Privacy Policy

Clavus Technologies Inc. (“Clavus”, “we”, “us”, or “our”) operates the Clavus clinical documentation platform. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our services, and describes your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

By using Clavus, you agree to the collection and use of information as described in this policy. If you are using Clavus on behalf of a healthcare organization, you confirm you have authority to bind that organization to these terms.

Clavus Technologies Inc. is a Canadian company providing AI-assisted clinical documentation tools for healthcare practitioners. Our servers are hosted in Canada (ca-central-1) through Supabase and Amazon Web Services. We act as a data processor with respect to any patient-related information submitted through the platform, and as a data controller with respect to practitioner account data.

Questions or concerns about this policy should be directed to our Privacy Officer at privacy@clavus.ca.

• To provide, operate, and improve the Clavus service.
• To generate clinical notes from your transcribed recordings.
• To personalize note output based on your documented style profile.
• To manage your subscription and process payments through Stripe.
• To send transactional emails (receipts, password resets, team invitations) through Resend.
• To detect and prevent fraud, abuse, or violations of our Terms of Service.
• To comply with legal obligations.

We do not sell your personal information. We do not use your clinical content to train AI models without your explicit, written consent.

Clavus uses third-party AI services to provide core functionality. These services act as data processors under data processing agreements and are not permitted to use your data to train their models:

• OpenAI (Whisper) — Transcription of voice recordings. Audio is sent via encrypted API call and is subject to OpenAI’s zero-data-retention policy for API usage.
• Anthropic (Claude) — Note generation, specialty detection, and style extraction. Content sent to Anthropic is subject to their API data handling policy.

Both OpenAI and Anthropic are treated as sub-processors under PIPEDA. We maintain Data Processing Agreements with both providers. Because these processors may be located outside Canada, your data may be subject to the laws of those jurisdictions during processing.

All persistent data (accounts, notes, audit logs) is stored in Supabase’s Canadian region (AWS ca-central-1, Montreal). Stripe billing data is stored by Stripe in accordance with their privacy policy and PCI DSS compliance. Transactional email logs are stored by Resend, a Canadian-friendly provider, for up to 30 days.

We retain your account data and clinical notes for as long as your account is active. If you close your account, your data is retained for 90 days to allow for recovery, then permanently deleted unless we are required by law to retain it longer. Audit logs are retained for 2 years to support compliance obligations. You may request early deletion of your data at any time by contacting privacy@clavus.ca.

We implement industry-standard security practices including TLS encryption in transit, AES-256 encryption at rest, row-level security enforcing tenant isolation, and role-based access controls. Finalized notes are immutable — our database enforces that they cannot be edited after finalization.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we take all reasonable steps to protect your information.

You have the right to:

• Know what personal information we hold about you.
• Request access to your personal information.
• Request correction of inaccurate information.
• Withdraw consent to processing (subject to legal and contractual obligations).
• File a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us at privacy@clavus.ca. We will respond within 30 days.

Clavus uses session cookies required for authentication (managed by Supabase Auth). We do not use advertising cookies, cross-site tracking, or third-party analytics that share data with advertisers. You can disable cookies in your browser, but this will prevent you from logging in.

Clavus is intended exclusively for healthcare professionals aged 18 and over. We do not knowingly collect information from minors.

We may update this policy from time to time. We will notify you of material changes by email and update the effective date above. Continued use of Clavus after the effective date constitutes acceptance of the updated policy.

Privacy Officer
Clavus Technologies Inc.
privacy@clavus.ca