InjecTeam
Legal

Privacy Policy

Last updated: June 2026

InjecTeam is operated by Alex’s Beauty Bar (“InjecTeam”, “we”, “us”). We provide a mobile application and website that help medical-aesthetics injectors and their supervising medical directors manage consultations, medical directives, and scheduling. This policy explains what information we handle, how we use it, the choices you have, and who to contact.

Jurisdiction and our role

InjecTeam is based in Ontario, Canada and is designed for use in Canada. We handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, with respect to personal health information, Ontario’s Personal Health Information Protection Act (PHIPA) (and comparable provincial health-privacy laws where they apply).

For the patient health information that clinical users enter, the injector, medical director, clinic, or other provider is the health information custodian (or equivalent) and is responsible for that information. InjecTeam acts on their behalf — as a service provider, agent, and electronic service provider (and, where applicable, a health information network provider) under PHIPA — and handles that information only to provide the Service and on the custodian’s instructions. InjecTeam is not the custodian of patient information and does not use it for its own purposes. If you use InjecTeam from outside Canada, other laws (for example U.S. HIPAA, or the EU GDPR) may apply to you; contact us before doing so.

Information we collect

  • Account information — name, email, role, and professional details you provide.
  • Patient information entered by users — including health information such as medical history, allergies, contraindications, medications, treatments, consultation notes, and directives.
  • Patient photos — see “Patient photos” below; these are treated as sensitive health information.
  • Scheduling data — booking details, and, where a medical director connects Google Calendar, availability information (see “Google Calendar integration”).
  • Usage data — app activity needed to operate the Service (for example, when a case is submitted or reviewed) and access/audit logs.
  • Device data — basic technical information and push-notification tokens.

How we use information

  • To operate the consultation, review, directive, and scheduling workflow.
  • To send notifications about case and booking activity.
  • To secure the Service, maintain audit records, and prevent misuse.
  • To provide support and improve the product.
  • To meet legal, regulatory, and record-keeping obligations.

Health information

Patient health information is entered by clinical users acting under their own professional and regulatory obligations as custodians of that information. We handle it as their service provider and agent. Health information is encrypted and access is logged. Clinical users are responsible for obtaining any consents required from the patients whose information they enter, and for their own collection, use, and disclosure of that information.

Patient photos

Consultation records may include photographs of a patient’s face and body. These images are sensitive personal health information. We treat them with the same protections as other health information — per-patient encryption and access logging — and they are used only to support the consultation, review, and directive workflow. Clinical users are responsible for obtaining the patient consent required to capture and upload such images.

Google Calendar integration

InjecTeam offers an optional Google Calendar integration for medical directors who choose to connect their Google account. Connecting is entirely voluntary, and InjecTeam works without it.

When you connect Google Calendar, InjecTeam asks for permission to:

  • Read your availability (free/busy). We check when you are busy so the app only offers injectors times you are actually free. We do not read the titles, descriptions, attendees, locations, or other contents of your existing calendar events — only whether a given time block is busy or free.
  • Create and manage booking events. When a consultation is booked, we add a calendar event for that booking on your connected calendar, and update or remove it if the booking changes or is cancelled.

We request the narrowest Google scopes needed for these functions, matching what is shown on the Google consent screen.

How we use Google data. Information received from Google APIs is used only to provide the scheduling feature described above — to show your availability and to place booking events on your calendar. We do not use Google user data for advertising, we do not sell it, and we do not use it to develop, improve, or train generalized AI or machine-learning models.

No patient health information on your calendar. The booking events InjecTeam creates are intentionally free of patient health information; they contain only the minimum scheduling details needed for the appointment.

Storage and retention of Google data. We store the access and refresh tokens needed to keep your calendar connected, protected with the same safeguards as our other sensitive data. We do not store the details of your existing calendar events. Free/busy responses are used transiently to calculate availability and are not retained except as necessary for logs, security, or troubleshooting.

Revoking access. You can disconnect Google Calendar at any time from within InjecTeam, or from your Google Account at myaccount.google.com/permissions. When you disconnect, we delete the Google tokens we stored for you. Any events already placed on your calendar remain under your control.

Limited Use. InjecTeam’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. These commitments apply to raw, aggregated, anonymized, and derived data from Google APIs.

Security

We use technical and organizational measures designed to protect personal and health information, including per-patient encryption of sensitive records and access logging. No system can be guaranteed perfectly secure, but we work to protect your data and to respond to incidents as described below.

Service providers, sub-processors, and cross-border storage

We do not sell personal information. We use a limited set of vendors to operate the Service — for example cloud hosting and storage, push-notification delivery, transactional email and form handling, and (where you enable it) Google Calendar. These vendors are permitted to handle information only to provide services to us, under contracts that restrict their use of the information and require appropriate safeguards.

Some of these vendors, or their infrastructure, may store or process information outside your province or outside Canada (for example in the United States). Where that occurs, the information may be subject to the laws of those jurisdictions, and we use contractual and technical measures intended to keep it protected. A current list of our sub-processors is available on request at [email protected].

Data retention

  • Clinical records (consultations, directives, audit history) are retained to maintain an accurate, auditable clinical history consistent with professional record-keeping requirements and applicable law. Because the law often requires these records to be kept for a minimum period, they may be archived rather than deleted on request.
  • Account information is retained while your account is active. Inactive accounts may be closed and their account data deleted after 24 months of inactivity, subject to any records we must retain by law.
  • Deletion requests. We honour deletion requests where we are able to, but where clinical record-keeping or other legal obligations require retention, we will retain the minimum necessary and restrict access to it instead of deleting it, and we will tell you when this applies.
  • Backups are kept for a limited period and cycle out on a rolling basis.

Your rights and how to exercise them

Depending on your jurisdiction, you may have rights to access, correct, or request deletion of your personal information, and to withdraw consent.

  • Patients: please contact the clinic, injector, or medical director who entered your information — they are the custodian of your record. If a patient contacts InjecTeam directly, we will, where appropriate, redirect the request to the relevant provider and assist that provider in responding.
  • Account holders: to make a request about your own account data, contact our Privacy Officer below.

Breach and incident notification

If a privacy or security incident affecting personal information occurs, we will respond promptly and, as required by law and our agreements, notify affected individuals, the relevant clinics, medical directors, or custodians, and applicable regulators — which may include the Office of the Privacy Commissioner of Canada and/or the Information and Privacy Commissioner of Ontario. Custodians remain responsible for any notifications they are required to make to their patients and regulators.

Privacy Officer and contact

We have designated a Privacy Officer responsible for our compliance with this policy and applicable privacy law:

Privacy Officer: Tal
Email: [email protected]
General contact: [email protected]

Changes to this policy

We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, take reasonable steps to notify users.