Grace App, AI practice management for Canadian mental health professionals

Privacy Policy

Disclaimer: This Privacy Policy is provided as a plain-language template and should be reviewed by legal counsel for your specific obligations.

Last updated: March 2026

Who we are

Grace App ("Grace App", "we", "us") provides a practice management and EHR platform for mental health professionals in Canada.

Contact: privacy@joingrace.ai

Scope

This policy covers:

  • Visitors to our website (joingrace.ai)
  • Prospective customers and demo requests
  • Customers using Grace App services

What information we collect

Website

  • Contact details you submit (name, email, clinic name, province, message)
  • Basic analytics events (page views, form submissions) as configured

Service (customers)

  • Account information (users, roles, authentication data)
  • Client and clinical data entered by customers (including personal health information) as required to provide the service
  • Audit logs of key system events

How we use information

  • Provide and secure the service
  • Respond to demos, support requests, and sales inquiries
  • Improve product performance and reliability
  • Meet legal and compliance obligations

Legal basis for processing

Grace is designed to support applicable Canadian privacy frameworks:

  • PIPEDA (federal): Processing is grounded in PIPEDA's ten fair information principles, including consent, limiting collection, and safeguards.
  • PHIPA (Ontario): For customers in Ontario, PHIPA provides the legal framework for the processing of personal health information by health information custodians.
  • Quebec's Law 25: For customers in Quebec, processing is based on consent and contractual necessity as required by Law 25.
  • Provincial laws: Customers in other provinces may be subject to additional legislation such as Alberta's HIA or BC's PIPA.

AI features and your control

  • AI features are designed to produce drafts that require clinician review before becoming part of the clinical record.
  • AI workflows may require explicit consent (e.g., audio transcription).
  • Customers control feature enablement and use.

Data residency and storage

Grace App is designed for Canadian data residency, with primary hosting and storage in the Montreal region, Canada. All health data is stored in Canada; no health data crosses the border.

While PIPEDA at the federal level permits cross-border transfers with adequate safeguards, Ontario's PHIPA requires that personal health information be stored in Canada unless specific cross-border transfer conditions are met. Grace adopts the stricter standard by design.

For more details, see our Canadian Data Residency.

Sharing and subprocessors

We use vetted service providers ("subprocessors") to deliver parts of the service:

  • Cloud hosting and storage (Montreal region, Canada)
  • Payment processing
  • Email delivery
  • SMS (if enabled)
  • Telehealth video (if enabled)
  • Insurance claims (if enabled)

We aim to limit sharing and apply least-privilege access. Clinical data and personal health information remain in Canada. All subprocessors are bound by data processing agreements.

Security safeguards

We use administrative, technical, and physical safeguards appropriate for protecting sensitive data, including encryption at rest and in transit, audit logging, multi-factor authentication, and role-based access controls.

Breach notification

In the event of a data breach involving personal information, Grace commits to notifying affected practices promptly so they can fulfill their own notification obligations. Notification requirements vary by jurisdiction:

  • PIPEDA (federal): Notification to affected individuals and the Office of the Privacy Commissioner of Canada (OPC) "as soon as feasible" after determining a breach poses a real risk of significant harm.
  • Quebec's Law 25: Notification to the Commission d'accès à l'information (CAI) within 72 hours when there is a risk of serious injury.
  • PHIPA (Ontario): Notification to the Information and Privacy Commissioner (IPC) in the event of theft, loss, or unauthorized access to personal health information.

In accordance with PIPEDA, we maintain records of all data breaches for a minimum of 24 months.

Retention

We retain information as needed to provide the service and meet legal and compliance obligations.

  • Breach records: Retained for a minimum of 24 months in accordance with PIPEDA.
  • Clinical records: Mental health professional colleges typically require record retention for 7 to 10 years after the last service, depending on jurisdiction and college guidelines.
  • Grace is designed to support configurable retention periods to match practice and regulatory requirements.

Data portability

Under PIPEDA's data mobility framework (March 2025 amendment), individuals have the right to request transfer of their personal information in a structured, commonly used format. Quebec's Law 25 also provides data portability rights.

Grace is designed to support data portability requests, including structured data export.

Children's privacy

Grace is designed for use by adult mental health professionals to serve their clients. The platform is not directed at children under 18. Where a practice serves minors, the practice is responsible for ensuring appropriate guardian consent is obtained per applicable law.

Your choices and provincial rights

  • Marketing communications: opt out anytime.
  • Access and correction: contact privacy@joingrace.ai.
  • Cookies: manage via cookie banner/preferences (where applicable).

Specific rights vary by province:

  • PHIPA (Ontario): Right to access your own health records and request corrections.
  • Law 25 (Quebec): Right to data portability, right to erasure, right to be informed of automated decisions.
  • HIA (Alberta): Right of access and right to request corrections.
  • PIPEDA (federal): Right of individual access and right to challenge compliance.

Data Processing Agreement

For customers using Grace App to process personal health information, our Data Processing Agreement (DPA) outlines responsibilities, security measures, and data residency obligations.

Contact the Privacy Commissioner

If you have concerns about how your personal information is handled, you may contact the relevant privacy commissioner:

Updates

We may update this policy and will post changes on this page.