Privacy Policy
Updated May 13, 2026
This policy describes how Medfair Inc. (“Medfair,” “we,” “us,” or “our”) handles personal information when you use our websites, Clinic Manager, storefront, and related services.
This policy is intended to support compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, where applicable. It does not constitute legal advice.
1. Information we collect
Depending on how you interact with Medfair, we may collect:
- Account and profile. Name, email address, phone number, professional role, clinic affiliation, credentials you choose to provide, and authentication identifiers managed through our identity provider.
- Business and clinic records. Business name, address, tax or business registration numbers you supply for verification, invoicing, or onboarding, and operational data you enter into Clinic Manager (for example vendors, expenses, or internal notes you choose to store).
- Transaction and commerce data. Orders, carts, product selections, payment request metadata (amounts, status, payer contact fields you provide for sending a payment link), and related audit logs needed to operate the service. We do not collect full payment card numbers for Medfair-hosted card payments — those are collected directly by our payment processor (see Payment processing).
- Support and communications. Messages you send us (including email content), feedback, and records of correspondence.
- Technical and usage data. IP address, device and browser type, general location derived from IP, timestamps, diagnostic logs, cookies or similar technologies, and aggregated usage metrics (for example through Vercel Web Analytics where enabled).
2. How we use information
We use personal information to:
- Provide, maintain, secure, and improve the platform;
- Authenticate users, prevent fraud and abuse, and enforce our terms;
- Process or facilitate payments, payouts, and related compliance obligations with the help of Stripe;
- Operate the e-commerce storefront and synchronize catalog and order data with Shopify-backed systems;
- Send service, security, and transactional messages;
- Send marketing communications where permitted — you may opt out as described below;
- Meet legal, regulatory, and insurance requirements; and
- Analyze usage in aggregate to improve product performance and reliability.
Medfair provides software and commerce infrastructure for clinics. Unless we expressly agree otherwise in writing, we do not position the platform as a HIPAA- or PHIPA-compliant electronic health record for clinical charting, and you should not use it to store regulated health information you are obligated to protect under those regimes without an appropriate agreement and controls.
3. Payment processing
When you enable payments, we share your business name, business number, banking details, and transaction data with Stripe (payment processor) to comply with know-your-customer / anti-money laundering obligations and to settle funds. Stripe’s privacy policy is available at stripe.com/en-ca/privacy.
Payments are processed by Stripe Payments Canada, Ltd. By enabling payments on Medfair, clinics agree to the Stripe Connected Account Agreement, which governs the connected account relationship between the clinic and Stripe.
Patients who pay via a Medfair payment link share their card or bank-account information directly with Stripe. Medfair never sees raw card numbers.
4. Legal bases and consent
Where PIPEDA (or applicable provincial law) requires consent, we collect, use, or disclose personal information with your meaningful consent — including through account creation, continued use of the services after notice of material changes, or explicit agreement where a higher bar applies (for example sensitive uses). You may withdraw consent where withdrawal does not prevent us from fulfilling a legal obligation or completing a transaction you requested before withdrawal.
5. Service providers (sub-processors)
We use trusted third parties who process personal information on our instructions and under appropriate contractual terms. At a minimum, the following categories and vendors are in scope today (verify during diligence — vendors may change with notice as described below):
- Stripe Payments Canada, Ltd. — payment processing, Connect onboarding, fraud prevention, and settlement.
- Supabase Inc. — managed PostgreSQL database, authentication, and related infrastructure used to persist account and application data.
- Vercel Inc. — application hosting, edge routing, and (where enabled) privacy-friendly web analytics.
- Resend — transactional and product email delivery (for example waitlist confirmations, invites, and operational notifications) sent via HTTPS API integration.
- Shopify — e-commerce catalog, cart, checkout, and order processing for the Medfair storefront experience integrated with our stack.
6. Cross-border transfers
Some service providers may process or store information in the United States or other jurisdictions outside Canada (including Stripe, Supabase, Vercel, Resend, and Shopify). Where personal information is transferred across borders, we take steps that are appropriate in the circumstances — including contractual safeguards — to require a comparable level of protection. Cross-border processing remains subject to the laws of the destination country, which may differ from Canadian law.
8. When we disclose information
We may disclose personal information:
- To service providers who assist us in operating the platform;
- To professional advisors (lawyers, accountants) under confidentiality obligations;
- To comply with lawful requests, court orders, or regulatory requirements;
- In connection with a merger, acquisition, financing, or sale of assets — with notice where required; and
- With your direction or otherwise with consent as required by applicable law.
9. Your rights (access, correction, deletion)
Subject to applicable exceptions, you may request access to the personal information we hold about you and request corrections where it is inaccurate or incomplete. You may also ask us to delete personal information where retention is no longer necessary for the purposes described, unless we must retain it to meet legal, security, or dispute-resolution obligations.
To exercise these rights, contact the Privacy Officer using the details below. We may need to verify your identity before responding. You may also opt out of non-essential marketing emails by using the unsubscribe link in those messages.
10. Retention
We retain personal information only as long as necessary for the purposes described in this policy, including to satisfy legal, accounting, or reporting requirements. Retention periods vary depending on the nature of the record (for example payment and tax records may be retained longer than transient server logs).
11. Security
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we process. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your account credentials.
12. Children
Medfair is intended for businesses and adult professionals. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child, contact us and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this policy from time to time. We will post the revised version on this page and update the “Updated” date. Where changes are material, we will provide additional notice as required by law (which may include email or an in-product notification).
14. Privacy officer / contact
For privacy inquiries or to exercise your rights, contact Medfair’s Privacy Officer at privacy@medfair.ca. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (OPC) or your provincial privacy regulator, as applicable.