Privacy Policy – Professional Services

Last update: November 2025

Petal Solutions Inc., Petal Medical Billing Inc. (doing business as Xacte (Zone3W inc.), StatGo Corp., Dobsi Medical, or Medi-Com Consulting), Medcom Billing Systems, Petal Health and Petal Solutions Europe B.V. and its Affiliates (“Petal” or “we”) are committed to protecting the privacy of personal data and personal information, including health information where applicable, as these terms are defined below and in applicable laws (“Personal Information” or “PI”).

In order to bring the privacy practices regarding the Services to the attention of users (“you”, “your” or “yours”), Petal has developed this privacy policy (the “Policy”), which summarizes in particular: (i) the types of Personal Information collected and the situations in which it may be collected; (ii) the ways in which this information is used and protected; (iii) the situations in which it may be shared; (iv) how it is stored and destroyed; (v) the rights that may be exercised by the data subjects with respect to this information; and (vi) the security measures put in place and the procedure applicable in the event of a privacy incident.

For the purposes of this Policy, “Personal Information” means any information about a natural person that can be used to identify them, either directly (e.g. last name, first name, email address, mailing address) or indirectly (that is, when combined with other information).

This Privacy Policy is provided for information and transparency purposes, and for no other purpose. It applies solely to the handling of Personal Information. Some of the data referred to in this Policy may not be Personal Information, and therefore may not be protected under the laws that apply to you.

1. When does this Policy apply?

This Policy applies to our professional services and products, including medical billing services (i.e. medical billing management and optimization, automated data entry and document filing/management), workforce and schedule management services, appointment management services, security and compliance services, Web applications and platforms, hosting and technical support services, and training and support services (collectively, our “Services”).

We provide our Services to healthcare professionals, public and private institutions, and public and government bodies (our “Customers”).

Personal Information collected or provided in connection with our Services is obtained, used, disclosed, stored, destroyed and otherwise handled as set forth in this Policy.

This Policy does not apply:

To activities, products or services that are not part of the Services, including (i) our marketing activities; (ii) when you interact with us outside of our Services; (iii) when you sign up for our newsletter; (iv) when you browse our websites other than for the Services; and (v) when you apply for a job with us.

For these activities, see the applicable policy available here.

When you use third-party sites, including social networks and services referenced through our Services. This Policy does not apply to the handling of your PI by such third parties. Petal is not the owner of these sites, is not responsible for them and has no control over their content or features. Please read the privacy policies of these third parties to learn how they handle your PI before using their sites.
To our Customers’ activities, which may involve collection, use, retention and processing of your Personal Information; these are governed by our Customers’ own privacy policies.

2. Types of Personal Information handled in connection with the Services

Types of PI	Purpose	Justifications
Patients’ PI	Our Customers collect patients’ Personal Information in the course of their business activities. Petal may handle patients’ PI as a “service provider” (or “subcontractor” in Europe/UK) in connection with the Services offered, but our Customers remain the “data controllers” (or have “legal possession”) of the PI.	Customers are responsible for establishing the purpose they wish to achieve by collecting patients’ PI and are therefore responsible for the necessary data processing and for responding to requests from the data subjects (patients). Patients should consult the Customer’s privacy policy to understand how their PI is handled. Customers are responsible for establishing safeguards to protect patients’ PI, responding to individuals’ requests to exercise their rights, and implementing legal requirements throughout the information life cycle (collection, use, storage, retention, transfer and destruction).
Customer employees’ PI	Customers collect Personal Information on their employees in the course of their business activities. Petal may handle Customer employees’ PI as a “service provider” (or “subcontractor” in Europe/UK) in connection with the Services offered, but our Customers remain the “data controllers” (or have “legal possession”) of the PI.	Customers are responsible for establishing the purpose they wish to achieve by collecting employees’ PI and are therefore responsible for the necessary data processing and for responding to requests from the data subjects (employees). Employees should consult the Customer’s privacy policy to understand how their PI is handled. Customers are responsible for establishing safeguards to protect employees’ PI, responding to individuals’ requests to exercise their rights, and implementing legal requirements throughout the information life cycle (collection, use, storage, retention, transfer and destruction).
Service users’ PI	In the case of Service users, Petal is the “data controller” or the entity having “legal possession”, and as such, collects and processes their Personal Information in order to deliver the Services to them. (“Personal Information” could exclude some information such as professional/business contact information)	Users of the Services submit their information to gain access to the platforms and systems that make up the Services. By submitting your PI to Petal, you consent to its collection and processing in accordance with this Policy. You can withdraw your consent by contacting us; however, some Services may then become unavailable.

3. What Personal Information do we collect and for what purposes?

If you choose to use our Services, we will need certain Personal Information as described below, unless otherwise required by law. Petal considers that if you provide us with information, including Personal Information, then you have consented to our collecting/processing it for the purposes for which it was provided (or as otherwise required or allowed by law). Personal Information may also be collected and used as described below.

Account information. To open or renew an account, you must provide certain information depending on the nature of the account and its intended use (e.g. email address, password, preferences, settings, date of account opening). If you like, you can also add a photograph visible to other users. We use this information to create your account, update it as needed, allow you to interact with other users, link you to your organization and enable you to use the features of our Services.
Information on healthcare professionals. We collect information, including Personal Information, as applicable, to enable healthcare professionals’ members to use our Services. This includes telephone numbers, medical specialty, licensure number and issuing authority, organization, professional contact information, schedules, absences, events, information sent by secure message through the Services, documents, billing information, distribution lists, and data on professional activities. The information required varies according to the Service provided; for example, schedule management requires the processing of employment-related information, and our medical billing services require information on services provided and to be billed, as well as applicable rates. To pay for our Services, you have the option to select a one-time payment from your bank account or recurring automated payments. If you pay online, you pay through a Stripe secure digital portal; Petal only has access to your payment history.
Employee information. We collect data, including Personal Information, about your employees when needed to provide the Services (e.g. employee scheduling). This includes name, business contact information, job/employee category and other required information where applicable (e.g. licensure number). The information required varies according to the Service provided.
Patient information. Through our Services, healthcare professionals may handle Personal Information about their patients, mainly for billing or appointment management purposes. This Information is not accessible to Petal unless we have to process it in order to deliver the Services (e.g. retranscription/downloading of billing information on behalf of professionals). In that case, processing will be automated if possible. We do not use this Personal Information for marketing or resale purposes.
Use of the Services. We collect Personal Information from users about their use of the Services as instructed by our Customers (e.g. aggregating data to provide an overview of activities, for security purposes or to respond to requests for technical support and manage Service performance). The data processed includes daily logs, information on the user’s use of the Services, bugs and technical errors associated with the account, connection durations, pages visited and content of technical support requests.
Comments, questions and requests. If you contact Petal, you may decide to provide certain information, including Personal Information (e.g. your name and email address) along with your opinions/comments. We’ll use them to follow up on your message.

4. What do we mean by consent to the collection and use of your PI?

Before collecting, using and disclosing your Personal Information, Petal will obtain your consent in accordance with applicable requirements, except in specific cases provided by law.

Petal is transparent and will clearly inform you, when it collects your Personal Information, of the uses that will be made of it, of the means by which it is being obtained if not collected directly from you, of your rights as well as the categories of third parties to whom it may be disclosed, and the possibility that it may be transferred outside Quebec, so that your consent is clear, free and informed.

You may withdraw your consent to Petal’s use of your PI for purposes that are not essential to the Services provided by Petal, for example to send you promotional material, invite you to events, generate statistics or analyze your information. At your request, Petal will stop using it for those purposes. You may withdraw your consent by contacting the Privacy Officer at the address given in section 10.4 of this Policy.

However, for uses deemed essential to the management and administration of some of our Services, you cannot withdraw your consent without terminating your business relationship with Petal. The consequences can be explained to you at the appropriate time to help you make an informed choice.

Furthermore, uses other than those initially foreseen when the Personal Information was collected could possibly be implemented to provide Customers with the Services agreed to.

To sum up, if the PI is in the legal possession

of Petal, it may be used for other purposes as allowed or required by law, especially if compatible with the purposes for which it was originally collected. Compatible purposes include the development of our Services and their algorithms. In that case, PI is used on a non-identifiable basis wherever possible.
of a Customer, it is not used by Petal for other purposes, except in the case of (i) the point above; and (ii) automated processing by the Services (machine learning without keeping a copy and in a non-identifiable way).

5. How is Personal Information collected?

Petal collects Personal Information from Customers and users in a variety of ways, including verbally, in writing or electronically, through its Service platforms and mobile applications where applicable, by telephone, mail, email or chat, through its authorized partners or otherwise, including but not limited to when they:

Request a quote, sign up for a Service, submit a query or make a payment;
Become a Customer or renew their subscription;
Participate in our programs, events and marketing activities;
Sign up for or agree to receive our newsletters, promotional material and messages about our products and Services;
Contact our representatives to make a service request. Because some of our Services are offered by telephone, calls may be recorded to ensure the quality of our Services and to protect both parties in the event of a disagreement.

When you access or use our Services, we automatically collect usage and technical connection information through cookies and other technologies (e.g. web beacons or pixel tags) (collectively, “Cookies”):

Cookies	Reason
Essential	Enable use of the Services by ensuring they function properly, including navigation from one page to another, maintaining integrity, and interacting with features. These cookies are always active and cannot be turned off. They record your actions on Service platforms (login, language preferences, navigation, automated forms).
Functional	Enable certain features, i.e. remembering your choices, preferences and settings to improve and personalize your experience. These cookies are disabled by default and will only be downloaded if you explicitly consent. You may withdraw your consent at any time as explained below.
Analytics	Allow us to track how you use and interact with the Services (e.g. Google Analytics for performance statistics) on a non-identifiable basis by collecting technical logs, IP addresses, device IDs, types and configurations of browsers, devices and operating systems, data on visitor numbers/pages viewed/visit duration/peak hours/conversion rates, usage frequency, etc. These cookies are disabled by default and will only be downloaded if you explicitly consent. You may withdraw your consent at any time as explained below.

The data is saved in the form of cookies, which are small text files in your browser. Session cookies are deleted as soon as you close your browser, while persistent cookies remain on your device for some time. For example, Google Analytics cookies remain on your device or computer for two years. However, cookies can be blocked or deleted.

You can disable some or all cookies at any time in your browser’s advanced settings.

PI is saved in the form of cookies, which are small text files in your browser. If you encounter any problems, please contact us.

6. To whom do we disclose Personal Information?

Subject to legal requirements, Petal does not share or disclose PI or use it for purposes other than those identified in this Policy or allowed or required by law. Any use of PI for purposes not set out in this Policy will take into account whether the PI is sensitive and how it will be used.

Personal Information collected by Petal is accessible to staff members on a strict “need to know” basis.

We may need to share your PI with service providers and other third parties who may assist us in delivering our Services.

This may include:

any entity of the Petal or its subsidiaries;
partners who assist us with the Services or business development;
technology service providers;
data, server and system hosting providers;
government bodies and authorities (e.g. the Régie de l’assurance maladie du Québec) as required under applicable laws;
government, tax and regulatory authorities (Commission d’accès à l’information, regulators, public bodies responsible for administering the legislation) and any other persons authorized by law to obtain such information.

When this happens:

Those who have access to your PI know the importance of keeping it confidential; they agree to use it only for the purposes stated in the agreement with Petal and to provide the agreed level of protection, in accordance with the law.
We limit any disclosure to what is strictly necessary and respect the terms and conditions of the consent obtained, subject to the purposes allowed or required by law.
Under no circumstances does Petal sell, exchange or market Personal Information.
Petal is committed to deploying all reasonable and necessary safeguards to protect your PI and preserve its integrity, availability and confidentiality.

Our partners may also share certain PI with their own partners, unless otherwise stipulated in contracts with our Customers.

In the event of a sale or merger, the assignees or successors of Petal or its assets may use and disclose your Personal Information, as obtained by Petal, only for the purposes set out in this Policy, unless they obtain your consent for other purposes.

Petal reserves the right to report fraudulent activity by Customers or Service users. This may require us to disclose the person’s PI to the appropriate authorities.

7. Where do we store Personal Information?

Petal uses technology service providers and systems that ensure your PI is stored securely and kept confidential.

PI generally stays in the jurisdiction where it was collected, but not always. Your PI may be hosted or processed outside your country or region (i.e. Canada, Europe or the United States). When we transfer PI to another jurisdiction, we do it in accordance with applicable laws and we make sure appropriate safeguards are in place to provide it with protection similar or equivalent to what it would have in your country of residence.

8. How long do we keep Personal Information?

Subject to applicable laws, Petal will retain Personal Information for as long as needed to provide the Services or otherwise fulfill the purposes set out in the Policy. Subject to contracts with Customers, Petal may retain PI after completion of the specific purposes for which it was collected, if reasonably necessary to: (i) comply with applicable laws or prevent any violation; (ii) resolve any dispute; or (iii) ensure the application of this Policy. When Personal Information is no longer needed, we will take reasonable steps to destroy it in a secure manner, subject to exceptions provided by law.

An anonymized copy may be created from PI collected for serious and legitimate purposes and may be used by Petal to develop products, Services and related algorithms.

In accordance with best practices and the criteria and conditions set by regulation, an irreversible anonymization protocol is applied to prevent the data subject from being identified directly or indirectly. Once anonymized, the data no longer constitutes Personal Information and is therefore no longer covered by privacy laws.

Subject to the applicable laws and each organization’s requirements, Customers may request deletion of their accounts at any time by sending an email to the Privacy Officer (privacy@petal-health.com). To meet its obligations, Petal will ensure that the PI linked to the deleted account will also be destroyed.

Information that is deleted (whether at a user’s request, when an account is closed or otherwise after its retention period) is subjected to a “soft deletion process”: Rather than being permanently deleted, it is put in a recoverable state for a short period of time so it can still be retrieved if the deletion was done in error. A limited number of Petal employees can access this information, and only at the authorized user’s express request.

9. How do we ensure the security of Personal Information?

We have reasonable security measures that take into account the PI’s sensitivity, purpose of use, quantity and distribution, as well as the medium used to process it. These measures include:

Limited processing: Except as provided by law, Petal limits the collection and processing of PI to the purposes stated in this Policy.
Limited access: Subject to applicable laws, access to any Personal Information is granted to Petal employees, representatives and partners on a strict “need to know” basis, with the appropriate measures in place and according to applicable laws.
Authorized partners: Authorized partners are bound by contracts that stipulate the PI protection measures required, and therefore have an obligation of protection and legal compliance.
Privacy Impact Assessment (“PIA”): We conduct PIAs (or notify our Customers that they must conduct PIAs) as needed and as required by law.
Security during transit: When we send Personal Information, we use the HTTPS transfer protocol, which encrypts the data and keeps it confidential and integral.
Secure data centres: The Services are hosted on secure private platforms.
Privacy incident: If Petal has reason to believe that a privacy incident involving Personal Information has occurred, it will take reasonable steps to reduce the risk of serious harm, prevent further incidents and comply with applicable laws.
Training and awareness: Petal provides training to its employees to make sure they handle PI properly and apply security measures on an ongoing basis in the course of their duties.

Nevertheless, while the security of Personal Information is important to us, please remember that no Service, including any method of electronic storage or transmission, is 100% secure.

It is each individual’s responsibility to take reasonable steps to protect his or her Personal Information. If you have reason to believe your PI has been compromised, please contact the Privacy Officer at the address given in section 10.4.

10. What are your rights regarding the processing of your Personal Information?

10.1 Patients’ Personal Information

The rights outlined in 10.3 do not apply to patients’ records or other Personal Information, since Petal will not collect this PI unless required by law. Patients who wish to access their own PI must request it from their healthcare professional or clinic. A patient who contacts Petal will be redirected to the appropriate entity according to the type of request.

10.2 Customer employees’ and Service users’ Personal Information

The rights outlined in section 10.3 do not apply to the records or other Personal Information of Customer employees or Service users, since Petal will not collect this PI unless required by law. Employees or users who wish to access their own PI must request it from their healthcare professional or clinic. An employee or user who contacts Petal will be redirected to the appropriate entity according to the type of request.

10.3 Customers’ Personal Information

Your rights in terms of your Personal Information vary according to the laws applicable to you and the specific circumstances of your request. You may exercise your rights in the manner provided by law (subject to the limitations and conditions therein), and we will respond within the prescribed time limit.

Right of access and rectification: You may review the PI Petal has collected about you, check its accuracy and make any necessary changes, subject to exceptions provided by law. Such requests will be processed free of charge, but reasonable fees may be charged for reproduction requests.

Right to withdraw consent: See section 4 above.

Decision based on automated processing: If Petal implements decision-making based exclusively on PI processing that is automated (without human involvement), relies solely on an algorithm, and has a specific effect on you, such as contract cancellation, you will be informed of this, of the decision made and of your right to submit observations on that decision.

Right to portability: When we have collected Personal Information from you and hold it in a digital format, you may request that it be transferred to a third party in that same format.

Other requests from data subjects in Europe/UK:

Right to information: You may ask how your PI is processed and any related questions.

Right to object to PI processing: You may request that we stop processing your PI, including for profiling purposes, and object at any time to receiving marketing communications from Petal.

Right to erasure / Right to be forgotten: You may request deletion of your PI at any time.

Post-mortem digital rights: You can either give instructions for processing your PI when you die, including a request for deletion, or designate someone to do so.

You may exercise your rights in the manner provided by law (subject to the limitations and conditions therein), and we will respond within the prescribed time limit but no later than thirty (30) days after receiving your request. For security reasons, we may ask you to provide proof of identity. If your request is denied, we will notify you in writing, giving detailed reasons. We will retain your Personal Information until you have exhausted your recourse.

If you are not satisfied with the way we handled your request, you can:

File a complaint with our Privacy Officer, indicating your name, the type of complaint and all relevant details. The Privacy Officer will examine the complaint and contact you if any further information is needed. Once the investigation has been completed, you will be informed of the outcome.
File a formal complaint with the appropriate authorities (in Europe, go here; in Canada, here).

10.4 Questions and comments

To exercise your rights or if you have any questions about how we handle Personal Information, you can contact our:

Privacy Officer or Delegate

mailto: privacy@petal-health.com

350 Charest Blvd East, Suite 300

Quebec City, Quebec G1K 3H5

11. Will this privacy policy be updated?

This Policy may be updated from time to time. The date of the last update appears at the top of the Policy.

12. What laws govern this Policy and the Services?

This Policy and the Services are governed by and subject to the laws in force in the Province of Quebec, apart from any principles or rules that may require the application of foreign laws. Any dispute that cannot be resolved through direct negotiations in good faith will be submitted to the courts of the Province of Quebec, which shall have exclusive jurisdiction to settle such dispute; however, it is understood that the foregoing does not limit or prevent Petal from bringing a proceeding before any other court/arbitrator(s) having jurisdiction to grant an injunction or other interim relief, or from filing a counterclaim or defence.

Petal cannot be held liable for any (i) defect or damage caused by force majeure; or (ii) direct or indirect damages, including any special, incidental or consequential damages. Some jurisdictions do not allow liability to be excluded or limited for certain types of damages; in such jurisdictions, our liability will be limited to the lowest amount permitted by law.