
Privacy Notice

Effective June 7, 2026

Draft pending legal review. This notice is a good-faith starting point and is not a substitute for advice from a licensed lawyer or privacy professional.

This Privacy Notice explains how ReproTrack (“ReproTrack,” “we,” “us”) handles personal information when clinics and their staff use the ReproTrack platform and when visitors use our website (together, the “Service”). We handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario law.

1. We are not a health-records system

ReproTrack is designed to document medical device reprocessing — what was reprocessed, by whom, in which cycle — not patient identities. The Service is not intended to collect Protected Health Information (PHI), and clinics are instructed not to enter it. We do not act as a health information custodian for a clinic. The personal information we do handle is mainly about clinic staff and account users, not patients.

2. Information we collect

We collect:

  • Account & staff information — names, usernames, work email addresses, role, and the clinic you belong to.
  • Authentication & device information — login times, one-time-passcode events, trusted-device identifiers, browser/user-agent, and IP address, used to keep accounts secure.
  • Records you enter — reprocessing activity, equipment, results, and related notes and photos (which should describe processes, not patients).
  • Assistant / AI inputs — questions you ask our AI features and the relevant record context used to answer them.
  • Website & contact information — details you submit through our contact or demo forms, and basic technical logs needed to run the site.

We do not use third-party advertising or analytics trackers.

3. Why we use it

We use personal information to: provide and secure the Service; authenticate users and prevent unauthorized access; deliver onboarding and support; send service and account emails; operate AI features you choose to use; respond to enquiries; meet legal obligations; and maintain the integrity of compliance records. We use the information for these purposes and compatible purposes only.

4. Consent

We collect, use, and disclose personal information with consent, except where the law permits or requires otherwise. For staff users, the clinic that creates the account directs how the Service is used within its organization. You can withdraw consent or close an account, subject to legal and contractual limits, by contacting us — though doing so may mean we can no longer provide the Service.

5. Service providers we share with

We do not sell personal information. We share it only with service providers who help us run the Service, under agreements that limit their use of it:

  • Supabase — database, authentication, and file storage (database hosted in a Canadian region).
  • Vercel — application hosting and content delivery.
  • Resend — sending transactional and report emails.
  • Anthropic — powering AI features (processes the text of your AI requests).

We may also disclose information if required by law, to protect rights and safety, or in connection with a business transfer.

6. Where your information is processed

We store core records in a Canadian region. Some of our service providers (Section 5) are located in or process data in the United States or other countries, which means your information may be processed outside Canada and could be subject to the laws of those jurisdictions. We use providers that offer appropriate protections.

7. How we protect it

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information — including encrypted transport, access controls, and one-time-passcode authentication. No method of storage or transmission is completely secure, and we cannot guarantee absolute security.

8. How long we keep it

We keep personal information for as long as needed to provide the Service and for a reasonable period afterward to meet legal, audit, and record-integrity needs, then delete or de-identify it in the ordinary course. Compliance records may be retained for the period your regulations require; clinics are responsible for keeping their own exported copies.

9. Your rights

Subject to applicable law, you may request access to the personal information we hold about you and ask us to correct it if it is inaccurate. To make a request, or to ask a question or raise a concern, contact us using Section 11. We will respond within the timeframes the law requires. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada.

10. Cookies

We use only the cookies needed to run the Service — for example, to keep you signed in, remember a trusted device, and enforce session limits. We do not use advertising or third-party tracking cookies.

11. Contact

For privacy questions, access or correction requests, or concerns, reach us through our contact page. We may update this notice from time to time; material changes will be posted here with a new effective date.