Vaid MD — Privacy Policy
Effective Date: May 3, 2026
Last Updated: May 3, 2026
IMPORTANT: This Privacy Policy is a draft prepared for legal review and does not constitute final legal advice. Vaid MD recommends a review by a qualified Canadian lawyer prior to publication.
1. Introduction
Vaid MD Inc. ("Vaid MD", "we", "us", or "our") is committed to protecting the privacy of the physicians who use our Platform. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation.
The safest data is the data that was never collected. Vaid MD was designed from the ground up to minimize the information that enters our system. We collect only what is necessary to provide the Platform and nothing more.
2. Two Distinct Data Environments
Vaid MD operates two completely separate data environments. Understanding this distinction is the foundation of our privacy architecture.
2.1 Clinical AI Inputs — No Patient Identifiers
The structured fields transmitted to Vaid MD's AI engine contain no patient identifiers by design. The AI sees only:
- Patient age range (e.g., 41–60) — never exact date of birth
- Biological sex
- Symptom selections from structured checklists — no free text
- Symptom duration from a duration selector
- Relevant clinical history from structured checkboxes
These inputs are de-identified by the architecture of the system itself. The AI never receives, processes, or stores any field that could identify a specific patient.
In addition to structured inputs, physicians may enter brief free-text descriptions of symptoms, relieving factors, or additional clinical context. Physicians are reminded at the point of entry that this field should contain only de-identified clinical descriptions and never patient-identifiable information such as names, dates of birth, health card numbers, or any other personal identifiers. Vaid MD does not technically restrict free-text input in this field but relies on physician professional judgment and the in-app reminder to ensure no PHI is entered. Vaid MD accepts no liability for any patient-identifiable information a physician voluntarily enters into free-text fields in violation of this policy.
2.2 Physician Case Notes — Physician-Controlled Storage
Vaid MD provides optional case reference fields for physician organizational use only. A physician may choose to enter a case label, chart reference, or other notation in these fields for their own recordkeeping purposes.
These fields are:
- Never transmitted to or processed by Vaid MD's AI systems
- Never accessed, reviewed, or used by Vaid MD for any business purpose
- Stored encrypted on Canadian servers (Supabase Canada Central, AES-256) under the physician's account
- Deleted within 30 days upon physician request
- Displayed in the Platform UI only — no Vaid MD employee accesses this content
Physicians are responsible for ensuring their use of case note fields complies with their provincial college's obligations regarding patient record management and privacy. Vaid MD's role with respect to case note content is analogous to an encrypted storage service — we store the content the physician enters but do not access, analyze, or use it.
Case note fields are clearly labeled within the Platform as physician-use-only fields that are never sent to the AI.
3. Physician Account Information
When you create a Vaid MD account, we collect:
- Your name
- Your email address
- Your provincial medical registration number (used solely as an account-sharing deterrent — not shared with any regulatory authority or third party)
- Your medical specialty
- Your province of practice
- Payment information (processed by Stripe — Vaid MD does not store raw card data)
4. What We Never Collect
Vaid MD does not intentionally collect personal health information. Our structured input system was designed specifically to minimize patient identifiability by accepting only age ranges, biological sex, symptom selections, duration, and brief de-identified clinical descriptions. However, Vaid MD cannot guarantee that patient re-identification is impossible in all circumstances. Physicians practicing in small populations or entering inputs relating to rare conditions should exercise additional caution and are responsible for assessing re-identification risk in their specific clinical context. Vaid MD's design minimizes this risk but does not eliminate it entirely.
5. How We Use Your Information
We use the information we collect to:
- Create and manage your Vaid MD account
- Provide the clinical decision support features of the Platform
- Process subscription payments via Stripe
- Send you account-related communications including billing notifications
- Improve and maintain the Platform
- Comply with applicable Canadian law
We do not use your information for advertising. We do not sell your personal information to any third party. We do not share your information with pharmaceutical companies, insurance companies, or any commercial entity.
6. AI Training and Feedback Data
By agreeing to these Terms and this Privacy Policy upon account creation, you consent to Vaid MD using de-identified, aggregated clinical feedback data to improve and train Vaid MD's AI systems and clinical decision support outputs.
Specifically:
- Physician feedback submitted through in-Platform feedback prompts (e.g., "Was this differential clinically useful?") is stored in de-identified form
- No feedback data is linked to individual physician accounts in any dataset used for AI training
- No patient data of any kind is used for AI training
- Physician case note content (Section 2.2) is never used for AI training under any circumstance
- De-identified feedback data may be used to improve AI model outputs and clinical reasoning quality
You may withdraw consent for AI training data use by contacting support@vaidmd.ca. Withdrawal of consent does not affect prior data already incorporated into training datasets.
7. Data Residency and Storage
All Vaid MD data — including physician account information, AI inputs, and physician case notes — is stored exclusively on Canadian servers located in the Canada Central region, operated by Supabase. Data does not leave Canadian jurisdiction under any circumstance.
Technical safeguards include:
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit
- Role-based access controls limiting internal data access
- No cross-border data transfers
- Row-level security policies ensuring physicians can only access their own data
8. Data Deletion
Physician account information is retained for as long as your account is active. Upon account deletion, your personal account data and all associated case notes are deleted within 30 days.
De-identified, aggregated feedback data that has been incorporated into AI training datasets is not subject to individual deletion requests, as it exists only in aggregated form without individual identifiers.
9. Your Rights Under PIPEDA
As a Canadian resident, you have the right to:
- Access the personal information Vaid MD holds about you
- Request correction of inaccurate personal information
- Request deletion of your personal information and case notes within 30 days
- Withdraw consent to data processing (subject to legal and contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, contact us at privacy@vaidmd.ca.
10. Third-Party Services
Vaid MD uses the following third-party services:
- Supabase — database and authentication (Canada Central servers). Stores account data and encrypted case notes.
- Stripe — payment processing (subject to Stripe's Privacy Policy). Vaid MD does not store raw payment card data.
- Anthropic — AI model provider powering clinical decision support outputs. Receives de-identified structured inputs only. No case note content or patient identifiers are transmitted to Anthropic.
- Vercel — application hosting.
Vaid MD does not integrate with any electronic medical record (EMR) system. The Platform has no access to any EMR or hospital information system.
11. Mainpro+ Self-Learning Log
The Pulse research feed generates a monthly self-learning log of articles read through the Platform. This log includes article titles, sources, dates, and specialties. It is generated for physician use in self-reporting under CFPC Mainpro+ Section 2 Self-Learning.
Vaid MD does not issue Mainpro+ credits and is not affiliated with or accredited by the College of Family Physicians of Canada. Physicians are responsible for their own self-reporting to CFPC.
12. Changes to This Policy
Vaid MD may update this Privacy Policy at any time. You will be notified of material changes by email at least 14 days before they take effect. Continued use of the Platform following notice constitutes acceptance of the updated Policy.
13. Contact Information
If you have any questions or concerns about this Privacy Policy, please contact us at privacy@vaidmd.ca.