Governing Jurisdiction: Ontario, Canada
Consistency: This Privacy Policy uses the defined terms of, and is to be read together with, the Terms of Service, the Cookie Policy, the Acceptable Use Policy, the Master Host Agreement, the Master Practitioner Agreement, the Click-Through Booking Agreement, and the Cancellation Policy. Where this Policy describes how RoomaMD handles personal information, it controls; where it describes a Platform feature governed by another document, that other document controls the underlying obligation.
Plain-language summary
RoomaMD respects your privacy. This summary explains, in plain language, what we collect and why. It is for convenience only: it does not replace the full text below, and the numbered Sections govern in the event of any difference.
- Who we are. RoomaMD Inc. operates an online marketplace at roomamd.com that connects Hosts (who list clinical space) with Practitioners (who book it). We are the organization responsible for the marketplace account and transaction information you give us. We are not your clinic, your regulator, or a party to the booking contract between a Host and a Practitioner.
- The single most important rule. RoomaMD is built so that Personal Health Information (PHI) never travels through it. We are not a health-information custodian for clinical care; the Practitioner is. Do not put patient information into messages, listings, notes, support tickets, or any other field on the Platform.
- What we collect. Account and contact details, the information needed to list space and to book it, the documents a Practitioner chooses to share with a Host who requires them, payment-related data handled by our payment processor, and standard technical and usage data.
- Why we collect it. To run the marketplace, process bookings and payments, keep users safe, meet our legal and tax obligations, and (only with your separate consent) to send marketing.
- Who we share it with. A short, named list of service providers that help us run the Platform (set out in Section 8), other users to the limited extent the marketplace requires, and authorities where the law requires it. We do not sell your personal information.
- Automated tools. We use automated tools to help keep the Platform safe (for example, prompting you to remove patient information before you send a message, and helping us spot fraud or abuse). These tools assist our team; they do not replace human review, and you can ask a person to review a decision that significantly affects you.
- Your rights. You may ask for a copy of your information, ask us to correct it, withdraw consent, and ask us to delete your account. If a breach ever creates a real risk of significant harm to you, we will tell you. You may also complain to the Office of the Privacy Commissioner of Canada.
- Cross-border. Our primary database and file storage are in Canada. Some service providers process limited data in the United States. Section 8 names each one and the country involved.
Section 1. Scope and the personal information this Policy governs
1.1 This Privacy Policy describes how RoomaMD Inc. ("RoomaMD", "we", "us", "our", or the "Platform") collects, uses, discloses, retains, and protects personal information in connection with the online marketplace operated at roomamd.com and the related applications, communications, and services (together, the "Services").
1.2 "Personal Information" means information about an identifiable individual, as that term is understood under the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), the Act respecting the protection of personal information in the private sector (Quebec) (CQLR c P-39.1, as amended by Quebec's Law 25), and any other substantially similar provincial private-sector privacy law that applies to RoomaMD or to the individual concerned. It includes a User's name, contact details, professional College and registration number, photograph, biographical details, listing and Premises details, message Content, payment-method metadata, device identifiers, IP addresses, and inferences reasonably drawn from any combination of these.
1.3 "Personal Health Information" or "PHI" has the meaning given to it in the Personal Health Information Protection Act, 2004 (Ontario) ("PHIPA"). PHI includes identifying information about an individual that relates to the individual's physical or mental health, to the provision of health care to the individual, to the individual's health-card number, or to the individual's substitute decision-maker.
1.4 Capitalized terms used but not defined in this Policy (including Host, Practitioner, User, Premises, Listing, Booking Request, Confirmed Booking, College, Public Register, Content, and the money terms) have the meanings given to them in the Terms of Service.
1.5 This Policy applies to Hosts, Practitioners, prospective Users, and visitors to roomamd.com. It does not govern the conduct of any Host or Practitioner in their own clinical practice, which each of them controls independently (see Section 4).
Section 2. Who is responsible for your personal information
2.1 RoomaMD Inc. is the organization accountable, under PIPEDA, for the marketplace account, listing, booking, and transaction Personal Information collected through the Services. Our contact details, and the contact details of our Privacy Officer, appear in Section 16.
2.2 RoomaMD is a neutral online marketplace and intermediary. It is not a party to the booking contract between a Host and a Practitioner, not a real-estate broker, landlord, sublandlord, tenant, or agent, not a healthcare provider or clinic, and not a regulator. RoomaMD does not perform Primary Source Verification of any Practitioner's licence or registration and makes no representation that any Practitioner is licensed or in good standing, or that any Premises is safe or compliant. This intermediary posture shapes the limited role RoomaMD plays in handling Personal Information.
2.3 Independent responsibility. Where a Host and a Practitioner process Personal Information about one another in the course of a booking relationship (for example, a Host's reception staff handling a Practitioner's arrival-day contact information, or a Practitioner reviewing a Host's listing-page contact details), the Host, the Practitioner, and RoomaMD each act as independent organizations accountable for the Personal Information each of them handles, and not as joint controllers. Each party is solely responsible for its own compliance with the privacy and data-protection laws that apply to its own processing, including PIPEDA and, where applicable, Quebec's Law 25. RoomaMD is not responsible for, and accepts no responsibility for, Personal Information that a Host or Practitioner collects, uses, or discloses outside the Platform.
2.4 Where Personal Information is collected from an individual located outside Ontario, RoomaMD remains responsible for that information and may, in addition, be subject to the data-protection laws of the individual's location (for example, Quebec's Law 25 for an individual in Quebec). Where applicable law in that location requires RoomaMD to provide the individual with rights or protections greater than those set out in this Policy, RoomaMD will provide those additional rights or protections in respect of that individual's Personal Information to the extent the law requires.
Section 3. The personal information we collect
3.1 Account and identity information. To create an account and use the Services, we collect: name, email address, and a password (or, where you sign in with Google, the basic profile and email released by that sign-in). We require Users to be at least 18 years of age (see Section 12) and to have authority to bind any entity they represent.
3.2 Practitioner profile information. For a User acting as a Practitioner, we collect the regulatory College and current registration number the Practitioner self-attests at onboarding, the Practitioner's profession and display name, and any biography, photograph, or other profile Content the Practitioner chooses to provide. The Platform surfaces the self-attested College and registration number together with a one-click link to that College's free Public Register, which is the authoritative source of licensure. RoomaMD does not verify the attestation.
3.3 Host and Listing information. For a User acting as a Host, we collect: the Host's display name and business details, the address and descriptive details of each Listing, photographs and amenity information, the Host's self-attested confirmation of commercial general liability ("CGL") insurance of not less than CAD $2,000,000 per occurrence and CAD $2,000,000 in the aggregate (RoomaMD does not verify or approve insurance as a condition of listing), the cancellation tier selected for each Listing, and the credentials the Host configures as required of Practitioners for that Listing. The exact street address and exact location coordinates of a Listing are withheld from non-transacting Users and are disclosed in precise form only as necessary to coordinate a Confirmed Booking.
3.4 Payment and payout information. Payments are processed by our payment processor (see Section 8). When a Practitioner pays for a booking, the payment-card details are collected and stored by that processor, not by RoomaMD; RoomaMD stores the booking amounts in integer cents, a tokenized reference to the saved payment method (used for off-session charges on multi-month bookings), and the outcome metadata returned by the processor. When a Host receives a Payout, the banking and tax-identification details required to pay the Host are collected and held by the payment processor under its own onboarding ("know your customer") process; RoomaMD stores only the connected-account identifier and the payout, transfer, and tax-reporting data the processor returns to us.
3.5 Credential documents shared with Hosts (host-driven, with consent). A Practitioner may upload to a private credential vault their certificate of registration, professional liability insurance certificate, specialty certifications, or other documents a Host's Listing requires. These documents are stored securely in our Canadian-region file storage. They are disclosed to a Host only when the Practitioner expressly elects, at checkout, to share a specific document with that Host to satisfy that Host's stated requirements. Hosts view shared documents through an audit-logged, watermarked credential viewer. The Practitioner can see, in the Practitioner's own dashboard, each instance in which a credential was shared or viewed, with timestamps and the receiving Host's identifier, and the Practitioner may revoke a Host's ongoing access. These documents are Personal Information handled under PIPEDA with consent, watermarking, and audit logging; they are not, and must not be, PHI.
3.6 Content you provide voluntarily. Profile photographs and biographies, Listing descriptions and photographs, in-platform messages, booking notes, reviews, support correspondence, and any other Content you choose to submit. A review you submit about a counterparty is published on that counterparty's profile or Listing once the double-blind review window resolves, and is visible to other Users.
3.7 Information collected automatically. When you use the Services we automatically collect technical and usage information, including IP address, browser and device identifiers, pages and Listings viewed, search filters used, booking-funnel interactions, timestamps, and referring URLs, in each case for the purposes set out in Section 4. Cookies and similar technologies used to collect some of this information are described in the Cookie Policy.
3.8 Information from service providers. We receive payment, payout, dispute, and tax-document data from our payment processor; map-tile and geocoding interactions from our mapping provider; email-deliverability data from our email provider; product-usage analytics from our analytics provider; error and performance telemetry from our error-monitoring provider; and edge and security data (such as request IP, request method, and response code) from our network and hosting providers. Each provider is described in Section 8.
3.9 What RoomaMD does not collect. RoomaMD does not collect government-issued identification documents, dates of birth (beyond the age confirmation in Section 12), biometric data, or other identity-verification artefacts from Practitioners, and it does not perform Primary Source Verification of any Practitioner's identity or registration. RoomaMD does not use any third-party electronic-signature service; every agreement on the Platform is accepted by a timestamped, audit-logged click-to-acknowledge interaction with the Platform itself. RoomaMD does not knowingly collect PHI, and the Platform is not a permitted channel for it (see Section 7).
3.10 Time-limited access to counterparty contact details. A Host's access to a Practitioner's direct contact details (and a Practitioner's access to a Host's direct contact details) is limited to the booking-coordination window. After a booking's scheduled end, RoomaMD reduces each side's view to what the marketplace continues to require (for the Host, the Practitioner's display name, profession, and self-attested registration number; for the Practitioner, the Host's Listing-page details). This is a privacy-by-design measure intended to prevent either side from accumulating a counterparty database beyond what booking coordination requires.
Section 4. How we use personal information
4.1 RoomaMD uses Personal Information only for the following purposes:
- (a) operating the Services: creating and authenticating accounts, presenting Listings, processing Booking Requests and Confirmed Bookings, computing pricing, sending service notifications, and providing customer support;
- (b) structured credential exchange: storing a Practitioner's uploaded credentials and disclosing a specific document to a specific Host only when the Practitioner elects to share it to satisfy that Host's Listing requirements, through the audit-logged, watermarked credential viewer; and surfacing the Public Register link as the authoritative source of licensure. RoomaMD does not perform, and does not represent that it performs, Primary Source Verification;
- (c) payments and payouts: authorizing and capturing Practitioner charges (including off-session charges for the later months of multi-month bookings), computing the Service Fee, the HST, and the Platform Fee, releasing Host Payouts, processing refunds, and issuing receipts and tax documents, in each case through our payment processor;
- (d) trust and safety: operating the send-time PHI-detection nudge and off-platform-circumvention detection on Content, reviewing flagged Content, investigating and resolving disputes, enforcing the Acceptable Use Policy, applying anti-abuse limits (such as the cancellation cap described in the Cancellation Policy), and responding to safety and abuse reports;
- (e) service improvement: analyzing usage (in aggregated or de-identified form where practicable) to understand and improve the Services, including limited testing of user-facing changes;
- (f) communications: sending transactional and service messages about your account, bookings, payouts, and agreements; and, only where you have given separate express consent, sending marketing communications you may withdraw at any time (see Section 13);
- (g) legal, tax, and regulatory compliance: meeting RoomaMD's obligations under PIPEDA, applicable consumer-protection law, the marketplace-facilitator (deemed-supplier) HST provisions under which RoomaMD collects HST at point of sale, the Income Tax Act (Canada), and any lawful order or production demand; and
- (h) establishing, exercising, or defending legal claims: investigating and responding to incidents, complaints, and disputes on or arising from the Services.
4.2 Automated processing. Some of the trust-and-safety and fraud-prevention activity described in Section 4.1(d) is carried out with automated tools, including the send-time PHI-detection nudge, off-platform-circumvention detection, automated fraud and abuse signals, and automated enforcement of anti-abuse limits. These tools assist RoomaMD's team; they do not replace human review. RoomaMD does not make any decision that produces a legal effect, or a similarly significant effect, concerning you (such as suspending or terminating your account, or denying a refund) solely by automated means without a person involved in the decision and without giving you the ability to request that a person review it. Where applicable law gives you a right to be informed of, or to contest, automated decision-making, this Section is intended to satisfy it.
4.3 RoomaMD will not use Personal Information for any purpose materially different from those in Section 4.1 without first obtaining the necessary consent or giving you a meaningful opportunity to decline.
Section 5. Consent and legal bases
5.1 RoomaMD collects, uses, and discloses Personal Information on one or more of the following bases:
- (a) your consent, which may be express (for example, your opt-in to marketing, or your election to share a specific credential document with a specific Host) or implied from your use of the Services for a purpose that would be obvious to a reasonable person in the circumstances;
- (b) performance of a contract with you (for example, processing the booking you yourself requested, or paying a Payout you are owed);
- (c) a use or disclosure required or authorized by law (for example, PIPEDA subsection 7(3), the Income Tax Act (Canada), a court order, or a regulatory production demand); and
- (d) the limited circumstances in which PIPEDA permits use or disclosure without consent, including to investigate a breach of an agreement or a contravention of the law, to detect, suppress, or prevent fraud, or to protect a vital interest of an individual.
5.2 Withdrawing consent. Subject to legal and contractual restrictions and to reasonable notice, you may withdraw your consent to a use or disclosure that rests on consent. Some processing is necessary to operate your account or to perform a contract with you; if you withdraw consent to that processing, RoomaMD may be unable to continue providing the Services to you and may close your account, subject to the retention rules in Section 9. Withdrawing consent to marketing does not affect any other processing.
5.3 RoomaMD does not sell Personal Information, and does not rent or trade Personal Information to third parties for their own marketing.
Section 6. Disclosure of personal information
6.1 To other Users. Marketplace information is disclosed to other Users only to the extent the marketplace requires. A Practitioner viewing a Listing sees the Host's display name and Listing details; the Host of a Confirmed Booking sees the booking Practitioner's display name, profession, self-attested registration number, the Public Register link, any credential documents the Practitioner has elected to share, and the messages exchanged about the booking. Section 3.10 limits this access in time.
6.2 To service providers and sub-processors. RoomaMD discloses Personal Information to the service providers listed in Section 8 for the limited purposes described there. Each is engaged under a written agreement that requires it to protect Personal Information with safeguards consistent with PIPEDA, to process it only on RoomaMD's instructions and for the stated purpose, and to return or destroy it at the end of the engagement.
6.3 To regulatory Colleges and authorities. Where RoomaMD receives a request from a regulatory College or a government authority concerning a User, RoomaMD may disclose the User's self-attested College and registration number, the Public Register link the Platform displays, listing or booking activity, and the existence (but not the substance) of any dispute. RoomaMD does not represent that it has independently verified any Practitioner's registration status with the College, consistent with the host-driven verification model. Where RoomaMD is compelled by a court order, subpoena, or statutory production demand, it will disclose the information specified and will, where it is lawfully able to do so, notify the affected individual.
6.4 For trust, safety, and legal protection. RoomaMD may use and disclose Personal Information as reasonably necessary to investigate suspected fraud, abuse, or a breach of an agreement, to protect the rights, property, or safety of a User, a member of the public, or RoomaMD, and to establish, exercise, or defend a legal claim, in each case to the extent permitted by PIPEDA.
6.5 Corporate transactions. If RoomaMD is involved in a financing, merger, acquisition, reorganization, sale of all or substantially all of its assets, or an insolvency proceeding, Personal Information may be disclosed to advisors, prospective acquirers or financiers, or court-appointed officers, in each case subject to confidentiality obligations and to the continued protection of the Personal Information consistent with this Policy. A successor that acquires the business will be bound by this Policy in respect of the Personal Information it acquires until it provides notice of any change.
6.6 No other public disclosure. RoomaMD does not publish Personal Information beyond what is intentionally surfaced on a User's public profile or Listing.
Section 7. PHIPA: RoomaMD is not a health-information custodian
7.1 RoomaMD is not a health-information custodian within the meaning of PHIPA, and is not a "person who provides goods or services to a custodian" acting in that capacity for the delivery of clinical care. The Practitioner remains the custodian of the Practitioner's own patient records. RoomaMD's role is limited to providing the marketplace, the credential viewer, the messaging surface, and the payment facilitation; clinical care is delivered by the Practitioner at the Premises and is outside the Services.
7.2 The Platform is not a permitted channel for delivering clinical care or for transmitting PHI. The Master Host Agreement, the Master Practitioner Agreement, and the Acceptable Use Policy each prohibit transmitting PHI through the Platform. Do not enter patient names, health-card numbers, diagnoses, clinical notes, or any other PHI into any message, Listing, booking note, review, support ticket, or other field on the Platform.
7.3 To reduce the risk that PHI is submitted even inadvertently, RoomaMD applies the following measures:
- (a) the messaging surface runs a send-time reminder, in the User's own browser, that recognizes common PHI patterns and prompts the User to review and remove them before sending. The reminder is a courtesy safeguard only: it runs client-side, its results are not transmitted to or recorded by RoomaMD, and it does not replace the User's obligation not to submit PHI. RoomaMD does not conduct server-side monitoring of message content for PHI;
- (b) where PHI comes to RoomaMD's attention (for example, through a User report or a support interaction), the affected Content may be reviewed and may be redacted under RoomaMD's incidental-exposure procedure;
- (c) administrative access to User Content is restricted to a defined operations role and is audit-logged; and
- (d) the deletion right in Section 11 removes User-authored message Content, subject to the retention exceptions in Section 9.
7.4 Each Host and each Practitioner remains individually responsible under PHIPA and applicable professional-regulatory rules for any patient-related information arising in connection with care delivered at the Premises. RoomaMD does not assume, and is not capable of assuming, the custodianship obligations that belong to the Practitioner.
Section 8. Service providers and sub-processors
8.1 RoomaMD relies on the service providers below to operate the Services. Each is listed so you can review the country in which it processes Personal Information and consult its own privacy policy. RoomaMD's primary application database and file storage are located in Canada. Where a provider processes Personal Information outside Canada, that data may be subject to lawful access by the courts, law-enforcement, and national-security authorities of the foreign jurisdiction. RoomaMD limits the Personal Information disclosed to each provider to what the stated purpose requires.
| Service provider | Purpose | Processing location |
|---|---|---|
| Supabase Inc. (database, authentication, file storage) | Primary application database, user authentication, and storage of uploaded files including credential documents | Canada (Montreal region) |
| Stripe, Inc. and Stripe Payments Canada Ltd. (payments, Connect, tax) | Payment authorization and capture, saved-card off-session charges, Host onboarding ("know your customer"), Payouts, refunds, and tax documents | Canada and United States |
| Resend, Inc. (email) | Delivery of transactional and (with consent) marketing email | United States |
| Mapbox, Inc. (maps) | Map tiles and geocoding for Listing locations | United States |
| PostHog Inc. (product analytics) | Product-usage analytics (event-level usage data, subsequently aggregated or de-identified for analysis) | United States |
| Functional Software, Inc. (Sentry) (error monitoring) | Error and performance telemetry to keep the Services reliable | United States |
| Namecheap, Inc. (domain registrar + DNS) | Domain registration and DNS resolution for RoomaMD's domains | United States |
| Vercel Inc. (hosting) | Application hosting and serving of the Services | Global edge network; serverless functions currently execute in the United States (US-East region); the application database and file storage remain in Canada with Supabase |
| Anthropic, PBC (AI writing assistance) | Generation of draft Listing titles and descriptions when a Host chooses to use the AI writing tool; receives only the Listing details the Host has entered (space type, location area, amenities, and similar Listing fields), never credentials, messages, or payment data | United States |
| Google LLC (sign-in) | Authentication for Users who choose "Continue with Google"; releases the basic profile and email address to RoomaMD | United States |
8.2 Before engaging or continuing with a provider that processes Personal Information outside Canada, RoomaMD assesses the provider's data-handling commitments for comparability with the protections required under PIPEDA, and engages the provider under contractual terms requiring that level of protection. By using the Services, you acknowledge that the limited cross-border processing described in this Section takes place. If you have a question about a specific provider's handling of your Personal Information, contact our Privacy Officer (Section 16).
8.3 The current list of service providers may change as the Services evolve. RoomaMD will keep this Section current and will update it before, or promptly after, a material change to the providers that process Personal Information.
Section 9. Retention
9.1 RoomaMD retains Personal Information only for as long as is reasonably necessary to fulfil the purposes in Section 4 and to meet legal, tax, accounting, audit, and limitation-period requirements, after which it is securely destroyed or de-identified. The principal retention periods are:
- (a) active-account information: for the life of the account, and then for the longer of the periods in paragraphs (b) to (g) or any applicable limitation period under Ontario law;
- (b) booking, payment, payout, refund, and per-booking-agreement records: seven (7) years from the date of the booking, consistent with Canada Revenue Agency requirements;
- (c) Master Host Agreement and Master Practitioner Agreement acknowledgement and content-hash records: seven (7) years from the date the agreement ceases to be in force;
- (d) Host CGL insurance attestations and Premises-authorization records: seven (7) years from the relevant document's expiry, for contract administration, dispute resolution, limitation-period, and trust-and-safety purposes;
- (e) Practitioner credential documents (registration certificate, professional liability insurance, specialty certifications, and other host-required documents): until twelve (12) months after the Practitioner removes the document or closes the account, whichever occurs first, plus any extension required by an active dispute or legal hold;
- (f) audit-log records of administrative actions, PHI flags, and disputes: ten (10) years from creation, as an append-only record that survives account deletion (where an account is deleted, the deleted account's identifiers are replaced in the audit log with a pseudonymous identifier that is not reversible); and
- (g) product-analytics and error-telemetry data: raw event data is not retained beyond thirteen (13) months, and is de-identified or destroyed within twenty-four (24) months.
9.2 Information retained under any of the above survives a deletion request to the extent the retention is required or permitted for tax, accounting, payment processing, fraud prevention, security, dispute resolution, legal claims, regulatory cooperation, audit-log integrity, or the completion of a routine backup-rotation cycle. A backup copy is retained only until the next routine backup-rotation cycle overwrites it.
9.3 At the end of an applicable retention period, RoomaMD destroys or anonymizes the Personal Information using methods reasonably designed to prevent its reconstruction.
Section 10. Security
10.1 RoomaMD maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Information it holds, consistent with PIPEDA. These safeguards include:
- (a) encryption of Personal Information in transit, using Transport Layer Security, across the Platform;
- (b) encryption of Personal Information at rest in the Canadian-region database and file storage;
- (c) additional field-level encryption at rest of selected sensitive data, such as a Premises's exact location coordinates, together with access controls that withhold the exact street address from non-transacting Users until a booking is confirmed;
- (d) row-level access controls in the application database on a default-deny basis, with explicit, least-privilege grants;
- (e) multi-factor authentication available to all Users; once a User enrols a factor, it is enforced on every protected request for that User. RoomaMD does not currently mandate multi-factor authentication as a condition of administrative access;
- (f) append-only audit logging of administrative actions and of access to credential documents and User Content; and
- (g) a breach-response procedure consistent with PIPEDA's mandatory breach-reporting requirements, including reporting to the Office of the Privacy Commissioner of Canada and notifying affected individuals where a breach creates a real risk of significant harm.
10.2 No method of transmission or storage is perfectly secure. While RoomaMD works to protect Personal Information, it cannot guarantee absolute security, and you are responsible for keeping your account credentials confidential.
Section 11. Your rights
11.1 Access. You may request a copy of the Personal Information RoomaMD holds about you, in a structured, commonly used electronic format. We will respond within thirty (30) days as required by PIPEDA. We will not charge you for access without first telling you the approximate cost and giving you the opportunity to withdraw or narrow your request. Where applicable law gives you a right to receive your information in a portable format, this access mechanism is intended to satisfy it.
11.2 Correction. You may ask us to correct Personal Information that is inaccurate or incomplete. Where a correction is in dispute, we will note the disagreement on the record and, where appropriate, advise any third party with access to the disputed information.
11.3 Withdrawal of consent. You may withdraw consent to any processing that rests on consent, on the terms in Section 5.2.
11.4 Deletion. You may request deletion of your account and the Personal Information attached to it. Where reasonably practicable, RoomaMD will delete or de-identify active-account Personal Information within thirty (30) days, subject to the retention rules in Section 9. The categories listed in Section 9.1 may survive a deletion request for the periods stated there.
11.5 Objection to marketing. You may at any time object to the use of your Personal Information for marketing by contacting our Privacy Officer (and, once marketing messages are being sent, by using the unsubscribe link each one will contain).
11.6 Request for human review of an automated decision. Where an automated tool has been used in a decision that significantly affects you, you may ask a person to review that decision, on the terms in Section 4.2.
11.7 Complaint. If you are not satisfied with how RoomaMD has handled your Personal Information or a request under this Section, you may complain to RoomaMD's Privacy Officer (Section 16), and you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca. For a matter that falls under PHIPA, the Office of the Information and Privacy Commissioner of Ontario at ipc.on.ca is the relevant authority; as set out in Section 7, RoomaMD is not a health-information custodian and does not process PHI.
11.8 How to exercise your rights. Direct any request under this Section to our Privacy Officer (Section 16). We may ask you for information reasonably necessary to confirm your identity before acting on a request, in order to protect your Personal Information from disclosure to anyone else.
Section 12. Children
12.1 The Services are intended only for individuals who are at least 18 years of age. RoomaMD does not knowingly collect Personal Information from anyone under 18. If RoomaMD learns that it has collected Personal Information from a person under 18, it will delete that information promptly. If you believe a person under 18 has provided Personal Information to RoomaMD, contact our Privacy Officer (Section 16).
Section 13. Marketing and electronic communications
13.1 RoomaMD sends two categories of message:
- (a) service messages about your account, your bookings, your Payouts, and your agreements. These are necessary to provide the Services and are sent under the implied-consent provisions of Canada's anti-spam legislation; and
- (b) marketing messages, such as newsletters, product updates, and hosting tips, which RoomaMD sends only where you have given separate express consent (captured through a clear, non-pre-checked opt-in). RoomaMD does not currently send marketing messages. If and when it begins to, every marketing message will include an unsubscribe link, and you may withdraw consent at any time through that link or by contacting our Privacy Officer.
13.2 RoomaMD's electronic communications comply with Canada's anti-spam legislation, including its identification, consent, and unsubscribe requirements.
Section 14. Cookies and similar technologies
14.1 RoomaMD and the providers listed in Section 8 use cookies and similar technologies to operate the Services, remember your session, keep the Platform secure, and (with your consent where required) measure product usage. The categories of cookies, their purposes, their providers, and how to manage them are described in the Cookie Policy. The Cookie Policy forms part of this Privacy Policy.
Section 15. Changes to this Privacy Policy
15.1 RoomaMD may update this Privacy Policy from time to time. The current version is always posted at roomamd.com under the legal section, with the date it was last updated shown on the page.
15.2 Where a change is material, RoomaMD will give existing Users reasonable advance notice (ordinarily by email at least thirty (30) days before the change takes effect, except where a shorter period is required by law or by an urgent security or legal need). Your continued use of the Services after a change takes effect constitutes acceptance of the updated Policy, except where your separate consent is required by law, in which case RoomaMD will obtain that consent.
Section 16. Contact
RoomaMD Privacy Officer
Email: legal@roomamd.com
Mail: RoomaMD Inc., Attn: Privacy Officer, 155 Merchants Wharf, Unit 0528, Toronto, Ontario M5A 0Y4
For support, you may reach RoomaMD at support@roomamd.com, and for trust and safety matters, at safety@roomamd.com.
To complain to a regulator about RoomaMD's handling of Personal Information, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca. For a matter that falls under PHIPA, the Office of the Information and Privacy Commissioner of Ontario at ipc.on.ca is the relevant authority.
Section 17. Definitions and relationship to other documents
17.1 Capitalized terms used in this Policy and not defined here have the meanings given in the Terms of Service.
17.2 This Privacy Policy is to be read with the Terms of Service, the Cookie Policy, the Acceptable Use Policy, the Master Host Agreement, the Master Practitioner Agreement, the Click-Through Booking Agreement, and the Cancellation Policy. If there is a conflict between this Policy and another of those documents on how RoomaMD handles Personal Information, this Policy governs; on any other matter, the other document governs the underlying obligation it addresses.