Privacy Notice
Got2, Inc. — Effective: February 2026
Welcome to Got2, Inc.! This Privacy Notice describes how personal information is collected, used, disclosed, and stored by Got2, Inc. (“we,” “us,” or “our”) through the use of our optometry practice management software platform and related services, websites, and web-based resources (collectively, the “Services”).
In this Notice, we use the term “Subscriber” to refer to any optical store, optometry practice, clinic, or practitioner that has subscribed to and paid for use of our platform, including their authorized sub-users. We use the words “you” and “your” to refer to any individual user of our Services, such as a practitioner, staff member, or patient of a Subscriber, or an individual browsing our websites. We use the word “Patient” to refer to any individual who interacts with our platform to book or receive services from a Subscriber.
Notice to Patients
If you are a Patient at any of our Subscriber clinics or practitioners, your clinic or practitioner controls your patient information, including your contact information, billing details, and patient records. Please contact your clinic or practitioner for any questions about your patient information. See the section titled “Patient Data” below for further information.
Why We Collect Personal Information
Got2, Inc. collects personal information in order to provide our Services to our Subscribers and their users, for our own business purposes (such as managing subscriptions and payments), to learn about use of our Services (for improvement, accessibility, and relevant content), and to provide you with information about our Services, including features and promotions. We collect only the minimum amount of personal information needed for these purposes. We do not sell or trade personal information, and we will only share your personal information with third parties in the ways described in this Privacy Notice.
Information We Collect from You
Contact Information. We collect your contact information, such as your name, email address, phone number, and organization, when you fill out our online forms or set up your user account for our Services. We use your contact information to activate your user account, give you access to the Services, and send you notices about your account. We may also use your contact information for marketing purposes. You can opt out of our marketing communications at any time by unsubscribing or contacting us at info@got2.ca.
Patient Authentication Information. We collect your authentication credentials (user ID or email and password) when you create an account to link, book, and obtain services from one or more Subscriber clinics as a Patient. We manage the authentication process to allow you to use the same credentials across different Subscriber clinics you choose to register with.
Billing Information. When a Subscriber subscribes to our Services, we may ask them to provide payment information to process payments. We do not store your full credit card information. Payment card data is provided directly to our PCI-compliant payment processor. We receive a “token” from the payment processor that replaces sensitive information and acts as a non-sensitive identifier for future payment processing.
Log and Device Information. When you access and browse our Services, we collect information about how you are accessing our Services, such as your internet connection, browser type, and the type of device you are using. We use this information to optimize our Services for the types of connections, browsers, and devices being used. This information is not used for individual-level marketing.
Cookies and Tracking Information. Our website uses cookies — small data files downloaded to your computer or device. Your web browser lets you manage cookies through its settings. We use cookies and similar technologies to learn about website usage patterns, allow you to log in to secure areas, and store your login credentials for convenient access. For more information, see our Cookie Policy.
Legal Basis for Collection
Got2, Inc. operates in Ontario, Canada, and is subject to federal and provincial privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and, with respect to personal health information, Ontario’s Personal Health Information Protection Act, 2004 (PHIPA).
We rely on the following legal bases for collecting and using your personal information:
• Your express or implied consent, as applicable
• The performance of the contract between the Subscriber or user and us, as the provider of the Services
• Our legitimate business interests, such as operating our business, understanding and improving our Services, and protecting our legal rights
You may withdraw your consent at any time. See below under “Your Rights” for how to withdraw consent or object.
If you are a Patient of one of our Subscriber clinics, please contact your clinic or practitioner if you have any questions about the legal basis for collecting and using your personal health information. Under PHIPA, your clinic or practitioner is a “health information custodian” and determines the purposes and legal authority for collecting, using, and disclosing your personal health information. Got2, Inc. acts as an agent or service provider to the health information custodian.
Patient Data
Patient Data. Subscribers use our platform to collect personal information from their patients and create patient records. These records may include a patient’s name, address, health insurance and billing information, medical charts, appointment history, and other patient data (“Patient Data”). Under PHIPA, this information constitutes “personal health information.” Under PIPEDA, it may be referred to as “personal information.”
Subscriber’s Role. Under PHIPA, Subscribers who are regulated health professionals (such as optometrists) are “health information custodians” and retain sole control over Patient Data. Subscribers determine what Patient Data to collect, how it will be used, who has access, how long it will be stored, and on what basis it may be deleted. Subscribers are responsible for complying with all applicable laws and regulations governing the use of Patient Data, including PHIPA and any applicable regulations of the College of Optometrists of Ontario.
Got2, Inc.’s Role. Got2, Inc. is a service provider to Subscribers and acts as an “agent” of the health information custodian under PHIPA. We store Patient Data in our secure data centres and make it available to Subscribers through our platform. We have no independent control over Patient Data. We will only access Patient Data on the instructions of the Subscriber or its representatives, or in rare cases where needed to prevent or address technical problems, respond to support requests, or comply with legal requirements.
Storage Location. Patient Data is stored in data centres located in Canada and the United States. Got2, Inc. maintains data centre infrastructure in both jurisdictions to support the performance, reliability, and availability of our Services.
Because Patient Data may include personal health information as defined under PHIPA, and because our data centres include locations in the United States, Subscribers should be aware of the following:
• Under PHIPA, the transfer of personal health information to a service provider (agent) for processing is permitted, provided the agent agrees to comply with the conditions and restrictions imposed by the health information custodian and applicable law.
• Under PIPEDA, a transfer for processing to a third-party service provider is considered a “use” of information, not a “disclosure,” provided it is for the purposes for which the information was originally collected. Additional consent is not required for such transfers; however, the transferring organization remains accountable for the protection of the information.
• Personal health information stored in or processed through the United States may be subject to U.S. laws, including laws that permit access to data by U.S. courts, law enforcement, and national security authorities (such as the USA PATRIOT Act).
• Subscribers are responsible for determining whether their use of our Services, including the storage of Patient Data in the United States, is consistent with their obligations under PHIPA. Where PHIPA requires a Patient’s express consent for the disclosure of personal health information outside of Ontario, the Subscriber is responsible for obtaining that consent.
Got2, Inc. uses contractual safeguards with all data centre providers to ensure a comparable level of protection for Patient Data, regardless of storage location. These safeguards include obligations related to confidentiality, security, data access restrictions, and breach notification.
Some specific features of our Services may involve additional temporary data processing in either jurisdiction, including but not limited to:
• SMS appointment reminders, which may be processed through U.S.-based communication service providers
• AI-assisted features, which may require temporary data processing in the U.S. to enable functionality such as translation of clinical notes or data analysis
Data processing in the United States may subject the data to the laws and regulatory frameworks of that jurisdiction. Appropriate safeguards are in place to protect the confidentiality and integrity of information, consistent with applicable Canadian privacy legislation. By using these features, Subscribers and their Patients acknowledge and consent to the possibility of data processing in the United States for the purpose of delivering these features.
Patient Rights. Patients have certain rights with respect to their Patient Data under PHIPA, which include the right to know what personal health information your health information custodian holds about you, the right to request corrections to inaccurate information, and the right to obtain a copy of your records. Please note that health information custodians have strict legal and regulatory obligations around Patient Data and may not always be permitted to delete or remove it.
Questions about Patient Data. If you have any questions about your Patient Data or wish to exercise any of your patient rights, please contact your Subscriber clinic or practitioner. If your clinic or practitioner has questions about the management of Patient Data in the Services, they may contact us and we will support them as needed.
Sharing Your Information
We do not sell or distribute personal information to third parties for their own commercial or marketing purposes. We will only share personal information in the following circumstances:
Suppliers and Service Providers. In order to operate our business and provide the Services, we may need to share a limited amount of personal information, including Patient Data, with our third-party suppliers and service providers located in Canada and the United States. Before sharing personal information, we ensure that the third parties have provided appropriate contractual safeguards and that privacy rights are protected. Areas where we use third-party providers include data centres and cloud infrastructure, customer support services, communication services (email and SMS), payment processors, and AI service providers.
Corporate Transactions. We may share personal information in connection with a financing, acquisition, merger, or sale of all or part of our company assets. Before sharing personal information, we will ensure that appropriate confidentiality undertakings are in place. We will not share Patient Data in these circumstances.
Compliance with Laws. We may disclose personal information to governmental or judicial authorities as required by law, to comply with legal obligations, to protect our rights and assets, or to respond to an emergency. We carefully review requests to ensure they comply with applicable law. In such instances, if permissible, we will make every reasonable effort to give you as much notice and detail as possible regarding the disclosure. We will not disclose Patient Data unless legally required to do so.
Anonymized / Aggregated Data. Got2, Inc. may use anonymized and aggregated information from Subscriber Data to assist in the continued development and improvement of our Services, and for statistical analysis. We ensure that such anonymized information cannot be used to identify any individual and is not shared outside of Got2, Inc. without Subscriber consent, though we may share aggregated analysis about the use of the Services.
Security
We take reasonable measures to help protect personal information from accidental loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. We protect your personal information, including Patient Data stored in our platform, by:
• Using industry-standard security controls such as encryption and SSL/TLS certificates to ensure information is transmitted over a secured connection
• Using data centres in Canada and the United States with appropriate security and compliance certifications (such as SOC 2, ISO 27001)
• Implementing firewall barriers, intrusion detection systems, and access controls
• Requiring personnel to sign strict confidentiality agreements and complete periodic privacy and security training
• Limiting access to Patient Data to authorized personnel with a legitimate business need
• Requiring password protection of user accounts with passwords set by the user
While we employ industry-standard measures to protect your information, no electronic communication can ever be completely secure. You share responsibility for protecting your personal information by setting a strong password and keeping your credentials confidential.
Storage Period
We retain personal information only for as long as necessary to achieve our stated purposes, or as required by applicable law. Contact and billing information is kept for as long as a Subscriber account is active and for a reasonable period after deactivation. User account information may also be retained as necessary to comply with our legal obligations, resolve disputes, or maintain our relationship with a Subscriber.
If you are a Patient, please contact your clinic or practitioner for information regarding the retention period for your Patient Data. Health information custodians in Ontario are subject to specific record retention requirements under PHIPA and the regulations of their governing college.
Cross-Border Data Transfers
Personal information, including Patient Data, may be transferred to and processed in both Canada and the United States in connection with our Services. Before transferring personal information, we ensure that appropriate safeguards are in place, including:
• Contractual agreements with all data centre providers and service providers requiring them to maintain a comparable level of protection for personal information
• Restrictions on the use of personal information by service providers to only those purposes authorized by the Subscriber or required by Got2, Inc. for the operation of the Services
• Obligations related to confidentiality, data security, breach notification, and data return or destruction upon termination of the service relationship
• Compliance with applicable Canadian privacy legislation, including PIPEDA and PHIPA
Under PIPEDA, Got2, Inc. remains accountable for the protection of personal information that has been transferred to a third party for processing, regardless of where that third party is located. Under PHIPA, Got2, Inc., as an agent of the health information custodian, is subject to the same restrictions on the use, disclosure, and protection of personal health information as the custodian.
Please note that personal information stored or processed in the United States may be accessible to U.S. courts, law enforcement, and national security authorities under applicable U.S. laws.
Your Rights
Individuals have certain rights with respect to their personal information under applicable Canadian privacy legislation. If you are a Patient, please contact your Subscriber clinic or practitioner to exercise these rights with respect to your Patient Data.
Correction and Deletion. We will make reasonable efforts to ensure that the personal information we collect from you is accurate and complete. You may update, correct, or delete your account information at any time by logging into your account or by contacting us.
Withdrawing Consent. Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting us, which we will give effect to promptly. All our marketing email messages contain the ability to unsubscribe.
Access. You have the right to request a record of the personal information that we have collected about you. We will respond to your request within thirty (30) days of receiving it. We may charge a fee where permitted by applicable law.
Complaints. You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) for matters under PIPEDA, or with the Information and Privacy Commissioner of Ontario (www.ipc.on.ca) for matters under PHIPA.
Contact Us
If you have any questions or concerns about this Privacy Notice or our privacy practices, please contact us at:
Got2, Inc.
25 Sutter Avenue, Brampton, ON L6Z 1G2
Phone: 647-953-1891
Email: info@got2.ca
Updated: February 2026