Rumini

Menu
Join Rumini

Privacy Policy

Effective Date: 08/19/2025 Last Updated: 08/19/2025

1. INTRODUCTION AND SCOPE

Rumini.ca (“we”, “our”, “Rumini”) is committed to protecting the privacy and security of our users’ personal and health information. This Privacy Policy describes how we collect, use, disclose, and protect personal and health information in compliance with:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
  • Personal Health Information Protection Act (PHIPA) – Ontario
  • General Data Protection Regulation (GDPR) – European Union
  • California Consumer Privacy Act (CCPA) – California, USA
  • Health Insurance Portability and Accountability Act (HIPAA) – USA (where applicable)

2. DEFINITIONS

  • “Personal Information”: any information that can identify an individual.
  • “Personal Health Information (PHI)”: information relating to an individual’s physical or mental health.
  • “Sensitive Data”: health information, medical records, medical prescriptions, diagnoses.
  • “Data Controller”: Rumini.ca.
  • “Data Subject”: the user of our services.

3. INFORMATION WE COLLECT

3.1 Information provided directly by the user:

  • Registration data: first name, last name, date of birth, gender.
  • Contact information: email address, phone number, postal address.
  • Identity documents: health card (OHIP), government documents.
  • Health information:
    • Medical history and medical records.
    • Medical conditions (weight loss, erectile dysfunction, hair loss).
    • Current medications and allergies.
    • Test and analysis results.
    • Medical consultation notes.
  • Payment information: credit/debit card data (processed through secure providers).
  • Communications: messages, emails, video consultation recordings (with consent).

3.2 Information collected automatically:

  • Browsing data: IP address, browser type, operating system.
  • Cookies and similar technologies: preferences, sessions, analytics.
  • Usage data: pages visited, time spent, clicks.
  • Device information: model, unique identifiers.

3.3 Information from third parties:

  • Healthcare professionals: medical reports, prescriptions.
  • Laboratories: test results.
  • Pharmacies: prescription history.
  • Health insurance: coverage and claims.

4. LEGAL BASIS AND PURPOSE OF PROCESSING

4.1 Legal bases (GDPR/PIPEDA):

  • Explicit consent for health data.
  • Performance of a contract to provide services.
  • Legal obligation for regulatory compliance.
  • Vital interests in medical emergency situations.
  • Legitimate interest to improve services.

4.2 Processing purposes:

  • Provide telemedicine services and medical consultations.
  • Manage appointments and medical visits.
  • Process prescriptions and medication orders.
  • Maintain electronic medical records.
  • Communicate with users regarding their treatments.
  • Billing and payment processing.
  • Compliance with legal and regulatory obligations.
  • Medical research (only with specific consent and anonymized data).
  • Fraud prevention and security.

5. INFORMATION SHARING AND DISCLOSURE

5.1 Who we share information with:

  • Healthcare professionals: doctors, specialists involved in care.
  • Pharmacies: for prescription fulfillment.
  • Laboratories: for tests and analyses.
  • Service providers: hosting, payments, communications (with confidentiality agreements).
  • Government authorities: when required by law.
  • Insurance companies: for service reimbursement (with consent).

5.2 We NEVER sell or rent personal or health information to third parties for marketing purposes.

6. DATA SECURITY

We implement strict technical and organizational security measures to protect your personal information, in line with international standards and PHIPA and PIPEDA regulations.

  • SSL/TLS Encryption: All data traffic on our site is encrypted via HTTPS to ensure your information is transmitted securely.
  • Secure Data Hosting: To ensure compliance with PHIPA, your data is securely stored on servers physically located in Canada.
  • WordPress Hardening: We keep WordPress, plugins (such as Wordfence and iThemes Security), and themes constantly updated to prevent vulnerabilities. We also apply advanced login protections, including limiting login attempts.
  • Form Data Collection: We use Forminator for data collection. To ensure security:
    • Full submission data is not included in email notifications. Instead, a notification is sent that requires an administrator to securely log in to view the details.
    • Data submitted through forms is stored securely in the WordPress database.
    • Data retention is enabled, and data is automatically deleted after a maximum of 30 days.
    • Database backups are encrypted and stored securely.
  • Access Controls: Access to data is protected by multi-factor authentication (2FA) and role-based access.
  • Audit Trail: We maintain a log of all access to health data.
  • Staff Training: Our staff receives regular training on privacy and security.
  • Periodic Security Assessments: We periodically perform security assessments and penetration testing.

7. DATA RETENTION

7.1 Retention periods:

  • Medical records: minimum 10 years from the last interaction (as required by PHIPA Ontario).
  • Minors’ data: until 10 years after reaching the age of majority.
  • Prescriptions: 2 years from the date of issue.
  • Billing data: 7 years for tax requirements.
  • Communications: 2 years, unless the content is medically relevant.
  • Cookies: maximum 13 months.

7.2 After the retention period, data is:

  • Securely and irreversibly deleted.
  • Anonymized for statistical use (with consent).

8. DATA SUBJECT RIGHTS

8.1 Under PIPEDA/PHIPA (Canada):

  • Right of access: to personal and health information.
  • Right to rectification: to correct inaccurate information.
  • Right to portability: to receive a copy of data.
  • Right to object: to processing for direct marketing.
  • Right to erasure: (with limitations for medical records).

8.2 Under GDPR (for EU residents):

  • Right to be forgotten: (limited for health data).
  • Right to restriction of processing.
  • Right not to be subject to automated decision-making.
  • Right to withdraw consent at any time.

8.3 Under CCPA (for California residents):

  • Right to know what information is collected.
  • Right to deletion.
  • Right to opt-out of sale (not applicable – we don’t sell data).
  • Right to non-discrimination.

8.4 How to exercise rights:

  • Email: privacy@rumini.ca
  • Phone: [Number]
  • Online form: [URL]
  • Mail: [Address]

We will respond within 30 days (45 for complex requests).

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Types of cookies used:

  • Essential: for site functionality.
  • Functional: to remember preferences.
  • Analytics: to improve services (Google Analytics with anonymized IP).
  • Marketing: only with explicit consent.

9.2 Cookie management:

  • GDPR/PECR compliant consent banner.
  • Ability to modify preferences at any time.
  • Instructions for disabling cookies in the browser.

10. INTERNATIONAL TRANSFERS

10.1 Data is primarily stored in Canada. In case of transfer:

  • USA: we use standard contractual clauses.
  • EU: adequacy is recognized for Canada (PIPEDA).
  • Other countries: only with appropriate safeguards and consent.

11. MINORS

We do not provide services to minors under 18 without parental consent. For minors aged 14-17 in Ontario, we respect PHIPA consent rules. We verify age during registration, and parents/guardians can access data of minors under their custody.

12. TELEMEDICINE AND SPECIAL CONSIDERATIONS

12.1 Video consultations:

  • We use PHIPA/HIPAA compliant platforms.
  • End-to-end encryption.
  • Recordings only with explicit consent and stored securely.

12.2 Electronic prescriptions:

  • Compliance with PrescribeIT™ (Canada Health Infoway).
  • Digital signature by physicians and a complete audit trail.

12.3 Mobile app:

  • Local data encryption and biometric authentication available.

13. DATA BREACHES

13.1 In case of a breach:

  • Notification to authorities within 72 hours (GDPR) or “without delay” (PIPEDA).
  • Notification to data subjects if there is a high risk to their rights.
  • Breach register and immediate corrective measures

13.2 Notification content:

  • Nature of the breach and data involved.
  • Measures taken and recommendations for users.

14. MARKETING AND COMMUNICATIONS

14.1 Marketing communications:

  • Only with explicit consent (opt-in) and an opt-out option.
  • Separate from service communications

14.2 Service communications:

  • Appointments, reminders, test results, and security updates.

15. ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING

15.1 Use of AI:

  • Diagnostic support (always with medical supervision).
  • Predictive health analytics and a chatbot for initial support.
  • Transparency: we inform when AI is involved.
  • Right to human review for automated decisions.

16. SPECIFIC REGULATORY COMPLIANCE

16.1 Ontario - PHIPA:

  • Designation of a Privacy Officer.
  • Documented policies and procedures, and regular compliance audits.

16.2 Canada - PIPEDA:

  • Fair information principles and data accountability.
  • Meaningful consent and collection limitation.

16.3 GDPR (EU users):

  • Designation of an EU representative.
  • Data Protection Impact Assessments (DPIA) for high-risk processing.
  • “Privacy by design” and “privacy by default.”

17. CHANGES TO THE PRIVACY POLICY

Email notification for substantial changes, with 30 days’ notice before taking effect. Previous versions will be archived, and new consent will be requested if necessary.

18. CONTACT AND COMPLAINTS

18.1 Privacy Officer:

  • Name: [Privacy Officer Name]
  • Email: privacy@rumini.ca
  • Phone: [Number]
  • Address: [Complete Address]

18.2 Supervisory Authorities:

  • Canada: Office of the Privacy Commissioner of Canada – www.priv.gc.ca
  • Ontario: Information and Privacy Commissioner of Ontario – www.ipc.on.ca
  • European Union: Data protection authority of the country of residence.

19. FINAL CLAUSES

19.1 Severability:

If any provision is deemed invalid, the other provisions remain in effect.

19.2 Governing Law:

Laws of the Province of Ontario and Canada. For EU users, GDPR prevails.

19.3 Language:

The policy is available in English and French. In case of discrepancies, the English version prevails.

CONSENT STATEMENT

By using Rumini.ca services, the user confirms having read, understood, and accepted this Privacy Policy. For sensitive health data, separate explicit consent will be requested before collection.
Publication Date: 08/19/2025 Version: 1.0

Rumini is certified by LegitScript

The LegitScript certificate (pictured on the left of our site footer) indicates that a company has undergone in-depth evaluation and monitoring to ensure that it’s service can be trusted. Platforms must demonstrate the utmost commitment to maintaining high quality care for patients before a LegitScript certificate is issued.

Many of the largest digital health companies in the world chose to undergo this rigorous process to make sure that patients can feel safe when seeking care. But Phoenix hasn’t stopped there – we are constantly working to improve our patient experience and make sure that men throughout Canada are able to access medical care in a convenient and sensitive manner.

Still have any unanswered questions regarding the Rumini platform, don’t hesitate to contact us at admin@rumini.ca. We’re always happy to help!

If you would like to learn more about how our service works, please visit our How it works or FAQ page.

Scroll to Top