Privacy Policy

1. Introduction

Digits Rehab Inc. (“Digits,” “we,” “us,” or “our”) is a company incorporated in Ontario, Canada, with its principal place of business in London, Ontario. We operate under the brand names Digits Health and Digits Research Connect, and we provide digital hand-health assessments that use computer-vision technology powered by the camera on your computer, tablet, or phone.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information — including health-related information — when you visit digitshealth.com (the “Website”), use our hand-health assessment tools and applications (the “Services”), or participate in research through Digits Research Connect.

We are committed to protecting your privacy and handling your personal information in accordance with applicable privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and the privacy laws of the United States and its states. Please read this Policy carefully. By using our Services, you acknowledge that you have read and understood this Policy.

2. Scope of This Policy

This Policy applies to personal information we handle as a business in our own right — for example, when individuals use Digits Health directly, or when we operate Digits Research Connect.

In some cases, our Services are made available to you through a healthcare provider, clinic, employer, insurer, or research institution (each, an “Organization”). When we provide Services on behalf of an Organization, that Organization may be the party responsible for deciding how your information is used, and may be a “health information custodian” under PHIPA or a “covered entity” under U.S. health-privacy law. In those situations we generally act as a service provider, agent, or processor to the Organization, and the Organization’s own privacy policy and any consent you gave to it will also apply. If there is a conflict between this Policy and your agreement with the Organization, the arrangement we have with that Organization governs our handling of your information on its behalf.

If you are unsure whether you are using Digits directly or through an Organization, contact us at privacy@digitshealth.com.

3. Key Terms

• Personal information means information about an identifiable individual. Depending on the jurisdiction, this may also be called “personal data” or “personal information” under U.S. state laws.
• Personal health information means personal information about your physical or mental health, the health services you receive, or related matters — for example, the results of a hand-health assessment.
• Assessment data means the information generated when you complete a Digits hand-health assessment, primarily the derived measurements described in Section 5.
• Derived measurements means the numerical and analytical data (such as joint-angle estimates, range-of-motion values, landmark coordinates, and scores) that our computer-vision software calculates from the camera feed on your device.

4. Information We Collect

We collect the following categories of information:

4.1 Information you provide to us

• Account and contact information, such as your name, email address, password, and (where relevant) date of birth or age range.
• Profile and health-context information you choose to provide, such as the hand or condition being assessed, symptoms, or other details relevant to the assessment.
• Communications you send us, including support requests, survey responses, and feedback.
• Information related to research participation, where you join a study through Digits Research Connect (see Section 9).

4.2 Assessment data from the camera and computer vision

Our hand-health assessments use the camera on your device together with computer-vision software. Importantly, the computer-vision analysis runs locally on your device. We do not collect, transmit, or store the raw photographs or video of your hands. What leaves your device and is received by us is the derived measurements — the numerical results calculated from the camera feed — not the underlying images or video.

Section 5 explains how this works in more detail. If our technology ever changes such that images or video would be collected or transmitted, we will update this Policy and obtain any consent required before doing so.

4.3 Technical and usage information

• Device and connection information, such as device type, operating system, browser type, and IP address.
• Usage information, such as the features you use, the dates and times of assessments, and how you interact with the Website and Services.
• Cookies and similar technologies, as described in Section 18.

4.4 Information from Organizations and partners

If you access the Services through a healthcare provider, clinic, employer, insurer, or research institution, we may receive information about you from that Organization, such as identifiers used to associate your assessments with your care or with a study. We handle this information in accordance with our agreement with the Organization and applicable law.

5. How the Camera and Computer Vision Work

We want to be clear and transparent about the most sensitive part of our Services — the use of your device’s camera.

• On-device processing. When you complete an assessment, our software accesses your device’s camera with your permission and analyzes the live camera feed directly on your device. This analysis identifies hand landmarks and motion in order to calculate measurements.
• Only measurements are collected. The raw images and video frames are processed in real time on your device and are not sent to or stored by Digits. The information that is transmitted to and stored by us consists of the derived measurements and assessment results.
• Camera permission. Your device or browser will ask for permission before the camera can be used. You can decline or revoke camera access at any time through your device or browser settings, although the assessment cannot run without camera access.
• Your control. Because images and video are not collected, the privacy-sensitive biometric content stays on your device. We designed the Services this way to minimize the personal information we hold.

6. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and deliver the hand-health assessments and related Services.
• To generate, display, and store your assessment results and track changes over time.
• To create and manage your account and authenticate you.
• To make the Services available to and coordinate with the Organization through which you access them, where applicable.
• To respond to your inquiries and provide customer and technical support.
• To improve and develop our Services, including improving our computer-vision models as described in Section 7.
• To conduct research, where applicable and with appropriate consent, as described in Section 9.
• To monitor, maintain, and secure our systems, prevent fraud or misuse, and ensure the Services function properly.
• To comply with our legal and regulatory obligations and to establish, exercise, or defend legal claims.

7. Consent and Legal Basis

Under Canadian privacy law, we collect, use, and disclose personal information with your knowledge and consent, except where permitted or required by law. Depending on the sensitivity of the information and the circumstances, your consent may be express (for example, when you agree to an assessment or to research participation) or implied (for example, your continued use of features you have requested).

Because hand-health assessment results are sensitive health information, we seek your express consent for the collection and use of that information for assessment purposes. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us as described in Section 20. Withdrawing consent may mean we can no longer provide some or all of the Services to you.

8. Use of Data to Improve Our Computer-Vision Models

We use data to develop and improve the accuracy and performance of the computer-vision models that power our assessments. The data used for this purpose consists of the derived measurements described in Section 5 — not raw images or video, which (as noted) are processed on your device and are not collected by us.

Where we use this measurement data to train or improve our models, we take steps to limit the information to what is necessary for that purpose and, wherever practical, to aggregate or de-identify it. We do not sell your personal information.

9. Research and Digits Research Connect

Through Digits Research Connect, we and our research partners may conduct studies that use assessment data and related information. Participation in research is voluntary.

• Where research involves your identifiable personal information, we will obtain your informed consent separately and in accordance with applicable research-ethics requirements before enrolling you.
• Research is typically conducted using de-identified or coded data wherever possible, so that you cannot reasonably be identified from the data used.
• Research conducted with or for academic, clinical, or institutional partners may be subject to review and approval by a research ethics board (REB) or institutional review board (IRB), and to the terms of the consent you provide for that study.
• You may withdraw from a study in accordance with the consent materials for that study, although data already used or de-identified may not be retrievable.

10. How We Share and Disclose Information

We do not sell your personal information. We share personal information only as described below:

• Service providers. We use third-party service providers (such as cloud hosting, data storage, analytics, and customer-support providers) to help us deliver the Services. They are permitted to use personal information only as needed to perform services for us and under contractual obligations to protect it.
• Organizations through which you access the Services. If you use Digits through a healthcare provider, clinic, employer, insurer, or research institution, we share relevant information with that Organization to provide the Services and your results.
• Research partners. Where you have consented to research participation, we may share data with research partners as described in Section 9 and in your study consent materials.
• Legal and safety reasons. We may disclose information if required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, safety, or property of Digits, our users, or others.
• Business transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to applicable law and appropriate confidentiality protections.

11. Where Your Information Is Stored

We store the personal information we collect on servers located in Canada. Our service providers may process limited information on our behalf; where any such processing occurs outside Canada, we take steps to ensure the information receives a comparable level of protection and remains subject to appropriate contractual safeguards.

12. Information for Users in the United States

If you access the Services from the United States, the following additional information applies.

12.1 Cross-border storage

Your information is stored in Canada. By using the Services, you understand that your information will be transferred to and processed in Canada, which may have data-protection laws that differ from those in your state. While stored in Canada, your information may be accessible to Canadian government authorities under Canadian law.

12.2 HIPAA

Where Digits provides Services to or on behalf of a U.S. healthcare provider, health plan, or other “covered entity” (or its business associate) under the U.S. Health Insurance Portability and Accountability Act (HIPAA), we will handle protected health information in accordance with the applicable business associate agreement and HIPAA. In those cases, the covered entity’s notice of privacy practices also applies to your information.

12.3 U.S. state privacy rights

Depending on your state of residence (for example, California under the CCPA/CPRA, and similar laws in other states), you may have rights to know about, access, correct, delete, and limit certain uses of your personal information, and to not be discriminated against for exercising those rights. We do not sell personal information or share it for cross-context behavioral advertising. To exercise applicable rights, contact us as described in Section 20.

12.4 Biometric information

Some U.S. state laws (such as the Illinois Biometric Information Privacy Act, or BIPA) regulate “biometric identifiers” and “biometric information.” As described in Section 5, our computer-vision analysis of your hands is performed on your device, and we do not collect or store photographs, video, or scans of hand geometry; we collect only the derived measurements. We do not use any information we collect to identify you biometrically.

13. Information for Use Through Ontario Health-Care Providers

Where Digits provides Services to or on behalf of an Ontario health information custodian (such as a clinic or healthcare practitioner) under PHIPA, we generally act as an agent or service provider to that custodian. In that role, we collect, use, and disclose personal health information only as permitted by the custodian and as necessary to provide the Services, and the custodian remains responsible for obtaining consent and for the overall management of your personal health information. The custodian’s own privacy practices will also apply.

14. How Long We Keep Your Information

We retain your personal information for as long as your account remains active and for as long as needed to provide the Services, including to maintain your assessment history so you and (where applicable) your provider can track changes over time.

When you close your account or ask us to delete your information, we will delete or de-identify your personal information, except where we are required or permitted by law to retain it (for example, to meet legal, regulatory, accounting, or legitimate research obligations, or to resolve disputes and enforce our agreements). De-identified data may be retained and used without further notice.

15. Your Privacy Rights and Choices

Subject to applicable law, you have the following rights regarding your personal information:

• Access. You can request access to the personal information we hold about you and information about how it has been used and disclosed.
• Correction. You can ask us to correct information that is inaccurate or incomplete.
• Withdraw consent. You can withdraw your consent to our collection, use, or disclosure of your information at any time, subject to legal or contractual restrictions and reasonable notice.
• Deletion. You can request that we delete your account and personal information, subject to the exceptions described in Section 14.
• Portability and other rights. Where applicable law provides additional rights (such as certain U.S. state rights described in Section 12), you may exercise those as well.

To exercise any of these rights, contact us at privacy@digitshealth.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on your request. If you access the Services through an Organization, we may direct your request to that Organization or ask you to contact it directly.

16. Children and Minors

Our Services may be used by individuals under the age of 18 (“minors”), but only with the involvement and consent of a parent or legal guardian, or, in a clinical setting, in accordance with the consent obtained by the supervising healthcare provider. We do not knowingly collect personal information directly from a minor without the appropriate consent.

If you are a parent or guardian and believe a minor has provided us with personal information without appropriate consent, please contact us and we will take reasonable steps to address it.

17. How We Protect Your Information

We use administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, use, disclosure, or modification. These measures include encryption in transit and at rest where appropriate, access controls, and storing data on servers located in Canada. The on-device design of our computer-vision technology also reduces risk by keeping raw images and video on your device.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security breach that affects your personal information, we will notify you and the appropriate regulators where required by law.

18. Cookies and Similar Technologies

Our Website uses cookies and similar technologies to operate the site, remember your preferences, keep you signed in, and understand how the Website and Services are used. You can control cookies through your browser settings, although disabling some cookies may affect how the Website functions.

19. Third-Party Links and Services

Our Website and Services may contain links to third-party websites or services that we do not operate or control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.

20. How to Contact Us

If you have questions, concerns, or requests about this Policy or our handling of your personal information, please contact our Privacy Officer:

21. Complaints and Regulators

If you are not satisfied with our response to a privacy concern, you may contact the relevant privacy regulator.

• Canada (federal): Office of the Privacy Commissioner of Canada (priv.gc.ca).
• Ontario (health information): Information and Privacy Commissioner of Ontario (ipc.on.ca).
• United States: your state attorney general or applicable state privacy regulator; for HIPAA matters, the U.S. Department of Health and Human Services, Office for Civil Rights.

22. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date above and, where required by law, provide additional notice or seek your consent. We encourage you to review this Policy periodically.