Privacy policy

PRIVACY POLICY

Your privacy is important to The Boardwalk Pharmacy ("the Pharmacy", "we", "our", "us"). We are a Health Information Custodian under Ontario's Personal Health Information Protection Act, 2004 ("PHIPA") and are also governed by Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA").

This policy explains what personal and personal health information we collect, how we use and protect it, who we share it with, and your rights. It covers information you give us in person at our store, through our website, by phone (including through our automated phone assistant), or through any other interaction with us.

This policy was last updated on May 21, 2026.


1. What information we collect

Depending on how you interact with us, we may collect:

  • Identifying information ‚Äî name, date of birth, mailing address, phone number, email, OHIP/health card number, and other government-issued identifiers required to dispense prescriptions.
  • Health information ‚Äî prescription history, medications, allergies, medical conditions you choose to share, prescriber information, and any clinical notes the pharmacy team makes while caring for you.
  • Transaction information ‚Äî purchases, refill requests, prescription pick-up and delivery details, insurance and billing details.
  • Communications ‚Äî voice recordings, transcripts, and messages from calls handled by our automated phone assistant (see Section 3), emails you send us, and messages from our online forms.
  • Website analytics ‚Äî basic usage data when you visit theboardwalkpharmacy.com, including pages viewed, device type, and approximate location. Our website uses cookies and similar technologies for security, functionality, and analytics.


2. How we use your information

We use your information to:

  • Dispense, deliver, and manage your prescriptions and pharmacy services;
  • Communicate with you about your care, refills, and pickup readiness;
  • Bill your insurance and process payments;
  • Comply with regulatory, professional, and legal obligations (including the Ontario College of Pharmacists' record-keeping requirements);
  • Operate, secure, and improve our store and online services;
  • Conduct quality assurance, including reviewing transcripts of calls handled by our automated assistant.

We do not sell your personal information. We do not use your personal health information for marketing without your express consent.


3. Automated after-hours phone assistant ("Sam")

When you call our pharmacy line outside of business hours, your call may be answered by an artificial-intelligence voice assistant we call Sam. Sam is an automated system — not a human pharmacist or staff member — and identifies itself as such at the start of every call.

Sam can capture the following kinds of information you choose to share: your name, date of birth, prescription number or medication name, callback phone number, pickup or delivery preference, and the reason for your call. Our pharmacy team reviews these capture records the next business morning and follows up with you.

Calls handled by Sam are processed and stored in the United States by our voice-agent infrastructure provider and its sub-processors (see Section 4). For each call we keep the call audio, transcript, and structured capture data for no longer than 60 days, after which they are permanently deleted from our voice-agent provider's systems. Capture emails delivered to our pharmacy mailboxes are auto-purged after 60 days under a retention rule we maintain.

Sam does not give clinical or medical advice. Sam does not access your prescription record during the call — every refill or message is reviewed by a member of our team before any action is taken.

If you prefer not to interact with an automated assistant, you may call back during business hours (Monday–Thursday 9 AM–6 PM; Friday–Saturday 9 AM–4 PM) to speak with a member of our team, or visit us in person at 430 The Boardwalk, Waterloo, ON.


4. Service providers and cross-border processing

We use a small number of trusted service providers to operate our pharmacy and after-hours phone system. Each provider with access to personal health information has signed a written agreement (a Business Associate Agreement or equivalent) requiring them to protect your information consistent with this policy and applicable law.

The principal categories of service providers, and where they process your information, are:

  • Kroll (Telus Health) ‚Äî pharmacy management and prescription record system. Processed and stored in Canada.
  • Daytime phone system (GoTo Connect) ‚Äî handles inbound calls to our pharmacy line during business hours and forwards calls after hours to our automated assistant. Processed in North America.
  • After-hours automated assistant (Retell AI, Inc.) ‚Äî provides the voice-agent infrastructure for Sam. Calls are processed in the United States (Oregon).
  • Voice technology sub-processors used by Retell: Twilio (telephony), Deepgram (speech-to-text), OpenAI (large language model), ElevenLabs and MiniMax (text-to-speech). All process call audio and/or transcripts in the United States.
  • Cloud infrastructure (Amazon Web Services) ‚Äî hosts our backend services and email delivery. Sam's backend runs in AWS Canada (Central). Voice-agent storage runs in AWS US West (Oregon).
  • Email and document storage (Google Workspace) ‚Äî hosts our pharmacy email inboxes (including capture emails from Sam) under a signed Business Associate Agreement, with a 60-day auto-delete rule for Sam-generated emails.
  • E-commerce platform (Shopify) ‚Äî hosts theboardwalkpharmacy.com.

By using our pharmacy services, including Sam, you understand that some of your personal health information will be processed in the United States and may be subject to U.S. laws. We have selected providers that contractually commit to PHIPA-aligned safeguards, but you should be aware that information stored outside Canada may be accessed by foreign governments under their laws.

Your data is not used to train AI models. Our voice-agent provider has contractually committed, in writing, not to use your call audio, transcripts, or any derivatives (including aggregated, de-identified, anonymized, or embedded forms) to train, improve, or develop any artificial intelligence or machine learning system.


5. How long we keep your information

We retain your prescription and health records for the period required by the Ontario College of Pharmacists and applicable law (currently a minimum of 10 years from the date of the last entry, or longer for minors). Other information is kept only as long as we need it for the purpose for which it was collected, after which we delete or destroy it securely. Specific retention periods include:

  • Sam call audio, transcripts, and capture data ‚Äî 60 days, then permanent deletion.
  • Pharmacy mailbox emails generated by Sam ‚Äî 60 days, then auto-purged.
  • Prescription records ‚Äî minimum 10 years (regulatory requirement).


6. Your rights under PHIPA

You have the right to:

  • Access the personal health information we hold about you;
  • Request that we correct information you believe is inaccurate or incomplete;
  • Withdraw consent for certain uses or disclosures of your information (subject to legal and clinical-safety limits);
  • Request that we not use the automated after-hours assistant for your calls ‚Äî if you make this request, we will note it on your file and our team will return your call the next business day instead;
  • File a complaint with us or with the Information and Privacy Commissioner of Ontario.

To exercise any of these rights, contact our Privacy Officer (Section 9).


7. How we protect your information

We use administrative, physical, and technical safeguards to protect your information, including: access controls on our pharmacy system, encryption of data in transit and at rest, signed agreements with all service providers, regular staff training, and audit logging. Where we use cloud providers, we select providers that are SOC 2 certified and offer HIPAA-eligible services under signed Business Associate Agreements.


8. Children's information

We collect information about minors only as needed to dispense prescriptions and provide pharmacy services, and only with consent of a parent or substitute decision-maker.


9. Privacy Officer / Contact us

If you have questions about this policy, want to access or correct your information, or want to file a privacy complaint, please contact our Privacy Officer:

Andrew Awadalla, Privacy Officer
The Boardwalk Pharmacy
430 The Boardwalk, Suite 102
Waterloo, ON N2T 0C1
Phone: (519) 578-3000
Email: andrew@theboardwalkpharmacy.com

You may also contact the Information and Privacy Commissioner of Ontario at www.ipc.on.ca or 1-800-387-0073.


10. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. We will post any updated version on this page and update the "last updated" date at the top. If we make material changes, we will notify you through a prominent notice on theboardwalkpharmacy.com.