What it is
PIPEDA — the Personal Information Protection and Electronic Documents Act — is Canada’s federal private-sector privacy law. It’s built on ten fair-information principles, including accountability, consent, limiting collection and use, accuracy, safeguards, openness, individual access, and challenging compliance.
What it requires
- Collect and use personal information only for identified, reasonable purposes.
- Obtain meaningful consent and limit collection to what’s needed.
- Protect information with safeguards appropriate to its sensitivity.
- Be open about practices, and let individuals access and correct their data.
- Be accountable: designate an owner and provide a way to raise concerns.
Where Coldstream stands
We build for healthcare, so privacy is a design constraint, not an add-on:
- Patient data is encrypted at rest and in transit, and handled only by services approved for healthcare.
- We minimize what we collect and never sell personal information or use it for advertising.
- AI that processes health information runs only under our providers’ data-protection terms (Google’s Cloud Data Processing Addendum; a BAA with OpenAI), with a preference for Canadian regions where supported.
- Audit logging records access to sensitive records.
- In clinical use, the clinic is the custodian of patient information; Coldstream processes it on the clinic’s behalf.
What we’re doing
Our formal, customer-facing privacy policy is being finalized with legal counsel. When published it will detail consent, retention, access requests, subprocessors, and breach notification in full.
See also: Data protection & residency · Subprocessors. Privacy contact: Brett Poulin — contact@coldstream.info.