VS_Logo_RGB

Privacy Policy

Last updated: March 31, 2026

Introduction

VeroSource Solutions Inc. (“VeroSource,” “we,” “us,” or “our”) is a HEALWELL AI Inc. company that provides secure digital health, interoperability, patient access, and data solutions for healthcare organizations, government partners, and health system stakeholders. VeroSource’s software securely connects people, data, and healthcare systems through its cloud-based VS Platform, including interoperability, data and AI, and access solutions.

This Privacy Policy explains how VeroSource collects, uses, discloses, retains, and safeguards personal information (“PI”) and personal health information (“PHI”) in connection with:

  • VeroSource products and services, and
  • The VeroSource website and related digital communications

Because VeroSource is part of the HEALWELL group, certain general privacy practices, including broader governance and privacy standards, are described in the HEALWELL AI Inc. master privacy notice . This notice provides additional details specific to VeroSource’s operations.

Our Role

VeroSource generally acts as an agent, information manager, or service provider on behalf of provincial health authorities, government departments, healthcare providers, or other authorized health information custodians (each, a “custodian”). Unless explicitly stated otherwise, VeroSource does not act as the health information custodian for patient PHI and does not own the data processed through its platform.

All patient PI and PHI is processed under the authority and direction of the applicable custodian and in accordance with contractual arrangements and applicable privacy and health information legislation.

VeroSource Products and Services that process PI and PHI

VeroSource provides a portfolio of digital health solutions that may process PI and PHI under custodian direction. These include:

  • VS Platform – a cloud-based, end-to-end, configurable platform built on modern microservices architecture that enables people, clinicians, and decision-makers to access and work with healthcare data.
  • Interoperability Solutions, including VS Gateway – standards-based solutions that enable interoperable, on-demand digital access to health information and facilitate the secure exchange of data across systems using modern interoperability standards such as HL7 and HL7 FHIR.
  • Data & AI Solutions, including VS Data-as-a-Service (VS DaaS) and Digital Twin functionality – tools that support advanced analytics, operational intelligence, and decision-making by turning healthcare data into actionable insights.
  • Access Solutions, including VS MyHealth, VS Digital ID, and VS Wellness Check – patient-facing and public-facing solutions that enable secure access to health information, digital front-door capabilities, and broader interaction with healthcare services.

Each VeroSource product processes PI and PHI only for the purposes described in this policy and only under custodian authority.

Sources of PI and PHI

VeroSource collects PI and PHI:

  • Directly from healthcare providers, health system partners, or authorized users,
  • Through interoperable integrations and authorized health information systems,
  • Automatically through platform usage, including logs and audit trails, and
  • Through website inquiries, contact forms, and related communications.

Patient PHI is generally made available to VeroSource by custodians through the use of our solutions and systems.

Information We Collect

Information Related to Healthcare Providers, Health System Partners, and Authorized Users:

When healthcare providers, health system partners, or their authorized users interact with VeroSource-enabled services or our website, we may collect:

  • Account and contact information, such as names, titles, organizations, email addresses, and phone numbers,
  • Credentials and authentication information,
  • Usage and access information, such as log data, access timestamps, IP addresses, device or browser information, and other diagnostic data used to monitor system performance, detect unauthorized access, and maintain security,
  • Communications with VeroSource, including support requests, implementation communications, and inquiries,
  • Aggregated administrative information used for analytics, system planning, and public-facing dashboards.

If you choose not to provide certain information necessary to establish an account, respond to an inquiry, or support implementation and operations, we may be unable to provide the requested services.

Information Related to Patients:

VeroSource does not typically collect PI or PHI directly from patients. Instead, custodians make patient PI and PHI available through VeroSource-enabled systems so that patients and authorized users may securely access health information and so authorized healthcare stakeholders may use VeroSource services. Patient PI and PHI processed through VeroSource services may include:

  • Health data originating from provincial or government electronic medical record systems,
  • Demographic details,
  • Immunization records, lab results, diagnostic imaging, dispensed medications, prescriptions, and other clinical information displayed through digital health portals such as VS MyHealth and related solutions,
  • Identifiers and administrative data, such as health card numbers or other unique patient identifiers necessary to accurately link, retrieve, and display health records,
  • Interoperability data exchanged between authorized systems and providers,
  • De-identified or aggregated data where authorized for analytics, planning, or public-facing health system reporting.

All patient PI and PHI is processed solely in accordance with the contractual arrangements made with the applicable custodian.

How We Use the Information We Collect

Information Related to Healthcare Providers and Authorized Users:

VeroSource uses provider-related PI to:

  • Deliver, configure, and administer VeroSource products and services,
  • Authenticate users and manage access controls,
  • Support interoperability between authorized health information systems and providers,
  • Operate, monitor, maintain, and secure VeroSource systems,
  • Provide onboarding, technical support, implementation assistance, and service communications,
  • Conduct analytics, planning, and reporting using non-identifiable or aggregated administrative information,
  • Support government dashboards and public access tools that rely on aggregated, non-identifiable administrative data,
  • Comply with contractual, legal, and regulatory obligations.

Information Related to Patients:

Patient PI and PHI are used to:

  • Enable patients and authorized users to securely view and access their health information through digital health portals and access tools,
  • Support continuity of care by facilitating the availability of accurate and up-to-date health information to authorized healthcare providers, as directed by the applicable custodian,
  • Enable secure interoperability and exchange of PI and PHI between authorized health information systems,
  • Support health system operations, analytics, and public-facing reporting using aggregated or de-identified information where authorized,
  • Maintain system integrity, security, reliability, and auditability.

VeroSource does not use identifiable patient PI or PHI for advertising, marketing, or independent commercial purposes.

Artificial Intelligence and Analytics

VeroSource solutions may include advanced analytics and data services, including VS DaaS and Digital Twin functionality, to help healthcare organizations uncover actionable insights, improve decision-making, and support operational transformation. Where analytics or AI-assisted functionality is used:

  • It is deployed under custodian direction and only for authorized purposes,
  • Identifiable patient PI or PHI is not used for independent commercial AI model training,
  • Any de-identified or aggregated data used for analytics or public reporting is handled in accordance with applicable law and contractual arrangements.

Disclosure of Information

VeroSource discloses patient PI and PHI only under custodian direction, where required or permitted by law or to authorized service providers supporting VeroSource operations under appropriate contractual safeguards.

Provider and Website Information

We may disclose PI collected from providers, authorized users, or website visitors to:

  • Contracted service providers supporting hosting, cloud infrastructure, security monitoring, analytics, implementation, and other operational functions,
  • Professional advisors, such as legal and accounting advisors,
  • Regulators, courts, law enforcement, or other public authorities, where required or permitted by law,
  • Business transaction counterparties in connection with mergers, acquisitions, reorganizations, or similar transactions, subject to appropriate confidentiality and continuity-of-protection safeguards.

Website Information and Cookies

When individuals visit our website, we may collect:

  • Contact information voluntarily submitted through forms or inquiries
  • Device, browser, and usage information
  • Cookies and analytics data

We use this information to respond to inquiries and provide information about our services, improve website performance and user experience and support functionality and analytics. Users may be able to browse parts of our website anonymously, but certain interactions require contact information. Users may manage cookie preferences through browser settings.

Cross-Border Data Transfers

Depending on service configuration, hosting arrangements, and support requirements, PI and PHI may be stored in or accessed from jurisdictions outside the location where the information was originally collected. Where this occurs, VeroSource applies appropriate technical, organizational, and contractual safeguards consistent with applicable privacy laws and its security program. These safeguards may include:

Contractual privacy, confidentiality, and security obligations with service providers,

  • Encryption of PI and PHI in transit and at rest,
  • Role-based access controls and data minimization principles,
  • Least-privilege access provisioning,
  • Monitoring, logging, and oversight of systems processing PI and PHI

Third-party service providers are assessed prior to engagement and periodically thereafter to help ensure that their privacy and security controls meet VeroSource’s standards and applicable legal obligations.

Data Security

VeroSource maintains administrative, technical, and physical safeguards to protect the information under its control. These measures are designed to help prevent unauthorized access, use, disclosure, modification, accidental loss, or destruction and include, where appropriate, encryption, access controls, audit logging, secure cloud infrastructure, monitoring and incident response procedures. No system is completely secure; however, VeroSource applies safeguards appropriate to the sensitivity of the information it processes.

Data Retention

VeroSource retains PI and PHI only as long as necessary to provide requested services, meet applicable legal, regulatory, and contractual obligations, and comply with authorized retention requirements of the applicable custodian. Where authorized, VeroSource may retain de-identified or aggregated data for analytics, system planning, public reporting, or product improvement purposes. VeroSource does not de-identify patient PHI without appropriate authorization from the applicable custodian.

Privacy Rights

Subject to applicable law, providers, patients, and staff may have rights to:

  • Access the PI or PHI held about them,
  • Request correction of inaccurate information,
  • Request deletion or disposal of information where permitted by law,
  • Object to certain processing,
  • Lodge a complaint with the relevant privacy or data protection authority.

Where VeroSource acts as an agent, information manager, or service provider, the applicable custodian remains responsible for responding to individual rights requests. VeroSource may direct an individual’s request to the appropriate custodian and support that custodian in responding in accordance with contractual arrangements and applicable law.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, legal obligations, or privacy practices. Continued use of VeroSource services or website after an update takes effect constitutes acceptance of the updated notice. For further questions or concerns about VeroSource’s privacy practices, please contact our Privacy Office at privacy@verosource.com.

crossmenu