Opticalm Inc. – VSCAT Privacy Policy
Visual Stress & Colorimetry Assessment Tool (VSCAT)

Last update: January 20, 2023

Opticalm Inc. (collectively “Opticalm”, “we”, “us”, “our”) is proud to offer you the Visual Stress and Colorimetry Assessment Tool (the “VSCAT”). We are committed to protecting your personal information and complying with applicable data protection and privacy laws.  This “Privacy Policy” tells you how we do so and the choices you can make about the way your information is collected and used.

We will update this Privacy Policy as necessary. Please check it regularly. Please submit inquiries pertaining to this Statement by contacting us.

Opticalm’s Authorized Colorimetry Providers (“Providers”) use the VSCAT to offer their patients Visual Stress and Colorimetry Assessment services. The Providers have their own privacy policies pertaining to the collection, use and disclosure of personal information, including personal health information. We encourage you to review their privacy policies to understand how your personal information is protected.

1. What information do we collect?

VSCAT Application

Opticalm Inc. is the creator and operator of the “VSCAT” application, which includes a full suite of virtual and in-clinic patient engagement tools for practitioners that are part of our Provider network. The VSCAT includes the following key components:

  1. Pre-screening test (Free test)
  2. Visual Stress Assessment (VSA)
  3. Intuitive Colorimeter Assessment (ICA)
  4. Tint update (ICA-TU)
  5. Precision tinted lens (PTL) colour and prescription details

These tools enable the collection of essential personal health information and provide the ability to store and retrieve the data and information collected during the various assessments.

As a patient of a Provider or referring practitioner that is using the VSCAT, all personal health information in relation to your assessments or referral is collected and securely stored through our third-party partner platforms.

VSCAT – Cookies and other tracking technologies

As is true of most websites, we and our third-party partners, use “Cookies” and other automatic data collection technologies (web beacons, device identifiers and similar technologies) to recognize you across the VSCAT and provide essential functionality, such as maintaining the security of authenticated user sessions. With your consent, we collect personal information whenever you visit or interact with the VSCAT, including unique identifiers and preference information such as IP address, technical usage, browser type, time zone settings, language preferences, operating system, unique device identifiers, search history, page response times and length of visit, pages viewed, marketing preferences or navigation.

While you can disable cookies used in the VSCAT at the browser level, it is not recommended because certain features and/or controls may not function as designed or as required to effectively and securely use the Service.

These cookies help us understand how you use the VSCAT and the content of the application to make improvements. We do not use these Cookies to promote our services through marketing and advertising. These Cookies are only accessed or disclosed to service providers and third-party partners for the purpose of maintaining the functionality of the VSCAT.

Contact us

When you submit a form on the Website or contact us directly by calling us or emailing us, we may collect information like your name, e-mail, phone number, clinic/organization, the province in which you are located, and any other information you may voluntarily provide us. This information will be used by Opticalm Inc. and its Colorimetry Providers to communicate with you to provide you with the information you requested.

Direct marketing

If you sign up to receive direct marketing or promotional communications through the VSCAT, Opticalm will collect your name and e-mail to inform you about products and services.

2. Why do we use personal information?

We use your personal information to:

  1. manage our relationship with you and provide you with the information or services you request,
  2. conduct research and evaluate research and development on the Website, including analyzing testing data to improve our services,
  3. communicate with you regarding inquiries for information or customer service,
  4. detect, prevent or investigate security breaches,
  5. process credit card or other payment information as agreed to on the VSCAT,
  6. validate requests and confirm identities,
  7. protect our business, and
  8. maintain appropriate records for internal administrative purposes.
  9. Opticalm reserves the right to aggregate and anonymize account information (or other information) and use such aggregated information as it sees fit to improve services or release valuable information about Visual Stress to Providers or the public.

3. Who do we share personal information with?

Opticalm only shares your personal information with service providers and third-party providers to operate the VSCAT and offer you the information or services you request. This includes sharing your personal information for:

  • providing requested services or information,
  • customer service and support,
  • communications with your identified medical contacts,
  • payment processing,
  • operating the VSCAT, and
  • fraud prevention.

We only use service providers that ensure a comparable level of protection for your personal information, as provided in this Privacy Policy. Our contracts with our service providers ensure they comply with that obligation and use your personal information for the services requested.

Exceptionally, as allowed or required by law, we may have to disclose your personal information to law enforcement agencies where they demonstrate they have the legal authority to request it.

The VSCAT enables allied healthcare practitioners, educators, insurance companies and lawyers to securely refer patients to Opticalm or Providers using the application. Patients will need to authorize Opticalm or their Provider before any personal information may be shared back with the referrer. We encourage you to also review your healthcare practitioner’s privacy policy on how your personal information may be used and shared. Opticalm Inc. will never disclose your personal health information without your consent.

4. How long do we keep personal information?

We retain personal information, such as Provider and Patient account information, for as long as required to provide the services for which it was collected, otherwise, in accordance with applicable legal and regulatory requirements. Providers and referrers using the VSCAT are required to comply with different statutory and regulatory requirements and store personal health information for a minimum length of time. We encourage you to speak with your healthcare practitioner directly on how long they are required to store your personal information.

5. How do we keep personal information accurate?

We take reasonable steps to ensure that any personal information in our custody is accurate and up to date but we mostly rely on you to notify your healthcare practitioner of any changes to the personal information you provided us. Once your Provider updates your information, it will be automatically updated in the VSCAT as well.

6. Where do we store and protect your personal information, and respond to breaches?

We use reasonable and appropriate physical, administrative and technical measures designed to help you secure your personal information against accidental or unlawful loss, access or disclosure.  Only staff and service providers who have a legitimate business purpose for accessing the personal information collected by us are authorized to do so.

Infrastructure

The VSCAT infrastructure is secured through a defence-in-depth multi-layered approach. It logically isolates, stores and secures Data in a data center located in Montreal, Quebec, Canada, and operated by Amazon Web Services (AWS). AWS is a SOC 2-certified cloud service provider.

The environment consists of database servers, applications servers, tasks and operational servers, firewalls, load balancers and storage.

Personnel working for our third-party partners will not access without authorization. They only process customer data for the purpose of providing the services, utilizing the Sub-Processors. Security controls provided by these Sub-Processor facilities include but are not limited to:

  • 24/7 security guard services
  • Physical entry restrictions to the property and the facility like biometric identification, metal detection, vehicle barriers, laser-based intrusion detection systems
  • Full CCTV surveillance coverage externally and internally for the facility
  • Battery and generator backup
  • Generator fuel carrier redundancy
  • Secure loading zones for the delivery of equipment

Access Controls

The network components and supporting network infrastructure are contained within AWS infrastructure and managed by AWS. We do not have physical access to the network components. Only select third-party Engineering team members have access to the backend infrastructure. Access is provided through multi-factor authentication based on job role utilizing the principle of least privilege.

Data Transmission and Encryption

Industry-standard encryption schemes and protocols are used to encrypt data transmissions between data centers. This is intended to prevent reading, copying or modification of the data. The VSCAT application is built on a service that enforces TLS (Transport Layer Security) encryption while data is in transit and full disk encryption while data is at rest.

Incident Response

The VSCAT platform implements a security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible. Our third-party partner’s security personnel will promptly react to discovered security incidents and inform the involved parties.

Even though we take all necessary steps to protect your personal information, security breaches cannot be eliminated, and we cannot guarantee a breach will never occur. If a breach is ever suspected or confirmed (an “Incident”), such Incident is immediately reported to Opticalm Inc.’s president and privacy officer and investigated. During their investigation of the Incident, any personal information at risk may be secured or deleted, and all audit logs are secured to assist with a follow-up investigation. If an Incident is confirmed as a breach, Opticalm Inc. will follow all statutory and regulatory requirements, including all guidance from the relevant privacy commissioners of the jurisdiction in which the breach occurred.

Depending on the breach, such response may involve notifying the relevant Providers whose patient data was contained within the breach, notifying the individual directly of such breach, and/or reporting the breach to the relevant privacy body or commission.

For more information please contact us.

7. Do we have a disaster recovery plan?

Yes. The infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. It maintains physical, operational and contingency procedures to back up, retain and recover account data. replicates data across multiple systems to help protect against accidental destruction of loss and regularly tests its business continuity and disaster recovery programs. All disaster recovery sites are operated within Canada.

8. Links to third-party sites

The VSCAT may lead you to third-party websites, including Provider websites. Further, your healthcare practitioner may have their own website and privacy policies. These organizations are separate and distinct from Opticalm Inc. We are not responsible in any way for how any third-party collects, uses or discloses your personal information, so it is important to familiarize yourself with the privacy policies of these websites before providing your personal information to them.

Any personal information processed by a third party may be done outside Canada. While outside of Canada, personal information is subject to that jurisdiction’s laws, which may permit governmental authorities the right to access your personal information.

9. Direct marketing

You may sign up to receive marketing or promotional communications from Opticalm.  Where you have expressly consented, we may use your personal information to inform you about us and our products and our services, including promotional offers and events. If you no longer wish to receive marketing or promotional communications from us, you can opt out at any time by contacting us.

10. Your rights

You also have the right to:

  • make a written request to access your personal information,
  • request us to restrict our use or disclosure of your personal information,
  • object to our use or disclosure of your personal information,
  • request that we edit, but not remove, certain information (like an e-mail address),
  • request that we transfer to another organization the personal information you have provided us, and
  • request us to delete the personal information we hold about you.

If you would like to exercise any of these rights, please login to your account or contact your Provider. If you encounter any problems, contact us and we will connect you with the individual capable of assisting with your request. We will respond within 15 business days. If we cannot grant your request directly or through your Provider, we will give you a reason.

Your requests to access, correct, or delete Personal Data may be restricted in certain situations, for example, if fulfilling the request would compromise Personal Data about another individual, or if you ask to delete information which Opticam Inc. or Opticalm business partners are permitted by law or have compelling legitimate interests to keep.

We will address all requests with equal attention.

11. Contacting us

Accountability with respect to your personal information is important to Opticalm. If you have any questions about how we manage your personal information, comments, complaints or concerns about this Privacy Policy, or if you have reason to believe that we may have failed to adhere to it, please contact us.

Questions regarding your rights and responsibilities under this Privacy Policy can also be directed to our privacy officer at privacy.officer@opticalm.ca or by mail to:

Opticalm Inc.
Attention: Privacy Officer
160 Terence Matthews Crescent, Suite A1
Kanata, Ontario  K2M 0B2
Canada

If after contacting us you are still not satisfied, you have the right to file a complaint with your local privacy authority.