Privacy Policy

1. Overview & Commitment

Alora Health Inc. ("Alora," "we," "us," or "our") is committed to protecting the privacy of every person who uses our Platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the choices you have regarding your information.

As a Canadian company registered in British Columbia and as a provider of health services, we are subject to:

• The Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c. 5;
• British Columbia's Personal Information Protection Act (PIPA), SBC 2003, c. 63;
• British Columbia's E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c. 38;
• Applicable professional privacy obligations under the Health Professions Act, RSBC 1996, c. 183.

We do not sell your personal information. We do not share your health information with advertisers.

2. Data We Collect

We collect information in the following categories:

Account & Identity Information

• Full name, email address, date of birth, and province of residence;
• Account login credentials (passwords are hashed and never stored in plain text);
• Billing address and payment information (processed by our payment processor — see Section 4).

Health Information

• Intake questionnaire responses regarding hair loss history, symptoms, and severity;
• Current medications, supplements, and known allergies;
• Relevant medical history including hormonal conditions, thyroid function, nutritional deficiencies, and family history;
• Photographs of your scalp or hair you choose to submit for assessment;
• Consultation notes and treatment plans prepared by your ND;
• Lab results you choose to share with your ND.

Communications

• Messages exchanged with your ND or Alora support through the Platform;
• Feedback and survey responses.

Technical & Usage Information

• IP address, browser type, operating system, and device identifiers;
• Pages visited, features used, and time spent on the Platform;
• Referring URLs and click-path data.

3. How We Use Your Data

We use the information we collect for the following purposes, each of which has a lawful basis under PIPEDA and BC PIPA:

Providing Services

• Creating and managing your account;
• Matching you with a licensed ND and facilitating consultations;
• Sharing relevant health information with your treating ND (with your consent);
• Coordinating prescription or product fulfillment where applicable;
• Sending appointment reminders and care follow-ups.

Billing & Account Management

• Processing subscription payments and issuing receipts;
• Detecting and preventing fraud;
• Resolving billing disputes.

Platform Improvement

• Analysing aggregated, de-identified usage data to improve the Platform;
• Conducting user experience research (participation is voluntary);
• Monitoring and improving Platform security.

Communications

• Sending transactional communications about your account and care;
• Sending marketing communications with your explicit consent (you may withdraw consent at any time by unsubscribing).

Legal & Regulatory Compliance

• Complying with applicable laws and regulatory requirements;
• Responding to lawful requests from government authorities;
• Enforcing our Terms of Service.

4. Third-Party Processors

We engage certain trusted third-party service providers to help operate the Platform. These processors may access your personal information only to perform services on our behalf and are contractually bound to handle data in accordance with applicable privacy laws.

Supabase

We use Supabase as our primary backend database and authentication provider. Supabase stores your account information, health questionnaire data, and consultation records. Supabase is configured to store data in servers located in Canada or the United States. Where data is stored in the United States, it is subject to US law, including laws that may permit government access. We have a Data Processing Agreement in place with Supabase that requires compliance with PIPEDA standards.

Payment Processing

Credit card and payment information is handled by a PCI-DSS compliant payment processor. We do not store full card numbers on our servers. The processor receives only the information necessary to process your transaction.

Video Conferencing

Where video consultations are offered, we use a HIPAA/PIPEDA-compatible video platform. Video sessions are not recorded without your explicit consent.

Email & Communications

Transactional and marketing emails are sent via a third-party email service provider. This provider processes your email address and engagement data (opens, clicks) to help us deliver communications.

Analytics

We may use privacy-respecting analytics tools to understand aggregate usage patterns. We configure these tools to anonymize or pseudonymize data where possible and to avoid transmitting health information.

Pharmacy & Fulfillment Partners

If your ND issues a prescription or recommends a product fulfilled through a partner pharmacy, we share the minimum necessary information (name, shipping address, prescription details) with that partner. Partner pharmacies are subject to their own professional privacy obligations.

A current list of significant sub-processors is available upon written request to legal@alorahair.ca.

5. Cookies & Tracking

Our website uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve the Platform.

Types of Cookies We Use

• Strictly Necessary: Required for the Platform to function (e.g., maintaining your session after login). These cannot be disabled.
• Functional: Remember your preferences such as language and display settings.
• Analytics: Help us understand how visitors use the Platform by collecting anonymous, aggregated data. You may opt out.
• Marketing: Used only with your explicit consent to deliver relevant advertising. We do not use marketing cookies on authenticated health-related pages.

Managing Cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies may affect Platform functionality. You may also opt out of analytics cookies through the cookie preference centre accessible in the Site footer.

Do Not Track

We honour browser-level Do Not Track (DNT) signals for analytics cookies. We do not cross-track your activity on third-party websites.

6. PIPEDA Compliance

Our privacy practices are built on the ten fair information principles under PIPEDA and the substantially similar requirements of BC's PIPA:

1. Accountability: Alora Health Inc. is responsible for all personal information under our control. Our Privacy Officer can be reached at legal@alorahair.ca.
2. Identifying Purposes: We identify the purpose for collection at or before the time we collect information (as described in this Policy).
3. Consent: We obtain your meaningful consent for the collection, use, and disclosure of personal information, except where PIPEDA permits otherwise.
4. Limiting Collection: We collect only the information necessary for identified purposes.
5. Limiting Use, Disclosure, and Retention: Information is used and disclosed only for the purposes for which it was collected. We retain information only as long as necessary.
6. Accuracy: We keep personal information as accurate, complete, and up-to-date as required. You may update your information through your account settings.
7. Safeguards: We protect personal information with security safeguards appropriate to its sensitivity, including encryption at rest and in transit.
8. Openness: We make this Privacy Policy readily available. Updates are communicated before they take effect.
9. Individual Access: Upon written request, we will inform you of the existence, use, and disclosure of your personal information and provide you access to that information.
10. Challenging Compliance: You may challenge our compliance with PIPEDA by contacting our Privacy Officer or the Office of the Privacy Commissioner of Canada.

Cross-Border Data Transfers

Some service providers process data in the United States. When personal information is transferred outside Canada, it may be accessible to foreign authorities under local laws. We take contractual steps to require comparable privacy protections, but we encourage you to review this risk before using the Platform.

7. Your Rights

Subject to applicable law, you have the following rights with respect to your personal information:

Access

You may request a copy of the personal information we hold about you. We will respond within 30 days of a written request.

Correction

If information we hold about you is inaccurate or incomplete, you may request a correction. You can update most account information directly in your settings.

Withdrawal of Consent

You may withdraw consent to non-essential processing (such as marketing emails) at any time. Note that withdrawing consent for essential processing (such as consent to share health information with your ND) may mean we can no longer provide services to you.

Deletion

You may request deletion of your account and associated personal information. We will fulfill deletion requests subject to legal retention requirements (for example, health records may need to be retained for a minimum period under provincial law, and financial records for tax purposes). Retained data will be clearly marked and not used for any other purpose.

Data Portability

You may request a machine-readable export of your account and health data. We will provide this in a common format (e.g., JSON or CSV) within 30 days.

Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

• Our Privacy Officer at legal@alorahair.ca;
• The Office of the Information and Privacy Commissioner for BC at oipc.bc.ca; or
• The Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise any of these rights, please email legal@alorahair.ca with your name, account email, and a description of your request. We may need to verify your identity before processing your request.

8. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, to provide services to you, and to comply with our legal obligations.

• Health records: Retained for a minimum of 10 years after the last entry (or until you turn 29 if you were a minor at the time), consistent with BC naturopathic practice standards;
• Financial records: Retained for 7 years for tax and accounting purposes;
• Account data: Retained for the duration of your account, plus 2 years after account closure;
• Marketing data: Retained until you withdraw consent or for 3 years of inactivity, whichever is sooner.

When data is no longer required, it is securely deleted or anonymized.

9. Security

We implement industry-standard technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction, including:

• TLS/SSL encryption for all data in transit;
• Encryption at rest for sensitive health data;
• Role-based access controls limiting data access to authorized personnel;
• Regular security assessments and penetration testing;
• Multi-factor authentication for practitioners and staff;
• Breach response and notification procedures compliant with PIPEDA's breach of security safeguards reporting requirements.

In the event of a privacy breach that poses a real risk of significant harm, we will notify affected individuals and the applicable privacy commissioner(s) as required by law.

No system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

10. Contact & Complaints

If you have questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer:

We commit to responding to privacy inquiries within 10 business days and to resolving complaints within 30 days. If we are unable to resolve a complaint to your satisfaction, you have the right to escalate to the Office of the Information and Privacy Commissioner for BC or the Office of the Privacy Commissioner of Canada.