Epiphany360 Fair Information Policy
Epiphany360 abides by
the American Health Information Portability and Accountability Act (HIPAA)
the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
the European Union General Data Protection Regulations (GDPR)
These set out the ground rules for how businesses must handle personal health information in the course of commercial activity.
Our adherence to these acts is our acknowledgement that Epiphany360 has an overriding obligation to ensure that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would deem appropriate given the circumstances.
Epiphany360 is responsible for the protection and fair handling of personal information at all times. This applies throughout our organization and in dealings with third parties. We believe that care in the handling of personal information is essential to continued consumer confidence and good will.
As such our policies align with the following obligations
Epiphany360 is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Obidou will make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
Epiphany360 ethical collection and use of research data policy
Epiphany360 provides benefits to multiple stakeholders
The clinician/ counsellor/ collector/ workgroup who assesses mental health
The patient/ student/ user of the program who has their mental health assessed
Secondary users of data (Ministry of , Insurance, Employers, School boards, Pharma)
Epiphany360 therefore has a number of overlapping goals and obligations as a company
Collect relevant data that can be used primarily for the benefit of the patient/ student/ user and secondarily for the clinician/ counsellor and other stakeholders.
Ensure the accuracy and accessibility of data for the benefit of all users
Ethical collection of data
Welfare and safety of participants when data is used for research
Privacy and security of data in collection, transmission, storage and secondary use
To meet these obligations, we are guided by the following policies, procedures and principles as, documented below.
Tri-council Policy on Ethical Conduct for Research Involving Humans
Canadian Institutes of Health Research
Natural Sciences and Engineering Research Council of Canada
Social Sciences and Humanities Research Council of Canada, 2014
California Bill of Rights
Experimental Research Subject’s Bill of Rights
California law, under Health & Safety Code Section 24172, requires that any person asked to take part as a subject in research involving a medical experiment, or any person asked to consent to such participation on behalf of another, is entitled to receive the following list of rights written in a language in which the person is fluent. This list includes the right to:
1. Be informed of the nature and purpose of the experiment.
2. Be given an explanation of the procedures to be followed in the medical experiment, and any drug or device to be utilized.
3. Be given a description of any attendant discomforts and risks reasonably to be expected from the experiment.
4. Be given an explanation of any benefits to the subject reasonably to be expected from the experiment, if applicable.
5. Be given a disclosure of any appropriate alternative procedures, drugs or devices that might be advantageous to the subject, and their relative risks and benefits.
6. Be informed of the avenues of medical treatment, if any, available to the subject after the experiment if complications should arise.
7. Be given an opportunity to ask any questions concerning the experiment or the procedures involved.
8. Be instructed that consent to participate in the medical experiment may be withdrawn at any time and the subject may discontinue participation in the medical experiment without prejudice.
9. Be given a copy of the signed and dated written consent form. California Subject’s Bill of Rights 08/2011
10. Be given the opportunity to decide to consent or not to consent to a medical experiment without the intervention of any element of force, fraud, deceit, duress, coercion, or undue influence on the subject’s decision.
Consent for participation and secondary use of data
The consent process must be include the following:
a restatement of the purpose of the study and the provision of a clear description of study tasks and conditions
sufficient prompts to encourage participants to ask questions
a reminder of their right to refuse to do anything they find disturbing or uncomfortable
an assurance of their right to leave the study at any time without penalty
a statement indicating that by consenting, participants do not waive any legal rights
the provision of contact information for the researcher and the REB that approved the study
Consent for participation of minors and vulnerable populations
Assent & Dissent
Even when an individual’s authorized third party (parent) gives consent, it is important to involve the individual (student) to the greatest extent possible.
As prospective research participants they may agree (assent) or not agree (dissent) with their parents' decision to consent.
Parents may consent to have their children participate in at the mental health assessment at their school, but if any children choose not to participate, their decision will be respected.
Obidou allows both parents and students the opportunity to independently provide or refuse consent.
We will only use your personal information in order to verify your identity or meet regulatory requirements
The only one who can connect your mental health information and your name is you.
2.1 Our consent policy is intended to give you the who, what, where, when, how, risk and benefits of your participation. Our goal is to make sure that you know what you are consenting to, have had time to make an informed decision and the opportunity to ask questions.
2.2 Consent can only be provided in writing, electronically or through an authorized representative.
2.3 There are no cases of implied consent.
2.4 You can withhold or withdraw your consent at any time.
2.5 Refusing or withdrawing consent will not affect your care in any way.
3.1 We will only use or disclose your personal information as mentioned above and only when necessary to fulfill the purposes identified at the time of collection, which would include contacting you to offer you the opportunity to connect to care.
3.2 We may be required to disclose your personal information to third parties when...
The disclosure is required by law
In an emergency that threatens an individual's life, health, or personal security
In any situation where child protection would be warranted
3.3 We will not use or disclose your personal information for any additional purpose unless we obtain consent to do so.
3.4 We will ask you for permission to use, store or disclose information in order to do research, improve the treatments we provide or improve the healthcare system.
3.5 We will not sell your de-identified information without your specific consent and a specific reasonable, mutually agreed upon, financial compensation.
Retaining Personal Information
4.1 If we use personal information to make a decision that directly affects you, we will retain that information for at least one year, so that you have a reasonable opportunity to request access to it.
4.2 Subject to policy 4.1, we will retain client, customer, patient personal information only as long as necessary to fulfill the identified purposes above.
5.1 We will make reasonable efforts to ensure your personal information is accurate and complete, where it may be used to make a decision about you or disclosed to another organization.
5.2 Patients may request correction to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing and in sufficient detail to identify the correction being sought.
5.3 If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information. If the correction is not made, we will note the patients’ correction request in the file.
6.1 We are committed to ensuring the security of client, customer and patient personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
6.2 The following security measures will be followed to ensure that patient personal information is appropriately protected, including:
physically securing offices where personal information is held
the use of user IDs, passwords, encryption, firewalls; restricting employee access to personal information as appropriate (i.e., only those that need to know will have access);
contractually requiring any service providers or third parties who requires access, to provide confidentiality agreements or comparable security measures.
6.3 We will use appropriate security measures when destroying patient’s personal information such as shredding documents and permanently deleting electronically stored information.
6.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
7.1 Patients have a right to access their personal information, subject to limited exceptions, such as, solicitor-client privilege, disclosure would reveal personal information about another individual, health and safety concerns.
7.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought.
7.3 Upon request, we will also tell patients how we use their personal information and to whom it has been disclosed if applicable.
7.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
7.5 A fee may be charged for providing access to personal information. Where a fee may apply, we will inform the patient of the cost and request further direction from the patient on whether or not we should proceed with the request.
7.6 If a request is refused in full or in part, we will notify the patient in writing, providing the reasons for refusal and the recourse available to the client, customer, member.
Questions and Complaints
8.1 The Privacy Officer or designated individual is responsible for ensuring Obidou Health Informatics’ and Sage Virtual Mental Health's compliance with this policy and the Personal Information Protection Act.
8.2 Clients, customers, patients should direct any complaints, concerns or questions regarding Epiphany360's compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client, customer, patient may also write to the Information and Privacy Commissioner of British Columbia.
Epiphany360 Privacy Officer
Ms. Astrid Sherman
End-User License Agreement
updated September 2020
By downloading or using Epiphany360, you agree that your use the application is subject to the terms and conditions of this license agreement and you agree to be bound by them. Epiphany360 is licensed to you and not sold.
Through downloading Epiphany360 (the product) by Epiphany360 (the owner), with offices in Canada at #304- 3151 Woodbine Dr. NorthVancouver, BC V7R 2S4 and in the US at #1520 - 13924 Marquesas Way, Marina Del Rey CA, 90290, grants you, a non-exclusive, non-transferable, and limited license to download and use Epiphany360 for your personal or institutional use on a static or mobile device that you own or control. Re-licensing or commercial use is strictly prohibited. Epiphany360 and the content thereof may not be copied, reproduced, republished, posted, transmitted, reverse-engineered, modified or distributed in any way, in whole or in part, without the express prior written permission of Epiphany360.
The term of this license agreement commences on the date that you agree to the Epiphany360 End-User License Agreement and ends when you request that we permanently delete your anonymous, de-identified information. If Epiphany360 terminates this license, you must permanently delete all copies of Epiphany360 in your possession or control. This term will survive termination of this license agreement.
Reservation of Rights
All of the content contained, including but not limited to information, algorithms, text, logos, graphics, pictures, images, software, icons and other elements, is owned exclusively by Epiphany360 or, as applicable, its suppliers, licensors and partners, and are protected under the intellectual property laws of Canada and other countries and by international treaties. All rights are reserved. You may not remove, modify or obscure any intellectual property notices. Unauthorized use of any content is strictly prohibited.
Epiphany360's trademarks, including but not limited to OBIDOU, OBIDOU HEALTHCLOUD, EPIPHANY360, OBIDOU HEALTH INFORMATICS and many others are valuable assets of Epiphany360. Any unauthorized use or infringement of the associated rights is taken very seriously and is grounds for legal action. All names, marks, brands, titles, slogans, logos, icons, graphics, look and feel, trade dress or trade names, designs and other designations (collectively, "Trademarks") contained within are registered and unregistered trademarks or official marks and, as applicable, other parties. Trademarks, content or graphics may not be used in any way, including in advertising, without prior written permission. Nothing on our site should be construed as granting, by implication, estoppel, or otherwise, any license or permission or other right to use any Trademark displayed without the written permission.
Protection of your personal information our first priority. Obidou Health Informatics will not disclose any personally identifiable information about you to any third party.
The information we collect (other than your consent to participate) is anonymous and de-identified at the source.
Neither your name, email nor IP address is collected, transmitted or stored.
Only you can connect your name and your User ID#
Equipment and Internet Access
You are responsible for providing your own computer or mobile device, internet connection and other necessary products and services to facilitate your download and use of Epiphany360. Your telecommunications service provider may charge you fees for data, messaging and other wireless services. We do not guarantee that Epiphany360 is available for use in all geographic locations or that all components will be accessible at all times.
Viruses and Malware
You agree that Epiphany360 has no responsibility or liability for any damages to or viruses and malware that may infect your computer, mobile phone or other property as a result of your use.
There may be hyperlinks to websites on Epiphany360, and these linked sites which are not under the control of Epiphany360 and should not in any manner be construed as having any affiliation with or endorsement, representation or warranty of such website or entity or its respective products, services, information, materials, opinions or links to such websites, unless specifically and expressly stated. We do not review or monitor such websites and are not responsible or liable for the content or accuracy thereof. The reproduction and use of and reliance upon of any content linked to such websites is completely at your own risk and is subject to the conditions that the respective website owners may impose. You are encouraged and advised to review the posted terms and conditions and privacy policies of all websites you visit.
Third Party Apps
Epiphany360 has the functionality to launch and/or interact with third party applications on your mobile device. Your use of such third party applications is subject to and must be in compliance with the respective terms and conditions of those applications.
TO THE FULL EXTENT OF APPLICABLE LAW, Epiphany360 is provided to you "AS IS" without warranty, performance assurances or guarantees of any kind, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. Epiphany360 DOES NOT GUARANTEE OR WARRANT THAT YOUR USE WILL BE UNINTERRUPTED, OR BE ERROR FREE OR THAT Epiphany360 WILL CORRECT ALL SOFTWARE ERRORS. This term will survive termination of this license agreement.
Limitation of Liability
FOR ALL EVENTS AND CIRCUMSTANCES, OBIDOU HEALTH INFORMATICS AND ITS LICENSORS' AGGREGATE AND CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THIS LICENSE AGREEMENT, INCLUDING WITHOUT LIMITATION ON ACCOUNT OF PERFORMANCE OR NON-PERFORMANCE OF OBLIGATIONS, REGARDLESS OF THE FORM OF THE CAUSE OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STATUTE OR OTHERWISE WILL BE LIMITED TO DIRECT DAMAGES AND WILL NOT TO EXCEED THE AMOUNT THAT YOU PAID UNDER THIS LICENSE AGREEMENT. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS LICENSE AGREEMENT, IN NO EVENT WILL OBIDOU HEALTH INFORMATICS , ITS AFFILIATES OR LICENSORS BE LIABLE TO YOU FOR DAMAGES OTHER THAN DIRECT DAMAGES, INCLUDING, WITHOUT LIMITATION, ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, EXEMPLARY OR PUNITIVE DAMAGES WHETHER ARISING IN TORT, CONTRACT, OR OTHERWISE; OR FOR ANY DAMAGES ARISING OUT OF OR IN CONNECTION WITH ANY MALFUNCTIONS, LOSS OF DATA, LOST PROFITS, LOST SAVINGS, INTERRUPTION OF SERVICE, LOSS OF BUSINESS OR ANTICIPATORY PROFITS, EVEN IF Epiphany360, ITS AFFILIATES OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This term will survive termination of this license.
Governing Law and Jurisdiction
If any provision of this license agreement is held to be invalid or unenforceable for any reason, then the provision will be deemed to be severed from this license agreement and the remaining provisions will continue in full force and effect without being impaired or invalidated in any way, unless as a result of any such severance this license agreement would fail in its essential purpose.
If you have any questions or comments about Epiphany360, contact us by e-mail message at
You represent and warrant that: (i) you are not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a "terrorist supporting" country; and (ii) you are not listed on any U.S. Government list of prohibited or restricted parties.
This license agreement does not entitle you to receive any hard-copy documentation, support, maintenance, telephone assistance, enhancements, upgrades or updates.
Third Party Beneficiary
You agree that there are no third party beneficiaries of this license agreement and that, upon your acceptance of the terms and conditions of this license agreement, Epiphany360 will have the right (and will be deemed to have accepted the right) to enforce this license agreement against you.
This license agreement constitutes the entire agreement between you and Epiphany360 and supersedes all prior or contemporaneous understandings regarding such matter. No amendment to or modification of this license agreement will be binding unless made in writing and signed by Epiphany360.
Acceptable Uses Policy
Updated September 2020
You must use the Epiphany 360 ("the Services" in compliance with, and only as permitted by, applicable law. The use of our Services in conjunction with other tools or resources in furtherance of any of the unacceptable uses described herein is also prohibited.
You are responsible for your conduct, Customer Data, and communications with others while using the Services. You must comply with the following requirements when using the Services. If we become aware of survey content that falls outside the bounds of what is acceptable under this policy, we may remove it and report it. We also take steps to prevent uses of our services that are contrary to the spirit of this policy.
(a) You may not use the Services to commit an unlawful activity; use the Services for activities where use or failure of the Services could lead to physical damage, death, mental harm, or personal injury.
(b) You may not provide any person under the age of 13 with access to the Services.
(c) You may not purchase, use, or access the Services for the purpose of building a competitive product or service or for any other competitive purposes.
(d) You may not misuse our Services by interfering with their normal operation, or attempting to access them using a method other than through the interfaces and instructions that we provide.
(e) You may not circumvent or attempt to circumvent any limitations imposed on your account (such as by opening up a new account to create or distribute a survey, form, application, or questionnaire that we have closed for a violation of our terms or policies).
(f) Unless authorized in writing, you may not probe, scan, or test the vulnerability or security of the Services or any system or network.
(g) Unless authorized , you may not use any automated system or software to extract or scrape data from the websites or other interfaces through which we make our Services available.
(h) You may not deny others access to, or reverse engineer, the Services, or assist anyone else to do so, to the extent such restriction is permitted by law.
(i) You may not store or transmit any viruses, malware, or other types of malicious software, or links to such software, through the Services.
(j) You may not use the Services to infringe the intellectual property rights of others.
(k) Unless authorized in writing, you may not resell or lease the Services.
(l) If your use of the Services requires you to comply with industry-specific regulations applicable to such use, you will be solely responsible for such compliance, unless Epiphany360 has agreed with you in writing otherwise. You may not use the Services in a way that would subject Epiphany360 to those industry-specific regulations without obtaining prior written agreement.
(m) We may offer content like images or video that are provided by third parties. You may use that material solely in your survey content. Epiphany360 may modify or revoke that permission at any time in our sole discretion. In using such material, you may not imply that your surveys are affiliated with or run or endorsed by any company, product, brand or service depicted in that material unless you have obtained their permission.
Phishing and Security
We strive to protect the security of all our users. We take specific measures to ensure respondents are not misled by surveys or forms used for fraudulent or malicious purposes. We will suspend any use of the Services which come to our attention that:
attempts to collect social security numbers, credit card numbers (other than solely for collecting payment through an authorized payment processor as permitted by the Services), passwords, or other similar types of sensitive information;
publishes a person’s sensitive identifying information against their wishes;
is intended to deceive or mislead respondents, including by linking to websites with malicious software such as malware;
knowingly and artificially boosts or inflates a website or webpage’s search engine ranking; or
hosts content that is downloadable, live-streamed, or merely intended to solicit clicks to other sites.
Privacy and Impersonation
Users provide responses and information with the expectation that their information will be handled respectfully and not abused. Accordingly, you are responsible for complying with all applicable data protection laws and regulations with respect to any data that you submit to or collect through our Services.
We encourage you to disclose your privacy practices when you use the Services and, if you do, we require you to act in accordance with those practices.
You may not claim that a survey or other use of our Services is anonymous when it is not.
You may not impersonate others when using the Services or collecting information.
We treat our users’ email addresses and mobile numbers with respect and expect our users who collect email addresses and mobile numbers to do the same.
Emails you send via the Services must have a valid reply-to email address owned or managed by you.
Texted survey invitation messages you send via the Services must have a valid reply “Stop”. All recipients of these text messages must have provided you consent in accordance with applicable law.
We prohibit the use of harvested mailing lists.
We prohibit the use of third-party, purchased, or rented mailing lists unless you are able to provide proof that individuals on the list have opted-in to receiving emails of the type you will be sending them.
You must not use the Services to send emails with deceptive subject lines or false or misleading header information.
Violence and Hate Speech
We remove content and may report information related to that content to law enforcement authorities if we become aware of, or believe that, a genuine risk of harm or threat to public safety exists.
Our Services may not be used to directly or indirectly threaten or attack others, or to organize or incite violence, harassment, or property damage.
Our services may not be used for hate speech, or to promote or fund such acts. Examples of hate speech include attacking or advocating for the abuse or exclusion of people based on their ethnicity, national origin, political or religious affiliations, gender, sexual orientation, genetic predisposition, disability, medical or physical condition, veteran status, or any other protected classes under applicable law.
Our Services may not be used to promote or glorify self-harm.
Bullying and Harassment
Our Services may not be used to bully or harass others.
Pornography and Offensive Graphic Material
Nudity, pornography and gore do not have a legitimate place in our Services.
You may not include gratuitous graphic violent material or pornography in connection with the use of our Services.
We recommend adding a conspicuous warning screen before displaying any material which may be offensive in nature.
We strictly prohibit and report to law enforcement any display of sexual or pornographic content (including in cartoon form) involving minors.
Intellectual Property Infringement
Please respect the intellectual property rights of others. You must have the appropriate rights to any content included in your responses.
How to Report Policy Violations
If you identify content which you believe is in violation of this policy, you may file an abuse report. Please include the URL of the survey or form at issue.
Built by Physicians. Backed by Science.
Powered by Technology.