iHEAL App Privacy Policy

GENERAL

iHEAL is a hybrid app, meaning that one source code is deployed for both the mobile and web versions.

As referenced in this Privacy Policy, personally identifying information (“PII”) is defined in accordance with Canadian privacy legislation, whether federal (PIPEDA) or provincial. In principle, for pieces of information to be personally identifying, it must be possible to trace them to an individual: this is not possible in the iHEAL app, because personal identifiers (such as name, contact information, gender) are not collected and the username and password, which are developed by the user, are immediately converted to an anonymous hash on submission.

DATA COLLECTION AND USE

The iHEAL app does not prompt a user to provide any PII as defined by Canadian privacy legislation, whether federal or provincial. Users simply create a username and password that are then converted to an anonymous hash (encrypted series of numbers and letters) and saved on our server. Users are encouraged to develop a username that does not identify them. Once the username and password are established, we cannot decode or alter this hashed entry. Therefore, we cannot offer a ‘Forgot Your Password’ feature. When users enter the username and password together, they will gain access to the user ID associated with this hash.

Only limited information about the user’s situation (i.e., province, language, user type) is collected to allow the app to deliver information that is appropriate and relevant to that user. For example, when an anonymous user chooses a province or territory to filter their results, the province selection will be stored in the database connected to their user ID. This allows the app to deliver information appropriate for that specific province. On the next use, the user does not have to select the province or territory again but continues to receive information that is applicable to that location.

Further, when the app is used, our servers automatically collect information (log data) about which items are saved as favorites by users and how often, along with any feedback users provide in the ‘Tell Us How We Did’ feature. Log data are not linked to individual users. We use this information to improve the app’s functionality and to inform long-term dissemination strategies.

We receive summary information about use of the app through Google Analytics (i.e., the number of visits, average time spent on the app, and provinces/territories/regions of users). This is based on traffic to the app or website. We receive this information in order to improve the app and promote its use. Google Analytics does not have any access to the app or any associated user data.

DATA STORAGE AND PROTECTION

Log data collected by the iHEAL app are stored on a secure server hosted in Canada. This server is encrypted with an SSL certificate and only authorized members of the iHEAL app team have access through SSH to these data.

When a user enters information into the app, these data entries are transmitted, with SSL encryption, to a database hosted through Digital Ocean. This environment is PIPEDA compliant with suitable security for collecting identifying information, even though we are not collecting such. We use TLS 1.2 encryption to encrypt data between the device and the secure web server. Once it arrives at the server, it is unencrypted and stored in a database. Since there is no identifying information in the data, it can be stored safely unencrypted.

The only data stored on the user’s device (i.e., mobile phone, computer, tablet) is the username and password they create. When a user enters the correct password, the app sends the password to the server to retrieve the data they have entered when using the app (e.g., responses to questions or activities). The device storage mechanism is called localStorage, which is a universal data storage construct available in most browsers and protected through browser ‘sandboxing.’

Some provincial legislation (e.g., in BC) prohibits the storage of personally identifying information on U.S. servers. For a summary, see: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/. While we are not collecting PII, as an additional security measure, the app (including log data) is hosted on a virtual server located physically in Canada.

DATA SHARING

Log data collected by the iHEAL app are not shared with any other entities or third parties.

We allow access to the app’s files to a third party, who are bound by confidentiality terms, for the purposes of providing technology support only, and for no other use or purpose.

DATA RETENTION AND DESTRUCTION

Log data collected by the iHEAL app will be retained for up to 7 years. It will then be destroyed in a secure manner by deleting individual user entries in the app’s Content Management System. Access to this system is password protected and restricted to the app team.

OTHER WEBSITES

iHEAL contains links to other websites. Please note that clicking one of these links results in accessing another website for which the iHEAL app has no responsibility and which it does not endorse. Further, any information that you provide to these other websites is at your own discretion and risk.

We highly encourage users to read privacy statements on all such sites prior to use, and prior to providing any personal information to them, as their policies may differ from ours.

ACCOUNTABILITY

If users have questions or concerns regarding this Privacy Policy, they may contact the iHEAL team at ihealapp@uwo.ca, or anonymously from the ‘Tell Us How We Did’ tab from ‘your account’ inside the app.