Privacy Policy

1. Who We Are

Grove Health Inc. is a Canadian company incorporated in British Columbia. We operate the Grove practice management platform at getgrovemd.com. Our registered address is in British Columbia, Canada.

For the purposes of applicable privacy legislation, Grove Health Inc. is the data processor and the subscribing healthcare practice is the data controller with respect to patient health information.

2. What We Collect

Practice account data: Name, email, practice name, specialty, billing information. Used to operate your account.

Patient data entered by your practice: Names, dates of birth, health card numbers, contact information, medical notes, test results, appointment history, invoices. We process this data on your behalf. You control it.

Usage data: Pages visited, features used, error logs. Used to improve the platform. Not linked to patient records.

Payment data: Processed by Stripe. We never see or store full card numbers.

3. How We Use Data

• To operate and improve Grove
• To send transactional emails (account confirmation, password reset, billing receipts)
• To provide customer support
• To comply with legal obligations

We do not use patient health data to train AI models, build advertising profiles, or share with third parties for marketing purposes.

4. Data Residency

All patient data is stored on servers located in Canada (ca-central-1, Montreal) via Supabase. We do not transfer patient health information outside of Canada except as required to provide the service (e.g., email delivery via Resend, payment processing via Stripe — both of which process only non-health data).

5. Compliance Frameworks

Grove is designed to support compliance with:

• HIPAA — US Health Insurance Portability and Accountability Act (Business Associate Agreement provided at signup)
• PIPEDA — Canada's Personal Information Protection and Electronic Documents Act
• HIPAA — US Health Insurance Portability and Accountability Act (Business Associate Agreement provided at signup)
• UK GDPR — United Kingdom General Data Protection Regulation
• Australian Privacy Act — Including the Australian Privacy Principles (APPs)

A Business Associate Agreement (BAA) is signed automatically at signup. A copy is available in your dashboard under Settings.

6. Your Rights

As a Grove subscriber, you have the right to:

• Access all data held about you and your practice
• Export your data in CSV format at any time from your dashboard
• Correct inaccurate information
• Delete your account and all associated data
• Object to processing
• Data portability

Your patients have equivalent rights with respect to their health information. Requests can be made by emailing privacy@getgrovemd.com.

7. Data Retention

Active practice data is retained for the duration of the subscription. Upon cancellation, data is retained for 90 days to allow for export, then permanently deleted. Backup copies are deleted within 30 days of the scheduled deletion.

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to patient data requires authentication. Role-based access controls limit who within a practice can access sensitive records. All data access is logged in an immutable audit trail.

We maintain a security incident response plan. In the event of a breach affecting patient data, affected practices will be notified within 72 hours as required by applicable law.

9. Third-Party Services

• Supabase — database infrastructure (Canada)
• Stripe — payment processing (no patient health data shared)
• Resend — transactional email (no patient health data shared)
• Netlify — web hosting (no patient health data stored)
• Anthropic — AI features (no patient health data sent; practice aggregate data only with consent)

10. Contact

Privacy questions and data requests: privacy@getgrovemd.com

Grove Health Inc. · British Columbia, Canada · getgrovemd.com