Canada — PHIPA, PIPEDA, and more

Consent collection templates and information for providers in Canada

Written by Aviva Glassman
Updated today

The resources on this page are specific to Canada.

Last updated: January 23, 2026

Understanding your privacy obligations

Data protection requirements for healthcare providers vary across Canada, so we expect you have questions about staying compliant while using Upheal. This guide:

  1. Breaks down the requirements for several Canadian provinces and explains how Upheal's features and policies are designed to support you.

  2. Provides templates and statements to help you stay compliant with your local regulations.

Please note: This information is for guidance only and does not constitute legal advice. We recommend consulting with a legal professional who specializes in health and privacy law in your province to ensure you are fully compliant.

Where does Upheal store data?

Data provided to Upheal is transferred to our storage servers in the U.S. in the presence of adequate safeguards provided for by the applicable law. Some provinces require you to disclose this information to clients — look for yours below in Province-specific requirements.

How is my data protected while stored on servers located in the US?

We are committed to ensuring that you, as the provider, maintain control over your clients’ information. The Upheal platform is designed so that decisions about disclosure of client data remain with you, regardless of where the data is geographically stored.

We achieve this in several ways:

  • Data minimization: Upheal is designed to store personal information only for limited, defined purposes and for the minimum period necessary to carry out the requested action (e.g., transcribe a session). Personal information is stored in a pseudonymized format, and access by the Upheal team is strictly controlled.

  • Data protection agreements: We enter into data protection agreements (DPAs) with subprocessors to whom we disclose personal information. These agreements provide a level of protection comparable to what is required by Canadian federal and provincial laws, including PHIPA and PIPEDA.

  • Provider control over disclosure: As the provider and custodian of personal information, you retain control over decisions to disclose client information. Upheal does not voluntarily disclose customer data to authorities, and any legally binding request would be carefully assessed and limited to what is strictly required by law.

  • Technical and organizational safeguards: We use appropriate technical and organizational measures, including encryption and strict access controls, to reduce the risk of unauthorized or disproportionate access to client personal information. We also undergo annual independent audits against SOC 2 Type II and ISO/IEC 27001.

Learn even more here about how we protect personal data.

Collecting client consent

If you want to use your own documents to collect consent for processing personal data, rather than emailing your clients through Upheal, we offer two options. Choose the one that best suits your practice:

  1. Add a simple statement to your existing documents.

    or

  2. Use and distribute our template as-is or modified to your practice's needs. The template is the same form that you can email to your clients through Upheal.

Statement for existing forms

If you already have your own informed consent documents, you can include Upheal in your forms by adding these statements to remain PHIPA/PIPEDA compliant while using Upheal.

Remember, check your province below to see if you need a different statement.

Make sure to replace [Name of the practice] with the name of your own practice.

[Name of the practice] uses external providers to enhance our services, including the Upheal platform, which helps us concentrate on our time with you by offering automated notes and analytics for our conversations.

As a part of this process, your personal and health information is stored and processed on secure servers located in the United States. We have a signed data protection agreement with Upheal that contractually requires them to provide a comparable level of protection to what is required by Canadian federal and provincial laws, including PHIPA and PIPEDA. This agreement ensures that your electronic health information is safeguarded through appropriate administrative, physical, and technical measures to maintain its confidentiality, integrity, and security at all times.

You can learn more about Upheal and its privacy practices at www.upheal.io/privacy.

Template for new forms

If you need a new consent form, you can download and use our template.

Remember, check your province below to see if you need to make a change to our provided form to stay compliant in your region.

Please note:

The template is intended to serve as a basis for client consent and might require customization according to your specific operation and obligations. You as a Provider are responsible for the accuracy and applicability of the document.

Last Update: January 23, 2026

📄 Text version No need to request access, see instructions below

If you'd like to make changes to the form, make a copy or download the document:

How to make a copy in your Google Drive

  1. Click File > Make a copy.

  2. Rename the document, choose the folder to save it in, and click Copy.

How to download for editing on your computer

  1. Click File > Download.

  2. Choose which file type you want to download, such as Microsoft Word (.docx).

  3. The download starts automatically, and then you can edit the new file on your computer.

Province-specific requirements

Alberta

Under Alberta’s Personal Information Protection Act (PIPA Alberta), when you begin collecting or transferring your clients’ PHI, you’re required to:

  • Inform your clients: Notify your client that their PHI will be transferred and stored outside of Canada in the US, and explain how to gain access to written information about the provider’s policies and practices with respect to service providers outside Canada.

  • Provide a point of contact: Provide the name, or the position name or title, of a person who can answer, on behalf of the provider, questions about the collection, use, disclosure, or storage of personal information by service providers outside Canada for or on behalf of the organization.

In Canada’s Health Information Act (HIA) (Provincial law: HIA s. 66 Information Management Agreement, section 60(1)(b)), note:

  • You’re required to protect the privacy and confidentiality of clients who are providing their PHI as a custodian under the act.

    • This duty to protect covers health information that is transmitted or transported to other custodians (which includes Upheal) or to others outside the “controlled arena”, including persons outside Alberta.

Templates for Alberta

If you have your own documents:

If you practice in Alberta and already have your own consent documents, you can add the following statement. Make sure to provide a point of contact.

[Name of the practice] uses external providers to enhance our services, including the Upheal platform, which helps us concentrate on our time with you by offering automated notes and analytics for our conversations.

As a part of this process, your personal and health information is stored and processed on secure servers in the United States. We have a signed data protection agreement with Upheal that contractually requires them to provide a comparable level of protection to what is required by Canadian privacy laws. This ensures your information is protected through robust administrative, physical, and technical safeguards. For any questions about the collection, use, or storage of your information by our service providers, please contact: [insert name and title].

You can learn more about Upheal and its privacy practices at www.upheal.io/privacy.

If you're using our full template:

If you practice in Alberta and you’re using our consent template, replace the section “Where does Upheal process your data?” with the following. Make sure to provide a point of contact.

Where does Upheal process your data?

To provide its services, Upheal stores and processes your personal and health information on secure servers located in the United States. We have chosen this platform because it provides the level of protection required by Canadian privacy laws.

In accordance with Alberta's privacy laws, you can find more information about our policies regarding service providers outside Canada by contacting us at the email address at the top of this notice. The person responsible for answering your questions about this is [insert name and title].

For more information, see www.upheal.io/privacy, or contact support@upheal.io.

British Columbia

Under the Government of British Columbia’s Personal Information Protection Act (PIPA), you’re required to:

  • Inform clients: Let your clients know if their PHI is being transferred or stored outside of Canada.

  • Ensure comparable protection: You must ensure that any third party you use to store or process PHI provides a "comparable level of protection" to what is required under PIPA. This is typically achieved through strong contractual agreements and security measures, which Upheal provides.

If you practice in British Columbia, you can use our provided consent template as-is, or add the statement at the beginning of this article (applicable to practicing in Canada in general) to your existing documents.

Nova Scotia

In Nova Scotia, privacy requirements depend on whether you work for a public institution or are in private practice. (However, our provided templates and statements will cover both scenarios.)

Public institutions:

The Personal Information International Disclosure Protection Act (PIIDPA) applies to all public bodies that have custody over personal data.

If you work for a public institution, PIIDPA requires you to:

  • Obtain consent from clients to store and access their personal information outside of Canada. PIIDPA prohibits storing personal data outside of Canada without this consent.

Private practices:

If you’re a private professional or privately employed, you need to:

  • Obtain consent from clients to store and access their personal information outside of Canada.

  • Ensure comparable protection: You must ensure that any third party you use to store or process PHI provides a "comparable level of protection" to what is required under PIPEDA.

Templates for Nova Scotia

If you have your own documents:

If you practice in Nova Scotia, and already have your own consent documents, you can add this statement:

[Name of the practice] uses the Upheal platform to help us concentrate on our time with you by offering automated notes and analytics for our conversations. To provide this service, Upheal stores and processes information on secure servers in the United States.

Under Nova Scotia's Personal Information International Disclosure Protection Act (PIIDPA), we are required to obtain your explicit consent to store your personal information outside of Canada. By agreeing to this notice, you are providing your consent for us to use the Upheal service for your clinical documentation. We have a signed data protection agreement with Upheal that ensures your information is protected through robust administrative, physical, and technical safeguards to maintain its confidentiality, integrity, and security at all times.

You can learn more about Upheal and its privacy practices at www.upheal.io/privacy.

If you're using our full template:

If you practice in Nova Scotia, and you’re using our consent template, replace the section “Where does Upheal process your data?” with this:

Where does Upheal process your data?

Under Nova Scotia's Personal Information International Disclosure Protection Act (PIIDPA), we are required to obtain your explicit consent to store your personal information outside of Canada. To provide its services, Upheal stores and processes information on secure servers in the United States. By signing this notice, you confirm your consent for us to use Upheal for your clinical documentation under these conditions.

For more information, see www.upheal.io/privacy, or contact support@upheal.io.

Ontario

Under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA), you’re required to:

  • Get your client's consent: You must inform your clients that their PHI may be transferred outside of Ontario and receive their consent to do so.

  • Ensure adequate protection: As the health information custodian, you are responsible for making sure that any agent you use (like Upheal) protects the PHI in your custody. This includes assessing the protections we offer and ensuring they are adequate.

If you practice in British Columbia, you can use our provided consent template as-is, or add the statement at the beginning of this article (applicable to practicing in Canada in general) to your existing documents.

Quebec

The Quebec Private Sector Act (QPSA), as modified by Bill 64, applies to all private organizations. Under this act, you’re required to:

  • Inform your clients: Clearly state at the time of collection that their information may be transferred outside of Quebec.

  • Complete a privacy assessment: You must conduct a Privacy Impact Assessment (PIA) to evaluate the risks associated with transferring the PHI. This assessment should consider:

    • How sensitive the information is

    • The purpose of the transfer

    • The legal privacy framework in the destination (in this case, the U.S.)

    • The data protection measures Upheal has in place

  • Ensure adequate protection: Based on your assessment, you can only transfer the information if you determine it will receive an adequate level of protection. Quebec doesn’t use an adequacy decision system, so the determination is up to you. This often involves having a strong contractual agreement, like your existing Terms of Service with Upheal.

The Act respecting health and social services information requires action similar to the last point above under the QPSA. It applies to public and private healthcare institutions, health professionals, and intermediaries. Under this act (Section 73), note:

  • A PHI assessment must be carried out before data is transferred or stored outside of Quebec to determine and mitigate the risks of the transfer of PHI.

Templates for Quebec

If you have your own documents:

If you practice in Quebec and already have your own consent documents, you can add this statement:

[Name of the practice] uses external providers to enhance our services, including the Upheal platform, which helps us concentrate on our time with you by offering automated notes and analytics for our conversations.

As a part of this process, your personal and health information is stored and processed on secure servers in the United States. As required by Quebec law, we have conducted a Privacy Impact Assessment and have determined that Upheal provides an adequate level of protection for your information. This is enforced through a signed data protection agreement requiring them to adhere to Canadian privacy laws and maintain robust administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and security.

You can learn more about Upheal and its privacy practices at www.upheal.io/privacy.

If you're using our full template:

If you practice in Quebec and you’re using our consent template, replace the section “Where does Upheal process your data?” with the following:

Where does Upheal process your data?

To provide its services, Upheal stores and processes your personal and health information on secure servers located in the United States. As required by Quebec law, we have conducted a Privacy Impact Assessment to ensure this transfer of information is secure. Our assessment confirmed that Upheal provides adequate protection for your information through its strong contractual and security measures.

For more information, see www.upheal.io/privacy, or contact support@upheal.io.