Privacy Policy

Effective Date: July 30, 2025

At SAGE by Bluestem API Inc., your privacy is of the utmost importance to us. This Privacy Policy outlines how we collect, use, disclose, and protect your personal and health information when you use the SAGE platform ("Service"). It also reflects best practices from the cannabis sector and complies with Canadian privacy legislation.

1. Overview

Bluestem API Inc. is committed to ensuring the accuracy, confidentiality, and security of all personal and personal health information (PHI) in its custody. This Privacy Policy is designed to meet or exceed the requirements of:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The Personal Health Information Protection Act (PHIPA) (Ontario)
  • Other applicable provincial and federal laws

We ensure that no personal or health data is stored or accessed outside of Canada without appropriate legal and contractual safeguards, especially for users or clinics based in Nova Scotia.

2. Application

This policy applies to all users of the SAGE platform, including healthcare providers, patients, caregivers, and authorized representatives. It also applies to any Bluestem staff, contractors, or service providers handling personal data on our behalf.

3. Definitions

  • Personal Information: Any information about an identifiable individual.
  • Personal Health Information (PHI): Information about an individual’s health status, healthcare history, or health services.
  • User: Anyone who accesses or uses the Service.
  • Privacy Officer: The individual responsible for ensuring compliance with this policy.

4. Information We Collect

We may collect the following:

  • Personal Information: Name, contact details, credentials, login info.
  • Health Information: Medical history, treatment plans, clinical notes, SAP-related documentation.
  • Usage Data: Device type, browser, IP address, platform activity logs.
  • Patient-Supplied Data: Intake information submitted by patients via onboarding workflows.

We may also use cookies or analytics tools (e.g., Google Analytics) to improve the platform experience. All such data is anonymized and aggregated where possible.

5. Consent

  • Consent is obtained before collecting, using, or disclosing information.
  • Consent may be written, verbal, or implied through platform use.
  • Users may withdraw consent at any time by emailing info@bluestem.co. Withdrawal may impact our ability to deliver services.

6. Use and Disclosure of Information

Personal and health data is only used for:

  • Supporting SAP and similar application processes
  • Facilitating communication between users
  • Conducting anonymized platform analytics
  • Ensuring service quality and legal compliance

We do not sell or rent data to third parties. Disclosure may occur:

  • With your explicit consent
  • To care teams, therapists, or authorized caregivers
  • When required by law or court order
  • To defend legal claims or collect a debt
  • To integrated services such as Electronic Health Record (EHR) platforms and secure eFax services, which are contractually bound to maintain data confidentiality and compliance with PHIPA, PIPEDA, and PIIDPA

7. Data Retention and Accuracy

  • Data is retained only as long as required to fulfill service purposes or comply with legal obligations. Clinical records are typically retained for at least 10 years from the date of last modification or access.
  • Users can request corrections by submitting a written request to the Privacy Officer.
  • Corrections will be processed within 30 business days and shared with parties who received inaccurate information in the past year.

8. Data Security

We maintain robust safeguards, including:

  • AES-256 encryption for data at rest and in transit
  • Password-protected and access-controlled systems
  • Encrypted network communications
  • Commercial-grade firewalls and intrusion detection
  • Secure physical storage of any hardcopy records
  • Regular internal audits and access reviews

All employees and contractors are bound by confidentiality agreements. Data destruction protocols include shredding and secure deletion.

9. Use of AI and Automation

Parts of the SAGE platform use artificial intelligence (AI) to generate summaries, pre-fill SAP forms, and analyze uploaded content.

  • AI-generated content is intended to assist and must be reviewed and validated by users before submission.
  • No automated decisions affecting treatment or clinical judgment are made without human oversight.
  • De-identified data may be used to train and fine-tune internally developed AI models, in addition to supporting real-time assistance.
  • We do not use third-party models to train on identifiable user data.
  • AI features do not replace clinical or legal judgment.

10. Access and Control

  • Users may request access to their personal data at any time.
  • Requests must be in writing and include sufficient detail.
  • We respond within 30 business days or provide a written explanation for delays.
  • We reserve the right to deny access if required by law (with justification).

11. Protecting Children's Privacy

The SAGE platform is not intended for use by individuals under 18 years of age without parental or guardian consent. Any data collected from minors without such consent will be deleted upon discovery.

12. Legal Basis for Processing

We act solely as an agent to licensed healthcare providers. The healthcare provider is responsible for obtaining valid patient consent before entering any PHI into the platform.

We process PHI on behalf of and at the direction of the healthcare provider (the HIC) in accordance with PHIPA (Ontario), PIPEDA, and PIIDPA (Nova Scotia).

If we ever require access to or reuse of de-identified data for purposes like improving AI models, we will ensure:

  • Explicit authorization from the HIC
  • De-identification protocols that meet applicable legislation

13. International Data Transfers

All user data is stored in secure data centers located in Canada. We do not transfer personal or health data internationally unless explicitly required by law and with appropriate safeguards in place.

14. Sanctions

Violations of this policy (e.g., data misuse, unauthorized access) may result in disciplinary action, service termination, and/or referral to law enforcement where applicable.

15. Updates to this Policy

We may revise this Privacy Policy periodically. Material changes will be announced through the platform or by email. Continued use constitutes acceptance of the revised policy.

16. Contact Us

SAGE by Bluestem API Inc.
Chief Privacy Officer: Austin Miller
info@bluestem.co

Bluestem API Inc.
Address:
Suite 1600
1 First Canadian Place
100 King St W
Toronto, Ontario
M5X 1G5

Copyright © 2025