We handle your health data with the highest standard of care — because we understand how personal it is, and how much depends on keeping it safe.
HEAL28 Academy Corporation ("HEAL28", "we", "us", "our") is a health technology company incorporated in the Province of British Columbia, Canada. We develop and operate TravelCarePlans — an AI-powered travel health platform that generates personalised care plans for international travellers with pre-existing health conditions.
This Privacy Policy applies to all personal information collected through our website at travelcareplans.com, our platform, mobile applications, and any other interactions you have with us.
Name: Danison Buan, Co-Founder & CEO
Role: Accountable Individual for Privacy Compliance
Email: privacy@travelcareplans.com
General: hello@travelcareplans.com
We acknowledge all privacy inquiries within 5 business days and resolve them within 30 calendar days, as required under PIPEDA.
TravelCarePlans operates at the intersection of travel and personal health — which means we handle some of the most sensitive personal data that exists. We comply with all privacy frameworks applicable to our operations and the jurisdictions where our users are located.
Our primary privacy obligation is the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), which governs the collection, use, and disclosure of personal information in the course of commercial activities — including our interprovincial and international operations. We adhere to all ten of PIPEDA's Fair Information Principles: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use / Disclosure / Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.
As a company incorporated and headquartered in British Columbia, our provincially regulated activities are governed by the Personal Information Protection Act (PIPA, S.B.C. 2003, c. 63). BC PIPA has been recognised by the federal government as substantially similar to PIPEDA. Like PIPEDA, PIPA requires meaningful consent for the collection of personal information and heightened protections for sensitive information including health data.
For users located in the European Union or European Economic Area, we comply with the General Data Protection Regulation (EU 2016/679). Health data constitutes a "special category" under GDPR Article 9, requiring explicit consent as the legal basis for processing. Canada has received an EU adequacy decision in respect of organisations subject to PIPEDA, and we supplement this with Standard Contractual Clauses where required.
HEAL28 Academy Corporation is not currently a HIPAA-covered entity or business associate as defined under 45 CFR §160.103. However, we voluntarily align our health data security architecture with HIPAA's Administrative, Physical, and Technical Safeguard requirements as a baseline standard of care for all users and as a prerequisite for future enterprise partnerships with US-regulated health organisations.
For users located in Australia, we comply with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs), including APP 8 governing cross-border disclosure.
All commercial electronic messages we send to Canadian recipients comply with Canada's Anti-Spam Legislation (S.C. 2010, c. 23), including the requirements for express or implied consent, sender identification, and a functioning unsubscribe mechanism.
We collect personal information in two categories: General Personal Information and Health Information, which receives additional protections as sensitive personal information.
We do not collect more information than is reasonably necessary for the purposes described in this policy (principle of data minimisation). You will always be told the purpose for collection at or before the point of collection.
| Category | Specific Data | How Collected |
|---|---|---|
| Identity | First name, last name | Registration, contact forms |
| Contact | Email address, phone number (optional) | Registration, contact forms |
| Profile | User type (traveller, carer, healthcare professional, partner) | Registration |
| Travel | Destination countries, travel dates, trip type | Care plan generation |
| Device & Usage | IP address, browser type, operating system, pages visited, session duration, referral source | Automatically via cookies and analytics |
| Communications | Messages, enquiries, feedback, demo request content | Contact form, email, platform messaging |
Health information you voluntarily provide is classified as sensitive personal information under PIPEDA and PIPA (BC), and as a special category of personal data under GDPR Article 9. It is collected only with your explicit, separate, and informed consent, and used solely to generate your personalised care plan.
What we never collect: Government-issued identification numbers (Social Insurance Number, Medicare number, passport number) unless you explicitly provide them for a specific purpose; genetic or biometric data; financial payment details (handled exclusively by our PCI-compliant payment processor, when billing is activated).
We do not purchase, obtain, or append personal information from data brokers or third-party commercial data sources. All personal information we hold was provided directly by you or collected through your direct use of our platform.
We collect and use personal information only with your knowledge and consent, except where the law permits otherwise (e.g. for safety or legal obligations). For health information, we require explicit, informed consent obtained separately at the point of collection. You may withdraw consent at any time subject to legal and contractual restrictions.
Our legal bases for processing personal data are:
| Processing Activity | Legal Basis (GDPR Article) |
|---|---|
| Providing the care plan service to you | Article 6(1)(b) — Performance of a contract |
| Processing health data to generate your care plan | Article 9(2)(a) — Explicit consent |
| Sending marketing and product update communications | Article 6(1)(a) — Consent |
| Analytics and platform improvement | Article 6(1)(f) — Legitimate interests |
| Fraud prevention and platform security | Article 6(1)(f) — Legitimate interests |
| Compliance with legal obligations | Article 6(1)(c) — Legal obligation |
Where we rely on legitimate interests, we have documented a Legitimate Interests Assessment (LIA) confirming that our interests are not overridden by your rights and freedoms. You may request a copy of any LIA by contacting our Privacy Officer.
Where we rely on explicit consent for health data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing that occurred before the withdrawal.
We use personal information only for the purposes identified at or before the time of collection. We do not use personal information for a new, incompatible purpose without your renewed consent.
Purposes we will never use your data for: Sale or rental of your personal data to any third party — ever. Targeted advertising by third-party advertisers on our platform. Profiling for purposes unrelated to your travel health. Employment background screening. Insurance underwriting decisions against you by any insurer partner.
TravelCarePlans uses artificial intelligence and automated processing to generate personalised care plans. We are transparent about how our AI works and what it does — and does not — do.
Our AI models cross-reference your health profile against destination-specific healthcare databases, medication availability registries, drug importation regulations, and emergency resource networks to produce your personalised care plan. The AI continuously learns from anonymised, aggregated data across users to improve recommendation quality and coverage accuracy.
Our AI-generated care plans are informational outputs, not clinical diagnoses. The platform does not diagnose medical conditions, prescribe treatments or medications, or provide a second opinion on medical decisions. All AI-generated content is designed to support — not replace — the guidance of your qualified healthcare professional. You should always consult your physician before making changes to your medications or care management while travelling.
Important medical disclaimer: TravelCarePlans is a health information tool. It is not a regulated medical device, a licensed clinical service, or a substitute for professional medical advice, diagnosis, or treatment. In a medical emergency, contact local emergency services immediately.
Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. To the extent our AI outputs may constitute such decisions, you may:
To exercise any of these rights, contact our Privacy Officer at privacy@travelcareplans.com.
We do not sell your personal data. We do not rent it. We do not trade it. We share personal information only in the limited circumstances described below.
We engage trusted third-party service providers who process personal data on our behalf, strictly under written data processing agreements that bind them to confidentiality, security, and purpose-limitation obligations at least as protective as this policy.
| Provider Type | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting, data storage, computing | Canada / United States |
| Analytics (Google Analytics) | Aggregate usage analytics, performance monitoring | United States |
| Form processing (Formspree) | Contact form and waitlist submission processing | United States |
| Transactional email delivery | Account, care plan, and security communications | United States / Canada |
For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms where required under GDPR.
Where you give explicit consent, we may transmit relevant portions of your care plan to:
We will always ask for your explicit consent before any such transmission, except where the disclosure is necessary to prevent imminent danger to life as permitted under PIPEDA Section 7(3)(e) and equivalent provincial legislation.
We may disclose personal information without your consent only where:
We will notify you of any such disclosure unless we are legally prohibited from doing so.
If HEAL28 Academy Corporation undergoes a merger, acquisition, restructuring, or sale of all or substantially all of its assets, personal data may form part of the transferred assets. We will notify affected users before their personal information is transferred and becomes subject to a materially different privacy policy. You will have the opportunity to request deletion of your data before the transfer takes effect.
Given the sensitivity of health information and its potential to cause significant harm if mishandled, we apply the following specific protections beyond our general privacy commitments:
We obtain separate, specific, informed, and unambiguous consent before collecting any health information. This consent is not bundled into general terms acceptance. You may withdraw health data consent at any time; withdrawal will limit care plan personalisation but will not affect your access to general platform features.
Your health data is used exclusively to: (a) generate and maintain your travel care plan, and (b) support your in-journey health assistance via the AI nursing assistant. It is never used for marketing, profiling, advertising, or any purpose unrelated to your direct care.
We explicitly prohibit — by contractual obligation — any insurance or travel partner from using individual health data obtained via TravelCarePlans to underwrite, deny, limit, or price any insurance policy. Any aggregate or anonymised data shared with partners is de-identified to a standard that makes re-identification effectively impossible.
You may choose which health conditions to include in your care plan. You are never required to disclose all conditions to use the service, and partial disclosure will not result in reduced access to other platform features.
Health data is retained only for the duration of your active account, plus a maximum of 12 months following account closure (to enable account reactivation). After that period, all health data is permanently and irreversibly deleted using secure erasure methods. You may request immediate deletion at any time.
We implement administrative, physical, and technical safeguards commensurate with the sensitivity of the personal information we handle — including health data — and aligned with PIPEDA, PIPA (BC), GDPR, and HIPAA-equivalent standards.
No security measure is absolute. Despite our best efforts, no method of electronic storage or transmission over the internet is 100% secure. If you believe your account or data has been compromised, please contact us immediately at privacy@travelcareplans.com.
We are subject to mandatory privacy breach notification requirements under PIPEDA's Breach of Security Safeguards Regulations (SOR/2018-64), PIPA (BC), and — for EU users — GDPR Articles 33 and 34.
If we become aware of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals (as defined under PIPEDA), we will:
We retain personal information only as long as is necessary for the identified purpose or as required by applicable law. We apply the following retention schedules:
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of active account + 12 months post-closure |
| Health information | Duration of active account + 12 months post-closure |
| Care plan history | Duration of active account + 12 months post-closure |
| Contact form and waitlist submissions | 24 months from submission date |
| Analytics data (anonymised aggregate) | 26 months (Google Analytics standard) |
| Security and access logs | 12 months |
| Privacy breach records | Minimum 24 months (PIPEDA SOR/2018-64 requirement) |
| Legal correspondence | 7 years from resolution |
When data is deleted, we use secure deletion methods (overwriting, cryptographic erasure, or equivalent) to ensure that deleted personal information cannot be recovered or reconstructed.
Depending on your location, you have the following rights regarding your personal information. We will verify your identity before processing any request.
Submit a written request to privacy@travelcareplans.com identifying the right you wish to exercise and the personal information concerned.
We will acknowledge your request within 5 business days and respond in full within 30 calendar days. Where an extension is required (permitted by law), we will notify you of the extended timeline before the 30-day period expires.
We will not charge a fee for most requests. For manifestly unfounded or excessive requests, we may charge a reasonable fee consistent with applicable law, or decline the request — and will explain our reasoning in writing.
We use cookies and similar tracking technologies on our website. Below is a full description of what we use and why.
| Cookie Type | Purpose | Opt Out? |
|---|---|---|
| Strictly Necessary | Session management, security (CSRF protection), form functionality, login state | No — required for the site to function |
| Analytics (Google Analytics) | Aggregate usage patterns, page views, session duration, referral sources — used to improve the platform | Yes — via browser settings or Google's opt-out tool |
| Preference | Remembers your language, display, and accessibility preferences between sessions | No — needed to remember your settings |
| Marketing / Retargeting (Meta Pixel) | Conversion tracking and retargeting advertising — currently disabled and not placed by default | Yes — will be opt-in only before activation |
For users in the EU or EEA, we will display a cookie consent banner before placing any non-essential cookies (analytics, preference, or marketing). Non-essential cookies will not be set until you affirmatively consent. You may withdraw cookie consent at any time by clicking the "Cookie Preferences" link in the footer or by clearing cookies in your browser settings.
Some browsers transmit "Do Not Track" (DNT) signals. We currently honour DNT signals by disabling analytics tracking for sessions where a DNT signal is detected.
TravelCarePlans is not designed for, directed at, or intended to be used by persons under the age of 18. We do not knowingly collect personal information from individuals under 18.
If you are a parent or legal guardian and you believe your child has provided us with personal information without your consent, please contact us immediately at privacy@travelcareplans.com. We will verify the report and delete the information promptly.
Where a minor travels with a carer or guardian who uses TravelCarePlans to manage the minor's travel health, consent to collection and processing of the minor's health information must be provided by the parent or legal guardian, who assumes responsibility for all authorisations made on the minor's behalf.
As a British Columbia–incorporated company serving users globally, your personal information may be transferred to, stored in, or processed in countries outside your country of residence — including Canada, the United States, and countries where our cloud infrastructure providers operate.
These countries may not have privacy laws equivalent to those in your jurisdiction. We address this through the following mechanisms:
We will only send you commercial electronic messages — newsletters, product updates, promotional content — if one of the following applies:
Every commercial electronic message we send includes: (a) clear identification of HEAL28 Academy Corporation as the sender; (b) valid contact information; and (c) a functional one-click unsubscribe link. We will process unsubscribe requests within 10 business days, as required by CASL Section 11.
Transactional communications — such as account confirmation, care plan delivery, security alerts, and responses to your direct enquiries — are not commercial electronic messages and are not subject to marketing consent requirements.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make changes:
Your continued use of TravelCarePlans after the effective date of any update constitutes your acceptance of the non-material changes. Material changes do not take effect without your affirmative acknowledgement.
Danison Buan — Co-Founder & CEO, HEAL28 Academy Corporation
Email: privacy@travelcareplans.com
General: hello@travelcareplans.com
If you are not satisfied with our response to a privacy inquiry or complaint, you have the right to escalate to the relevant regulatory authority:
| Jurisdiction | Authority | Contact |
|---|---|---|
| Canada (Federal — PIPEDA) | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca · 1-800-282-1376 |
| British Columbia (PIPA) | Office of the Information and Privacy Commissioner for BC | oipc.bc.ca |
| European Union / EEA | Your local data protection supervisory authority | Find your authority |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
Legal review note: This policy has been prepared to PIPEDA, PIPA (BC), and GDPR standards for a healthtech startup. It is substantive and designed to be defensible under regulatory scrutiny. However, as your operations scale — particularly if you begin processing health data in Ontario (PHIPA), engage US health system partners (HIPAA BAAs), or process significant EU data volumes (possible GDPR DPO requirement) — we recommend a formal review with a Canadian privacy lawyer specialising in health information law.