Privacy Policy

Last Updated: February 02, 2026

Thank you for using Hyperfocus. Hyperfocus is a software service developed by Hyperfocus (“we,” “our,” or “us”). We are fully committed to protecting your privacy. This Privacy Policy explains the information we collect from and about you, how we collect it, how and why we use that information, and how it may be shared with third parties.

This Privacy Policy governs and applies to your use of, and any content, products, or services made available from or through, the website hyperfocus.online, including any subdomains thereof (“Website” or “Service”). The Website and Service are owned and operated by us.

Please read this entire Privacy Policy before using or submitting information to or through the Service. By accessing the Service on any device, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy applies only to our Service and not to any other websites you may access from it, which may have different data practices. When you leave our Service via a link, you are subject to that site's policies.

We may update this policy; changes will be posted here with the updated date. Your continued use of the Service affirms your agreement to such changes.

The Service is intended primarily for users in Canada and complies with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

Section 1 – What Information Do We Collect?

We collect two types of information: Personally Identifiable Information (“PII”) and Non-Personally Identifiable Information (“Non-PII”). PII identifies you as an individual, such as your name, email address, date of birth, or other identifiers. Non-PII includes aggregated, demographic, or technical data (e.g., IP addresses, device information) that does not reveal your identity.

PII and Non-PII may be collected when you access or use the Service, during interactions with us (e.g., emails, calls), or through cookies (see Section 4).

If you are a clinician or clinic user, we may collect:

  • Account details (e.g., username, name, email, professional credentials).

  • Billing information if applicable (e.g., payment details for subscriptions).


If you are a client user, we may collect (on behalf of your clinician):

  • PII such as name, email, date of birth, and contact details.

  • Self-report information, including responses to history forms, questionnaires, and details about mental health conditions or disorders for clinical assessments.


We collect this information when you register, respond to clinician-requested forms or questionnaires, or interact with the Service. You may visit anonymously, but full functionality requires providing information.

We do not collect sensitive health information directly from clients without clinician involvement and your consent. We do not collect data directly from children; parents/guardians or clinicians create accounts and provide responses on their behalf.

Section 2 – How Do We Use Your Information?

We use your information to provide and improve the Service, including:

  1. Enabling clinicians to capture and manage client self-report information for mental health assessments.

  2. Allowing clinicians to request and review client responses to forms and questionnaires.

  3. Supporting AI tools for analyzing self-report information and generating summaries (see Section 11 for details).

  4. Processing subscriptions, responding to inquiries, and providing customer support.

  5. Administering Service features, such as secure sharing between clinicians and clients (only at clinician request).

  6. If opted-in, sending newsletters or updates. (See Section 11 for opt-out.)


We process health-related data solely for the purposes requested by clinicians, with their oversight.

Section 3 – How Do We Protect Your Information?

We implement robust security measures to safeguard your information, especially sensitive health data. This includes:

  • Secured networks with encryption (e.g., SSL/TLS).

  • Access limited to authorized personnel bound by confidentiality.

  • Regular security audits and compliance with Canadian privacy laws (e.g., PIPEDA).

  • Data stored in secure, compliant databases.


For third-party providers (e.g., Google Cloud for storage, Vertex AI for LLM processing), we use their Canadian regions and contractual agreements ensuring comparable protection under PIPEDA. For health data, we adhere to additional protections under applicable provincial health privacy laws.

Section 4 – Do We Use “Cookies”?

Yes, we use cookies to enhance your experience, remember preferences, and gather usage data. We may use third-party analytics (e.g., Google Analytics) for this, but they are restricted to helping us improve the Service. You can manage cookies via your browser settings, though this may limit functionality.

Section 5 – Do We Disclose the Information We Collect to Third Parties?

We may share PII in limited circumstances:

  • With clinicians or clinics: For healthcare referrals or to facilitate assessments (e.g., sharing client self-reports with authorized professionals).

  • With clients: Only at the clinician's request, such as sharing approved summaries.

  • With service providers (e.g., hosting, payment processors) who are contractually obligated to confidentiality.

  • If required by law (e.g., court orders, public safety).

  • In a business transfer (e.g., merger), where the acquirer assumes our obligations.

  • With your express consent.


We do not sell, trade, or rent PII for marketing. Non-PII may be shared for analytics or advertising. Health data is shared only within the healthcare context and with clinician or client approval.

Section 6 – Who is Responsible for Safeguarding Usernames and Passwords?

You are responsible for maintaining the confidentiality of your account credentials. Do not share them. You are liable for activities under your account. Notify us immediately of any breach at team@hyperfocus.online. We are not liable for losses from your failure to comply.

Section 7 – Who Owns Submissions to the Service?

Submissions (e.g., feedback, ideas) are non-confidential and become our property, granting us royalty-free rights to use them. Client self-reports are owned by the client or clinician as per healthcare laws, but we may use de-identified data for Service improvement (see Section 8).

Section 8 – AI Tools and Data Processing

Clinicians may use our AI tools (powered by third-party LLMs on Canadian servers) to analyze self-reports and generate summaries.

  • Data Processed: Only clinician-requested self-report data.

  • Oversight: Clinicians must review/approve outputs before sharing. AI is advisory; clinicians are responsible for accuracy and clinical decisions.

  • Improvements: If data is used for system enhancement, only de-identified data is used (names, emails, school names, addresses, phone numbers, health card numbers, etc. replaced with labels; DOB day removed; etc., ensuring no re-identification).

  • Protections: Processing on secure Canadian servers; third-party providers bound by agreements.

  • No Automated Decisions: Outputs require human review.


Section 9 – Data Retention

We retain data as necessary for the Service or legal obligations. Retention of client records is the clinician's responsibility per their professional rules (e.g., BC psychologists often require 7+ years post-last contact, longer for minors). We delete or anonymize data upon clinician request, account closure, or when no longer needed, subject to legal holds.

Section 10 – Children's Data

Children do not directly access the Service. Parents/guardians or clinicians manage accounts and provide data. Retention follows clinician/professional guidelines.

Section 11 – Your Rights

Under PIPEDA, you may access, correct, or request deletion of your data. Contact team@hyperfocus.online. We respond promptly (typically within 30 days).

Section 12 – Security Certifications

We prioritize strong security and are considering or pursuing certifications to demonstrate compliance:

  • ISO 27001

  • SOC 2

  • HITRUST CSF


These involve significant documentation, audits, and ongoing maintenance. We evaluate them based on business needs and client requirements.

Section 13 – Data Breaches

In the event of a breach of security safeguards involving personal information under our control, we will respond in accordance with PIPEDA and applicable provincial laws.

If we determine that the breach creates a real risk of significant harm to one or more individuals (considering factors such as the sensitivity of the information, likelihood and potential harm, and whether the data was encrypted or anonymized), we will:

  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as required.

  • Notify affected individuals directly (or indirectly if permitted by law) as soon as feasible after the determination. Notifications will include details about the breach, steps we are taking to mitigate harm, and contact information for further questions or assistance.

  • Maintain records of all breaches (including those not meeting the reporting threshold) for at least two years, as required by PIPEDA.


We maintain incident response protocols to detect, contain, investigate, and remediate breaches promptly. If you believe your information may have been compromised, contact us immediately at team@hyperfocus.online. We encourage clinicians to have their own breach response plans for client data under their professional obligations.

Section 14 – Contact Us

For questions, email team@hyperfocus.online.