian themselves. We do not use PHI for our own marketing, research, or commercial purposes.
Breach notification
MedMe will notify a Canadian customer of a confirmed privacy breach without unreasonable delay and in any event within 72 hours of discovery. Where mandated by provincial law (e.g., PHIPA in Ontario), the customer is responsible for notifying the Information and Privacy Commissioner; MedMe will provide all reasonable cooperation, documentation, and forensic detail. We retain breach records for at least 24 months in accordance with PIPEDA's recordkeeping requirements.
Subject access & correction rights
Individuals (including patients of MedMe-using pharmacies) generally have the right to request access to, and correction of, their personal information. For information that MedMe controls directly (e.g., a pharmacist user account), requests can be made to privacy@medmehealth.com. For patient information held on behalf of a pharmacy custodian, requests should be directed to the pharmacy; MedMe will assist the pharmacy in responding.
Provincial privacy commissioner contacts
Individuals who feel their privacy concerns have not been adequately addressed may contact the relevant privacy oversight authority directly.
| Jurisdiction | Authority | Contact |
|---|---|---|
| Federal | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca · 1-800-282-1376 |
| Ontario | Information and Privacy Commissioner of Ontario (IPC) | ipc.on.ca · 1-800-387-0073 |
| Quebec | Commission d'accès à l'information (CAI) | cai.gouv.qc.ca · 1-888-528-7741 |
| British Columbia | Office of the Information and Privacy Commissioner for BC | oipc.bc.ca · 1-800-663-7867 |
| Alberta | Office of the Information and Privacy Commissioner of Alberta | oipc.ab.ca · 1-888-878-4044 |
| Manitoba | Manitoba Ombudsman / IPC | ombudsman.mb.ca · 1-800-665-0531 |
| Saskatchewan | Office of the Saskatchewan Information & Privacy Commissioner | oipc.sk.ca · 1-877-748-2298 |
| Nova Scotia | Office of the Information & Privacy Commissioner for NS | foipop.ns.ca · 1-866-243-1564 |
| New Brunswick | Office of the Access to Information & Privacy Commissioner | info-priv-nb.ca · 1-877-755-2811 |
| Newfoundland & Labrador | Office of the Information & Privacy Commissioner of NL | oipc.nl.ca · 1-877-729-6309 |
| Prince Edward Island | Office of the Information & Privacy Commissioner of PEI | oipc.pe.ca · 1-902-368-4099 |
| Yukon | Office of the Information & Privacy Commissioner of Yukon | yukonombudsman.ca · 1-800-661-0408 |
| NWT & Nunavut | Information & Privacy Commissioner of NWT and NU | atipp-nt.ca · 1-867-669-0976 |
Privacy contact
MedMe Health, Inc. — Privacy Officer (Canada)
Email: privacy@medmehealth.com
Mailing address: 100 King Street West, Suite 1300, Toronto, ON M5X 1A9, Canada