Metabolite Clinic — Privacy Policy

Effective date: May 9, 2026 Last updated: May 9, 2026

1. About this policy

Metabolite Clinic (“Metabolite,” “we,” “our,” or “us”) is a virtual medical clinic operating in the provinces of Ontario and British Columbia, Canada. We provide telemedicine services exclusively through virtual care, using the website www.metaboliteclinic.ca and the Telus Health Collaborative Health Record (Telus CHR) platform for clinical visits, charting, prescribing, and patient communications.

This Privacy Policy explains what information we collect, how we use it, who we share it with, how we protect it, and what rights you have. It applies to:

Patients and prospective patients of the clinic
Visitors to our website
Users of our optional AI-powered wellness check-in tool, Healix

We are committed to protecting the privacy of your personal information and personal health information, and to handling it in accordance with:

The federal Personal Information Protection and Electronic Documents Act (PIPEDA)
Ontario’s Personal Health Information Protection Act, 2004 (PHIPA)
British Columbia’s Personal Information Protection Act (PIPA BC)
Other applicable privacy and health-information laws in the provinces in which we operate

For Ontario patients, Metabolite Clinic acts as a Health Information Custodian under PHIPA. For British Columbia patients, we act as an Organization under PIPA BC handling personal information, including personal health information.

2. Who is responsible for your information

Health Information Custodian / Privacy Officer Dr. Mayank Ohri, Medical Director Metabolite Clinic Email: contact@metaboliteclinic.ca Phone: 647-250-0220

Mailing addresses:

Ontario: 384-3219 Yonge Street, Toronto, Ontario M4N 0A5
British Columbia: 430-5307 Victoria Drive, Vancouver, BC V5P 3V6

The Medical Director, in their capacity as Health Information Custodian, is accountable for the personal health information we hold. The Privacy Officer is responsible for day-to-day compliance with this policy and for responding to your privacy questions, access requests, and complaints.

3. What information we collect

We collect only the information we need to provide safe, effective virtual care and to operate our clinic.

3.1 Information you provide directly

Identification: name, date of birth, sex/gender, address, postal code, phone number, email
Provincial health coverage: OHIP number (Ontario) or MSP/PHN number (British Columbia), where applicable
Health information: medical history, current medications, allergies, symptoms, lifestyle information, family history, mental-health history relevant to your care, lab and imaging results, and any other clinical information you share with us
Consultation records: clinical notes, prescriptions, referrals, requisitions, and treatment plans created during your care
Payment information: credit card or other payment details, processed through a third-party payment processor (we do not store full credit card numbers on our systems)

3.2 Information collected automatically

Website analytics: IP address, browser type, device type, pages visited, referring URL, and timestamps, used to understand site usage and improve the website
Cookies and similar technologies: see Section 9 below

3.3 Information collected through Healix (anonymous wellness tool)

When you choose to use the Healix wellness check-in tool on our website, you may enter information such as how you are sleeping, how a medication is going, or what you would like to discuss with your provider. We do not ask for, and you should not enter, any identifying information into Healix (such as your name, health card number, contact details, lab values, or specific dates). See Section 7 for full details on how Healix works.

4. How we use your information

We use your personal and personal health information to:

Provide virtual medical consultations, prescriptions, and follow-up care
Communicate with you about appointments, results, and your treatment
Coordinate care with other healthcare providers, pharmacies, and laboratories with your consent
Maintain your medical record as required by provincial law and the standards of the College of Physicians and Surgeons of Ontario (CPSO) and the College of Physicians and Surgeons of British Columbia (CPSBC)
Process payments and issue receipts
Submit claims to provincial health insurance plans where applicable
Improve the quality and safety of our services
Comply with our legal, regulatory, and professional obligations

We will not use your personal health information for marketing purposes without your express consent.

5. Consent

By becoming a patient of Metabolite Clinic, you consent to the collection, use, and disclosure of your personal health information for the purposes described in this policy. This is known as implied consent within the circle of care, which under PHIPA allows us to share information with other healthcare providers directly involved in your treatment, unless you tell us otherwise.

You may withdraw or restrict your consent at any time, subject to legal and professional record-keeping requirements. To do so, contact our Privacy Officer (see Section 2). Withdrawing consent may affect our ability to provide some or all aspects of your care, and we will explain any consequences before acting on your request.

For uses outside the circle of care — for example, sharing information with an insurer, employer, or third party — we will obtain your express written consent in advance.

6. Who we share your information with

We share your information only when necessary, and only with parties bound by appropriate confidentiality and security obligations.

6.1 Within the circle of care

Other physicians, nurse practitioners, pharmacists, laboratories, and diagnostic imaging providers involved in your care
Specialists to whom we refer you

6.2 Service providers (“agents” under PHIPA)

We work with carefully vetted service providers who help us operate the clinic. These include:

Telus Health (TELUS Health Solutions Inc.), which provides the Telus Collaborative Health Record (Telus CHR) — our electronic medical record and virtual care platform. Telus CHR hosts your clinical chart, supports video and secure-messaging visits with our clinicians, and handles e-prescribing and lab/imaging requisitions. According to Telus’s published terms, Telus CHR data is encrypted in transit and at rest and stored on servers physically located in Canada, hosted on Telus’s Google Cloud Platform and Amazon Web Services data centres within Canada. Telus discloses that data may be temporarily viewed or accessed from outside Canada by Telus or its infrastructure providers solely as necessary to address service or technical issues (such as installation, maintenance, troubleshooting, or upgrades), limited to the minimum data and minimum time necessary. Telus operates under written agreements with Metabolite Clinic that meet PHIPA and PIPA BC requirements for service providers handling personal health information.
Amazon Web Services Canada, Inc. (AWS Canada), which provides cloud infrastructure for the Healix wellness tool and certain backend services. We have signed a Business Associate Addendum (BAA) with AWS that governs how patient information is handled and requires AWS to meet healthcare-grade security and confidentiality standards.
Stripe (Stripe Payments Canada, Ltd.), our payment processor, which handles credit card transactions. Stripe is PCI-DSS Level 1 certified and operates under its own published privacy and security commitments. We do not store full credit card numbers on our systems.
Pharmacy and lab integrations for sending prescriptions and requisitions, primarily delivered through Telus CHR’s connected networks
IT, hosting, email, and analytics providers who support the operation of our website

All service providers are contractually bound to use your information solely for the purposes we authorize, to safeguard it, and to return or destroy it when no longer needed. Although our service providers maintain their own privacy and security programs, Metabolite Clinic remains the Health Information Custodian and is accountable to you for the personal health information we hold, including information held on our behalf by Telus, AWS, and other agents.

6.3 Required by law or to protect safety

We may disclose information without your consent where we are legally required or permitted to do so, including:

To comply with a court order, subpoena, or warrant
To report to public health authorities (e.g., reportable diseases)
To report suspected child abuse or risk of harm to self or others, as required by law
To the College of Physicians and Surgeons of Ontario or British Columbia in connection with a regulatory investigation
Where disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm

7. Healix — our AI-powered wellness check-in tool

Healix is an optional, anonymous wellness tool offered on our website. It uses artificial intelligence to generate personalized coaching messages based on what you share. Because of how Healix is designed, it has its own privacy treatment, which we explain in detail here.

7.1 What Healix does

When you choose to use Healix, you may enter free-text responses about topics such as:

How you are sleeping
How a medication is going
Goals you would like to discuss with your provider
General wellness topics

Healix uses these responses to generate a personalized coaching message back to you.

7.2 We do not collect identifying information through Healix

Healix is designed to be anonymous. We do not ask for, and you should not enter, your name, health card number, contact details, specific dates, lab values, or any other identifying information into Healix. Healix is not part of your clinical record and is not reviewed by our clinicians as part of your care.

7.3 Where Healix processes your responses

Your Healix responses are processed by Amazon Web Services Canada, Inc. (AWS Canada) in their Montreal data centre (the AWS Canada (Central) region, “ca-central-1”). We use Amazon Bedrock with a Canadian-only inference profile, meaning your inputs are processed in Canada and do not leave Canada during processing.

We have implemented an enforceable technical control (an AWS Service Control Policy) at the root of our AWS organization that prevents resources used for Healix from being created or operated outside the Canadian AWS regions (ca-central-1 and ca-west-1).

7.4 Storage and retention

We do not store your Healix inputs or outputs on our own servers. Your responses are processed in real time and discarded once your coaching message is generated.
AWS may temporarily retain anonymous inputs for up to 30 days for security and abuse-detection purposes, after which they are automatically deleted. AWS does not use your inputs to train its AI models, and our agreement with AWS prohibits any other secondary use.

7.5 Limits of Healix

Healix is not a medical device, not a substitute for medical care, and not a replacement for speaking with your clinician. It does not create a doctor-patient relationship, it cannot diagnose or treat any condition, and it is not designed for medical emergencies. If you are in crisis, call 911, go to your nearest emergency department, or contact a crisis line such as 9-8-8 (Suicide Crisis Helpline).

7.6 Your choice

Using Healix is entirely optional. You are not required to use Healix as part of your care, and choosing not to use it will not affect any treatment you receive at Metabolite Clinic.

8. Where your information is stored (data residency)

Your personal health information is stored on servers physically located in Canada. Specifically:

Your clinical chart, visit notes, prescriptions, and messages with our clinicians are stored within the Telus CHR platform. Telus hosts CHR data on its Google Cloud Platform and Amazon Web Services data centres within Canada, with encryption in transit and at rest. As Telus publicly discloses, data may be temporarily viewed or accessed from outside Canada by Telus or its infrastructure providers solely to address service or technical issues (installation, maintenance, troubleshooting, or upgrades), limited to the minimum data and minimum time necessary for those purposes.
The Healix wellness tool runs on AWS Canada (Central) in Montreal, with technical region-lock controls preventing operation outside the Canadian AWS regions (ca-central-1 and ca-west-1), as described in Section 7.3.
Backups, audit logs, and supporting clinic records are kept in Canadian-hosted environments.

In the rare event that any service provider must process information outside Canada (for example, certain communications-tooling backups), we will ensure the provider has signed contractual safeguards consistent with PHIPA, PIPA BC, and PIPEDA, and we will update this policy to disclose the arrangement.

While information is in Canada, it remains subject to Canadian law. While information is held by an international service provider that has Canadian operations (such as Telus’s underlying cloud providers, or AWS Canada directly), it may also be subject to lawful access requests by foreign governments. We assess these risks before engaging any provider and choose providers whose Canadian operations and contractual commitments minimize that risk.

9. Cookies and website analytics

Our website (www.metaboliteclinic.ca) uses cookies and similar technologies to:

Remember your preferences when you visit
Analyze how visitors use our site so we can improve it
Support certain functional features of the website

You can disable cookies in your browser settings, although some parts of the website may not work properly without them. Our website analytics are configured to anonymize IP addresses where technically possible.

If you access our patient portal through Telus CHR Connect, that platform uses its own cookies and tracking technologies, governed by Telus Health’s privacy practices. We encourage you to review Telus’s privacy information when you create or use a CHR Connect account.

10. How we protect your information

We use a combination of administrative, technical, and physical safeguards to protect your information, including:

Encryption in transit and at rest for all clinical data, including data within Telus CHR
Multi-factor authentication for clinician and staff accounts on Telus CHR and other clinic systems
Role-based access controls so that staff see only the information they need to do their jobs
Audit logging of access to electronic health records (provided by Telus CHR for clinical data), retained for the periods required by PHIPA and PIPA BC
Written service-provider agreements with Telus Health governing the handling of personal health information in Telus CHR, consistent with PHIPA and PIPA BC requirements
A signed Business Associate Addendum with AWS Canada governing handling of patient information used by Healix
Technical region-lock controls that prevent Healix and related Metabolite-managed AWS resources from being created outside Canadian AWS regions
Privacy and security training for all staff and contractors
Confidentiality agreements with all employees, contractors, and service providers
Breach response procedures consistent with PHIPA’s mandatory breach-notification requirements

No system can be guaranteed 100% secure, but we continuously review and improve our safeguards.

11. How long we keep your information

We retain your medical record for the periods required by law and by professional regulators:

Ontario: at least 10 years from the date of last entry, or 10 years after a patient reaches the age of 18, whichever is longer (CPSO requirements under the Medicine Act)
British Columbia: at least 16 years from the date of last entry, or 16 years after a patient reaches the age of majority, whichever is longer (CPSBC requirements)

Other information (such as billing records and website analytics) is retained only as long as necessary for the purposes described in this policy and then securely destroyed or anonymized. Healix interactions are not retained by Metabolite Clinic — see Section 7.4 for details on processing and AWS’s limited retention.

12. Your privacy rights

Subject to limited exceptions in the law, you have the right to:

Access your record: request a copy of your personal health information held by Metabolite Clinic
Correct your record: ask us to correct information you believe is inaccurate or incomplete
Withdraw or limit consent: restrict our use or sharing of your information, subject to legal and professional record-keeping requirements
Be informed of breaches: receive notice if your personal health information is lost, stolen, or accessed without authorization, in accordance with PHIPA and PIPA BC
File a complaint: contact our Privacy Officer or the relevant provincial privacy regulator

To exercise any of these rights, contact our Privacy Officer (see Section 2). We will respond within the timelines required by law (generally 30 days, with the possibility of an extension where permitted).

We may charge a reasonable fee for copies of records, as permitted by PHIPA and PIPA BC, and will tell you the fee in advance.

13. Complaints

If you have a concern about how we have handled your information, please contact our Privacy Officer first (see Section 2). We take all complaints seriously and will investigate promptly.

If you are not satisfied with our response, you may contact the relevant privacy regulator:

Ontario residents — Information and Privacy Commissioner of Ontario (IPC): 2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8 Phone: 1-800-387-0073 Web: www.ipc.on.ca

British Columbia residents — Office of the Information and Privacy Commissioner for BC (OIPC): PO Box 9038 Stn Prov Govt, Victoria, BC V8W 9A4 Phone: 1-800-663-7867 Web: www.oipc.bc.ca

For matters under federal law — Office of the Privacy Commissioner of Canada (OPC): 30 Victoria Street, Gatineau, QC K1A 1H3 Phone: 1-800-282-1376 Web: www.priv.gc.ca

14. Age and eligibility

Metabolite Clinic provides care only to patients aged 16 and older. We do not provide services to, market to, or knowingly collect information from children under the age of 16. Our website and the Healix wellness tool are not directed at children.

If you become aware that a child under 16 has submitted information to us, please contact our Privacy Officer (see Section 2) and we will take steps to delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and, where the changes are material, we will notify patients by email or through our patient portal. Your continued use of our services after any change means you accept the updated policy.