Privacy Notice

This Privacy Notice describes how personal information is collected, used, and stored by MRX Solutions Corp. (“MRX,” “we,” “us,” or “our”) in connection with the use of our clinic management platform, as well as our websites and other web-based resources (collectively, the “Services”).

In this Privacy Notice:

• “Client” refers to any individual or entity that has subscribed to and paid for access to our clinic management platform, such as a health clinic or health practitioner, and includes any authorized individual users acting on the Client’s behalf.
• “You” or “your” refers to any individual who accesses or uses the Services, including practitioners, staff members, patients of a Client, or individuals who browse or otherwise interact with our web-based resources.
• “Patient” refers to any individual who uses or interacts with MRX’s clinic management platform to book, receive, or manage services provided by a Client.

Notice to Patients

If you are a Patient of one of our Client clinics or practitioners, your clinic or practitioner is responsible for and controls your patient information, including your contact information, billing details, and patient records. Any questions, requests, or concerns regarding your patient information should be directed to your clinic or practitioner.

For additional details regarding how patient information is handled, please refer to the
section titled “Patient Data” below.

PATIENT DATA

Clients use MRX’s clinic management platform to collect personal information from their patients and to create and maintain patient records. These records may include a patient’s name and contact information, health insurance and billing details, medical charts and notes, appointment history, and other information relating to the patient
(collectively, “Patient Data”).

Depending on the Client’s location and the privacy laws applicable to them, Patient Data
may be referred to as personal health information, protected health information, data concerning health, or sensitive personal data. If you are a Patient, Patient Data is collected directly from you when you attend a Client’s clinic or practitioner, and when you create a profile, request services, or book appointments with a Client through MRX’s online booking features within the Services.

Client’s Role and Responsibilities

Clients retain sole responsibility and decision-making authority with respect to Patient Data. Depending on the applicable legal framework, a Client may be characterized as a health information custodian, covered entity, or controller. In this role, Clients determine, among other things:

• what Patient Data is collected;
• the purposes for which Patient Data is used or disclosed;
• which individuals or entities are authorized to access Patient Data;
• how long Patient Data is retained; and
• when and on what basis Patient Data is deleted or anonymized.

Clients are responsible for complying with all applicable privacy, health information, and data protection laws governing the collection, use, disclosure, and retention of Patient Data, including establishing the appropriate legal authority and consent for such processing.

MRX’s Role

MRX acts as a service provider to its Clients and may be described, depending on the applicable legal framework, as an “agent,” “service provider,” or “processor” acting on behalf of the Client. In this capacity, MRX processes personal information, including Patient Data, solely in accordance with the Client’s instructions.

Patient Data is stored on the Client’s secure on-premises server and is made accessible to the Client and its authorized users through MRX’s clinic management platform. The Client is solely responsible for the operation, maintenance, security, offsite backups and physical and logical safeguards of its server and for ensuring compliance with applicable privacy and health information laws. MRX does not independently determine the purposes or means of processing Patient Data and does not exercise ownership or direct control over such data.

MRX may access Patient Data only:

• at the documented direction of the Client or its authorized representatives;
• as necessary to provide technical support, troubleshoot system issues, patient account issues or respond to Client requests; or
• where access is required or permitted by applicable law, regulation, or court
  order.

To protect the confidentiality and security of Patient Data, MRX may take reasonable steps to verify the identity and authority of any individual requesting access to a Client account or its associated data before acting on such a request.

Patient Rights

Patients have certain rights with respect to their Patient Data under applicable privacy and health information laws. These rights may include the right to request access to the Patient Data held by Client’s clinic or practitioner, to request correction of any inaccurate or incomplete Patient Data, and to obtain a copy of your Patient Data. In
limited circumstances, Patients may also have the right to request deletion, removal, or anonymization of Patient Data. Please note, however, that Client clinics and practitioners are subject to legal, regulatory, and professional record-keeping obligations that may restrict their ability to delete or remove Patient Data.

Questions about Patient Data

If you have any questions about your Patient Data or wish to exercise any of your patient rights, please contact your Client clinic or practitioner directly, as they are responsible for your Patient Data. If a Client clinic or practitioner requires assistance in responding to a Patient request relating to the management of Patient Data within the
Services, they may contact MRX, and MRX will provide reasonable support in accordance with the Client’s instructions.

To protect the confidentiality and security of Patient Data, MRX may access Patient Data only upon the documented instruction of the Client’s authorized account owner or representative.