Information Manager Services Agreement (Alberta HIA)

This agreement governs the electronic services that Phiusion Labs provides to you, the Alberta health-information custodian, under the Health Information Act (HIA), RSA 2000 c. H-5. It is specific to Alberta; if you also practice in another province or country, the Privacy Notice for Practitioners covers your account information across all jurisdictions, and the Privacy Notice for Patients covers patient-facing terms.

You accept this agreement when you sign up as an Alberta-based health professional. A new major version of this agreement requires your acceptance before you can continue using the application; see §12 of the Privacy Notice for Practitioners for the versioning rules.

Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this agreement should be read to suggest that the application performs a regulated clinical function; clinical judgment remains entirely yours under your professional licence.

1. Phiusion's role: Information Manager

Phiusion Labs acts as an information manager to you under HIA s.66. HIA s.1(1)(k) defines an information manager as a person or body that "(i) processes, stores, retrieves or disposes of health information, (ii) strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, or (iii) provides information management or information technology services." Phiusion falls within (i) and (iii) of that definition for the health information ("HI") you place into the application.

For clarity:

• Phiusion is not a custodian. HIA s.1(1)(f) defines "custodian" by reference to the entities and roles enumerated in the Act and its regulations — regional health authorities, designated health-service providers, licensed pharmacists, regulated members of named health professions, and similar bodies. Phiusion is none of these; you are the custodian of the HI records you create inside the application.
• Phiusion is not an affiliate. HIA s.1(1)(a) defines "affiliate" of a custodian to include employees, persons performing services under contract or agency, students, volunteers, and appointees. Although s.1(1)(a) is drafted broadly, the HIA distinguishes affiliates (who exercise the custodian's own functions inside the custodian's program) from external service providers governed by an information-manager agreement under s.66; Phiusion is the latter, not the former.
• HIA s.66 applies. Section 66 requires a written agreement between custodian and information manager before HI is disclosed to the manager; the agreement must set out the manager's duties under the Act, and is the foundation for the safeguards in §4, the directives in §5, and the audit framework in §6. This agreement is the s.66 instrument between you and Phiusion.

This role applies only to HI that you, as an Alberta custodian, place into the application. Phiusion's own administrative records about you (account, billing, support) sit under the Privacy Notice for Practitioners; they are not HI under HIA, although they may be personal information under Alberta's Personal Information Protection Act (PIPA AB) and PIPEDA at the federal level.

Internal documents referenced in this agreement — the Retention Schedule, the Breach Notification Playbook, and the privacy-incident register — are available to regulators and to data subjects on request.

2. Services Phiusion provides

Phiusion supplies the following electronic services to you as an Alberta custodian:

• Application hosting. Web application access from the Phiusion domain, including authentication, session management, and user-interface delivery.
• Patient-record storage. Storage of patient profiles, health-background fields, photo sessions, wellness-documentation sessions, and treatment selections that you enter or that the application generates on your behalf.
• Photo storage and processing. Secure object storage for patient photos, including a background-removal preprocessing step performed before storage.
• SkinXS API access. Routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to your workspace for your professional review and curation.
• Telemetry and reliability monitoring. Error reporting, performance counters, and feature-usage signals that allow Phiusion to keep the application running and to investigate problems you report.
• Breach detection. Monitoring for unauthorized access, abnormal query patterns, and credential compromise, plus the incident-response workflow described in the internal Breach Notification Playbook.
• Backups and restoration. Encrypted database and storage backups, with restoration available on your written request.

Phiusion does not make autonomous clinical decisions, does not generate prescriptions, and does not produce patient-facing output without your curation step. SkinXS suggests; you decide.

3. Health-information handling

Phiusion handles HI strictly within the four corners of your custodian authority. HIA s.27 limits use, and Part 4 (ss.34–40) governs disclosure; as an information manager, Phiusion's use and disclosure are both narrower still, confined to what you have authorized in this agreement and in any supplemental written instructions.

• Collection. Phiusion collects only HI that you, the custodian, choose to enter into the application (or that the application generates on your behalf — for example, SkinXS scores computed from photos you upload). Phiusion does not solicit HI from any other source and does not purchase data about your patients.
• Use. HI is used only to deliver the services in §2 and to discharge Phiusion's information-manager duties under HIA. This includes operational uses such as error investigation, capacity planning, and security monitoring. HI is not used for marketing, advertising, profiling, or model training without a separate written authorization grounded in patient consent (see the AI Improvement Consent and the Privacy Notice for Patients).
• Disclosure. Phiusion does not disclose HI to third parties except to the sub-processors disclosed at Sub-Processors (each acting on documented instructions, see §8) or where legally compelled by a valid Alberta or Canadian instrument. If compelled, Phiusion will, where lawful, give you advance notice so that you may challenge the demand.
• Retention. HI is retained for the period you set as custodian. Phiusion's default retention windows for backups and operational logs are published in the internal Retention Schedule; if you require shorter retention for a specific dataset, write to privacy@phiusionlabs.app.
• Destruction. When you direct destruction (account closure, a specific deletion request, or end of retention), Phiusion deletes the active record and isolates any backup copy that cannot be targeted-deleted, letting the backup age out under the schedule. A destruction confirmation is available on request.
• No secondary use. Phiusion does not use HI for any purpose outside the services in §2 and the s.66 duties described in this agreement. Any new use requires your prior written authorization, which you may give or withhold consistent with HIA s.27.

4. Safeguards

HIA s.60 requires custodians to take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of HI. Phiusion, as your information manager under s.66, contractually adopts equivalent safeguards so that your s.60 duty is supported end-to-end. The safeguards are commensurate with the sensitivity of the data and consistent with Office of the Information and Privacy Commissioner of Alberta ("OIPC AB") guidance. The categories are:

• Technical. TLS 1.2 or higher in transit; AES-256 at rest; row-level security in the database so that each custodian sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; key management with rotation; segmented production environments.
• Organizational. A named Privacy Officer at Phiusion (Jonathan Garbutt, privacy@phiusionlabs.app); a documented information-security programme; annual penetration testing; vulnerability-management with severity-keyed SLAs; mandatory privacy and security training for all personnel with production access.
• Administrative. Background checks and confidentiality undertakings for engineering and support staff; role-based access control ("RBAC") with least-privilege defaults; access logging on every read and write of HI; quarterly access reviews; written sub-processor agreements; written vendor agreements with Universkin SAS (BAA and DPA, available to you on request).

These safeguards are operationalized through the personnel directives in §5 and the Sub-Processors listing. Phiusion is prepared to respond in writing to any safeguard-related question you, or the OIPC AB on your behalf, may pose under HIA s.60 or s.66.

5. Directives to Phiusion's agents

HIA s.62.1, read with the Health Information Regulation and OIPC AB guidance, requires custodians to establish policies and procedures (including training expectations) for their affiliates. HIA s.62 requires log capture sufficient to support the user-access reporting and audit duties imposed on custodians. Although Phiusion is not itself a custodian or an affiliate, Phiusion adopts equivalent directives for its own personnel — including personnel of Universkin SAS, the French company that builds and operates the platform on Phiusion's behalf — so that the chain from you to the people who touch HI is unbroken:

• Need-to-know. No member of Phiusion or Universkin staff may access HI except where the access is required to deliver a service listed in §2 or to respond to a written request from you.
• Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. Privileges are reviewed quarterly and revoked on role change.
• Training. Every individual with any path to HI completes privacy and security training at onboarding and annually thereafter, in line with HIA s.62.1's training expectations. Records of completion are kept for the period set in the internal Retention Schedule.
• Confidentiality. Every individual signs a confidentiality undertaking that survives termination. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
• Logging and review. Access to HI is logged in line with HIA s.62. Logs are reviewed on a defined cadence and on demand following any incident, and are available to you under §6.
• No secondary use. Personnel may not use HI for any purpose outside the services described in §2, and may not export HI from the production environment except where doing so is required to deliver a service you have requested.

These directives apply equally to Universkin SAS staff. The BAA and DPA between Phiusion Labs and Universkin SAS make the directives contractually binding on Universkin.

6. Audit and access logs

HIA s.62 requires custodians to maintain records of user access to electronic HI sufficient to know who has accessed what, when, and (where the system supports it) for what purpose. HIA s.66, and this agreement, give you the right to audit Phiusion's compliance with the safeguards in §4 and the directives in §5.

• Access logs. Phiusion captures access events on read and write of HI in the application. The log fields include actor, timestamp, record identifier, and the operation performed. Logs are retained for the period set in the internal Retention Schedule and are available to you under the audit process below. Alberta does not require a separate published audit-summary artifact under HIA — the s.66 agreement itself, together with §4 and §5, is the audit surface, and Phiusion's responses to written information-requests are the first-line audit channel.
• Custodian audits. You may, on reasonable notice (ordinarily 30 days), audit Phiusion's compliance with this agreement either through (i) Phiusion's responses to a written information-request, (ii) review of third-party assurance reports we hold (SOC 2 Type II, penetration-test summaries, vendor questionnaires), (iii) targeted log extracts for HI in your workspace, or (iv) on-site or virtual interviews with named Phiusion staff. Audits must be scoped to HIA-relevant controls, conducted during business hours, and subject to confidentiality protections.
• Cost. Phiusion absorbs the cost of a routine annual audit at the information-request and assurance-report level. Out-of-scope or repeat audits within the same year may be invoiced at our reasonable cost.
• OIPC AB audit. Phiusion will cooperate with any OIPC AB audit, review, or investigation under HIA Part 8 and will keep you informed in line with the breach-notification expectations in §7.

7. Breach notification

HIA s.60.1 establishes the breach-notification chain for HI. The chain runs from the information manager to the custodian and from the custodian onward to the OIPC AB, the Minister, and affected individuals where the prescribed threshold is met. Phiusion's role in the chain is as follows:

• Information manager → custodian. If Phiusion has reason to believe that HI under your custody has been lost, stolen, or accessed or disclosed contrary to HIA, Phiusion will notify you at the first reasonable opportunity. "First reasonable opportunity" means: as soon as Phiusion confirms the incident's scope sufficiently to inform you usefully, and in any event without undue delay. We do not wait for a full forensic report before notifying.
• Information provided. The notification will identify, to the extent then known: what data was affected, how many records, the nature and timing of the incident, the steps Phiusion has taken in response, and a contact at Phiusion for follow-up.
• Custodian → OIPC AB, Minister, and individuals. HIA s.60.1 reserves to you, the custodian, the decision and the obligation to notify the OIPC AB, the Minister responsible for the HIA (currently the Minister of Health), and affected individuals where the statutory threshold is met. Phiusion does not notify the OIPC AB directly except where Phiusion is contacted as a witness or evidence-holder. Phiusion will assist you in preparing your s.60.1 notification on request.
• Playbook. The end-to-end workflow — internal triage, custodian notification, OIPC AB support, individual notification templates, post-incident review — is documented in the internal Breach Notification Playbook.

Phiusion logs confirmed and suspected privacy incidents in an internal register and retains the register for the period set in the internal Retention Schedule.

8. Sub-processors and pass-through obligations

Phiusion uses the sub-processors listed at Sub-Processors to deliver the services. Each sub-processor is bound by a written agreement that flows down, in substance, the same restrictions Phiusion accepts under this agreement — confidentiality, security safeguards, breach notification, restrictions on secondary use, and audit cooperation.

• Material-change notification (two-tier). Routine sub-processor changes affecting HI — adding a new sub-processor or materially changing the scope of an existing sub-processor's HI access — are notified at least 15 days in advance by in-app banner and email to the address on your account. Emergency or risk-driven changes (vendor outage, vendor security incident, regulator order, vendor insolvency, or similar) are notified as soon as practicable (typically within 24 hours) and may take effect before notice. If you object on reasonable HIA grounds — during the routine notice window or after an emergency change — write to privacy@phiusionlabs.app; if the objection cannot be resolved, you may terminate this agreement under §9 without penalty.
• Platform-operator sub-processor. Universkin SAS (France) operates the application on Phiusion's behalf and is the most significant sub-processor. The BAA and DPA between Phiusion and Universkin are available on request to you, the OIPC AB, or the Office of the Privacy Commissioner of Canada ("OPC") for federal-stream review.
• Cross-border transfers. Where HI is transferred to a sub-processor outside Canada, the contractual flowdowns required by PIPEDA Schedule 1 Principle 4.1.3 are in place. Alberta imposes no provincial cross-border restriction beyond PIPEDA's Schedule 1 flow-down, and HIA does not prohibit cross-border processing where the s.66 agreement and s.60 safeguards are in place. Transfer details are part of the safeguard package in §4.

9. Termination and data return

You may terminate this agreement at any time by closing your account in the application or by writing to privacy@phiusionlabs.app. Phiusion may terminate on 90 days' written notice, or sooner where you materially breach this agreement and fail to cure within 30 days.

On termination:

• Return or destruction. You direct whether the HI in your workspace is returned to you (export in a structured, machine-readable format) or destroyed. The default, absent your direction within 60 days of termination, is destruction.
• Backups. Backup copies that cannot be targeted-deleted are isolated, access-restricted, and aged out on the backup schedule published in the internal Retention Schedule.
• Confirmation. A written destruction or export confirmation is provided on request.
• Survival. The breach-notification, audit-cooperation, and confidentiality provisions of this agreement survive termination to the extent necessary to address pre-termination conduct.

10. Governing law and dispute resolution

This agreement is governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein. The Court of King's Bench of Alberta has non-exclusive jurisdiction over any dispute that cannot be resolved informally or through the dispute-resolution provisions of the Terms of Service §13.

Nothing in this agreement limits the OIPC AB's statutory jurisdiction or your statutory rights under HIA.

11. Contact and supervisory authorities

• Phiusion Labs Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
• Universkin SAS Data Protection Officer (sub-processor leg): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

If you are not satisfied with Phiusion's response, you may contact a supervisory authority:

• Office of the Information and Privacy Commissioner of Alberta (OIPC AB) — primary. https://www.oipc.ab.ca/. The OIPC AB is the regulator for HIA matters and is the body to whom you, as custodian, would notify a reportable breach under HIA s.60.1.
• Office of the Privacy Commissioner of Canada (OPC) — federal backup. https://www.priv.gc.ca/. The OPC has jurisdiction over PIPEDA-stream matters, which may apply to Phiusion's administrative records about you (the account-level data covered by the Privacy Notice for Practitioners) even though HI itself flows under HIA.

For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Sub-Processors page, the HIPAA Business Associate Agreement, and the Terms of Service.