Privacy Policy — Makeomatic

Effective date: April 19, 2026

1. About this policy

This Privacy Policy explains how Makeomatic collects, uses, shares, and protects personal information. Makeomatic is a registered Canadian corporation (Makeomatic, Inc.), based in Vancouver, British Columbia, Canada. We provide AI and SaaS tool selection, setup, and management services for small businesses — primarily small professional practices in BC.

This policy covers two areas: (a) how we handle personal information during consulting engagements (audit, setup, and ongoing maintenance), and (b) how we handle data collected through this website. It applies to information about our clients (practice owners and their staff) — not their patients.

We comply with British Columbia's Personal Information Protection Act (PIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Privacy officer

The Privacy Officer responsible for compliance with privacy legislation is:

Anna Amineva, Privacy Officer
Email: hello@makeomatic.ca
Vancouver, BC, Canada

3. What we collect

We collect only the personal information needed to deliver our consulting services and operate this website:

Business contact information — your name, email address, phone number, and business address.
Billing and payment information — invoicing details and payment transactions, processed through Stripe. We do not store credit card numbers.
Business workflow information — your current tools, processes, and pain points, collected during the audit phase.
System configuration data — settings, templates, and automation rules within your practice management tools, collected during the setup phase.
Communication records — emails and messages exchanged during the engagement.
Website analytics — anonymous usage data as described in the Analytics section below.

Patient data that may transit our systems

During Setup and Operator engagements, patient scheduling data and funder compliance data (e.g., appointment counts, authorization limits, session records for insurer submissions) may transit Makeomatic's systems as part of automated workflows. This data is:

Processed solely per the client's instructions and the terms of the applicable Statement of Work.
Never stored or persisted — it passes through in-memory during workflow execution and is not written to any database, file system, or log.
Never used for any purpose other than delivering the specific workflow the client has authorized.
Deleted from memory immediately after processing.

During the Audit phase, Makeomatic does not access any patient data. The audit is conducted through interviews, questionnaires, and guided screen shares — no system access or data extraction occurs.

What we do NOT collect or store

We do not collect or store:

Patient health information (PHI) — no clinical notes, treatment plans, diagnoses, or medical records
Patient names or contact details in any persistent form
Clinical records or treatment data

Our work focuses on your business operations and workflows, not on clinical records. During Setup and Operator engagements, patient scheduling and funder data may transit our systems as described above, but is never persisted.

4. Why we collect it

To deliver consulting services — conducting audits, configuring systems, and providing ongoing maintenance.
To communicate about the engagement — responding to your questions, providing updates, and coordinating work.
To process payments and issue invoices — billing for services rendered.
To improve our services — developing anonymized case studies and refining our methods (only with your consent).
To comply with legal and tax obligations — meeting Canadian tax filing and record-keeping requirements.

5. Consent

We obtain your consent to collect and use your personal information when you sign the Consulting Services Agreement at the start of an engagement. For website visitors, consent is implied through use of the site.

You have the right to withdraw your consent at any time by contacting us in writing. Withdrawal of consent may affect our ability to continue providing services, and it does not apply to information we are legally required to retain (such as tax records).

6. System access during engagements

During consulting engagements, we may receive temporary access to your business systems, such as:

Jane App (practice management)
Microsoft 365 (email, SharePoint, Teams)
Slack (team communication)
Other tools relevant to the engagement scope

This access is governed by the following principles:

Limited scope — we only access what is necessary to complete the agreed-upon work.
No clinical data — we do not access patient records, clinical notes, or PHI within these systems, even if such data is technically available. Patient scheduling and funder data may transit our systems during automated workflows but is never persisted (see Section 3).
Temporary access — all access credentials are revoked or returned when the engagement is completed.
Documented — the specific systems and level of access are documented in the Consulting Services Agreement.

7. How we use and share information

We do not sell personal information. We never have and never will.

We may share your personal information with the following third-party service providers, solely to deliver our services:

Stripe (payment processing) — processes payments on our behalf. See Stripe's privacy policy.
Google Workspace or Microsoft 365 (communication and collaboration) — used for email and document sharing during engagements.
Airtable (client operational dashboards) — used to track aggregated business metrics and workflow summaries during engagements. Never contains patient-identifiable data. See Airtable's privacy policy.
Tally (intake forms) — used to collect business contact information and questionnaire responses during onboarding. See Tally's privacy policy.

During client engagements, we recommend and configure third-party SaaS tools on your behalf. Each tool has its own privacy policy. We only recommend tools that meet PIPEDA and BC PIPA compliance requirements, and we document all data flows in the written runbook delivered as part of every engagement.

We may also disclose personal information if required by law, regulation, or court order.

8. Security safeguards

All client data is stored in encrypted systems.
Access to client information is limited to authorized Makeomatic team members and contractors on a need-to-know basis, all of whom are bound by the same confidentiality obligations.
Strong passwords and multi-factor authentication (MFA) are used on all systems.
Client system access credentials are stored in 1Password (encrypted password manager) and destroyed immediately upon engagement completion.
We use secure, encrypted channels for all client communications.

9. Data retention

Type of information	Retention period
Financial and billing records (invoices, payment records)	7 years (Canadian tax law requirements)
System access credentials	Destroyed immediately upon engagement completion
Communication records	Retained for the duration of the engagement, then deleted within 90 days unless subject to a legal retention requirement
Engagement work products (workflow configurations, operational data)	Deleted within 30 days of engagement termination, unless earlier deletion is requested
Patient transit data (scheduling, funder compliance data)	Never stored; deleted from memory immediately after processing
Website analytics data	Session-scoped; not linked across visits

The 7-year retention period applies only to financial and tax records required by the Canada Revenue Agency. It does not apply to client operational data, workflow configurations, or any patient data.

You may request deletion of any personal information not subject to a legal retention requirement at any time by contacting the Privacy Officer.

10. Website analytics

This site uses PostHog to understand how visitors use the site. PostHog requests are reverse-proxied through p.makeomatic.ca, so analytics data flows first-party from your browser through our domain before reaching PostHog's servers. We collect:

Page views, referring URLs, and UTM campaign parameters
Anonymous interaction events (clicks, form interactions, navigation)
Session replays of your visit, with password inputs automatically masked
Browser, device, and approximate location derived from your IP address

We configure PostHog to discard client IP addresses at the point of ingestion and to store visitor identifiers in your browser's sessionStorage only. That means:

No cookies are set for analytics
Identifiers are cleared when you close the browser tab
Return visits are not linked to previous sessions

You can opt out at any time by enabling Do Not Track or Global Privacy Control in your browser, or by emailing hello@makeomatic.ca.

11. Your rights under PIPA

Under British Columbia's Personal Information Protection Act, you have the right to:

Access — request a copy of the personal information we hold about you.
Correction — request that we correct any inaccurate or incomplete information.
Withdraw consent — withdraw your consent to our collection, use, or disclosure of your personal information, subject to legal or contractual obligations.
Complain — file a complaint with BC's Office of the Information and Privacy Commissioner (OIPC) if you believe we have not handled your personal information properly.

To exercise your rights, contact the Privacy Officer at hello@makeomatic.ca. We will respond to access and correction requests within 30 business days.

Office of the Information and Privacy Commissioner for BC:
Website: www.oipc.bc.ca
Phone: 250-387-5629
Toll-free: 1-800-663-7867

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify active clients directly by email. The effective date at the top of this document will always reflect the most recent version.

13. Contact

Privacy Officer: Anna Amineva
Email: hello@makeomatic.ca
Business: Makeomatic
Location: Vancouver, BC, Canada