Privacy Policy

1. Introduction and our privacy commitment

Workforce Wellness Inc. (“Workforce Wellness,” “we,” “us,” or “our”) provides wellness and health-related services, including AI-enabled agents that interact with individuals by voice and text. Much of the information we handle in delivering these Services is sensitive, and a meaningful amount of it is personal health information. We treat the protection of that information as fundamental to the trust patients, clients, and the organizations we serve place in us.

This Privacy Policy explains what personal information we collect, why we collect it, how we use, disclose, secure, retain, and dispose of it, how our AI systems handle it, and the rights and choices available to individuals. It is written to meet our obligations under British Columbia and Canadian privacy law and to reflect current regulator guidance on the use of artificial intelligence in healthcare settings.

2. Scope and structure of this policy

Unlike our previous policy, which covered only our marketing website, this Policy covers both our website and our AI agent Platforms. It is organized so that each audience can find what applies to them:

• Part B – Website: how we handle information from visitors to workforcewellness.com.
• Part C – AI agent services: how we and our AI systems handle personal information — including voice recordings and personal health information — collected through the Platforms.
• Part D – Protections that apply across everything: security, retention, individual rights, breach response, governance, and children’s privacy.

Companion Documents: For organizational customers, further details regarding Trust & Security are detailed in our Trust & Security page. Where this Policy and a signed agreement with a customer differ, the signed agreement governs the information handled under it.

3. Legal framework we follow

Workforce Wellness is a private-sector organization based in British Columbia. The following laws and guidance shape this Policy:

• BC PIPA1 — our primary privacy law as a BC private-sector organization. It governs how we collect, use, and disclose personal information, requires that our purposes meet a “reasonable person” standard, and requires consent unless an exception applies.
• Federal PIPEDA2 — applies to personal information that flows across provincial or national borders in the course of commercial activity.
• BC FIPPA (flow-down)3 — where we provide Services to a BC public body (such as a health authority or most hospitals), that body is governed by FIPPA and its obligations — including assessments for storing sensitive personal information outside Canada — flow to us by contract.
• OIPC guidance on AI in healthcare4 — the BC Commissioner’s January 2026 best-practice guidance on AI tools that transcribe and summarize clinical conversations sets the expectations our healthcare customers will hold us to as a vendor. We have designed this Policy and our practices to answer the questions that guidance tells healthcare organizations to ask of their vendors.
• Federal/provincial generative-AI principles5 — the joint regulator principles for responsible, trustworthy, and privacy-protective generative AI (legal authority and consent, appropriate purposes, necessity and proportionality, openness, accountability, individual access, and robust safeguards).

A note on “compliance” claims. There is no accreditation program in Canada that certifies an organization as “PIPA compliant,” and compliance with U.S. HIPAA or with PIPEDA alone does not satisfy BC PIPA. Where our Services are used in BC, BC law applies to the personal information involved even if data flows outside the province. We therefore describe our actual practices rather than relying on labels.

4. Key definitions

To keep this Policy clear, the following terms are used throughout:

Personal information

Information about an identifiable individual. It does not include business contact information or work-product information, but it does include sensitive details and personal health information.

Personal health information

Personal information relating to an individual’s physical or mental health, the health services they receive, and related details disclosed in the course of care.

Biometric / voice data

Characteristics embedded in a voice recording — accent, pitch, tone, cadence, and speech patterns — that can identify a person and from which other attributes may be inferred. Voice data is highly sensitive and very difficult to anonymize.

AI agent / Service

Our AIOS Voice Agents, AIOS Support Agent, and related Platform features that use generative AI to interact with individuals, and to transcribe, summarize, route, or respond to those interactions.

De-identified information

Information from which direct identifiers have been removed. We treat such information as still being personal information whenever it could reasonably be re-combined to identify an individual.

Customer / organization in control

An organization that uses our Platforms to provide services to its own patients, clients, or staff, and that decides the purposes for which personal information is processed.

5. Information we collect through the website

Information you provide. When you complete a contact or demo-request form, or register to download content, we collect the information you submit — typically your name, email address, phone number, organization name, and any message you include.

Information collected automatically. When you visit workforcewellness.com we automatically collect limited technical and usage data through cookies and similar technologies: general geographic location (such as country or region), browser type and version, device and operating-system details, time zone, referring URLs, IP address, and the pages you view. We use this to operate, secure, and improve the website and to understand how it is used.

6. How we use website information

We use website information to respond to inquiries and demo requests; to deliver content you have registered for; to follow up on interest in our Services; to understand traffic and improve the website’s performance and usability; and to analyze the effectiveness of our marketing. We do not sell or rent personal information.

7. Cookies and tracking

We use session cookies (which expire when you close your browser) and persistent cookies (which remain until they expire or you delete them) for website functionality, analytics, and to understand interactions that may lead to a sales conversation. Where required, we obtain consent for non-essential cookies and offer a cookie-preference control. You can also adjust your browser to refuse cookies, though some features of the website may not function as intended.

8. Information processed through the Platforms

When individuals interact with our AI agents — or when an organization uses our Platforms to deliver services — we may process several categories of personal information, depending on the configuration and the nature of the interaction:

• Identifiers and contact details (name, contact information, account or file identifiers).
• Voice recordings and the biometric characteristics embedded in them, where voice interactions are used.
• Transcripts and AI-generated summaries of conversations.
• Personal health information disclosed during an interaction (for example, symptoms, conditions, medications, or the services a person is seeking).
• Information about clinicians, staff, or other participants whose voices or details are captured during an interaction.
• Technical, security, and audit-log data generated by the Platforms.

Data minimization. We configure the Platforms to collect and process only the personal information reasonably required for the agreed purposes. Features that are not needed for a given deployment can be disabled, and we work with customers to limit recording and capture to what is necessary.

9. Purposes, legal authority, and consent

We process personal information through the Platforms only for purposes that a reasonable person would consider appropriate in the circumstances, and only where there is authority to do so under applicable law. In a healthcare context that authority is, in almost all cases, the individual’s consent.

9.1 Specific purposes

We will identify the specific purposes for which information is collected at or before the time of collection. A general label such as “healthcare” is not specific enough; purposes are described concretely (for example: transcribing a conversation, generating a summary for a record, routing a request to the right team, or following up on a request).

9.2 Express, informed consent

For interactions involving personal health information or voice/biometric data, the organization in control should obtain express consent — a clear “yes” — from the individual before an AI agent is used, rather than relying on implied or “don’t opt out” consent. Our Platforms are built to support a consent-first workflow: consent can be captured and documented before an AI interaction begins, and the agent should not record or process until that step is complete. Consent must be meaningful, which means individuals are given a plain-language explanation of what the AI does and how their information will be handled.

• Consent should also be obtained from others whose voices may be captured (for example, a family member present during a call).
• Where a minor is involved, the individual’s own capacity to consent must be considered; a guardian consents on a minor’s behalf only where the minor is not capable of doing so. We do not assume a fixed age of capacity.

9.3 The right to decline or withdraw

Individuals may decline the use of an AI agent, or withdraw consent at any time, without affecting the quality of the service or care they receive. Where consent is declined or withdrawn, the organization should be ready to deliver the service by another method, and we provide configuration options to support that.

9.4 Consent is ongoing

Consent is treated as a dynamic, ongoing process. If the capabilities of an AI agent change in a way that affects how personal information is handled, individuals should be informed so they can re-evaluate their choice. Prior consent to a transcription function, for example, does not extend to a materially new function such as AI-generated recommendations.

10. How our AI works: transparency, accuracy, and human oversight

We believe people are entitled to understand, in plain terms, how an automated system is being used to handle their information and whether it influences decisions about them.

10.1 What our AI does — and does not do

Our AI agents currently function primarily to interact with individuals and to transcribe, summarize, route, and respond to general inquiries. None of our AI agents suggest diagnoses, treatments, or other recommendations. Where an agent contributes to a decision that affects an individual, we disclose the extent of that role.

10.2 Accuracy and its limits

Generative AI produces probabilistic outputs that are not always factually correct. Known failure modes include hallucinations (inventing content), omissions, misinterpretations and misspellings (including of names, conditions, and medications), and bias. Background noise, complex conversations, accents, and speech differences — all common in real-world settings — can increase error rates. In a health context even a low error rate can cause serious harm, so we do not present AI output as inherently reliable.

10.3 Human-in-the-loop

Transcripts, summaries, and other AI outputs are intended to be reviewed and, where necessary, corrected by a responsible person before they are relied upon, entered into a record, or used to guide care. Introducing AI does not shift responsibility for what ends up in a record. We support this through editable outputs, review workflows, and audit logging, and we encourage customers to guard against over-reliance (“automation bias”) through training and periodic audits.

10.4 Monitoring and “function creep”

We monitor the performance of our models for drift over time, and we will not silently expand what an AI agent does with personal information. Where an update would change how personal information is collected, used, disclosed, or stored, we will notify affected customers in advance and, for material changes, give them a meaningful opportunity to review and to accept or decline the change before it takes effect.

11. AI model training and secondary uses

We do not use customer or patient personal information to train or improve AI models except with authorization. Personal information processed through the Platforms is used to deliver the Service to the relevant organization and the individuals it serves. We do not use it for our own unrelated product development, model training, advertising, or other secondary purposes, and we do not sell it, unless we have clear authority to do so (for example, the documented authorization of the organization in control and any consent that the law requires).

“De-identified” data. We are deliberately conservative about so-called de-identified data. Because much of what is described as de-identified can still be re-combined to identify an individual — voice data especially — we treat such information as personal information unless and until we are satisfied it cannot reasonably identify anyone, and we do not use or disclose it for new purposes without proper authority.

12. Data residency and cross-border processing

Data location matters in Canadian healthcare, and many of our customers expect personal information to remain in Canada. Workforce Wellness stores and processes platform personal information — including voice recordings, transcripts, and health information — within Canada on Amazon Web Services (AWS). We will not place sensitive personal information in a jurisdiction that lacks adequate privacy protection or respect for the rule of law. For deployments serving public bodies, or otherwise on request, we support completion of a privacy impact assessment and we make our processing locations available and known to customers.

13. Sub-processors and service providers

We use a limited set of vetted service providers (for example, cloud hosting and AI model providers) to deliver the Platforms. We remain accountable for personal information handled on our behalf, and we require each sub-processor by contract to protect personal information to a standard consistent with this Policy and applicable law, to use it only for the purposes we specify, and to report incidents to us.

14. Security safeguards

Given the sensitivity of the information we handle, we maintain a high standard of security and multiple layers of physical, technical, and administrative safeguards. These include, at a minimum:

• Encryption of personal information in transit and at rest.
• Multi-factor authentication and strong-password requirements for system access.
• Role-based access controls so that personal information is accessible only to those who need it.
• Audit logging of access to and changes in personal information, retained so that access can be reviewed.
• Controls and protocols to prevent inadvertent recording or capture by AI agents.
• Continuous monitoring and a documented process to detect, contain, and respond to privacy and security incidents.
• Regular internal security reviews, operational controls, and privacy and security training for personnel who handle personal information or AI outputs.

Independent Assurance. Workforce Wellness maintains a list certifications/audits completed or underway, and we will share the outcomes of relevant assessments with customers under appropriate confidentiality terms.

No method of electronic transmission or storage is perfectly secure, and we cannot guarantee absolute security; however, we work continuously to protect personal information and to improve our safeguards.

15. Data retention and secure disposal

We retain personal information only as long as needed for the purposes for which it was collected and for applicable legal or business requirements, after which it is securely destroyed or de-identified to a standard we are satisfied prevents re-identification.

• Voice recordings: because embedded voice biometrics are especially sensitive, recordings are not retained after a transcript has been produced unless there is a clear, documented, and reasonable purpose for keeping them.
• Decision-affecting information: where personal information has been used to make a decision that directly affects an individual, it is retained for at least one year so the individual has a reasonable opportunity to access it.
• Customer-directed retention: for information we hold on behalf of an organization, we follow that organization’s documented retention and destruction instructions, and we return or delete information at the end of the engagement as agreed.

16. Your privacy rights and choices

Individuals have important rights regarding their personal information. Subject to law, you may:

1. Access the personal information we hold about you, and ask how it has been used and to whom it has been disclosed.
2. Request correction of information that is inaccurate or incomplete.
3. Withdraw consent (where processing is based on consent), recognizing that some consequences may follow for the related service.
4. Make a complaint about our handling of your information.

To exercise these rights, contact our Privacy Officer using the details in Section 21. We will respond within the timeframe required by law (generally 30 days under PIPA). If we hold your information on behalf of an organization (such as your clinic or provider), we may direct your request to that organization, which is the party in control of the information, and assist them in responding.

17. Privacy breach management and notification

We maintain a documented incident-response process to detect, contain, investigate, and remediable privacy breaches. Where a breach occurs in information we hold on behalf of a customer, we notify the affected customer promptly so that they can meet their own notification obligations. Where Workforce Wellness has direct obligations, we notify affected individuals and the appropriate authorities as required by law, without unreasonable delay. We also require our sub-processors to report breaches to us promptly.

18. Children’s and minors’ privacy

We do not direct our website to children, and we do not knowingly collect personal information from a child through the website without appropriate authority. In service contexts where a minor may interact with our Platforms, consent is approached based on the minor’s capacity to understand and decide — not a single fixed age — with a guardian consenting on the minor’s behalf only where the minor is not capable of doing so. If we learn we have collected a minor’s personal information without proper authority, we will take steps to delete it.

19. Accountability and privacy governance

We are responsible for the personal information under our control, including information handled by our service providers. Our privacy management program includes:

• A designated Privacy Officer accountable for compliance and the primary contact for questions and complaints.
• Written privacy policies and practices, reviewed regularly — and in particular whenever an AI capability or vendor practice changes in a way that affects personal information.
• Privacy impact assessments before adopting or materially changing AI features that process personal information, updated as those features evolve.
• Contracts that hold our service providers to standards consistent with this Policy.
• Mandatory privacy and AI-awareness training for personnel, so that the way our AI handles information is not a mystery to those who work with it or to the people they serve.

20. Changes to this policy

We may update this Policy to reflect changes in our practices, our technology, or legal requirements. We will post changes here with a revised effective date and version, and where changes materially affect how personal information is handled, we will take reasonable steps to notify affected individuals and customers. We encourage you to review this Policy periodically.

21. Contact us and how to complain

If you have questions or concerns about this Policy or our privacy practices, or if you wish to exercise a privacy right, please contact our Privacy Officer:

You also have the right to complain to the independent regulator. In British Columbia, that is the Office of the Information and Privacy Commissioner for BC:

Legal references

• Personal Information Protection Act, SBC 2003, c. 63 (“PIPA”), administered by the Office of the Information and Privacy Commissioner for BC (“OIPC”). ↩
• Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 (“PIPEDA”), which governs personal information that crosses provincial or national borders in the course of commercial activity. ↩
• Freedom of Information and Protection of Privacy Act, RSBC 1996, c. 165 (“FIPPA”), which governs BC public bodies including health authorities and most hospitals. Obligations flow to service providers by contract. ↩
• OIPC for BC, “PIPA and AI scribes: best practices for healthcare organizations in BC” (January 2026). ↩
• Canadian federal, provincial and territorial privacy regulators, “Principles for responsible, trustworthy and privacy-protective generative AI technologies” (December 2023). ↩