PRIVACY POLICY
Security and privacy at the heart of our operations
From design to deployment to operation, security and privacy are part of the equation. Nothing is left to chance in protecting your data throughout its lifecycle, using practices and processes that follow the best industry standards.
Last updated: June 18, 2026
1. Our Commitment
At Lime Health Inc. (“Lime Health,” “we”), the protection of personal information is a top priority. From design to deployment and operation, security and privacy are an integral part of the equation. Nothing is left to chance in protecting your data throughout its life cycle, using practices and processes aligned with the best industry standards.
This policy aims to inform you of our practices regarding the collection, use, disclosure, and retention of your personal information, in compliance with the applicable Data Protection Laws, including Law 25 (Quebec), PIPEDA (Canada), the General Data Protection Regulation of the European Union (GDPR), the new Swiss Federal Act on Data Protection (nFADP), and, where applicable, the Health Insurance Portability and Accountability Act of the United States (HIPAA).
It applies to our corporate website, the processing of data related to the use of the Lime platform, and any interaction with an authorized Lime Health employee, representative, or subcontractor, including by email, telephone, in person, or by videoconference.
1.1 Who we are
Lime Health is a health technology company whose mission is to measure and improve the patient experience. We develop digital tools that facilitate communication between users and the healthcare network. In this context, we collect and use certain personal data.
1.2 Who this policy is for
Our practices vary according to your relationship with Lime Health. We distinguish three profiles:
Platform Users: persons authorized by a client institution to use the PREMs, PROMs, or messaging modules, with distinct permissions and access rights.
Respondents: persons invited to respond to a survey or communication (often patients, users, or caregivers). A Respondent may be solicited through various channels, including a patient portal (Lime Health’s portal, including votreexperience.ca, or a Client portal integrating the Platform), a text message, an email, the Emilia mobile application, or a third-party application provided or orchestrated within a Client’s environment.
Corporate website Visitors: persons who consult our website without necessarily using the platform.
2. What Data We Collect
“Personal information” means any information that allows a person to be identified or made identifiable. This includes “health information,” which encompasses any information related to a person’s health, including diagnosis, treatments, and care received.
2.1 Corporate website
When you visit our website or interact with us for communication, information, or recruitment purposes, we may collect, without limitation:
First and last name
Email address
Telephone number
IP address
Content of messages sent via forms, chat, or email
Information provided in connection with a newsletter subscription, contest, survey, or recruitment process
2.2 Lime Platform
For the operation of the Lime platform, we collect only the personal information necessary to measure the patient experience and improve care pathways. The types of information may include, without limitation:
First and last name
Email address
IP address
Unique identifier
Language
Questionnaire or experience-measurement results
Demographic data enabling personalized support
For Respondents, certain collected information is administered and retained under the sole responsibility of the healthcare institution that supports you. In that case Lime Health acts solely as a processor: it retains no copy of such data and exercises no control over it. This data may include information relating to your medical status and care pathway.
3. Why We Collect Your Data and on What Basis
Depending on the purpose, Lime Health and, where applicable, its partner healthcare institutions act as controllers or as processors. The following table sets out the purposes, categories of data, controller, and legal basis.
Purpose | Category of data | Controller | Legal basis | Retention
Communication and response to requests (website) | Contact details, message content | Lime Health | Consent / legitimate interest | As long as necessary for the request
User account management | Identifiers, contact details | Lime Health | Performance of contract | Term of the service contract
Processing of survey responses | Responses, experience data | Client institution | Explicit consent | According to the retention schedule of the healthcare institution responsible for the processing
Aggregated indicators to partners | Aggregated (non-identifying) data | Client institution | Explicit consent | Retained only in aggregated, non-identifying form, for the period necessary to monitor performance
Internal research and development | Aggregated data, navigation data | Lime Health | Legitimate interest | For the period necessary for the development, improvement, and proper functioning of the systems, based on aggregated or anonymized data
Legal and regulatory obligations | As required by the obligation | Lime Health | Legal obligation | As required by law
We will not retain your personal data longer than necessary to achieve the purposes for which it was collected, including any legal requirement.
3.1 Anonymized data
In all cases, personal data may be used without the user’s knowledge or consent where the law requires or permits it, or where it has been rendered anonymous or pseudonymous so that it is no longer associated with an identifiable person.
4. Consent
We process personal data with your consent, and you have the right to withdraw your consent for specific purposes. By submitting information to the corporate website or by using the Lime platform, you consent to its collection, use, and disclosure in accordance with this policy, within the limits permitted by law. You may withdraw your consent at any time by contacting our privacy officer. If you provide information concerning another person, you warrant that you have the necessary authorization.
5. How We Share Your Data
Your personal data may be shared with regulatory authorities in accordance with legal requirements, or with third parties where necessary to provide the Services. Third parties include service providers, professional advisors, and other members of the Lime Health network.
All third parties are contractually required to respect the confidentiality and security of the data and have no right to use it beyond the required services. The services concerned include web hosting, IT and cloud services, consulting, bug reporting, logging, and analytics.
We do not sell or trade your personal data to third parties. We share only aggregated data with our partners, not linked to the identity of an individual user.
6. Where We Process Your Data
If you use the corporate website or the Lime platform, you send information to our servers. The location depends on your region:
Country / Region | Category of data | Reason
Canada | Client Data | Hosting for Canadian clients and primary hosting for the delivery of the Services
Switzerland (Zurich) | Client Data | Hosting for European (including Belgian) and Swiss clients; Switzerland benefits from an adequacy decision of the European Commission
United States | Client Data | Hosting for American clients
United States | Cookie data | Marketing, website functionality, bug reporting, analytics, logging
For our European (including Belgian) and Swiss clients, Client Data is hosted in Zurich, Switzerland. Switzerland benefits from an adequacy decision of the European Commission: it is recognized as ensuring a level of data protection equivalent to that of the European Union, so that the transfer of data of European Economic Area residents to Switzerland takes place within a lawful framework. We have implemented security measures and controls to ensure appropriate protection in each of these jurisdictions.
7. How Long We Keep Your Data
We will retain personal data only for the period necessary to achieve the purposes for which it was collected. It may be retained for longer periods where it is intended solely for archiving in the public interest, for scientific or historical research, or for statistical purposes. To determine the appropriate period, we comply with the relevant legal requirements.
8. How We Protect Your Data
The protection of your data is a priority. We implement strong measures, validated as part of our SOC 2 Type II attestation, to prevent personal data from being lost, misused, accessed, altered, or disclosed by unauthorized parties.
8.1 Technical and organizational measures
Encryption of data at rest (AES 256-bit) and in transit (TLS 1.2 or higher);
Role-based access control, with periodic access reviews;
Access on a strict need-to-know basis, limited to the minimum necessary;
Confidentiality agreements signed by all employees and annual training on the handling of sensitive data;
Annual penetration testing by an external team and continuous vulnerability monitoring;
Monitoring of security and compliance controls through the Vanta platform;
Documented and tested data breach management procedures, ensuring that affected individuals and regulatory bodies are informed.
8.2 Certifications
Lime Health holds a SOC 2 Type II attestation and the TGV certification from the Quebec government’s cloud broker office. For American clients subject to HIPAA, Lime Health maintains a HIPAA compliance program and enters into a Business Associate Agreement with each covered entity.
9. Protected Health Information (HIPAA)
Where Lime Health processes protected health information on behalf of an American Client that constitutes a covered entity, it acts as a business associate within the meaning of HIPAA. In this context:
the Parties enter into a Business Associate Agreement (BAA) governing the use and disclosure of such information;
Lime Health maintains the administrative, physical, and technical safeguards required by the Security Rule;
Lime Health has carried out a Security Risk Analysis and has designated a security officer and a privacy officer;
the associated controls are continuously monitored through Vanta;
in the event of a breach affecting protected health information, Lime Health complies with the notification obligations of the Breach Notification Rule.
10. Artificial Intelligence and Transparency
Certain features of the Services use artificial intelligence systems, including large language models provided by third parties. In accordance with Regulation (EU) 2024/1689 on artificial intelligence and the applicable transparency principles:
we inform you when you interact with an artificial intelligence system or when content is generated by such a system;
we retain human oversight over generated content relevant to clinical or administrative decisions;
where possible, we take measures so that your data is not used to train models operated by third parties;
content generated by artificial intelligence may contain errors and does not replace the judgment of a qualified professional.
11. Use of Cookies
Our website uses cookies. At any time, you can review the types of cookies used, learn their purposes, and manage your preferences by clicking the cookie icon located in the bottom-left corner of every page of our website.
12. Provisions for European and Swiss Residents
Lime Health operates from its head office at 212 du Grand-Hunier, Saint-Augustin-de-Desmaures, Quebec, Canada, G3A 2J2. The personal data of European and Swiss residents is hosted in Zurich, Switzerland, and may be accessed from Canada. Both Switzerland and Canada benefit from an adequacy decision of the European Commission, recognizing that they ensure a level of data protection equivalent to that of the European Union.
Lime Health also acts as a processor under the instructions of each healthcare institution (client) for data collected through online forms and processed in connection with the assessment of the patient experience. Lime Health acts as a controller for: the research and development of its software; processing outside the purposes defined with the client; its website and associated trackers; internal audit and its legal obligations.
We undertake to comply with the applicable transfer rules, either by transferring your data to countries recognized as adequate by the European Commission, or by implementing appropriate safeguards such as the European Union’s standard contractual clauses.
We, together with our European partner healthcare institutions, undertake to comply with:
Law 25 on the protection of personal information of Quebec citizens;
the Personal Information Protection and Electronic Documents Act (PIPEDA);
the General Data Protection Regulation (EU) 2016/679 (the “GDPR”);
the UK GDPR and the UK Data Protection Act 2018 (as amended in 2020);
the new Swiss Federal Act on Data Protection (nFADP), which came into force on September 1, 2023;
all applicable laws and regulations relating to data protection (collectively, the “Data Protection Laws”).
13. Your Rights
We strive to keep accurate and up-to-date data. If your information changes, please notify us or update your profile page. The law protects you and gives you several rights:
Access your data: find out whether we hold information about you and obtain a copy of it.
Correct your data: have inaccurate information rectified.
Request erasure: in certain cases, have your data deleted.
Restrict use: request that the use of your data be restricted in certain situations.
Receive or transfer your data: obtain your data in a readable format or have it transmitted to another organization (portability).
Object: for personal reasons, object to the use of your data.
Withdraw your consent: reverse your agreement at any time, without having to justify it.
To exercise these rights, contact us using the details in the “How to Contact Us” section. These rights are subject to certain rules and will be reviewed individually by our privacy officer.
13.1 Right to lodge a complaint
You have the right to lodge a complaint if you believe your data is not being processed in accordance with the applicable laws:
In Quebec: Commission d’accès à l’information du Québec (CAI), https://www.cai.gouv.qc.ca/plaindre
In Canada: Office of the Privacy Commissioner of Canada (OPC), https://www.priv.gc.ca
In the European Economic Area: the data protection authority of your country (contact details at https://edpb.europa.eu).
In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch
14. How to Contact Us
Lime Health has appointed Jonathan Santerre as privacy and access-to-information officer. He also serves as data protection officer and responds to questions, requests, and complaints regarding this policy as well as the collection and processing of your data.
Email: [email protected]
Toll-free telephone: 1 877 503-LIME
14.1 European representative (GDPR, Article 27)
In accordance with Article 27 of the GDPR, Lime Health has appointed European Data Protection Office (EDPO) as its representative in the European Union. You may contact EDPO using its online request form or by mail at EDPO, Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
15. Changes to This Privacy Policy
This policy comes into effect on the date indicated at the top of this page. Lime Health reserves the right to modify or update it at any time. Any change will be published on our website, and the revised version will be available on request from the privacy officer. We encourage you to review this policy regularly. You may access earlier versions on request.