Privacy policy

When you use Dora, we collect the following categories of personal and health information:

• Identity: your name, date of birth, and phone number, collected at account creation and phone verification.
• Health coverage: your provincial health card number, used to match you to your clinic's records.
• Language preference: the languages you choose for translations of your health information.
• Clinic connections: which clinic(s) you are a patient of and what staff you have authorized to contact you.
• Clinical records: lab results, medications, referrals, and appointments, retrieved from your clinic's electronic medical record (EMR) via secure API connection.
• Device and usage data: minimum necessary device identifiers, IP address, and in-app navigation patterns used for security monitoring and service quality.

We do not collect biometric identifiers, location history, or data from third-party advertising networks.

We collect your information for a narrow and specific purpose: to give you access to your own health information in a form you can understand, and to let you share that information with providers you choose.

Specifically, we use your information to:

• Deliver lab results, medication details, and appointment reminders translated into your preferred language.
• Match you to your clinic and authenticate your identity when clinic staff need to contact you.
• Generate Health Passport summaries you can share with providers of your choosing.
• Secure the service, detect fraudulent access, and comply with legal obligations.

We never sell your data. We never share it with advertisers. We never use it to train third-party AI models.

Your personal health information is stored in Amazon Web Services Canada Central region (ca-central-1, Montréal). All personal data belonging to Canadian residents stays in Canada.

Translation models run inside Dora's own cloud environment; your clinical data is not sent to any consumer AI service.

By default, only you can see your health information inside the Dora app. Clinical data is shared with others only when you explicitly authorize a share, and only with the specific people or clinics you pick.

A small number of Dora employees — specifically our Security and Support teams — have access to systems containing personal health information, strictly for the purpose of keeping the service running and helping you with issues. All such access is role-based, logged, and audited.

We keep your information for as long as your account is active. When you close your account, we delete your personal health information according to our retention policy, typically within 30 days. Where legal or regulatory obligations require longer retention, we keep the minimum record needed and no more.

You can request deletion at any time by emailing privacy@dorahealth.ca.

Under Canadian privacy law you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion of your information.
• Export your information in a machine-readable format.
• Withdraw consent for any specific use of your data.

To exercise any of these rights, email privacy@dorahealth.ca. We respond to verified requests within 30 days.

We apply the following security controls to your information:

• Encryption at rest: AES-256 on all storage holding personal health information.
• Encryption in transit: TLS 1.2 or newer for every connection between your device, our servers, and your clinic's EMR.
• Audit logging: every read or write of personal health information is logged with actor, timestamp, and intent.
• Role-based access control: the principle of least privilege — employees see only what their role requires.
• Background-checked personnel: every team member with access to production systems is background-checked and bound by confidentiality obligations.
• Incident response: we maintain a documented breach response plan and will notify you without undue delay if an incident affects your information.

We will publish any material changes to this policy on this page with an updated effective date. If the change affects how we use information you've already given us, we'll contact you directly before the change takes effect.

Privacy questions and requests: privacy@dorahealth.ca

General support: hello@dorahealth.ca

Dora Health Inc., Toronto, Ontario, Canada.