Privacy Policy

ClaimNexus is operated by ClaimNexus Inc., a Canadian corporation. We provide tools to help Canadian workers manage their workers' compensation claims with WorkSafeBC.

Information You Provide Directly

• Account information: Name, email address, authentication credentials (passwords handled by Clerk)
• Profile information: Organization name (if applicable), jurisdiction, preferences
• Claim data: claim numbers, accident dates, injury details
• Documents: Files you upload (compensation board forms, medical reports, correspondence)
• Communications: Messages to our support team, emails you send to us, chat conversations with AI
• Training data (optional): Data you explicitly opt in to use for assistant training

Information Collected Automatically

• Usage data: Pages visited, features used, time spent
• Device information: Browser type, operating system, IP address
• Cookies: Session identifiers, preferences (see Cookie section)

We use your personal information for the following purposes:

• Providing the Service: Managing your claims, storing documents, generating timelines, calculating LOE estimates
• AI Features: Processing your queries and documents to provide AI-assisted guidance (see AI Processing section)
• Account Management: Creating and maintaining your account, processing payments
• Communications: Sending service updates, responding to inquiries, processing support emails, providing customer support
• Security: Detecting and preventing fraud, abuse, and unauthorized access
• Improvement: Analyzing usage patterns to improve the Service (aggregated and anonymized). If you opt in, we may use redacted or anonymized data to improve AI features.
• Legal Compliance: Meeting our legal and regulatory obligations

What AI Processes

• Your chat messages and questions about workers' compensation claims
• Document content (redacted when possible) for analysis, summaries, and search (when you request it)
• Claim timeline data to provide contextual assistance
• Support emails you send to us (if you contact us by email)

AI Providers

We use third-party AI providers, including Anthropic's Claude andOpenAI models, to power assistant and document intelligence features. Depending on the feature and configuration, your requests may be processed by one or more providers in the United States.

Data Minimization and Redaction

We apply best-effort redaction to remove common identifiers before sending text to external AI providers. Redaction is not perfect; please avoid sharing sensitive details you do not want processed by AI systems.

Data Retention by AI Providers

AI providers may temporarily retain prompts and outputs for abuse prevention and service monitoring. We have data processing agreements that limit their use of your data, and they do not use your data to train their public models without explicit opt-in consent.

AI Training (Opt-In)

You can choose to allow redacted or anonymized data to improve our assistant. This setting is off by default and can be controlled in Settings and per claim.

We use trusted third-party services to operate ClaimNexus. These providers process your data on our behalf and are contractually bound to protect your information.

ClaimNexus stores your core data (claims, documents, and application data) in Canada. When you use certain services (including authentication, billing, email delivery, malware scanning, and AI features), limited personal information may be processed in the United States or other jurisdictions by those service providers. Cloudflare's global network may process network traffic and security logs in multiple countries. While outside Canada, that data may be subject to foreign laws and may be accessible to foreign government authorities.

We ensure that all cross-border transfers comply with PIPEDA requirements through contractual safeguards with our service providers. These contracts require providers to protect your data to a standard comparable to Canadian privacy laws.

We implement industry-standard security measures to protect your personal information:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access, principle of least privilege
• Authentication: Secure authentication via Clerk, optional two-factor authentication
• Monitoring: Security logging and anomaly detection
• Malware scanning: Uploaded files are scanned for threats using third-party detection services
• Vendor Security: Key service providers maintain SOC 2 or equivalent security standards

In accordance with PIPEDA and Ontario privacy requirements, we maintain comprehensive breach detection and response procedures:

• Detection: We employ continuous monitoring to detect unauthorized access or disclosure of personal information
• Assessment: Upon discovering a potential breach, we immediately assess the scope and risk of harm to affected individuals
• Notification: If a breach poses a real risk of significant harm, we will:
  • Notify affected individuals as soon as feasible
  • Report to the Privacy Commissioner of Canada
  • Notify relevant organizations (e.g., law enforcement if appropriate)
• Mitigation: We take immediate steps to contain the breach and prevent further unauthorized access
• Documentation: We maintain records of all breaches, including those that do not meet the notification threshold

What Health Information We Process

Your workers' compensation claim documents may contain personal health information (PHI), including:

• Medical diagnoses and treatment records
• Healthcare provider names and treatment notes
• Physical and psychological injury descriptions
• Functional abilities and restrictions
• Return-to-work assessments

How We Protect Health Information

• Purpose Limitation: We only use health information to provide the Service you've requested and never for marketing or unrelated purposes
• Access Controls: Health information is accessible only to you and authorized personnel with a need to know
• Encryption: All health information is encrypted at rest and in transit
• Audit Logging: We maintain logs of all access to health information
• Document Isolation: Your documents are stored in secure, isolated storage containers specific to your account

Your PHIPA Rights

Under PHIPA, you have additional rights regarding your health information:

• Access: Request access to your health information records
• Correction: Request correction of inaccurate health information
• Withdrawal: Withdraw consent for health information processing (this may limit our ability to provide certain services)
• Complaints: File a complaint with the Information and Privacy Commissioner of Ontario (IPC)

We retain your personal information only as long as necessary to provide the Service and comply with legal obligations:

• Account data: Retained while your account is active, deleted within 30 days of account closure
• Claim documents: Retained while your account is active; you may delete individual documents at any time
• Support emails: Retained as needed to provide support and maintain records
• Usage logs: Retained for 90 days for security and debugging
• Billing records: Retained for 7 years as required by tax laws

Under PIPEDA, you have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Withdrawal of Consent: Withdraw consent for processing where consent is the legal basis
• Data Portability: Request your data in a machine-readable format
• Complaint: File a complaint with the Privacy Commissioner of Canada

To exercise your rights, contact our Privacy Officer at privacy@claimnexus.ca. We will respond to your request within 30 days.

We use cookies and similar technologies to:

• Essential cookies: Required for authentication and security
• Functional cookies: Remember your preferences
• Analytics cookies: Understand how you use the Service (anonymized)

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

ClaimNexus is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the "Last Updated" date. For significant changes, we may also notify you by email or require you to re-consent.

If you have questions about this Privacy Policy or wish to exercise your privacy rights: