Xacte - Privacy Policy

Last update: November 2025

Petal Solutions Inc., Petal Medical Billing Inc. (operating under the corporations named Xacte (Zone3W inc.), StatGo Corp., Dobsi Medical, or Medi-Com Consulting), Medcom Billing Systems, Petal Health Inc. and Petal Solutions Europe B.V. and its Affiliates (collectively, “Petal” or “we”) are committed to protecting the privacy of personal information as defined below and in applicable laws (hereinafter “Personal Information” or “PI”).

In order to bring the privacy practices regarding Petal’s websites and, where applicable, its mobile apps (each a “Website”) to the attention of visitors (“you”, “your”, or “yours”), Petal has developed this privacy policy (the “Policy”), which summarizes in particular: (i) the types of Personal Information collected and the situations in which it may be collected; (ii) the ways in which this PI is used and protected; (iii) the situations in which it may be shared; (iv) how it is stored and destroyed; (v) the rights that may be exercised by the data subjects with respect to this information; and (vi) the security measures put in place and the procedure applicable in the event of a privacy breach.

This Policy does not apply to Services for professionals. Click here to read the privacy policy applicable to those Services.

For the purposes of this Policy, “Personal Information” means any information about a natural person that can be used to identify them, either directly (e.g. last name, first name, email address, mailing address) or indirectly (that is, when combined with other information).

This Privacy Policy is provided for information and transparency purposes, and for no other purpose. It applies solely to the handling of Personal Information. Some of the data referred to in this Policy may not be Personal Information, and therefore may not be protected under the laws that apply to you.

1. When does this Policy apply?

This Policy applies to anyone browsing or using any of our Websites and to PI that may be processed, in particular: (i) when you use these sites; (ii) as part of our digital marketing activities, such as the use of cookies; or (iii) when you interact with us on our Websites, through our social networks or by email (collectively, our “Digital Services”) as set out in point 2 below.

Personal Information collected or provided in connection with our Digital Services is obtained, used, disclosed, stored, destroyed and otherwise handled as set forth in this Policy.

This Policy does not apply:

To Services for professionals, including the processing of Personal health information or the Personal Information of healthcare professionals.

For those Services, see the applicable policy here.

When you use third-party sites. Third parties include social networks as well as services referenced on our Websites/Digital Services (e.g. if you click on a third-party link on one of our Websites/Digital Services). This Policy does not apply to the handling of PI by such third parties. Petal is not the owner of these sites, is not responsible for them and has no control over their content or features. Please read the privacy policies of these third parties to learn how they handle your PI before using their sites.

2. What Personal Information do we collect and for what purposes?

Petal collects only the Personal Information it needs to conduct its activities, including information about your identity (e.g. name, address, contact details and demographic information) or your use of its Websites (e.g. your IP address, location or browsing data), as well as Personal Information you provide to us, in particular to:

Get a demo of our Services and products: You’ll have to share your name, profession, organization and business contact information with us. We need this information to provide the demo.

Allow us to process and administer your file: Depending on your needs, we’ll probably have to confirm the accuracy of your Personal Information, check your eligibility for our products and Services, and confirm your identity.

Join our mailing list: We use your email address and other personal details (e.g. graduation year, role in the organization and topics of interest) to send you information through our newsletter. In Europe/UK and some other jurisdictions, these messages are sent only with your express consent. You can unsubscribe anytime.

Participate in marketing events organized by Petal where we will need your Personal Information to ensure your registration/participation. Your PI may be used to share details of past and future events.

Apply for a job: We collect the Personal Information you provide (e.g. your professional and academic background, letters of recommendation, resumé, letters of intent and other related information), mainly in order to analyze your application and be able to contact you. If your application is selected, you may be required to provide additional PI enabling us to check your criminal record and work experience, for example. We will only process your PI to review your application and subsequently:

to manage our employer-employee relationship if you are hired; or

unless you indicate otherwise, for a few months if you are not hired but we believe that reasonably related positions will be available in the near future.

Submit comments, questions or requests: If you contact Petal, you may decide to provide certain Personal Information (e.g. your name and email address) along with your opinions/comments. We’ll use them to follow up on your message.

Enable us to ensure risk management and operations: We may use your PI to prevent and detect fraud, conduct due diligence or business transactions, analyze the performance of our products and Services, design or modify our products, improve our ways of doing business or develop new ones;

Enable us to meet our legal and regulatory requirements.

3. What do we mean by consent to the collection and use of your Personal Information?

Before collecting, using and disclosing your Personal Information, Petal will obtain your consent in accordance with applicable requirements, except in specific cases provided by law.

Petal is transparent and will clearly inform you, when it collects your Personal Information, of the uses that will be made of it, of the means by which it is being obtained if not collected directly from you, of your rights as well as the categories of third parties to whom it may be disclosed, and the possibility that it may be transferred outside Quebec, so that your consent is clear, free and informed.

You may withdraw your consent to Petal’s use of your PI for purposes that are not essential to the Websites/Digital Services provided by Petal, for example to send you promotional material, invite you to events, generate statistics or analyze your information. At your request, Petal will stop using it for those purposes. You may withdraw your consent by contacting the Privacy Officer at the address given in section 9.2 of this Policy.

However, for uses deemed essential to the management and administration of some of our Services, you cannot withdraw your consent without terminating your business relationship with Petal (e.g. your employment or job application). The consequences can be explained to you at the appropriate time to help you make an informed choice.

4. How is Personal Information collected?

Petal collects Personal Information from users in a variety of ways, including verbally, in writing or electronically, through its Service platforms and mobile applications where applicable, by telephone, mail, email or chat, through its authorized partners or otherwise, including but not limited to when they:

Request a quote, submit a query or make a payment;

Participate in our programs, events and/or marketing activities;

Contact our representatives to make a service request. Because some of our Services are offered by telephone, calls may be recorded to ensure the quality of our Services and to protect both parties in the event of a disagreement.

4.1. Personal Information obtained through “cookies”

A “cookie” contains data collected from the websites you visit and stored as a small text file in your browser. In this Policy, “cookie” includes tracking technologies such as tracker pixels and web beacons. If you want to know more about cookies, you can consult this article on the website of the Office of the Privacy Commissioner of Canada. 

Cookies store information on your computer or device to improve and maintain your experience on websites. They may contain PI about user preferences in order to personalize browsing.

Cookies are categorized as follows:

Cookies	Reason
Essential	Enable use of the Websites/Digital Services by ensuring they function properly, including navigation from one page to another, maintaining integrity, and interacting with features. These cookies are always active and cannot be turned off. They record your actions on Websites (login, language preferences, navigation, automated forms).
Functional	Enable certain features, i.e. remembering your choices, preferences and settings to improve and personalize your experience. These cookies are disabled by default and will only be downloaded if you explicitly consent. You may withdraw your consent at any time as explained below.
Analytics	Allow us to track how you use and interact with the Websites/Digital Services (e.g. Google Analytics for performance statistics) on a non-identifiable basis by collecting technical logs, IP addresses, device IDs, types and configurations of browsers, devices and operating systems, data on visitor numbers/pages viewed/visit duration/peak hours/conversion rates, usage frequency, etc. These cookies are disabled by default and will only be downloaded if you explicitly consent and in any other applicable jurisdiction. You may withdraw your consent at any time as explained below.
Marketing	We set targeted advertising cookies such as those used by Google Tag Manager, Search Console, Google Ads, Facebook Ads, Meta Ads and LinkedIn Ads in order to process some of your Personal Information (e.g. your browser preferences, profession, browsing habits, interests and email addresses) and to show you ads that are more relevant to you. More specifically: Facebook Ads: allows us to tailor our advertising to your behavioural patterns. We do not share your PI or behavioural patterns with Facebook. Instead, the tool converts your email address into a unique number that Facebook uses for real-time sales of automated ad placement. With your permission, we may also use the Facebook conversion tracking pixel to analyze the effectiveness of our ad placements for statistical and research purposes. The data collected does not give access to identifiable information. Facebook may collect data through your Facebook account for the purposes of its own marketing practices, in accordance with its own privacy policy. Google Ads: Google Ads is used to target marketing audiences. We use this feature to create market segments based on the data we’ve obtained, and we use this data for targeted marketing campaigns through our Google Ads account. Without these cookies, you would still see advertisements, but they would not be personalized to your interests. These cookies are disabled by default and will only be downloaded if you explicitly consent and in any other applicable jurisdiction. You may withdraw your consent at any time as explained below.

The data is saved in the form of cookies, which are small text files in your browser. Session cookies are deleted as soon as you close your browser, while persistent cookies remain on your device for some time. For example, Google Analytics cookies remain on your device or computer for two years. However, they can be blocked or deleted.

You can disable some or all cookies at any time in your browser’s advanced settings.

Managing cookie preferences 

As part of the AdChoice program, the Digital Advertising Alliance of Canada offers tools and plug-ins to help you control your cookies. 

To manage preferences on your computer, use the WebChoices Consumer Choice Tool.

To manage preferences on your mobile device, use the AppChoices tool.

If you opt out of personalized ads, you may still receive ads from Petal, but they will not be personalized. 

In addition, browsers and devices have tools for controlling cookies; you can block them, be notified when they’re loaded, and control the ones already placed on your device or computer. However, if you block all cookies, you may not be able to access all the features of the Websites/Digital Services. 

Cookie control tools vary depending on the browser you use. To learn more, click on the link for your browser: 

Google Chrome

Firefox

Safari

Microsoft Edge

Opera

Brave

 You can also use the “Limit Ad Tracking” feature on iOS devices or opt out of “Ads Personalization” on Android devices. 

Finally, you can prevent your web activity from being used by Google Analytics by installing the Google Analytics opt-out browser add-on. This add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sending information to Google Analytics about your web activity. For more information about Google’s privacy practices, please visit Google Analytics. 

If you encounter any problems, please contact us.

4.2 Social media 

Petal uses social media platforms so you can follow us and add us to your contact list. Petal can access your Web pages and profiles according to your settings, as set out in the privacy policies and terms of use applicable to those platforms. Petal also receives notifications and access to links and/or other publications mentioning it. You should review the privacy settings applicable to these accounts/pages, check the information your contacts have access to, and limit access if necessary.

This will enable you to control the information shared, such as Personal Information, and protect your privacy. Please note that Petal is not responsible for the PI practices of social media sites. We therefore strongly recommend that you read their privacy policies.

5. To whom do we disclose your personal information?

Subject to legal requirements, Petal does not share or disclose PI or use it for purposes other than those identified in this Policy or allowed or required by law. Any use of PI for purposes not set out in this Policy will take into account whether the PI is sensitive and how it will be used.

Personal Information collected by Petal is accessible to staff members on a strict “need to know” basis.

We may need to share your PI with service providers and other third parties who may assist us with our Websites and delivery of our Digital Services.

This may include:

any entity of Petal or subsidiary;

partners who assist us with the Websites/Digital Services or business development, advertising partners, e.g. Google AdWord, Meta or LinkedIn), analytical services, etc;

technology service providers;

data, server and system hosting providers;

recruiting firms;

companies specializing in compliance or criminal and credit background checks;

government, tax and regulatory authorities (Commission d’accès à l’information, regulators, public bodies responsible for administering the legislation) and any other persons authorized by law to obtain such information.

When this happens:

Those who have access to your PI know the importance of keeping it confidential; they agree to use it only for the purposes stated in the agreement with Petal and to provide the agreed level of protection, in accordance with the law.

We limit any disclosure to what is strictly necessary and respect the terms and conditions of the consent obtained, subject to the purposes allowed or required by law.

Under no circumstances does Petal sell, exchange or market Personal Information.

Petal is committed to deploying all reasonable and necessary safeguards to protect your PI and preserve its integrity, availability and confidentiality.

Our partners may also share certain PI with their own partners, unless otherwise stipulated in contracts with our Customers.

In the event of a sale or merger, the assignees or successors of Petal or its assets may use and disclose your Personal Information, as obtained by Petal, only for the purposes set out in this Policy, unless they obtain your consent for other purposes.

Petal reserves the right to report fraudulent activity by Customers or Service users. This may require us to disclose the person’s PI to the appropriate authorities.

6. Where do we store your personal information?

Petal uses technology service providers and systems that ensure your PI is stored securely and kept confidential.

PI generally stays in the jurisdiction where it was collected, but not always. Some PI may be hosted or processed outside your country or region (i.e. Canada, Europe or the United States). When we transfer PI to another jurisdiction, we do it in accordance with applicable laws and we make sure appropriate safeguards are in place to provide it with protection similar or equivalent to what it would have in your country of residence.

7. How long do we keep your personal information?

Subject to applicable laws, Petal will retain Personal Information for as long as needed to provide the required access or use of the Websites/Digital Services or otherwise fulfill the purposes set out in the Policy. Petal may retain PI after completion of the specific purposes for which it was collected, if reasonably necessary to: (i) comply with applicable laws or prevent any violation; (ii) resolve any dispute; or (iii) ensure the application of this Policy. When Personal Information is no longer needed, we will take reasonable steps to destroy it in a secure manner, subject to exceptions provided by law.

An anonymized copy may be created from PI collected for serious and legitimate purposes and may be used by Petal to develop products and services, including our Websites/Digital Services and related algorithms.

In accordance with best practices and the criteria and conditions set by regulation, an irreversible anonymization protocol is applied to prevent the data subject from being identified directly or indirectly. Once anonymized, the data no longer constitutes Personal Information and is therefore no longer covered by privacy laws.

8. How do we ensure the security of your Personal Information?

We have reasonable and proportional security measures that take into account the PI’s sensitivity, purpose of use, quantity and distribution, as well as the medium used to process it. These measures include:

Limited processing: Except as provided by law, Petal limits the collection and processing of PI to the purposes stated in this Policy.

Limited access: Subject to applicable laws, access to any Personal Information is granted to Petal employees, representatives and partners on a strict “need to know” basis, with the appropriate measures in place and according to applicable law.

Authorized partners: Authorized partners are bound by contracts that stipulate the PI protection measures required, and therefore have an obligation of protection and legal compliance.

Privacy Impact Assessment (“PIA”): We conduct PIAs (or notify our Customers that they must conduct PIAs) as needed and as required by law.

Security during transit: When we send Personal Information, we use the HTTPS transfer protocol, which encrypts the data and keeps it confidential and integral.

Secure data centres: The Websites are hosted on secure private platforms.

Privacy incident: If Petal has reason to believe that a privacy incident involving Personal Information has occurred, it will take reasonable steps to reduce the risk of serious harm, prevent further incidents and comply with applicable laws.

Training and awareness: Petal provides training to its employees to make sure they handle data properly and apply security measures on an ongoing basis in the course of their duties.

Nevertheless, while the security of Personal Information is important to us, please remember that no Website/Digital Service, including any method of electronic storage or Web transmission, is 100% secure.

It is each individual’s responsibility to take reasonable steps to protect his or her Personal Information. If you have reason to believe your PI has been compromised, please contact the Privacy Officer at the address given in section 9.2.

9. What are your rights regarding your Personal Information?

9.1 Requests to exercise the rights of data subjects:

Your rights in terms of your PI vary according to the laws applicable to you and the specific circumstances of your request. You may exercise your rights in the manner provided by law (subject to the limitations and conditions therein), and we will respond within the prescribed time limit.

Right of access and rectification: You may review the PI Petal has collected about you, check its accuracy and make any necessary changes, subject to exceptions provided by law. Such requests will be processed free of charge, but reasonable fees may be charged for reproduction requests.
Right to withdraw consent: See section 3 above.
Decision based on automated processing: If Petal implements decision-making based exclusively on PI processing that is automated (without human involvement), relies solely on an algorithm, and has a specific effect on you such as contract cancellation or ineligibility for employment, you will be informed of this, of the decision made and of your right to submit observations on that decision.
Right to portability: When we have collected Personal Information from you and hold it in a digital format, you may request that it be transferred to a third party in that same format.

Other requests from data subjects in Europe/UK:

Right to information: You may ask how your PI is processed and any related questions.
Right to object to PI processing: You may request that we stop processing your PI, including for profiling purposes, and object at any time to receiving marketing communications from Petal.
Right to erasure / Right to be forgotten: You may request deletion of your PI at any time.

You may exercise your rights in the manner provided by law (subject to the limitations and conditions therein), and we will respond within the prescribed time limit but no later than thirty (30) days after receiving your request. For security reasons, we may ask you to provide proof of identity. If your request is denied, we will notify you in writing, giving detailed reasons. We will retain your Personal Information until you have exhausted your recourse.

If you are not satisfied with the way we handled your request, you can:

File a complaint with our Privacy Officer, indicating your name, the type of complaint and all relevant details. The Privacy Officer will examine the complaint and contact you if any further information is needed. Once the investigation has been completed, you will be informed of the outcome.

File a formal complaint with the appropriate authorities (e.g. in Europe, go here; in Canada, here).

The rights outlined above do not apply to patient records or other patient PI; click here to read the privacy policy for Services.

9.2 Questions and comments

To exercise your rights or if you have any questions about how we handle your Personal Information, you can contact our:

Privacy Officer or Delegate
mailto: privacy@petal-health.com
350 Charest Blvd East, Suite 300
Quebec City, Quebec  G1K 3H5

10. Will this privacy policy be updated?

This Policy may be updated from time to time. The date of the last update appears at the top of the Policy.

11. What laws govern this Policy and the Websites?

This Policy and the Websites/Digital Services are governed by and subject to the laws in force in the Province of Quebec, apart from any principles or rules that may require the application of foreign laws. Any dispute that cannot be resolved through direct negotiations in good faith will be submitted to the courts of the Province of Quebec, which shall have exclusive jurisdiction to settle such dispute; however, it is understood that the foregoing does not limit or prevent Petal from bringing a proceeding before any other court/arbitrator(s) having jurisdiction to grant an injunction or other interim relief, or from filing a counterclaim, defence or other proceeding.

Petal can in no way be held liable for any damage caused by force majeure or any direct or indirect damages, including any special, incidental or consequential damages. Some jurisdictions do not allow liability to be excluded or limited for certain types of damages; in such jurisdictions, our liability will be limited to the lowest amount permitted by law.