Navexio Privacy Statement
1. NAVEXIO’S COMMITMENT TO PRIVACY
At Navexio, our north star is to simplify cancer navigation and address the gaps in care that patients and families often face during their cancer journey – our “Purpose.” To fully support you, we collect your personal information, including your personal health information (“PI”), directly from you and from your broader care and treatment team. We use that data to support you, and we disclose it to others for the same Purpose. We also collect PI from our clients’ family members, authorized individuals, and caregivers, all of whom are protected by this commitment.
We recognize the sensitivity of the PI we work with, and are committed to maintaining its privacy and confidentiality. We strive to protect your privacy by meeting or exceeding legal requirements, including Ontario’s Personal Health Information Protection Act, where we are based, and Canada’s Personal Information Protection and Electronic Documents Act, as well as the health information protection laws of other Canadian provinces, the United States, the United Kingdom, and the European Union as applicable.
This Policy outlines why we collect your PI, how we manage it and how we safeguard privacy in fulfilling our Purpose. Every one of our employees and contractors (“Members”) and our affiliated Specialists must protect privacy and confidentiality of all PI that they may access or process through their connection to us. Every Member is required to abide by our confidentiality and privacy requirements, and to certify their compliance annually.
We have appointed a Privacy Officer for all privacy matters, who can be reached at contact@navexio.com to answer your privacy questions and address any privacy concerns.
2. PERSONAL INFORMATION
PI includes any identifying information about you in verbal or written (paper or digital) form. It includes information about your health or health care history that could identify you when used alone or with other information.
3. PI WE COLLECT FROM YOU
We collect, use, and disclose different types of PI depending upon the individuals involved and the nature of their relationship with us. PI may include, for example:
client name, contact information, date of birth, medical record number;
name and contact information of any authorized individual;
symptoms and concerns, health history, family health history, medical records;
medications and immunizations;
information related to assessment, diagnosis, medication, and treatment; and
credit card or other payment information.
With limited exceptions, we obtain most PI from your referring physicians, or directly from you or your authorized individual, or from your electronic medical record (EMR) portal through consented, shared access. Occasionally, we may collect information about you from other sources, including other health care providers, where we have obtained your consent, or are legally permitted or required to.
We will not collect more PI than is reasonably necessary for our Purpose.
4. HOW WE USE THE PI WE COLLECT
We only collect, use, and disclose PI for our Purpose. For example, we may use your PI to:
provide health care navigation and expert consulting services;
obtain payment for services, including from a third party insurer;
contact you;
conduct quality assurance and related activities;
comply with legal and regulatory requirements; and
fulfil other purposes permitted or required by law to plan, administer and manage our operations.
If we intend to use your information for any other purpose, we will ask for consent before doing so, unless otherwise required or permitted by law. We will never sell your PI.
5. CONSENT
We will not collect, use, or disclose PI without your consent, unless otherwise required or permitted by law. Consent to the collection, use, or disclosure of PI may be express (meaning we have specifically obtained it from you) or implied (meaning we have reasonably concluded from your actions under the circumstances that you agree).
For consent to be valid, it must be knowledgeable and obtained voluntarily (that is, without deception or coercion) from an individual with the capacity to consent. Knowledgeable consent means that it is reasonable under the circumstances to believe that you know the purposes for which we collect, use, or disclose your PI and that you are entitled to give or refuse your consent. If there is something you don’t understand or need more information about, talk to us.
If we are aware that you are incapable of making decisions about your PI, we will consult your authorized individual. If you are under the age of 18, we will obtain consent from your parent or legal guardian.
Unless the law requires such disclosure, we will always ask for your express consent before disclosing your PI to:
any testing laboratory for testing purposes;
someone who is not a health information custodian; or
a health information custodian for purposes other than for them to provide health care to you.
We may collect, use, or disclose your information without consent in certain limited circumstances that are expressly permitted by law.
You may withdraw or limit your consent at any time, unless doing so prevents us from recording the information required by law or meeting our professional standards. You may also give express instructions that specific PI is only to be used or disclosed by or to certain individuals, or for certain purposes. The Privacy Officer or any of our Members working with you will assist in this process.
6. SHARING PI
Generally, we will not share your PI with anyone else without your consent, although we may be required or permitted by law in certain instances to do so.
In addition, unless instructed otherwise, we may disclose your PI without express consent to other health care providers, including affiliated Specialists who need to know this information to help provide patient care, as we rely on implied consent to these disclosures.
7. SAFEGUARDS AND SECURITY
We take appropriate steps to protect the PI in our custody against theft, loss or unauthorized access, use, or disclosure. We also protect the records containing PI against unauthorized copying, modification, or disposal.
We maintain electronic patient records and protect them through physical and technological security measures and administrative controls.
Physical security measures include:
restricting office access to authorized individuals; and
maintaining all records onsite at our office, which has security measures in place.
Technological security measures include:
limiting your records access to you and the Members who need to know to support you;
use of reputable cloud providers with security features including file recovery, password protection, watermarking, and viewer history;
firewalls and anti-virus software; and
logging, auditing, and monitoring of all access to PI electronic records.
Administrative controls include:
providing mandatory initial and ongoing privacy training to all Members;
prohibiting Members from printing, copying, or downloading electronic records except where necessary for provision of care, or where access to records is required for provision of care and remote access to our server is not available;
conducting regular audits of PI electronic records access to ensure compliance with our policies;
requiring Members to abide by this Policy and our internal procedures, and to certify their compliance annually; and
maintaining a log of, and fully investigating, all privacy breaches, which will be audited and monitored to identify patterns, trends, and suspicious activity, and to ensure that our safeguards are functioning as they should.
Please note, however, that despite our efforts, we cannot guarantee the security of any PI.
8. ELECTRONIC COMMUNICATIONS
Because of the significant privacy risks associated with e-mail and text messaging, we prefer to collect and disclose PI through encrypted email, or electronic platform, or using password protections. We are not responsible for safeguarding the privacy in transmission of any PI that you may voluntarily choose to send by email or text to us.
You will be informed of the privacy risks associated with electronic communication when you first engage us. We will obtain your consent in advance if there is a need to communicate in this manner other than as described above.
9. RETENTION AND DESTRUCTION
We retain PI records for the later of:
15 years from the date of the last entry in the record; or
any minimum retention period required by law.
Your PI will not be deleted without the approval of our Privacy Officer, even if you have requested such deletion, since we must always meet our legal obligations to retain PI.
We will archive your records once we no longer actively support you, and these will only be accessible by our Privacy Officer.
When we destroy PI, we will take reasonable steps to ensure secure and permanent destruction, whether physical or electronic. If we engage a third party to destroy PI, we will enter into a written agreement that sets out the requirements for secure disposal and requires it to certify that secure disposal has occurred. We maintain a record of all PI that has been destroyed, including the date and manner of destruction.
10. PRIVACY BREACHES
Should we suspect or discover that your PI has been stolen, lost or subject to unauthorized use, access, disclosure, copying, or modification, our first priority will be to identify and contain the breach, assess the harm, and then investigate and remediate so we can minimize harm to you and the risk of similar breaches in the future. If your PI may have been lost or subject to unauthorized access, use or disclosure, we will notify you at the first reasonable opportunity.
11. ACCESS TO PI
You have a general right to access all your PI in our custody or control.
If you want to access or obtain a copy of your PI, make your request in writing to any Member or to our Privacy Officer. The request must include details about who you are, the records you are seeking and the timeframe of those records. The Privacy Officer will give you a copy of the records requested or make an appointment to review the records with you. A Member will always be present when you review original records.
Your right to access your PI is not absolute, and may be denied if:
the information does not exist or cannot be found;
denial of access is required or authorized by law; or
the request is frivolous, vexatious, or made in bad faith.
All PI access requests will be addressed no later than 30 days from the date of the request. If the Privacy Officer refuses access to your records, they will provide you with an explanation.
To protect privacy, we must verify your identity before providing access. We may charge a reasonable cost recovery fee for making PI available and/or providing copies of records. If we choose to do so, we will advise you of the fee in advance of processing your request.
12. KEEPING PI ACCURATE
We take all reasonable steps to ensure all PI is as accurate, complete, and current as necessary for the Purpose.
We will not routinely conduct updates on PI in our custody unless these are necessary to fulfil the Purpose. We will take reasonable steps, however, to ensure that any PI used on an ongoing basis, including any information that is routinely disclosed to others, is accurate, complete, and current. Where we know that information is inaccurate, incomplete, or outdated, we will note this at the time of use or disclosure.
We ask that you advise us of any changes to your PI promptly so that we may update our records.
If you believe your PI is inaccurate, incomplete, or outdated, you may make a written request to a Member or the Privacy Officer to correct it.
We will correct PI where it is demonstrated that it is, in fact, inaccurate, incomplete or outdated, and enough details are provided to update the record. Where a correction is made, the original information will still be maintained in your record.
However, we may refuse to correct PI where:
we are not satisfied that the record is incomplete, inaccurate, or outdated for the Purpose;
the record containing the PI was not originally created by us and we do not have sufficient knowledge, expertise, or authority to correct it;
the request pertains to a professional opinion or observation that a health care provider has made in good faith; or
the request is frivolous, vexatious, or made in bad faith.
All requests to correct PI will be addressed no later than 30 days after receiving the request. If a correction request is denied, we will provide an explanation for the refusal, and you will be entitled to prepare a short statement of disagreement to append to your record. In addition, you have the right to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario or the data protection authority of your province, state or country.
13. QUESTIONS/ CONCERNS/ COMPLAINTS
If you have any questions or concerns about the collection, use, disclosure, or protection of your PI, contact our Privacy Officer at contact@navexio.com.
We will investigate all written privacy concerns. If a concern is found to have merit, we will take appropriate measures, including, if necessary, disciplinary action and/or amending our privacy practices or safeguards.
If we are not able to address your concern, or if you require further information regarding privacy in Ontario, you may contact the Information and Privacy Commissioner of Ontario. If you are outside of Ontario, contact the data protection authority of your province, state, or country.
We may update this Privacy Statement from time to time and will post any new version on this website.
This Privacy Statement was last updated in February 2026.