Information Manager Services Agreement (Manitoba PHIA)

Version 1.0.0 · Effective 2026-05-26

This agreement governs the electronic services that Phiusion Labs provides to you, the Manitoba health-information trustee, under The Personal Health Information Act (PHIA), CCSM c. P33.5. It is specific to Manitoba; if you also practise in another province or country, the Privacy Notice for Practitioners covers your account information across all jurisdictions, and the Privacy Notice for Patients covers patient-facing terms.

You accept this agreement when you sign up as a Manitoba-based health professional. A new major version of this agreement requires your acceptance before you can continue using the application; see §12 of the Privacy Notice for Practitioners for the versioning rules.

Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this agreement should be read to suggest that the application performs a regulated clinical function; clinical judgment remains entirely yours under your professional licence.

1. Phiusion's role: Information Manager

Phiusion Labs acts as an information manager to you under PHIA s.25. PHIA s.1 defines an information manager, in substance, as a person or body that processes, stores or destroys personal health information for a trustee, or that provides information management or information technology services to a trustee in respect of personal health information. Phiusion falls within both limbs of that definition for the personal health information ("PHI") you place into the application.

For clarity:

  • Phiusion is not a trustee. PHIA s.1 defines "trustee" by reference to an enumerated list — health professionals, health-care facilities, public bodies, health-services agencies, and similar entities to whom PHIA assigns the primary custodial duties. Phiusion is none of these; you are the trustee of the PHI records you create inside the application.
  • Phiusion is not an agent. PHIA s.1 defines "agent" of a trustee as a person who, with the trustee's authorization, performs services for the trustee, including under a contract. Although s.1 is drafted broadly, PHIA distinguishes agents (who exercise the trustee's own functions inside the trustee's program) from external service providers governed by an information-manager agreement under s.25; Phiusion is the latter, not the former.
  • PHIA s.25 applies. Section 25 requires a written agreement between trustee and information manager before PHI is provided to the manager; the agreement must require the manager's compliance with PHIA and the regulations, and is the foundation for the safeguards in §4, the directives in §5, and the audit framework in §6. This agreement is the s.25 instrument between you and Phiusion.

This role applies only to PHI that you, as a Manitoba trustee, place into the application. Phiusion's own administrative records about you (account, billing, support) sit under the Privacy Notice for Practitioners; they are not PHI under PHIA, although they may be personal information under PIPEDA at the federal level.

Internal documents referenced in this agreement — the Retention Schedule, the Breach Notification Playbook, and the privacy-incident register — are available to regulators and to data subjects on request.

2. Services Phiusion provides

Phiusion supplies the following electronic services to you as a Manitoba trustee:

  • Application hosting. Web application access from the Phiusion domain, including authentication, session management, and user-interface delivery.
  • Patient-record storage. Storage of patient profiles, health-background fields, photo sessions, wellness-documentation sessions, and treatment selections that you enter or that the application generates on your behalf.
  • Photo storage and processing. Secure object storage for patient photos, including a background-removal preprocessing step performed before storage.
  • SkinXS API access. Routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to your workspace for your professional review and curation.
  • Telemetry and reliability monitoring. Error reporting, performance counters, and feature-usage signals that allow Phiusion to keep the application running and to investigate problems you report.
  • Breach detection. Monitoring for unauthorized access, abnormal query patterns, and credential compromise, plus the incident-response workflow described in the Breach Notification Playbook.
  • Backups and restoration. Encrypted database and storage backups, with restoration available on your written request.

Phiusion does not make autonomous clinical decisions, does not generate prescriptions, and does not produce patient-facing output without your curation step. SkinXS suggests; you decide.

3. Personal-health-information handling

Phiusion handles PHI strictly within the four corners of your trustee authority. PHIA s.20 limits the use of PHI to the purpose for which it was collected (or a directly related purpose), and s.21 limits the disclosure of PHI to the cases the Act permits; as an information manager, Phiusion's use and disclosure are both narrower still, confined to what you have authorized in this agreement and in any supplemental written instructions.

  • Collection. Phiusion collects only PHI that you, the trustee, choose to enter into the application (or that the application generates on your behalf — for example, SkinXS scores computed from photos you upload). Phiusion does not solicit PHI from any other source and does not purchase data about your patients.
  • Use. PHI is used only to deliver the services in §2 and to discharge Phiusion's information-manager duties under PHIA s.25. This includes operational uses such as error investigation, capacity planning, and security monitoring. PHI is not used for marketing, advertising, profiling, or model training without a separate written authorization grounded in patient consent (see the AI Improvement Consent and the Privacy Notice for Patients).
  • Disclosure. Phiusion does not disclose PHI to third parties except to the sub-processors listed on the Sub-Processors page (each acting on documented instructions, see §8) or where legally compelled by a valid Manitoba or Canadian instrument. If compelled, Phiusion will, where lawful, give you advance notice so that you may challenge the demand.
  • Retention. PHI is retained for the period you set as trustee. Phiusion's default retention windows for backups and operational logs are published in the Retention Schedule; if you require shorter retention for a specific dataset, write to privacy@phiusionlabs.app.
  • Destruction. When you direct destruction (account closure, a specific deletion request, or end of retention), Phiusion deletes the active record and isolates any backup copy that cannot be targeted-deleted, letting the backup age out under the schedule. A destruction confirmation is available on request.
  • No secondary use. Phiusion does not use PHI for any purpose outside the services in §2 and the s.25 duties described in this agreement. Any new use requires your prior written authorization, which you may give or withhold consistent with PHIA ss.20–21.

4. Safeguards

PHIA s.18 requires trustees to take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of PHI. Phiusion, as your information manager under s.25, contractually adopts equivalent safeguards so that your s.18 duty is supported end-to-end. The safeguards are commensurate with the sensitivity of the data and consistent with Office of the Manitoba Ombudsman guidance under PHIA. The categories are:

  • Technical. TLS 1.2 or higher in transit; AES-256 at rest; row-level security in the database so that each trustee sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; key management with rotation; segmented production environments.
  • Organizational. A named Privacy Officer at Phiusion (Jonathan Garbutt, privacy@phiusionlabs.app); a documented information-security programme; annual penetration testing; vulnerability-management with severity-keyed SLAs; mandatory privacy and security training for all personnel with production access.
  • Administrative. Background checks and confidentiality undertakings for engineering and support staff; role-based access control ("RBAC") with least-privilege defaults; access logging on every read and write of PHI; quarterly access reviews; written sub-processor agreements; written vendor agreements with Universkin SAS (BAA and DPA, available to you on request).

These safeguards are operationalized through the personnel directives in §5 and the Sub-Processors listing. Phiusion is prepared to respond in writing to any safeguard-related question you, or the Manitoba Ombudsman on your behalf, may pose under PHIA s.18 or s.25.

5. Directives to Phiusion's agents

PHIA s.18(2), read with the PHIA Regulations and Office of the Manitoba Ombudsman guidance, requires trustees to ensure that their agents (including external information managers) comply with the safeguard duties and undergo appropriate training. PHIA s.27 requires trustees to maintain a record of access to and use of PHI sufficient to support oversight and audit. Although Phiusion is not itself a trustee or an agent in the s.1 sense, Phiusion adopts equivalent directives for its own personnel — including personnel of Universkin SAS, the French company that builds and operates the platform on Phiusion's behalf — so that the chain from you to the people who touch PHI is unbroken:

  • Need-to-know. No member of Phiusion or Universkin staff may access PHI except where the access is required to deliver a service listed in §2 or to respond to a written request from you.
  • Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. Privileges are reviewed quarterly and revoked on role change.
  • Training. Every individual with any path to PHI completes privacy and security training at onboarding and annually thereafter, in line with the training expectations the PHIA Regulations and Ombudsman guidance read into s.18(2). Records of completion are kept for the period set in the Retention Schedule.
  • Confidentiality. Every individual signs a confidentiality undertaking that survives termination. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
  • Logging and review. Access to PHI is logged so that you can discharge your s.27 record-keeping and access-audit duty. Logs are reviewed on a defined cadence and on demand following any incident, and are available to you under §6.
  • No secondary use. Personnel may not use PHI for any purpose outside the services described in §2, and may not export PHI from the production environment except where doing so is required to deliver a service you have requested.

These directives apply equally to Universkin SAS staff. The BAA and DPA between Phiusion Labs and Universkin SAS make the directives contractually binding on Universkin.

6. Audit and access logs

PHIA s.27 requires trustees to maintain records of access to and use of PHI sufficient to support audit and oversight. PHIA s.25, and this agreement, give you the right to audit Phiusion's compliance with the safeguards in §4 and the directives in §5.

  • Access logs. Phiusion captures access events on read and write of PHI in the application. The log fields include actor, timestamp, record identifier, and the operation performed. Logs are retained for the period set in the Retention Schedule and are available to you under the audit process below. Manitoba does not require a separate published audit-summary artifact under PHIA — the s.25 agreement itself, together with §4 and §5, is the audit surface, and Phiusion's responses to written information-requests are the first-line audit channel.
  • Trustee audits. You may, on reasonable notice (ordinarily 30 days), audit Phiusion's compliance with this agreement either through (i) Phiusion's responses to a written information-request, (ii) review of third-party assurance reports we hold (SOC 2 Type II, penetration-test summaries, vendor questionnaires), (iii) targeted log extracts for PHI in your workspace, or (iv) on-site or virtual interviews with named Phiusion staff. Audits must be scoped to PHIA-relevant controls, conducted during business hours, and subject to confidentiality protections.
  • Cost. Phiusion absorbs the cost of a routine annual audit at the information-request and assurance-report level. Out-of-scope or repeat audits within the same year may be invoiced at our reasonable cost.
  • Ombudsman audit. Phiusion will cooperate with any Office of the Manitoba Ombudsman audit, review, or investigation under PHIA and will keep you informed in line with the breach-notification expectations in §7.

7. Breach notification

PHIA s.42 establishes the breach-notification framework for PHI. The chain runs from the information manager to the trustee and from the trustee onward to affected individuals and, where appropriate, the Office of the Manitoba Ombudsman. Phiusion's role in the chain is as follows:

  • Information manager → trustee. If Phiusion has reason to believe that PHI under your trusteeship has been stolen, lost, or accessed by an unauthorized person, Phiusion will notify you at the first reasonable opportunity. "First reasonable opportunity" means: as soon as Phiusion confirms the incident's scope sufficiently to inform you usefully, and in any event without undue delay. We do not wait for a full forensic report before notifying.
  • Information provided. The notification will identify, to the extent then known: what data was affected, how many records, the nature and timing of the incident, the steps Phiusion has taken in response, and a contact at Phiusion for follow-up.
  • Trustee → individuals and Ombudsman. PHIA s.42 reserves to you, the trustee, the decision and obligation to notify affected individuals where the statutory threshold is met; trustee reporting to the Office of the Manitoba Ombudsman follows PHIA, the PHIA Regulations, and Ombudsman guidance. Manitoba's regulator pathway under PHIA is solely the Ombudsman; there is no separate Minister-of-Health notification requirement equivalent to Alberta's. Phiusion does not notify the Ombudsman directly except where Phiusion is contacted as a witness or evidence-holder. Phiusion will assist you in preparing your notification on request.
  • Playbook. The end-to-end workflow — internal triage, trustee notification, Ombudsman support, individual notification templates, post-incident review — is documented in the Breach Notification Playbook.

Phiusion logs confirmed and suspected privacy incidents in an internal register and retains the register for the period set in the Retention Schedule.

8. Sub-processors and pass-through obligations

Phiusion uses the sub-processors listed on the Sub-Processors page to deliver the services. Each sub-processor is bound by a written agreement that flows down, in substance, the same restrictions Phiusion accepts under this agreement — confidentiality, security safeguards, breach notification, restrictions on secondary use, and audit cooperation.

  • Material-change notification (two-tier). Routine sub-processor changes affecting PHI — adding a new sub-processor or materially changing the scope of an existing sub-processor's PHI access — are notified at least 15 days in advance by in-app banner and email to the address on your account. Emergency or risk-driven changes (vendor outage, vendor security incident, regulator order, vendor insolvency, or similar) are notified as soon as practicable (typically within 24 hours) and may take effect before notice. If you object on reasonable PHIA grounds — during the routine notice window or after an emergency change — write to privacy@phiusionlabs.app; if the objection cannot be resolved, you may terminate this agreement under §9 without penalty.
  • Platform-operator sub-processor. Universkin SAS (France) operates the application on Phiusion's behalf and is the most significant sub-processor. The BAA and DPA between Phiusion and Universkin are available on request to you, the Office of the Manitoba Ombudsman, or the Office of the Privacy Commissioner of Canada ("OPC") for federal-stream review.
  • Cross-border transfers. Where PHI is transferred to a sub-processor outside Canada, the contractual flowdowns required by PIPEDA Schedule 1 Principle 4.1.3 are in place. Manitoba imposes no provincial cross-border restriction beyond PIPEDA's Schedule 1 flow-down, and PHIA does not prohibit cross-border processing where the s.25 agreement and s.18 safeguards are in place. Transfer details are part of the safeguard package in §4.

9. Termination and data return

You may terminate this agreement at any time by closing your account in the application or by writing to privacy@phiusionlabs.app. Phiusion may terminate on 90 days' written notice, or sooner where you materially breach this agreement and fail to cure within 30 days.

On termination:

  • Return or destruction. You direct whether the PHI in your workspace is returned to you (export in a structured, machine-readable format) or destroyed. The default, absent your direction within 60 days of termination, is destruction.
  • Backups. Backup copies that cannot be targeted-deleted are isolated, access-restricted, and aged out on the backup schedule published in the Retention Schedule.
  • Confirmation. A written destruction or export confirmation is provided on request.
  • Survival. The breach-notification, audit-cooperation, and confidentiality provisions of this agreement survive termination to the extent necessary to address pre-termination conduct.

10. Governing law and dispute resolution

This agreement is governed by the laws of the Province of Manitoba and the federal laws of Canada applicable therein. The Court of King's Bench of Manitoba has non-exclusive jurisdiction over any dispute that cannot be resolved informally or through the dispute-resolution provisions of the Terms of Service §13.

Nothing in this agreement limits the Office of the Manitoba Ombudsman's statutory jurisdiction or your statutory rights under PHIA.

11. Contact and supervisory authorities

  • Phiusion Labs Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
  • Universkin SAS Data Protection Officer (sub-processor leg): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

If you are not satisfied with Phiusion's response, you may contact a supervisory authority:

  • Office of the Manitoba Ombudsman — primary. https://www.ombudsman.mb.ca/. The Manitoba Ombudsman is the regulator for PHIA matters and is the body to which you, as trustee, would report a breach under PHIA s.42 where the statutory threshold is met.
  • Office of the Privacy Commissioner of Canada (OPC) — federal backup. https://www.priv.gc.ca/. The OPC has jurisdiction over PIPEDA-stream matters, which may apply to Phiusion's administrative records about you (the account-level data covered by the Privacy Notice for Practitioners) even though PHI itself flows under PHIA.

For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Sub-Processors page, the HIPAA Business Associate Agreement, and the Terms of Service.