Governing Jurisdiction: Ontario, Canada
This Cookie Policy forms part of, and must be read together with, the Privacy Policy and the Terms of Service. Capitalized terms that are not defined in this Cookie Policy have the meanings given to them in the Privacy Policy and the Terms of Service. Cookie-specific terms (such as "cookie", "session cookie", "persistent cookie", and "essential" and "non-essential" cookies) are defined in this Cookie Policy.
The Privacy Policy governs how RoomaMD handles personal information generally, including the providers it relies on and the country in which each of them processes personal information. This Cookie Policy governs the cookies and similar technologies the Platform uses and the choices available to you in respect of them. The providers identified below are a subset of the service providers listed in the Privacy Policy, namely those that may set or read cookies or similar storage. The data-residency facts for each provider are stated consistently with the Privacy Policy.
Section 1. Purpose and Plain-Language Summary
1.1 This Cookie Policy explains how RoomaMD Inc. ("RoomaMD", "we", "us", "our", the "Platform") uses cookies and similar technologies on the website and application at roomamd.com.
1.2 The short version. RoomaMD keeps cookies to a minimum. We use a small set of strictly necessary cookies so that the Platform can log you in, keep your session secure, remember your language, and protect against fraud and abuse. We use a small set of functional storage to remember preferences such as your currency and your search filters. We use product-analytics technology (PostHog) to understand how the Platform is used; this is non-essential and is not enabled until you accept. We use error-monitoring technology (Sentry) to find and fix problems and keep the Platform secure and reliable; its session reconstruction is error-only and fully masked, and it also receives a small anonymous sample of page-timing measurements; because it is used solely for security and reliability, we treat it as strictly necessary, so it runs without separate consent (you can still block it in your browser). We do not set advertising or remarketing cookies. On your first visit we show a consent banner: product analytics are not enabled until you accept, and you can decline. For visitors who are not signed in, our analytics technology runs without writing a persistent identifier to your device, and where supported it treats a Do Not Track signal from your browser as a decline of analytics. You can also control all of these technologies through your browser. The detailed rules follow.
1.3 This Cookie Policy supplements, and does not replace, the Privacy Policy. Where this Cookie Policy and the Privacy Policy address the same subject (for example, the identity of a provider or the country in which it processes data), the two are intended to say the same thing; if they nonetheless differ on a matter the Privacy Policy addresses in substance, the Privacy Policy governs.
Section 2. What Cookies and Similar Technologies Are
2.1 A "cookie" is a small text file placed on your device when you visit a website. Cookies allow a website to recognize your device across page loads and visits, to keep you signed in, to remember your preferences, and to understand how the website is used.
2.2 RoomaMD uses both:
- (a) session cookies, which are deleted when you close your browser; and
- (b) persistent cookies, which remain on your device until they expire on the date set when they are created, or until you delete them.
2.3 RoomaMD also uses technologies that behave like cookies, and this Policy treats them the same way. These include local storage and session storage (browser storage that holds small amounts of data on your device). References to "cookies" in this Policy include these similar technologies unless the context requires otherwise. The Platform does not rely on email open-tracking pixels for its core operation; any email-related consent and tracking is addressed in the Privacy Policy under Canada's Anti-Spam Legislation, not by this Cookie Policy.
2.4 No advertising fingerprinting. RoomaMD does not use device fingerprinting, canvas fingerprinting, audio fingerprinting, or similar persistent-identifier techniques to build advertising or cross-site tracking profiles, and it does not use cookies for behavioural advertising. The Platform does collect operational signals for two limited and clearly identified purposes that are not advertising: a fraud-detection signal collected by our payments provider, Stripe, through its fraud-prevention service to protect Users against fraudulent transactions; and an error-only session reconstruction collected by our error-monitoring provider, Sentry, which is described in Section 4. Neither is used to advertise to you. The Stripe signal is governed by Stripe's own privacy policy, which is linked in the table in Section 5.
Section 3. The Two Categories That Matter: Essential vs Non-Essential
3.1 The clearest way to understand RoomaMD's cookies is to divide them into two groups by whether they are strictly necessary to deliver the service you have requested.
(a) Essential cookies are required for the Platform to work and for it to be secure. They are set whenever you use the Platform because the Platform cannot function without them. You can block them in your browser, but if you do you will be unable to sign in to or use the Platform. The law treats cookies that are strictly necessary to deliver a service the User has requested as not requiring separate consent.
(b) Non-essential cookies are everything else: functional preferences and product analytics. (Error monitoring is treated as strictly necessary and runs without separate consent, as explained in Section 4; you can still block it in your browser.) The Platform works without the non-essential cookies. If you decline or remove them, you keep full access to the Platform; you simply give up some convenience and you reduce the diagnostic information we receive. Section 6 explains the controls available to you, including how our analytics technology behaves before you sign in and how it responds to the Do Not Track signal.
3.2 RoomaMD does not set a third category that many marketplaces do: advertising or remarketing cookies. See Section 7.
3.3 First-party and third-party. RoomaMD's own cookies, together with those set by Supabase (authentication) in the course of operating the Platform on RoomaMD domains, are first-party in character. (Namecheap provides domain registration and DNS for RoomaMD's domains only and does not set any cookies on the Platform.) Cookies or storage set by PostHog, Sentry, and Mapbox are third-party, set under those providers' own privacy policies for the limited purposes described below.
Section 4. Cookie Categories in Detail
4.1 The following table describes each cookie category, what it does, who processes the data, whether your consent is required, and how to control it. The technical cookie names listed are examples and may change as the Platform evolves; the categories and their purposes will not change without an update to this Policy.
| Category | What it does | Example cookies / storage | Processed by | Consent required | Typical lifetime | How to control |
|---|---|---|---|---|---|---|
| Strictly necessary | Sign-in and session continuity; security including protection against cross-site request forgery; bot and abuse mitigation at the edge; remembering your language; routing your request to the correct region. The Platform cannot operate without these. | Supabase authentication tokens (for example, an access token and a refresh token); a locale preference cookie. | RoomaMD; Supabase (authentication). | No (strictly necessary to deliver the service you requested). | Session, and persistent tokens that expire when your sign-in expires. | Cannot be disabled while using the Platform. You may block them in your browser, but the Platform will not function. |
| Functional | Remembering choices you make so the Platform feels personalized: your selected currency, your chosen listing view, and the search filters you last applied; and, where you display a map, caching map tiles. | Preference cookies and local-storage entries set by RoomaMD; map-tile storage set by Mapbox. | RoomaMD; Mapbox (maps you choose to view). | No (set only in response to a feature you actively use, to deliver the personalization you asked for). | Persistent, up to twelve (12) months, or until you clear your browser storage. | Clear or block in your browser as described in Section 6. The Platform keeps working; personalization is reduced. |
| Analytics (product) | Understanding, in the aggregate, how the Platform is used: which pages convert, where Users drop off in onboarding, and which features are used. This helps us improve the Platform. It is not used to advertise to you. | PostHog event-capture storage. For signed-in users only, persistent storage prefixed ph_, keyed to your account identifier (a meaningless code, never your name, email, or phone). For visitors who are not signed in, no persistent identifier is written. |
PostHog (product analytics). | Yes (consent required). | None before sign-in (in-memory only); persistent storage after sign-in, up to twelve (12) months. | Not enabled until you select Accept on the consent banner (Section 6); select Decline to keep it off. Where supported, a Do Not Track signal is also treated as a decline. Clear or block in your browser. |
| Error monitoring | Detecting, diagnosing, and fixing errors and crashes so the Platform stays reliable and secure. When an error occurs, our error-monitoring provider captures a reconstruction of the session that led to it (Session Replay), so the bug can be reproduced and fixed. | Sentry Session Replay buffer and a client-side identifier used to group related error reports, held in browser storage. | Sentry (error monitoring). | No. Treated as strictly necessary for the security and reliability of the Platform: it is error-only, all text and inputs are masked, all media are blocked, and it is never used for advertising. It runs without separate consent; you can still block it in your browser (Section 6). | Held in your browser only while a session is active; transmitted to Sentry only when an error occurs. | Clear or block in your browser as described in Section 6. |
4.2 Sentry Session Replay, described plainly. When the Platform encounters an error, Sentry records a reconstruction of your session leading up to that error: the structure of the pages you saw, the navigation between them, and the interactions that produced the problem. This is materially more than an error message, and we describe it here so you understand exactly what it does. It is configured to protect your privacy: all text and all form inputs are masked, and all images and other media are blocked, so the reconstruction is a redacted, wireframe-style view rather than a literal video of your screen. It is captured only on errors, never on ordinary sessions, and it is used solely to diagnose and fix problems, never to advertise to you.
4.3 Why analytics and error monitoring are separated. Product analytics (PostHog) tells us how the Platform is used so we can improve it. Error monitoring (Sentry) tells us when something breaks so we can fix it, and on errors captures the redacted session reconstruction described above. In addition to error reports, Sentry receives a small random sample (currently about one in ten page loads) of performance-timing measurements - the page path and how long it took to load - which contain no text you typed, no form content, and no media; this is used solely to keep the Platform fast and reliable. They serve different purposes and are processed by different providers, so we list them separately rather than bundling them under a single "analytics" label.
4.4 Namecheap. Namecheap provides domain registration and DNS for RoomaMD's domains. It resolves domain names only, operates outside the Platform, and does not set any cookies or local storage on the Platform.
4.5 How analytics personal information is minimized. Product analytics are configured to minimize the personal information they collect. For visitors who are not signed in, events are collected without a persistent identifier on your device. For signed-in users, events are keyed to a pseudonymous account identifier (a meaningless code, never your name, email, or phone) and aggregated for analysis. We do not combine this analytics information with advertising profiles, and we do not sell it.
Section 5. Third-Party Cookies and Service Providers
5.1 In addition to RoomaMD's own cookies, certain features rely on third-party services that may set their own cookies or storage under their own privacy policies. The table below lists those services, the purpose they serve on the Platform, where they process data, and a link to their privacy policy. These providers are a subset of the service providers disclosed in the Privacy Policy, namely those that may set or read cookies or similar storage, and the data-residency facts are stated consistently with that policy.
| Provider | Purpose on the Platform | Data residency | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Authentication and session (strictly necessary) | Canada (Montreal region) | https://supabase.com/privacy |
| Stripe, Inc. and Stripe Payments Canada Ltd. | Payment processing and a fraud-prevention signal (not advertising tracking) | Canada and United States | https://stripe.com/en-ca/privacy |
| Namecheap, Inc. | Domain registration and DNS | United States | https://www.namecheap.com/legal/general/privacy-policy/ |
| PostHog Inc. | Product analytics | United States | https://posthog.com/privacy |
| Functional Software, Inc. (Sentry) | Error monitoring, including error-only Session Replay | United States | https://sentry.io/privacy/ |
| Mapbox, Inc. | Map tiles and geocoding on Listing pages | United States | https://www.mapbox.com/legal/privacy |
5.2 Maps. When a page displays a map, Mapbox may set cookies or read local storage to render and cache map tiles. This is a functional feature tied to displaying the map you chose to view, and it is treated as a functional cookie in Section 4.
5.3 Payments. Stripe appears in this table because it sets a fraud-prevention signal that helps protect Users against fraudulent transactions. It does not set advertising or behavioural-tracking cookies for RoomaMD. Stripe's handling of payment data is governed by Stripe's own privacy policy and is described more fully in the Privacy Policy.
5.4 Cross-border processing. Some of these providers process data outside Canada (for example, in the United States). RoomaMD keeps personal information at rest within Canada wherever a Canadian-region service tier is available, and assesses each provider that processes personal information outside Canada for comparability with the protections required under the Personal Information Protection and Electronic Documents Act (PIPEDA) before relying on it. The Privacy Policy describes RoomaMD's cross-border safeguards in detail.
Section 6. Your Choices and How to Manage Cookies
6.1 How non-essential cookies behave today. RoomaMD is designed to limit non-essential cookies at the source rather than to rely on a single after-the-fact toggle. In particular:
- For visitors who are not signed in, our product-analytics technology (PostHog) runs without writing a persistent identifier to your device. No analytics cookie is stored on your device before you sign in.
- Where it is technically supported and configured in the Platform, our product-analytics technology treats a recognized Do Not Track signal as a decline of product analytics, and does not capture analytics events from a browser that sends one.
- Our error-monitoring technology (Sentry) captures the redacted, error-only Session Replay described in Section 4 to keep the Platform reliable. It activates only when an error occurs and masks all text, inputs, and media. You can prevent this and all other non-essential storage using the browser controls in Section 6.4.
6.2 The consent banner, Platform controls, and browser controls. On a visitor's first session, RoomaMD shows a cookie-consent banner: product-analytics technology (PostHog) is not loaded or initialized until the visitor selects Accept, and a visitor who selects Decline keeps full access to the Platform with no analytics technology enabled. Essential cookies are always set because the Platform cannot operate without them. Beyond the banner, RoomaMD also limits non-essential technologies at the source: no analytics identifier is written before you sign in, and error monitoring is redacted and runs only on errors. Where a recognized browser privacy signal (including Do Not Track) is supported and configured in the Platform, RoomaMD treats it as a decline of product analytics. In addition, you can control all cookies, including non-essential ones, through your browser. Most browsers let you block all or some cookies, delete cookies already stored, and ask to be notified before a cookie is set. Guidance for common browsers:
- Google Chrome: https://support.google.com/chrome/answer/95647
- Apple Safari: https://support.apple.com/en-ca/HT201265
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies
- Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge
6.3 Quebec and the rest of Canada. RoomaMD operates from Ontario and serves Users across Canada, and it is mindful of the heightened consent expectations under Quebec's private-sector privacy law (the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by the Act to modernize legislative provisions as regards the protection of personal information, Quebec, 2021, c 25). RoomaMD's current posture, consistent with its reading of the guidance of the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Ontario, is to minimize non-essential cookies at the source: no analytics identifier is written before sign-in, Do Not Track is honoured for analytics, and error monitoring is redacted and error-only. The application of these expectations to specific cookies is a matter on which RoomaMD continues to take advice. RoomaMD presents a consent banner on a visitor's first session, through which product-analytics technology (PostHog) is enabled only if the visitor accepts; the visitor's choice is remembered for later visits. RoomaMD will gate any further non-essential technology by the same affirmative-consent approach before enabling it, except where a technology is strictly necessary for security, fraud prevention, or service delivery.
6.4 Removing cookies already on your device. Withdrawing your participation in non-essential cookies, or removing functional preferences, is done through your browser's cookie and site-data controls. Blocking strictly necessary cookies will prevent you from signing in to or using the Platform.
6.5 Effect of declining. Declining or removing non-essential cookies does not reduce your access to bookings, payments, messaging, or any core feature. It reduces convenience (functional preferences such as your currency and last-used search filters are not remembered) and it reduces the diagnostic and usage information RoomaMD receives.
Section 7. Advertising and Marketing Cookies
7.1 The Platform does not set advertising, remarketing, or cross-site behavioural-advertising cookies, and RoomaMD does not sell, rent, or disclose for third-party advertising any personal information collected through cookies.
7.2 If RoomaMD ever introduces advertising or remarketing technology, this Policy will be updated before that technology is enabled, RoomaMD will obtain consent appropriate to the category and the jurisdiction, and existing Users will be given the opportunity to make a fresh choice at least thirty (30) days before the change takes effect. Marketing email is a separate matter governed by Canada's Anti-Spam Legislation and is addressed in the Privacy Policy, not by cookies.
Section 8. Cookies, Personal Health Information, and Clinical Care
8.1 The Platform is a marketplace for clinical space. It is not a channel for delivering clinical care and is not to be used to transmit Personal Health Information ("PHI"). Cookies are not used to collect, infer, or process PHI, and RoomaMD does not act as a health-information custodian through any cookie or analytics technology. The product-analytics and error-monitoring technologies described above are configured to mask inputs, text, and media so that a stray entry never reaches those providers. Practitioners remain the custodians of their own patient records, which are never handled through the Platform's cookies or analytics.
Section 9. Children
9.1 The Platform is intended only for individuals who are at least eighteen (18) years of age. RoomaMD does not knowingly use cookies to collect information from anyone under eighteen.
Section 10. Relationship to Other Documents
10.1 This Cookie Policy is part of the broader privacy and terms framework that governs your use of the Platform. It should be read together with:
- (a) the Privacy Policy, which is the controlling document on how RoomaMD collects, uses, discloses, and safeguards personal information, on the service providers listed above, on data residency, and on your privacy rights and how to exercise them;
- (b) the Terms of Service, which set out the overall agreement between you and RoomaMD; and
- (c) the Acceptable Use Policy, which governs conduct on the Platform.
10.2 If anything in this Cookie Policy appears to conflict with the Privacy Policy on a matter the Privacy Policy addresses in substance, the Privacy Policy governs. This Cookie Policy is the more specific document on the cookie categories and the cookie-management choices described in Section 6.
Section 11. Changes to This Policy
11.1 RoomaMD may update this Cookie Policy from time to time to reflect changes in the technologies we use, the consent mechanisms we offer, or the law. The current version is always posted at roomamd.com.
11.2 Where an update introduces a new category of tracking (for example, advertising cookies) or otherwise materially changes how non-essential cookies are used, RoomaMD will give existing Users the opportunity to make a fresh choice at least thirty (30) days before the change takes effect, as also described in Section 7.
Section 12. Contact
12.1 For questions about this Cookie Policy or your cookie choices, contact RoomaMD's Privacy Officer:
- Email: legal@roomamd.com
- Mail: RoomaMD Inc., Attn: Privacy Officer, 155 Merchants Wharf, Unit 0528, Toronto, Ontario M5A 0Y4
12.2 You may also lodge a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca and, in respect of Ontario matters within its jurisdiction, with the Office of the Information and Privacy Commissioner of Ontario at https://www.ipc.on.ca.