Privacy Policy
Last updated: March 2026
1. Introduction
Dr. Fersan Marei Dentistry Professional Corporation ("we", "us", "our") is committed to protecting the privacy and confidentiality of personal information and personal health information entrusted to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the clinic scheduling portal at marei.ca (the "Portal").
As a dental practice operating in Ontario, Canada, we are governed by the Personal Health Information Protection Act, 2004 (PHIPA) with respect to personal health information, and by the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to other personal information collected in the course of commercial activities.
2. Key Definitions
Personal Health Information (PHI)
As defined under PHIPA, personal health information includes information about an individual's physical or mental health, health care history, treatment plans, health care providers, and payments or eligibility for health care. In the context of our Portal, this includes:
- Optional patient reference information provided by the clinic for identification purposes on treatment estimates
- Procedure codes, treatment plans, and clinical notes
- Production records related to dental procedures performed
- Treatment estimates including procedure details and associated fees
- Uploaded documents such as production sheets, receipts, and clinical images
The Portal does not independently collect or store patient medical histories, diagnoses, or treatment records beyond what is necessary for scheduling, production tracking, and estimate generation.
Health Information Custodian
The referring dental clinic is the health information custodian under PHIPA and is responsible for the personal health information in its custody or control. Dr. Fersan Marei acts as an agent of the clinic under PHIPA when providing dental services at the clinic. As an agent, Dr. Marei collects, uses, and discloses personal health information only as authorized by the clinic and in accordance with PHIPA.
Personal Information
Information that does not relate to health care but identifies an individual, such as business contact details, clinic registration information, and account credentials.
3. Information We Collect
Personal Health Information
- Optional patient reference information provided by the clinic for identification purposes on treatment estimates
- Dental procedure codes, descriptions, and fees from the ODA fee guide
- Production records: procedure counts, production totals, clinical notes
- Treatment estimates with procedure details, tooth numbers, and cost breakdowns
- Uploaded clinical documents and images (production sheets, receipts)
Production sheets and other documents uploaded to the Portal are stored as image files. Patient information that may appear on these documents is NOT extracted into the Portal's database. The OCR system only extracts aggregate financial data such as total production amounts and procedure counts.
Personal Information
- Clinic name, address, phone number, and email
- Contact person name, email, and phone number
- Account credentials (email and hashed password)
- Financial information: collection amounts, payment methods, cheque numbers
Automatically Collected Information
- Usage data such as pages visited and features used
- Device information including browser type, operating system, and IP address
- Cookies and similar technologies for session management
4. Consent
Under PHIPA, we collect, use, and disclose personal health information only with your consent, or as permitted or required by law. By registering for and using the Portal, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.
You may withdraw your consent at any time by contacting us at privacy@marei.ca. Please note that withdrawing consent may affect your ability to use the Portal and may not apply to information we are required to retain by law or for regulatory purposes.
Where we act as an agent of a referring dental clinic (the primary health information custodian), we collect and use personal health information on their behalf and in accordance with PHIPA.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Providing and maintaining Portal access and account authentication
- Facilitating scheduling and booking between clinics and Dr. Marei
- Generating treatment estimates and tracking production records
- Processing and recording collection payments
- Sending transactional emails such as booking confirmations, reminders, and notifications
- Storing uploaded documents as audit records attached to production and collection entries
- Analyzing usage patterns to improve the Portal experience
6. Disclosure of Information
We do not sell, rent, or trade personal information or personal health information. We may disclose information in the following circumstances:
- To the referring dental clinic for purposes of coordinated patient care
- To third-party service providers who process data on our behalf (see Section 8)
- As required by law, regulation, court order, or regulatory body (including the RCDSO)
- To protect the rights, safety, or property of our practice, our patients, or the public
7. Cookies & Tracking Technologies
We use cookies and similar technologies to operate and improve the Portal:
Session Cookies
Essential cookies required for authentication and session management. These are necessary for you to log in and use the Portal securely. They expire when you close your browser or after your session times out.
Preference Cookies
These cookies store your preferences such as theme settings and cookie consent choices. They improve your experience by remembering your selections across visits.
Analytics Cookies (Future)
We may implement analytics cookies in the future to understand how the Portal is used. If implemented, these cookies will collect anonymized usage data. This policy will be updated before enabling analytics tracking.
8. Third-Party Services
We use the following third-party service providers to operate the Portal. These providers act as our agents and are contractually obligated to protect the confidentiality and security of your information:
- Vercel — Hosting and deployment infrastructure (Canada/US servers)
- Neon — PostgreSQL database hosting. All data is encrypted at rest and in transit.
- Vercel Blob — Secure file storage for uploaded documents and images (Montreal, Canada region)
- Resend — Transactional email delivery for booking confirmations, notifications, and system communications
- Google — OAuth authentication. If you sign in with Google, we receive your name, email, and profile picture from your Google account.
- Anthropic (Claude AI) — OCR processing for production sheet scanning. Uploaded images are sent to the Claude API for text extraction and are not stored by Anthropic after processing.
9. Data Retention
We retain personal health information and personal information in accordance with our legal and regulatory obligations:
- Health records: Retained for a minimum of 10 years from the date of the last entry, as required by the RCDSO and applicable Ontario regulations
- Financial records: Retained for a minimum of 7 years as required by the Canada Revenue Agency
- Account data: Retained for as long as your account is active. Upon account deletion, personal information is removed except where retention is required by law
- Uploaded documents: Retained as part of the associated production or collection record and subject to the same retention periods
10. Your Rights Under PHIPA
Under the Personal Health Information Protection Act (PHIPA), you have the following rights with respect to your personal health information:
- Right of Access — You have the right to request access to your personal health information in our custody or control. We will respond to your request within 30 days.
- Right of Correction — You may request that we correct any inaccurate or incomplete personal health information. If we do not agree with the correction, you may attach a statement of disagreement to the record.
- Right to Withdraw Consent — You may withdraw your consent for us to collect, use, or disclose your personal health information at any time, subject to legal or regulatory restrictions. Withdrawing consent may limit your ability to use the Portal.
- Right to Complain — If you believe your privacy rights have been violated, you have the right to file a complaint with the Information and Privacy Commissioner of Ontario (IPC). The IPC can be reached at 1-800-387-0073 or www.ipc.on.ca.
Your Rights Under PIPEDA
For personal information that is not health information, you also have rights under PIPEDA, including the right to access, correct, and request deletion of your personal information, and to withdraw consent. To exercise any of these rights, contact us at privacy@marei.ca.
11. Data Breach Notification
In accordance with PHIPA, if a breach of personal health information occurs that poses a risk of significant harm, we will:
- Notify affected individuals at the first reasonable opportunity
- Report the breach to the Information and Privacy Commissioner of Ontario
- Take immediate steps to contain the breach and prevent further unauthorized access
- Notify the regulatory college (RCDSO) where required
12. Data Security
We implement appropriate technical and organizational safeguards to protect personal health information and personal information:
- All data transmitted between your browser and the Portal is encrypted using TLS (Transport Layer Security)
- Database content is encrypted at rest through our database provider (Neon)
- Uploaded files are stored securely in Vercel Blob (Montreal, Canada region)
- Passwords are hashed using bcrypt with 12 rounds and are never stored in plain text
- Role-based access controls restrict access to sensitive data based on user permissions
- Rate limiting protects against unauthorized access attempts
- Security headers (HSTS, X-Frame-Options, CSP) are enforced on all pages
While we strive to protect your information using commercially reasonable safeguards, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
13. Children's Privacy
The Portal is designed for use by dental professionals and clinic administrators. It is not directed at individuals under the age of 18. We do not knowingly collect personal information directly from children. Patient information entered into the Portal (including for minor patients) is collected and managed by the treating dental professionals in accordance with PHIPA.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. Changes will be posted on this page with an updated "Last updated" date. Your continued use of the Portal after any changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.
15. Contact & Privacy Officer
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your information is handled, please contact our Privacy Officer:
Privacy Officer
Dr. Fersan Marei Dentistry Professional Corporation
Ontario, Canada
Email: privacy@marei.ca
If you are not satisfied with our response, you may contact the Information and Privacy Commissioner of Ontario at 1-800-387-0073 or visit www.ipc.on.ca.
Dr. Fersan Marei, BDS, is a general dentist registered with the Royal College of Dental Surgeons of Ontario (RCDSO). Dr. Marei provides oral surgery and implant placement as part of his general dental practice. He is not a dental specialist.