Privacy Policy
1. Introduction
Last updated: April 2026
The Artificial Intelligence & Data Science Business Unit (“AI & DS”) is part of HEALWELL AI Inc. and brings together Khure Health and Pentavere Research Group Inc. operations under a unified operating model. AI & DS develops and operates advanced analytics, clinical decision support, natural language processing, and real-world evidence solutions that support healthcare providers, health systems, research institutions, and life sciences partners.
This Privacy Policy explains how AI & DS collects, uses, discloses, retains, and protects personal information (“PI”) and personal health information (“PHI”) in connection with its products and services. AI&DS is committed to protecting the PI and PHI that is held by us and operates in accordance with applicable privacy and health information legislations.
2. Our Role in Processing PI and PHI
In most cases, AI & DS acts as an agent, service provider, or information manager on behalf of healthcare providers, hospitals, research institutions, or other health information custodians (“custodians”). AI & DS does not independently determine the purposes for which patient PHI is collected. Patient PHI is processed:
- Under the authority and direction of the applicable custodian
- In accordance with contractual arrangements
- In accordance with Research Ethics Board (REB) approved protocols
- In compliance with applicable privacy and health information legislation
AI & DS does not use identifiable patient PHI for independent commercial purposes.
3. AI & DS Products and Services
The AI & DS business unit develops and delivers advanced digital health solutions that leverage clinical data, analytics, and artificial intelligence to support healthcare providers, health systems, researchers, and life sciences organizations. These solutions include:
- Clinical Decision Support (CDS) – AI-enabled tools integrated with EMR systems that analyze patient data to identify patients at risk of rare or complex diseases, surface guideline-based insights, support risk stratification and highlight potential clinical trial eligibility, where authorized.
- Real-World Evidence & Advanced Analytics – Data extraction, natural language processing, and analytics platforms that transform structured and unstructured clinical data, identify patient cohorts, generate population-level insights, support REB-approved studies, produce real-world evidence (RWE) outputs, and enable quality improvement and health system reporting.
- Data Enrichment and Structuring Services – Solutions that convert raw or unstructured PHI into structured formats, perform data standardization and validation, and support clinical operations and research analytics.
4. Information we collect and how we use it
A. Information related to healthcare providers and authorized users
When healthcare providers, researchers, or authorized users interact with AI & DS platforms, we may collect:
- Account and contact information: Names, job titles, email addresses, and other professional contact details provided by administrators, clinicians, or support users.
- Credentials and access-control information
- Usage data, system logs, and audit trails
- Communications with AI & DS (support inquiries, onboarding discussions)
- Technical information (IP address, device identifiers)
Provider related information and technical data is used for the following purposes:
- Provisioning and administering user access
- Providing onboarding, training and support
- Maintaining system security and reliability
- Improving product performance
- Meeting contractual and regulatory obligations
B. Information related to patients
AI & DS does not typically collect PHI directly from patients. Instead, custodians make patient PHI available through EMR systems or authorized data environments. Patient PHI processed by AI & DS may include:
- EMR data (including diagnoses, medications, laboratory results, clinical notes)
- Demographic and administrative identifiers
- Program or study-specific datasets
- Cohort identifiers
- Unstructured clinical text
All PHI processed by the AI & DS business unit is handled under the direction and authority of relevant custodians within the scope of defined protocols and contractual agreements and is used for the following purposes:
- Clinical care support: Supporting physician decision-making, facilitating early disease detection and risk identification and generating insights to improve patient care.
- Research and real-world evidence: Extracting and structuring data for REB-approved studies, identifying patient cohorts, producing aggregated analytics and research reports, supporting life sciences and population health initiatives.
- Quality improvement and analytics: Identifying care gaps, supporting workflow optimization, and generating aggregate reporting dashboards.
- Data structuring and enrichment: Transforming unstructured clinical text into structured data models, standardizing and validating datasets.
The AI & DS business unit applies strict data minimization principles and uses pseudonymized or aggregated data wherever feasible. We do not use identifiable PHI for advertising, unrelated product development or disclose identifiable PHI without custodian authorization.
5. Sharing of personal information
AI & DS business unit discloses patient PHI only under custodian direction or as required or permitted by law. Where analytics outputs are provided to research institutions or life sciences partners, such outputs are de-identified or aggregated unless the custodian expressly instructs otherwise and has the legal authority to do so.
AI & DS may use vetted third-party service providers to handle PI and PHI, including those supporting infrastructure and cloud hosting, security monitoring, data processing and analytics environments. All vendors are contractually bound to confidentiality and security obligations consistent with applicable healthcare privacy laws. We may be obligated to disclose the personal information we collect in response to lawful government requests or court orders or corporate transactions (subject to continuity of safeguards).
6. Artificial Intelligence and Analytics
AI & DS platforms may use machine learning or advanced analytics to generate insights. AI-assisted outputs are intended to support clinical and operational decision-making and are deployed under custodian authorization. Our AI-assisted solutions do not replace clinical judgement. We do not use identifiable PHI to train AI models, unless explicitly authorized by our contracts and permitted under applicable laws.
7. Cross-border Data Transfers
Depending on hosting and support configurations, information may be processed in jurisdictions outside where it was collected. Where cross-border processing occurs, AI & DS implements appropriate safeguards including, contractual privacy and confidentiality requirements, encryption and access controls, vendor assessments and monitoring, etc. Custodians remain responsible for ensuring compliance with applicable consent or notification obligations.
8. Data Security
AI & DS actively seeks to maintain the privacy of the information under our control. To prevent unauthorised use, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate
physical, electronic, and administrative procedures to safeguard and secure the information we collect. These include encryption (in transit and at rest), RBAC, audit logging and monitoring, continuous oversight of processing environments, etc.
9. Data Retention
We retain PI and PHI for only as long as necessary to meet applicable legal, regulatory and contractual obligations. Aggregated data may be retained for analytics, reporting, or system improvement purposes, where authorized by the custodian.
10. Your Rights
Subject to certain limitations and depending on the applicable privacy laws, providers, patients and staff, as applicable, have rights under privacy laws to access the personal information that AI & DS holds regarding them, and have it corrected where necessary, subject to some exceptions. Depending on the country patients or providers reside in, they may also have rights to access their personal information in a portable, electronic format, a right to have their personal information erased, a right to know the third parties with whom their personal information has been shared with and/or a right to object to AI & DS processing their personal information. Individuals also have rights, under applicable laws, to lodge a complaint with the relevant data protection or privacy authorities if they believe we are not handling their personal information in accordance with the law. Where AI & DS acts as an agent/ service provider/ information manager, the applicable custodian remains responsible for responding to individual rights requests. AI & DS assists custodians as contractually required.
For any questions or concerns about our privacy practices or this policy, please contact our Privacy Office at [email protected]
11. Changes to this Privacy Policy
This policy may be updated from time to time. The date of the most recent revisions will appear on our page. If you do not agree to these changes, please do not continue to use our website or to submit personal information to AI & DS via our website.
Table of Contents
Privacy Policy
Last updated: July 12, 2022
Khure Health Inc. (“Khure”) is the developer and owner of a proprietary software used to assist physicians to identify and assess patients at risk of rare and complex conditions (“Services”). Khure is a subsidiary of HEALWELL AI.
This Privacy Policy describes how we collect, use, disclose and otherwise manage personal information during the use of our Services. It tells describes the privacy rights related to the personal information we collect and process, and how the law protects that information. Khure Services do not collect any personal information directly from patients. Khure is a clinical platform used by healthcare professionals in their assessments of their patients. If you are browsing Khure’s public website, we collect some limited personal information on you through cookies and similar technologies. See the section on cookies below for more details.
This Privacy Policy should be reviewed with our Terms and Conditions of Service or our End User License Agreement, whichever is applicable to you [www.khurehealth.ca/serviceagreement/]. Each and every time you access our Services, you consent to the collection, use and disclosure of your personal information by us in accordance with our Terms and Conditions of Service or our End User License Agreement, as the case may be, and this Privacy Policy.
Collecting Personal Information
Personal information is any information that can identify an individual or is about an identifiable individual, whether alone or combined with other information. Personal information includes personal health information. This section describes the category, type of information, and purpose for collection under the
Types of Data Collected and Purpose for Collection
| Category | Description | Purpose of collections |
|---|---|---|
| Account information |
• First and last name • Address • Phone • Email address |
• Verify your identity • Contact you • Register an account • Payments and Contracting |
| Personal health information | • Patient’s electronic medical record |
• Deliver our Services We collect this information in our capacity as an agent / information manager / Business Associate |
| Usage Information |
• Internet Protocol (IP) address) • browser type • browser version • mobile device • pages of our Service that you visit • time and date of your visit • time spent on those pages • unique device identifiers • diagnostic data |
• Deliver our Services • Improve our Services • User experience and quality improvement purposes |
Using and Disclosing Personal Information
Khure will only use and disclose personal information that we collect through our Services for the limited purposes described in this policy, and as agreed upon in our Terms and Conditions of Service and End User License Agreement.
Khure may use personal information for the purpose of de-identifying that data. De-identified data may be used on its own or aggregated for analytical and quality improvement purposes, and to better understand and report on trends about certain rare diseases or complex conditions. We use generally accepted best practices for de-identifying and aggregating personal information.
In addition to how we may use personal information, we may also share personal information with third parties for the following reasons:
Professional services
We may be required to share some business information with our professional advisors such as our lawyers or accountants. Whenever we share personal information, we do so under a confidentiality agreement. We do not share personal health information with professional services.
Law enforcement
Under certain circumstances, Khure may be required by law to disclose personal information, including in response to valid requests by public authorities such as a court or government agency.
Other legal requirements
Khure may disclose your personal information to:
- comply with a legal obligation
- protect and defend the rights or property of Khure
- prevent or investigate possible wrongdoing in connection with the Service
- protect the personal safety of users of the Service or the public
- protect against legal liability
Business Transactions
If Khure is involved in a merger, acquisition, or asset sale, personal information may be transferred as part of that sale. We will provide notice before personal information is transferred and becomes subject to a different Privacy Policy.
Retaining Personal information
Khure will retain personal information, including personal health information, only for as long as is necessary for the purposes set out in this Privacy Policy or as agreed to in our contractual arrangement with you. We will retain and use personal information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Khure will also retain your technical information for internal analysis purposes. Technical information includes your browsing history of the use of our software collected using Cookies and is generally retained for a shorter period of time, except when this data is used to strengthen data security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Transferring Personal Information
In the case of Khure’s cloud Service, personal information, including personal health information, may be transferred to — and maintained on — computer servers located outside of the place where you reside, to a jurisdiction where the data protection laws may be less stringent than the ones that apply where you are located.
Khure takes data security seriously. Khure will enter into contracts with all processors to ensure that all personal information is treated securely and in accordance with this Privacy Policy, and that no transfer of personal information from our Services will take place to an organization or a country unless there are adequate controls in place.
Securing Your Personal Information
As part of the Khure’s commitment to privacy, we take appropriate and reasonable technical, physical, and administrative security measures to safeguard the personal information in our custody and control from such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
No method of transmission over the internet or method of electronic storage is guaranteed secure. We strive to use commercially acceptable means to protect your personal information, but we cannot warrant its absolute security. You understand and agree that any information you transmit to us is at your own risk.
Tracking Technologies and Cookies
Our Services use limited essential and functionality cookies (defined below) for the sole purpose of authenticating users. Our website uses limited performance cookies (defined below) for analytics about our website.
You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of our Service.
Definitions:
- Type: Session Cookies
- Administered by: us
- Purpose: these Cookies are essential to provide you with our Services and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of Accounts. Without these Cookies, the services that you have asked for cannot be provided, and we only use these Cookies to provide you with those services.
- Type: Persistent Cookies
- Administered by: us
- Purpose: these Cookies allow us to remember choices you make when you use our Service, such as remembering your login details or language preference. The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use our Service.
- Type: Persistent Cookies
- Administered by: third parties
- Purpose: these Cookies are used to track information about traffic to our Service and how users use our Service. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access our Service. We may also use these Cookies to test new advertisements, pages, features or new functionality of our Service to see how our users react to them.
Links to Other Websites
Our Services may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party websites or services.
Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.