Introduction

OncoForma ("we," "our," or "us") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our precision oncology services.

This policy is structured in two parts:

  • Part 1: General Privacy Policy for all website visitors
  • Part 2: Clinical Services Privacy Notice for patients and healthcare providers

We comply with:

  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Saskatchewan's Health Information Protection Act (HIPA)
  • Other applicable federal and provincial privacy laws

PART 1: General Privacy Policy (Website Visitors)

1.1 Scope

This section applies to anyone who visits our website at oncoforma.com. If you are a patient or healthcare provider using our clinical services, please also review Part 2 below.

1.2 Information We Collect

Information You Provide Directly

When you contact us through our website, we may collect:

  • Contact Information: Name, email address, phone number, organization/affiliation
  • Communication Content: Messages, questions, or requests you submit through contact forms
  • Professional Information: Role, institution, or specialty (if you identify yourself as a healthcare provider)

Information Collected Automatically

Currently, we do not use cookies, analytics tools, or tracking technologies on our website. We collect only basic server log information necessary for website operation and security:

  • Technical Data: IP address, browser type, device type, operating system
  • Access Data: Pages visited, date and time of access, referring website
  • Error Logs: Technical errors for troubleshooting purposes

This information is collected and stored by our hosting provider (Netlify) in accordance with their privacy practices.

1.3 How We Use Your Information

We use the information collected through our website to:

  • Respond to Inquiries: Answer questions and provide information about our services
  • Business Communications: Send requested information about OncoForma's services
  • Website Operation: Maintain, secure, and improve website functionality
  • Legal Compliance: Meet legal and regulatory obligations
  • Security: Detect and prevent fraud, abuse, or security incidents

1.4 Legal Basis for Processing

Under PIPEDA, we process your personal information based on:

  • Consent: You provide information voluntarily through contact forms
  • Legitimate Interests: Website security and operational requirements
  • Legal Obligations: Compliance with applicable laws

1.5 Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

Service Providers:

  • Netlify (website hosting) - servers located in the United States
  • Email service providers for responding to inquiries
  • These providers are contractually obligated to protect your information

Legal Requirements:

  • When required by law, court order, or legal process
  • To protect our rights, property, or safety, or that of others
  • In connection with the investigation of fraud or illegal activity

Business Transfers:

  • In the event of a merger, acquisition, or sale of assets, your information may be transferred (you will be notified)

1.6 Cross-Border Data Transfer

Our website is hosted on Netlify servers, which may be located in the United States. By using our website, you consent to your information being transferred to, stored, and processed in the United States, where privacy laws may differ from Canadian laws. We ensure our service providers maintain appropriate safeguards for your information.

1.7 Data Retention

We retain contact form submissions and related communications for:

  • Active Inquiries: Duration of the conversation plus 1 year
  • Business Development: Up to 3 years for potential partnership or service discussions
  • Legal Requirements: Longer if required by law

After the retention period, information is securely deleted or anonymized.

1.8 Your Rights Under PIPEDA

You have the right to:

  • Access: Request a copy of personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Withdrawal of Consent: Withdraw consent for future communications (does not affect prior lawful processing)
  • Complaint: File a complaint with the Privacy Commissioner of Canada

To exercise these rights, contact our Privacy Officer (see Section 3 below).

1.9 Security Measures

We implement reasonable security measures to protect your information:

  • Secure HTTPS encryption for all website communications
  • Access controls limiting who can view submitted information
  • Secure email practices for responding to inquiries
  • Regular security reviews and updates

However, no method of internet transmission is 100% secure. We cannot guarantee absolute security.

1.10 Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.

1.11 Children's Privacy

Our website and services are not directed to individuals under 18. We do not knowingly collect personal information from minors without parental consent.


PART 2: Clinical Services Privacy Notice (Patients & Healthcare Providers)

2.1 Scope

This section applies to patients whose samples and health information are processed through OncoForma's precision oncology testing services, and to healthcare providers who refer patients to our services.

This notice complies with Saskatchewan's Health Information Protection Act (HIPA) and PIPEDA.

2.2 What Health Information We Collect

When you (or your healthcare provider) use OncoForma's services, we collect:

From Patients:

  • Identifying Information: Name, date of birth, health card number, contact information
  • Medical History: Cancer diagnosis, stage, prior treatments, medical history relevant to testing
  • Biological Samples: Tumor tissue, biopsy samples, blood samples
  • Genomic Data: DNA sequencing results, genetic mutations, molecular profiling
  • Clinical Data: Test results, pathology reports, imaging reports
  • Treatment Outcomes: Response to therapies (if tracked for validation)

From Healthcare Providers:

  • Provider Information: Name, license number, contact information, institution
  • Clinical Orders: Test requisitions, clinical questions, treatment history

2.3 How We Collect Health Information

Information is collected:

  • Directly from You: Through consent forms and patient intake questionnaires
  • From Your Healthcare Provider: Via test requisition forms and clinical records
  • From Laboratory Testing: Through our organoid testing and genomic analysis processes
  • From Partner Institutions: University of Saskatchewan laboratory (fee-for-service arrangement)

2.4 Why We Collect and Use Your Health Information

Primary Purpose - Clinical Testing:

  • Perform precision oncology testing on your tumor samples
  • Analyze drug responses using patient-derived organoids
  • Conduct genomic sequencing and analysis
  • Generate personalized treatment recommendation reports
  • Communicate results to your healthcare provider

Secondary Purposes (with separate consent):

  • Research and Development: Improve testing methodologies and develop new assays
  • AI Model Development: Train artificial intelligence algorithms to predict drug responses
  • Quality Improvement: Monitor test accuracy, turnaround times, and clinical outcomes
  • Scientific Publication: Contribute to medical literature (with de-identified data)
  • Regulatory Submissions: Support validation studies for regulatory approval

We will always obtain your explicit consent before using your information for secondary purposes.

2.5 Legal Basis for Processing Health Information

Under HIPA and PIPEDA, we process your health information based on:

  • Express Consent: You provide written, informed consent for testing
  • Healthcare Provider Authorization: Your oncologist orders testing as part of your care
  • Legitimate Clinical Purpose: Testing is performed to guide your cancer treatment

2.6 How We Share Your Health Information

We share your health information only as necessary and with appropriate safeguards:

With Your Healthcare Provider:

  • Test results and treatment recommendations are sent to the ordering oncologist
  • Clinical reports are delivered through secure, encrypted channels

With Laboratory Partners:

  • University of Saskatchewan: Samples and associated clinical data are sent to USask laboratory for organoid culture and drug testing under a fee-for-service agreement
  • Data Processing Agreement ensures USask protects your information and uses it only for contracted testing services
  • USask does not retain rights to your data or samples beyond the testing period

With Service Providers:

  • Genomic Sequencing Labs: External labs performing DNA analysis (Canadian providers where possible)
  • Secure IT Infrastructure: Cloud storage and data processing services with Canadian data residency
  • Courier Services: For secure sample transport
  • All service providers sign Business Associate Agreements ensuring PIPEDA/HIPA compliance

When Required by Law:

  • Public health reporting (cancer registries, if required)
  • Court orders or legal proceedings
  • Regulatory authorities (Health Canada, if applicable)

With Your Explicit Consent:

  • Research collaborators (for studies you agree to participate in)
  • Second opinions or consultation with other specialists (at your request)

We do NOT:

  • Sell your health information
  • Use it for marketing purposes
  • Share it with insurance companies without your consent
  • Disclose it publicly in any identifiable form

2.7 Data Security and Protection

We implement comprehensive safeguards to protect your health information:

Technical Safeguards:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access - only authorized personnel can view your information
  • Audit Logs: All access to patient data is logged and monitored
  • Secure Infrastructure: Firewalls, intrusion detection, regular security assessments
  • De-identification: Data is de-identified whenever possible for research/AI purposes

Physical Safeguards:

  • Sample Storage: Biological samples stored in locked, access-controlled freezers
  • Facility Security: Laboratory facilities require keycard access and visitor logs
  • Document Security: Paper records stored in locked cabinets in secure areas

Administrative Safeguards:

  • Policies and Procedures: Comprehensive privacy and security policies
  • Staff Training: All employees trained on privacy obligations and HIPA requirements
  • Confidentiality Agreements: All staff, contractors, and partners sign confidentiality agreements
  • Incident Response Plan: Documented procedures for responding to privacy breaches
  • Regular Audits: Periodic privacy and security compliance reviews

2.8 Data Retention and Destruction

We retain your health information as follows:

Information Type                  | Retention Period                | Rationale
----------------------------------|---------------------------------|--------------------------------------------------
Clinical test results and reports | 10 years after last service     | Standard medical records retention
Biological samples                | Up to 5 years or until exhausted| May be needed for repeat/confirmatory testing
Genomic data (identifiable)       | 10 years after last service     | Clinical and validation purposes
De-identified research data       | Indefinitely                    | Research and AI development (cannot re-identify)
Consent forms                     | 10 years after last service     | Legal compliance

After the retention period:

  • Physical samples are destroyed via appropriate biohazard disposal
  • Electronic records are permanently deleted using secure data destruction methods
  • Paper records are shredded or incinerated
  • De-identified data may be retained indefinitely (no re-identification possible)

You may request earlier destruction of your samples and data (see Section 2.11).

2.9 Cross-Border Data Considerations

Current Operations:

  • We prioritize Canadian data storage and processing wherever possible
  • Website hosting uses Netlify (servers may be in USA)
  • Clinical data and samples remain in Canada (Saskatchewan)
  • Genomic sequencing performed by Canadian laboratories when available

If International Transfer Becomes Necessary:

  • We will notify you and obtain specific consent
  • Data will be subject to foreign laws (e.g., USA PATRIOT Act, EU GDPR)
  • We ensure appropriate safeguards (standard contractual clauses, data transfer agreements)

Our goal is to keep all clinical data within Canadian jurisdiction.

2.10 Use of Health Information for AI and Research

OncoForma's long-term vision includes developing AI models to predict drug responses based on patient data.

How This Works:

  • We aggregate drug-response data from many patients' organoid tests
  • Data is de-identified (removing names, dates, identifiers) before use in AI training
  • AI models learn patterns to predict which drugs work for which tumor types
  • This helps future patients receive faster, more accurate treatment predictions

Your Consent Options:

  • Primary Testing Only: Your data is used only for your clinical report (opt-out of research/AI)
  • Research and AI Development: Your de-identified data contributes to improving cancer treatment (opt-in)

You choose your preference on the consent form. You can change your mind at any time by contacting us.

Additional Protections:

  • Research Ethics Board (REB) approval for research studies
  • All research follows Tri-Council Policy Statement (TCPS2) ethical guidelines
  • Scientific publications use only aggregate, de-identified data
  • You will never be personally identified in any publication

2.11 Your Rights Under HIPA and PIPEDA

As a patient, you have the right to:

Access Your Information

  • Request a copy of your health records, test results, and reports
  • Review what information we hold about you
  • Receive a copy in a readable format (paper or electronic)
  • Timeframe: We respond within 30 days (may extend to 60 days if complex)
  • Cost: No charge for your first request; reasonable fees for additional copies

Correct Your Information

  • Request correction of inaccurate or incomplete information
  • We will amend records or append a note if we disagree with the correction
  • Corrections are shared with anyone who previously received the incorrect information

Withdraw Consent

  • Withdraw consent for secondary uses (research, AI) at any time
  • Request that we stop using your information (where legally permissible)
  • Note: Withdrawal does not affect past uses made with valid consent
  • We may need to retain some information for legal/regulatory requirements

Request Destruction

  • Request early destruction of your samples and identifiable data
  • We will comply unless legally required to retain information
  • De-identified data in research datasets cannot be deleted (no longer linked to you)

Restrict Disclosure

  • Request limits on who can access your information
  • We must comply except where required by law or necessary for your care

Receive an Accounting of Disclosures

  • Request a list of who we've shared your information with
  • Covers disclosures in the past 3 years (excluding routine care communications)

File a Complaint

  • If you believe your privacy rights have been violated, you can file a complaint (see Section 3.3)

To Exercise Your Rights:
Contact our Privacy Officer using the information in Section 3.1 below.

2.12 Breach Notification

In the event of a privacy breach involving your health information, we will:

Immediate Actions:

  • Contain the breach and prevent further unauthorized access
  • Investigate the cause, scope, and impact
  • Implement corrective measures

Notification:

  • To You: Notify you directly if the breach poses a real risk of significant harm
  • To Regulators: Report to Saskatchewan Privacy Commissioner and Office of the Privacy Commissioner of Canada as required by law
  • Timeframe: As soon as reasonably possible, typically within 72 hours of discovery

Information Provided:

  • Description of the breach (what information was involved)
  • Date or timeframe of the breach
  • Steps we're taking to mitigate harm
  • Steps you can take to protect yourself
  • How to contact us for more information

2.13 Consent Process

Before we collect or use your health information, we will:

Provide You With:

  • This Privacy Notice
  • A clear consent form explaining what we'll do with your information
  • Opportunity to ask questions and discuss concerns
  • Options for primary testing vs. research participation

Obtain Your:

  • Signature on informed consent form
  • Separate consent for any secondary uses (research, AI)
  • Acknowledgment that you've received and understand this Privacy Notice

You Can:

  • Take time to review before deciding
  • Discuss with your healthcare provider
  • Consent to clinical testing but decline research participation
  • Change your mind about research participation later

Consent is voluntary. However, we cannot provide testing services without consent for primary clinical use.


PART 3: General Provisions

3.1 Privacy Officer Contact Information

For questions, concerns, or to exercise your privacy rights, contact:

OncoForma Privacy Officer
Email: privacy@oncoforma.com
Mail: OncoForma, 4191 Middleton Road, Grasswood, S7T 1A9
Phone: +1 306 262 1967

We will respond to your inquiry within 30 days.

3.2 How to Access or Correct Your Information

To request access to or correction of your personal information:

  1. Submit a written request to our Privacy Officer (contact information above)
  2. Include sufficient detail to help us locate your information
  3. Provide proof of identity (we may request government-issued ID to prevent unauthorized disclosure)
  4. Specify the information you wish to access or correct

We may charge a reasonable fee for copies beyond your first request.

3.3 How to File a Complaint

If you believe we have not complied with privacy laws or this policy:

Step 1: Contact Us

  • First, contact our Privacy Officer to resolve the concern informally

Step 2: File a Formal Complaint

If not satisfied with our response, you may file a complaint with:

Saskatchewan Privacy Commissioner
Office of the Saskatchewan Information and Privacy Commissioner
503 - 1801 Hamilton Street
Regina, SK S4P 4B4
Phone: 306-787-8350
Toll-free: 1-877-748-2298
Email: webmaster@oipc.sk.ca
Website: https://www.oipc.sk.ca

Office of the Privacy Commissioner of Canada (for PIPEDA complaints)
30 Victoria Street
Gatineau, QC K1A 1H3
Toll-free: 1-800-282-1376
Website: https://www.priv.gc.ca

Filing a complaint does not affect any legal rights you may have.

3.4 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Changes in privacy laws
  • New services or technologies
  • Feedback from regulators or patients

When We Update:

  • Revised policy will be posted on our website with a new "Last Updated" date
  • Material changes will be communicated to active patients via email or letter
  • Continued use of our services after changes constitutes acceptance

Version History:
We maintain previous versions of this policy. Contact us if you need to review a prior version.

3.5 Definitions

  • Personal Information: Information about an identifiable individual (name, email, phone number, etc.)
  • Personal Health Information (PHI): Information about an individual's health status, health care, or payment for health care that identifies or could identify the individual
  • De-identification: Removing or encrypting identifying information so that an individual cannot reasonably be identified
  • Consent: Voluntary agreement to collection, use, or disclosure of personal information
  • HIPA: Saskatchewan's Health Information Protection Act
  • PIPEDA: Canada's Personal Information Protection and Electronic Documents Act
  • Trustee: Under HIPA, an individual or organization that has custody or control of health information
  • Privacy Breach: Unauthorized access to, collection, use, disclosure, retention, or disposal of personal information

3.6 Effective Date and Acknowledgment

This Privacy Policy is effective as of November 4, 2025.

By using our website or services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For clinical services, you will also sign a separate informed consent form that references this policy.


OncoForma is committed to protecting your privacy. Thank you for trusting us with your information.


This privacy policy was prepared in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Saskatchewan's Health Information Protection Act (HIPA). It is not legal advice. OncoForma recommends consulting with legal counsel for specific privacy compliance questions.