privacy policy
1. Our Privacy Commitment
Thank you for visiting Ambio Life Sciences’ (“Ambio”, “we”, “us”, “our”) Website (“Website”) and learning more about our mission to provide world-class treatment for addiction, traumatic brain injury, emotional trauma, chronic pain, and neurodegenerative conditions. Ambio Life Sciences [insert full legal name and form, e.g., "Ambio Life Sciences Inc."], with its registered address at [insert registered address, Canada], is the controller of your Personal Information for the purposes of applicable Privacy Laws. The Website is designed to provide information about the services we offer.
Guarding your privacy is of utmost importance to us.
2. Purpose & Scope
The purpose of this Notice is to:
- Explain how we collect, use, disclose, process, store and delete/dispose of Personal Information and analytics data in accordance with applicable Privacy Laws;
- Provide transparency on our data practices and the measures we take to protect your Personal Information; and
- Outline how you can contact us if you have any questions, inquiries, or complaints.
This Notice applies to information we collect:
- On our Website;
- In email, text or other electronic messages between you and the Website or with our Employees;
- In person at our points of service, or by telephone when you contact us.
3. Definitions
Anonymized Information means information that has been irreversibly modified such that no individual can be identified, whether directly or indirectly, by any means reasonably likely to be used by Ambio or any other person. This requires consideration of all objective factors, including the costs and time required for identification, and the technology available at the time of processing. Anonymized Information is not Personal Information and is not subject to this Notice.
Chief Privacy Officer (CPO) means the individual designated by Ambio as accountable for Ambio's privacy compliance program across all jurisdictions in which Ambio operates.
Collect means to gather, acquire or obtain information by any means from any source.
Data Protection Officer (DPO) means the individual designated by Ambio as responsible for overseeing compliance with the GDPR and applicable EU/EEA privacy laws, in accordance with Articles 37–39 of the GDPR. The DPO's contact details are published and communicated to the relevant supervisory authority.
Disclose means to make information available to, or to release it to, another individual or organization.
Employees include Ambio’s permanent and temporary workers, volunteers, contractors, and anyone else authorized to act on Ambio’s behalf.
Consent means a freely given, specific, informed, and unambiguous indication by an Individual of their wishes, expressed through a clear statement or affirmative action, signifying agreement to the processing of their PI. Consent must not be bundled as a condition of receiving a service, must be as easy to withdraw as it is to give, and cannot be inferred from silence, pre-ticked boxes, or inactivity.
GDPR refers to the General Data Protection Regulation (EU/EEA).
Individuals means any person whose information Ambio collects, uses, or discloses, including but not limited to prospective, current and past patients, visitors to the Ambio website, persons who request information about Ambio services, and any other person who interacts with Ambio in any capacity.
Personal Information (“PI”) means information in any form relating to an identified or identifiable natural person, including personal health information. An identifiable natural person is one who can be identified, either directly or indirectly, in particular by reference to an identifier (e.g., name, identification number, location data, online identifier) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
PIPEDA refers to the Personal Information Protection and Electronic Documents Act (Canada).
Privacy Laws means any legislation and regulations, as amended or supplemented from time to time, now in force or that may in the future come into force governing the protection of PI applicable to Ambio and in relation to the obligations under this Notice.
Processing or Processed or Process means any operation or set of operations performed on PI, whether or not by automated means. It includes the collection, use, disclosure, storage, retention, modification, de-identification, and disposal of PI.
Special-Category PI means PI revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a person, health information, and data concerning a person's sex life or sexual orientation, as set out in the GDPR. Special-Category Personal Information is subject to additional protections under this Notice.
Use means to handle or deal with the PI or to apply the PI for any purpose, including for the purpose of aggregation and anonymization.
4. Accountability
Ambio is responsible for information in our custody or control. We have a designated CPO who is accountable for Ambio’s privacy compliance program across all jurisdictions. For Individuals in the EU/EEA, Ambio has appointed a Data Protection Officer (DPO) in accordance with the GDPR, who independently oversees compliance with applicable EU/EEA privacy laws. Contact details for the CPO and DPO are provided in the Contact Information section of this Notice.
5. Personal Information We May Collect
Ambio limits its collection of Personal Information to the minimum amount that is required for its business operations and services.
Where Personal Information is not collected directly from you, we will inform you of the source of the personal information and the categories of personal information obtained, unless doing so proves impossible or would involve a disproportionate effort.
The types of information collected by Ambio may include, but are not limited to:
a.Prospective, Current and Past Patients
If you are a prospective or current patient, the types of information we may collect about you include:
- Name,
- Contact details (personal address, email address, phone number),
- Biographical details (sex, age, race, date of birth),
- Demographic information (religion, marital status, education),
- Financial information (credit card or banking information),
- Health information, and
- Any other recorded information about an identifiable patient.
Some of the information listed above, as well as other information Ambio may collect, may constitute Special-Category PI as defined in the Definitions section of this Notice, and is subject to additional protections.
Providing your Personal Information is generally required in order for Ambio to deliver healthcare services to you. If you choose not to provide certain Personal Information, Ambio may be unable to provide some or all of its services to you. Where the provision of Personal Information is required by law, or is a condition of entering into a treatment agreement, this will be communicated to you at the time of collection.
b. Google Analytics Usage Data
When you visit our Website, we may collect usage statistics about your interaction with the Website, including IP address (processed by Google), device and browser type, operating system, pages visited, time spent on pages, referrer URL, session duration and approximate geographic region.
We use Google Analytics to help analyze how visitors use the Website and to compile statistical reports on website activity. Google Analytics uses cookies (small text files placed on your device) to collect standard internet log information and visitor behaviour information. Google Analytics collects the IP address assigned to you when you visit the site, and this information is transmitted to Google. It places a persistent cookie on your web browser to identify you as a unique user the next time you visit the site and recognizes you when you visit other sites that use Google Analytics. Google’s ability to use and share information collected by Google Analytics about your visits to the Website and other sites is governed by the Google Analytics Terms of Use. To see an overview of privacy at Google and how to opt out of certain Google practices, visit Google’s Privacy Policy.
Ambio’s website blocks cookie collection until consent is given.
Google Analytics is provided by Google LLC. Information collected through Google Analytics may be transferred to and processed in countries outside of the jurisdiction in which it was collected. For information about the safeguards in place for international transfers, see the Cross Border Transfers section of this Notice.
c. Information We Collect If You Contact Us or Sign Up to Receive Our Newsletter:
The Website provides various ways for you to contact us and provide additional information to us about you. If you choose to subscribe to our newsletter, you will receive periodic email updates about our mission, activities, resources. You can unsubscribe from our Newsletter at any time.
You can “opt out” of receiving our emails at any time via the unsubscribe link in the footer of each of our email messages.
6. Accuracy
Ambio makes every reasonable effort to ensure that the Personal Information we collect, use and disclose is accurate and complete.
Where we become aware that Personal Information is inaccurate or incomplete, we will take reasonable steps to correct or complete it without delay.
Ambio is only responsible for ensuring the accuracy of the Personal Information in its possession for the duration of the relationship between it and you.
You may request rectification of inaccurate or incomplete Personal Information at any time by contacting Ambio.
7. Consent
Ambio obtains your consent for the collection, use or disclosure of your Personal Information. Under the General Data Protection Regulation, our legal basis for processing your Personal Information is your consent (Article 6(1)(a) GDPR; Article 9(2)(a) GDPR for Special-Category PI such as health information). For the provision of healthcare services, processing of your health information may also be supported by Article 9(2)(h) GDPR (processing necessary for the provision of health care under the responsibility of a health professional bound by professional secrecy).
Where Ambio collects, uses, or discloses Special-Category PI, for example in circumstances of care delivery, consent must be explicit. Explicit consent requires a clear, affirmative statement specifically directed at the Special-Category PI in question and the purposes for which it will be processed.
You may withdraw consent at any time by providing notice to Ambio. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
8. Limiting Use And Disclosure Of Personal Information
Data Minimization
Ambio uses and discloses the minimum amount of Personal Information needed and does not use or disclose more Personal Information than is necessary in the circumstances.
Use of Personal Information
Ambio uses the above-noted Personal Information we collect about you for the purposes listed below. All processing is based on your consent, as described in the Consent section of this Notice.
- Providing our health care services to you,
- Providing you with use of our Website and its contents,
- Ensuring the Website remains functioning and secure,
- Providing you with products or services that you request from us,
- Responding to your questions and information requests,
- Sending you notifications,
- Delivering a personalized user experience, which may include stored preferences collected through cookies, if you choose to enable them,
- Describing additional uses at the time you provide the information,
- To comply with any applicable laws and to assist law enforcement agencies as required, and
- Pursuing any other purpose with your consent.
Disclosure of Personal Information
Ambio may disclose Personal Information to contractors (for example, computer file management and back-up services) with whom we have a contractual relationship to perform their obligations pursuant to contractual obligations with us, but for no other purpose. If so, the contractors will only be given access to Personal Information that is needed to perform the related function and will not be permitted to use the information for any other purpose.
In addition, we may disclose Personal Information that we collect or that you provide:
- To fulfill the purpose for which you provided the information,
- For any other purpose disclosed when you provide the information,
- With your consent,
- To comply with legal obligations, including court orders, laws, or regulatory requests, and
- To protect the rights, property, or safety of our Employees, our contractors, our patients, or others, including sharing information with organizations for fraud prevention and credit risk reduction.
Ambio does not trade, rent, or sell any Personal Information to third parties.
9. Data Retention and Disposal
Ambio retains Personal Information only for so long as is reasonably necessary to achieve the purpose for which it was collected or as required to comply with legal, regulatory, or contractual obligations. Different categories of Personal Information may be subject to different retention periods.
When the purpose has been fulfilled and the applicable retention period has expired, your Personal Information will be securely destroyed or anonymized in accordance with Ambio's information disposal procedures, unless continued retention is required by law. In limited circumstances, Personal Information may be retained beyond the applicable retention period where it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards.
For information about the retention period that applies to your Personal Information, or the criteria used to determine it, you may contact us using the details in the Contact Information section of this Notice.
10. Safeguards and Security
Ambio ensures that Personal Information in its custody or control is secured in a manner appropriate to the sensitivity of the information. Ambio ensures that records containing Personal Information are protected from unauthorized collection, access, use, disclosure, destruction, and disposal by putting in place reasonable administrative, physical and technical security measures. All Ambio Employees ensure that Personal Information which they handle as part of their job is secure from unauthorized access, collection, use; that disclosure of Personal Information is minimized and that records are managed in accordance with an established records retention and disposal system.
Safeguards include:
- Physical safeguards (such as locked filing cabinets and rooms),
- Organizational/administrative safeguards (such as permitting access to personal information by staff on a “need-to-know” basis only, privacy training, confidentiality agreements, and fulsome privacy policies and practices), and
- Technical safeguards (such as the use of passwords, active monitoring, encryption and audits).
11. Cross Border Transfers
Currently, Ambio stores Personal Information on a secure server located in Canada. Your Personal Information may be transferred to, and processed in, countries other than the country in which it was collected, including Canada.
For transfers of Personal Information from the European Union and the European Economic Area to Canada, Ambio ensures that an appropriate transfer mechanism is in place in accordance with the GDPR. Depending on the circumstances, this may include reliance on an adequacy decision by the European Commission or the implementation of appropriate safeguards such as Standard Contractual Clauses. You may request information about the specific safeguards in place for any transfer by contacting us using the details in the Contact Information section of this Notice.
12. Your Rights
Right to Object. Where Ambio processes your Personal Information on a basis other than your consent, you have the right to object to that processing at any time, on grounds relating to your particular situation. Upon receiving an objection, Ambio will cease the processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.
You also have the following rights regarding your Personal Information under applicable Privacy Laws:
- Withdraw your consent at any time. You have the right to withdraw consent where you have previously given your consent to the processing of your information.
- Restrict the processing of your Personal Information. You have the right, under certain circumstances, to restrict the processing of your Personal Information.
- Access your Personal Information. You have the right to inspect and/or receive copies of records that are in Ambio’s custody (i.e., direct possession) or control (e.g., in the possession of a third party acting on behalf of Ambio) containing your Personal Information.
- Verify and seek rectification. You have the right to verify the accuracy of your Personal Information and ask for inaccurate or incomplete Personal Information to be updated or corrected.
- Erasure of Personal Information. You have the right to request that Ambio erase your Personal Information without undue delay.
- Right to data portability. Where your Personal Information is processed on the basis of your consent and by automated means, you have the right to receive that information in a structured, commonly used, and machine-readable format, and to request its transfer to another organization.
Right to Complain. You have the right to lodge a complaint with the relevant privacy commissioner or supervisory authority. Ambio encourages you to contact Ambio's Chief Privacy Officer first so Ambio can address the concern directly.
13. How To Exercise Your Rights
To exercise the rights described above, you need to submit your verifiable request to us by contacting us using the contact information provided below. For us to respond to your request, it’s necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or establish that you are an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not be able to respond to any request if we are unable to verify your identity and therefore confirm the Personal Information in our possession relates to you.
Ambio will respond to your request within 30 days of receiving it. If your request is unusually complex, Ambio may extend the response period by a further 30 days, provided you are informed of the extension and the reasons for it within the initial 30-day period.
14. Contact Information
If you have any questions about our privacy practices, would like to access or change the Personal Information we have collected about you, or would like to make a complaint, contact:
Ambio’s Chief Privacy Officer:
Privacy@ambio.life
15. Changes To This Privacy Notice
We may update this Privacy Notice from time to time to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. Where we make material changes to this Privacy Notice, we will notify you by appropriate means (such as by posting a prominent notice on our Website or by email) before the changes take effect. We encourage you to review this Privacy Notice periodically for the latest information about our privacy practices.
