This policy describes what personal and medical information Gaurik Health Inc. collects, why we collect it, how we store and use it, and the rights you have over it. Gaurik is Canadian-incorporated and aligns with Ontario's Personal Health Information Protection Act (PHIPA); we apply equivalent or stronger handling to patients in jurisdictions with their own health-data laws (GDPR, HIPAA, Australia's My Health Records Act).
This document is currently a working draft pending external legal review. Where wording is provisional, that's noted inline. If anything here materially affects a decision you're about to make, email hello@gaurikhealth.com and we'll answer in writing.
When you submit a case inquiry we collect: your name, contact information (email, phone), country, age band (not raw age), specialty and procedure of interest, timeline, and any case notes you choose to share.
Once you proceed past initial inquiry, we collect: medical records you upload (imaging, reports, prescriptions), your communications with our care team, and the booking and quote information associated with your case.
We do not collect raw birth dates, social-insurance / national-ID numbers, or payment-card details on our public website. Payment for surgical packages is handled directly with partner facilities once you proceed.
Lead-inquiry data lives in a Supabase project hosted in Canada Central (ca-central-1, Toronto). Uploaded medical records — when you provide them in a later stage — live in a private Supabase Storage bucket in the same region. Both stores enforce row-level security; only authorized Gaurik staff and admins can read your records.
Our application runs on Vercel. Function execution may occur in a U.S. edge region (Washington, D.C. / iad1) because Vercel does not currently offer a Canadian function region; however, your data is not persisted there. Compute is ephemeral; storage is Canadian.
Within Gaurik: your assigned care coordinator and the medical panel led by Dr. Vivek Dwivedi. We log every record-read in an append-only audit log that you can request access to.
Outside Gaurik, when you proceed: the partner hospital and treating surgeon you select for your case, who require records to deliver care. We obtain explicit consent before sharing records externally; the consent record is stored alongside the disclosure.
We do not sell your information to anyone, ever. Analytics on the public website (Plausible, Vercel Analytics) collect no personal information.
You have the right to access, correct, export, or delete your records at any time. Email hello@gaurikhealth.com and we'll respond within 30 days, usually within 5 business days.
You can withdraw consent for record sharing at any time, although doing so may prevent us from continuing to coordinate your care. Withdrawal does not affect records already shared in good faith with surgeons or hospitals under prior consent.
Lead inquiries we never act on are purged after 24 months. Active patient records are retained for 10 years from your last contact (matching medical-records-retention norms in most Western jurisdictions), then permanently deleted unless you ask for earlier deletion.
Privacy questions or complaints: email hello@gaurikhealth.com. If you're in Ontario and unsatisfied with our response, you can contact the Information and Privacy Commissioner of Ontario (IPC) at ipc.on.ca.