Privacy Policy
For Clients/Patients
Effective Date: April 11, 2025

This Privacy Policy is a living document designed to reflect our ongoing commitment to protecting your information and complying with all applicable legal standards. We encourage you to review it periodically and provide feedback.

Cognitai Health Inc. (“Cognitai,” “we,” “us,” or “our”) is committed to protecting your personal and health-related information. This Privacy Policy explains how we collect, use, store, and share your data through our health analytics platform and mobile/web applications. We strive to comply with all applicable privacy laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) (U.S.), the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), and Quebec’s Law 25.
This policy is provided in English; a French version may be provided for Quebec users as required.

1. Introduction
Cognitai integrates data from wearable devices and user inputs to provide decision support and patients’ mental health insights to mental health professionals. Our platform collects both active (e.g., mood ratings, worksheet inputs, journal entries, symptoms) and passive (e.g., heart rate, sleep patterns, activity data) information. This data supports analytics that assist licensed professionals in monitoring mental health but does not substitute for professional clinical judgment.

For clarity, here are key definitions:
- Personal Data: Any information relating to an identified or identifiable individual.
- Protected Health Information (PHI) (for HIPAA compliance): Individually identifiable health information transmitted or maintained in any form.
- De-Identified Data: Information that cannot reasonably be used to identify you.
- Aggregated Data: Information that has been combined with other data so it does not identify you as an individual.

2. Data Collection
2.1. Types of Data Collected
- Active Data (User-Provided):
  - Mood Ratings: Scale-based ratings (0–10).
  - Worksheet and Assessment Inputs: Assigned by mental health professionals through the platform.
  - Symptoms & Life Events: Selected from predefined categories or entered as custom inputs.
  - Journal Entries: Text or voice-based descriptions.
- Passive Data (From Wearable Devices & Sensors):
  - Heart Rate & Variability
  - Sleep Patterns & Disturbances
  - Activity Levels (steps, exercise, sedentary time)
  Data from wearable devices is collected and handled securely only after you provide explicit consent through secure OAuth 2.0 authentication.

2.2. Data Subject Categories
- Primary Data Subjects:
  - Adult users (18 years and older) who register and use our platform.
- Sensitive Personal Data:
  - Health-related information, as defined under HIPAA, PIPEDA and Quebec’s Law 25, is collected only with your explicit, informed consent.
- Minors:
  - Our services are intended for adult users (18 years and older). If personal data from individuals under the age of 18 is inadvertently collected, we will implement additional safeguards in compliance with applicable law and either obtain the necessary parental consent or promptly delete the data.

3. How We Use Your Data
3.1. Purposes of Processing
- Mental Health Insights & Decision Support:
  - We analyze collected data using AI and machine learning models (including Natural Language Processing for journal entries, anomaly detection, and predictive analytics) solely to provide insights and decision support for mental health professionals.
  - No automated decision-making occurs; final clinical decisions are made exclusively by licensed professionals.
  - Where permitted by law, we may fulfill data deletion requests by permanently removing all identifiers from your data so that it is no longer associated with you or reasonably re-identifiable. The resulting anonymized data may be retained.
- Service Improvement and Research:
  - Your de-identified or aggregated data may be used to enhance platform performance and features.
  - Research: With your explicit opt-in, de-identified or aggregated data may be shared with research institutions for scientific studies.
  - If you consent to share your data for research purposes, it will be retained only in de-identified or aggregated form, and only for as long as necessary to achieve the specified research objectives. You may withdraw your research consent at any time, and no additional data will be shared after your withdrawal.

3.2. Legal Bases for Processing
Our data processing is founded on:
- Consent:
  - Obtained explicitly during onboarding and whenever new functions or new forms of data handling are introduced.
  - Separate, explicit consent is obtained during onboarding for specific functions that require it, including the use of AI-powered analytics on the user’s data. These consents may be withdrawn independently at any time.
- Compliance with Legal Obligations:
  - To meet our obligations under HIPAA (U.S.), PIPEDA (Canada), and Quebec’s Law 25.
- Legitimate Interests:
  - Processing necessary to provide and improve our services, balanced against your rights and freedoms.

3.3. AI and Algorithm Transparency
- Accountability & Bias Mitigation:
  - We conduct regular audits of our AI algorithms to ensure fairness, accuracy, and transparency. Detailed documentation of our AI processes is maintained, and we offer explainable outputs to licensed professionals.
- No Fully Automated Decisions:
  - AI-driven insights serve as decision support; all final decisions remain with healthcare professionals.
- Cloud-Based AI and Processing Location:
  - We use secure, cloud-based AI tools to analyze anonymized or pseudonymized data and support mental health insights. Some data may be processed outside your region. This processing is based on your initial consent and/or legal grounds permitted under applicable privacy laws.

4. Data Sharing
- Between Patients and Providers:
  - Your data is shared only with your designated mental health professionals or clinics to facilitate care. If you wish to revoke or modify a provider’s access to your information (for example, if you change mental health professionals), you can do so via the ‘Account Settings’ or ‘Provider Access’ section of our application. Once you remove a provider from your approved list, that mental health professional will no longer be able to view or receive updates on your data.
- AI-Based Processing:
  - We use trusted cloud providers to support AI-based analysis of anonymized or pseudonymized data. Some of this processing may occur in other jurisdictions. These subprocessors operate under strict contractual, technical, and legal safeguards and are not permitted to use your data for any other purpose.
  - All cross-border processing of personal and health-related data is subject to contractual, technical, and organizational safeguards designed to ensure an equivalent level of protection as required under Canadian federal and Quebec privacy laws. These safeguards include agreements with third-party vendors that bind them to comply with PIPEDA and Law 25.
- Third-Party Sharing:
  - We do not share your identifiable data with any unrelated third parties, such as advertisers or external business partners, without your explicit, informed consent.
  - We may engage trusted service providers (subprocessors) to process de-identified or pseudonymized data strictly on our behalf. These subprocessors are bound by contract to use the data only for authorized purposes and in compliance with applicable privacy regulations, including HIPAA, PIPEDA, and Law 25.
- Subprocessors:
  - We use trusted third-party vendors (e.g., compliant cloud hosting) under strict contractual agreements. These subprocessors are prohibited from using your data for any purpose other than providing agreed-upon services.
  - We maintain a current list of our data subprocessors, which includes their processing purpose and geographic location. This list is available on our website or upon request.
- Research Purposes:
  - Should you opt in, your data may be shared, always in a de-identified or aggregated form, with research institutions under strict confidentiality and compliance protocols.

5. Data Security
Commitment to Privacy and Security
We are deeply committed to safeguarding your personal and health-related data. Our security framework is designed and maintained by security and privacy professionals who continually monitor emerging risks and adopt appropriate safeguards.

Administrative, Technical, and Physical Measures
- We apply industry-recognized encryption methods to protect data in transit and at rest, ensuring that your information remains secure throughout its lifecycle.
- We use role-based and need-to-know access controls, allowing only authorized personnel with a legitimate operational need to handle user data.
- Our administrative policies require routine security awareness training, background checks for relevant personnel, and ongoing risk assessments to ensure we continuously address any vulnerabilities.

Privacy by Design
In accordance with Quebec’s Law 25 and other applicable privacy regulations, we integrate Privacy by Design principles into the architecture of our platform. This ensures that:
- Privacy Settings by Default: We configure user settings to the highest standard of privacy upon account creation.
- Data Minimization: We collect and process only the data necessary to provide and improve our services.
- Ongoing Evaluations: We regularly audit our processes and technologies to maintain alignment with evolving legal standards and best practices.

Monitoring and Incident Response
We maintain an incident response plan designed to quickly identify, isolate, and resolve security events. In the unlikely event of a data breach, we will promptly notify affected individuals and relevant authorities in accordance with applicable laws and regulatory requirements.

Continuous Improvement
As threats evolve, we periodically review and update our security controls to maintain a robust defense against unauthorized access, data loss, or misuse. While no security measure can guarantee absolute protection, we strive to minimize risks through vigilant monitoring, proactive mitigation strategies, and a culture of accountability.

6. Data Retention and Deletion
- Retention Period:
  - We retain your data for a limited time, in accordance with applicable local regulations, until you request deletion. Where HIPAA or other local laws require a longer retention period, we comply accordingly. If you request deletion but we are legally obligated to keep the data, we will retain it as required by law.
- Deletion Process:
  - Upon your request and consent, your data will be permanently deleted within the retention period.
  - We also ensure that backup copies and logs are purged or anonymized in accordance with applicable law.
- Legal Compliance:
  - Our data retention and deletion practices comply with applicable laws (HIPAA, PIPEDA, and Quebec’s Law 25).

7. User Rights and Consent
7.1. Your Rights
You have the right to:
- Access: Request access to view and download your personal data in structured formats.
- Rectification: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your data.
- Portability: Export your data for use in other services.
- Consent Withdrawal: Withdraw your consent in whole or in part at any time (note that this may limit certain functionalities).

7.2. Obtaining and Managing Consent
- Initial Consent:
  - Captured during onboarding via our mobile and web applications.
- Ongoing Consent:
  - Required whenever new features or data collection functions are introduced.
  - During onboarding and/or by accepting this Privacy Policy, you provide consent for the use of AI technologies and the secure processing of your personal or health-related data, including in jurisdictions outside your own. This processing is carried out with safeguards and in accordance with the privacy laws that apply to you. Additional consent is not requested each time.
- Record-Keeping:
  - We maintain detailed records of all consents in compliance with PIPEDA and Law 25.

8. Jurisdiction-Specific Disclosures
8.1. United States (HIPAA Compliance)
- We adhere to HIPAA’s Privacy and Security Rules, ensuring that all Protected Health Information (PHI) is processed, stored, and transmitted securely. In the event of a data breach affecting PHI, our breach notification procedures will comply with HIPAA requirements. We have executed Business Associate Agreements (BAAs) with covered entities, where applicable, to ensure that all relevant obligations for business associates are met.

8.2. Canada (PIPEDA Compliance)
- Our practices are aligned with PIPEDA, ensuring that personal information is collected, used, and disclosed only with your informed, explicit consent. We allow you access to, correction of, and deletion of your data.

8.3. Quebec Law 25 Compliance
Under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), we have implemented additional measures:
- Privacy Officer:
  - A dedicated Privacy Officer is appointed to ensure compliance.
  - Cognitai's Privacy Officer: Forough (Fora) Fereydouni
- Privacy Impact Assessments (PIAs):
  - We conduct PIAs for projects involving sensitive data or new technologies.
- Default Privacy Settings:
  - Our systems are designed with “Privacy by Design,” setting defaults to the highest privacy standards.
- Sensitive Data Consent:
  - Explicit, informed consent is required for the collection and use of sensitive personal data, including health information.
- Breach Notification:
  - In the event of a data breach posing a significant risk of harm, we will promptly notify the Commission d’accès à l’information (CAI) and affected individuals.
- Cross-Border Data Transfers:
  - We follow the current regulations governing any cross-border data transfer.

8.4 Data Residency and Processing Locations
- We store and process your data in locations that align with legal and operational requirements. In some cases, data may be securely processed outside your region. Regardless of location, we apply strong technical, contractual, and organizational safeguards to ensure that your personal and health-related information is protected in accordance with the privacy laws of your jurisdiction.

9. Data Breach and Incident Response
In the event of a data breach, we will act promptly to mitigate harm and notify you and the relevant authorities as required by law.

9.1 Pre-Breach Prevention & Detection
- Technical Measures: Continuous monitoring systems, intrusion detection, and firewalls.
- Staff Training: Ongoing security awareness and privacy best practices.
- Access Controls: Strict RBAC, logging, and regular security audits.

9.2 Internal Escalation & Investigation
- Upon detection, our Incident Response Team (led by the Privacy Officer) will investigate.
- We document the nature, scope, and impact of the breach and take measures to contain and mitigate further exposure.

9.3 Notification Timelines & Procedures
- HIPAA: Notification to affected individuals (and, if necessary, HHS and media) within 60 days of discovery.
- PIPEDA: Notification to the Office of the Privacy Commissioner and affected individuals as soon as feasible after a breach posing a real risk of significant harm.
- Law 25 (Quebec): Notification to the Commission d’accès à l’information (CAI) and to affected individuals as soon as possible in the event of a breach presenting a serious risk of harm.
- Templates: We maintain standard notification templates to ensure consistent and comprehensive communication.

9.4 Jurisdiction-Specific Differences
- We will follow the strictest timeline applicable. Where multiple laws overlap, we will harmonize notifications to ensure full compliance.
- Where multiple laws apply, we follow the most stringent notification timeline required under the circumstances.

10. Compliance Monitoring and Audits
- Regular Audits:
  - We conduct periodic reviews and audits of our data security, privacy, and AI systems to ensure compliance with all applicable regulations.
- Training:
  - Our staff receive regular training on privacy best practices and compliance obligations.
- Record-Keeping:
  - Detailed records of consents, data access requests, and breach notifications are maintained in accordance with legal requirements.

11. Updates and Amendments
We reserve the right to update or amend this Privacy Policy from time to time. When significant changes are made, we will notify you via email and/or in-app notifications at least fifteen (15) days prior to the new policy’s effective date. Your continued use of our Services constitutes acceptance of the updated Privacy Policy.

12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: trust@cognitai.org
Address: 1250 Rue Guy Suite #600, Montréal, QC H3H 2L3

For further inquiries or to exercise your data rights, please reach out to our Privacy Office.