Last Update: June 1, 2026
1. Introduction
DISABILITIESAI INC. ("Benefits2," "we," "us," or "our"), headquartered in Burlington, Ontario, operates a software platform that assists Canadians living with disabilities, and the family members who support them, in applying for the Disability Tax Credit ("DTC") administered by the Canada Revenue Agency ("CRA"). In the course of providing these services, we may collect, use, and disclose Personal Information, including highly sensitive Personal Health Information ("PHI"), about our clients and the individuals on whose behalf they apply.
We take our responsibility to protect that information seriously. This Privacy Policy (the "Policy") describes how Benefits2 handles Personal Information in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation that may apply to our processing.
This Policy applies to all Personal Information collected through the Benefits2 website at benefits2.ca (the "Website"), our software application (the "Platform"), and any related communications, including telephone, email, fax, and electronic document exchange between Benefits2 and our clients, navigators, medical practitioners, or service providers (collectively, the "Services").
By accessing the Website, completing our preliminary eligibility assessment, creating an account, or otherwise providing Personal Information to Benefits2, you acknowledge that you have read and understood this Policy and you consent to the collection, use, and disclosure of your Personal Information as described herein.
Benefits2 is a software service provider and is not itself a "health information custodian" within the meaning of Ontario’s Personal Health Information Protection Act ("PHIPA"). However, certain medical practitioners with whom you interact through the Platform may be health information custodians under PHIPA or comparable provincial legislation, and their handling of your Personal Health Information will be subject to that legislation independently of this Policy.
2. Definitions
For the purposes of this Policy:
“Personal Information” means information about an identifiable individual, as defined under PIPEDA. This includes, but is not limited to, your name, contact details, demographic information, financial information, and any health-related information you provide to us.
“Personal Health Information” or “PHI” means Personal Information that relates to your physical or mental health, the provision of health care to you, your medical history, medications, treatments, devices, diagnoses, or any other information of a clinical nature collected in connection with your DTC application.
“Service Provider” or “Sub-Processor” means a third party engaged by Benefits2 to process Personal Information on our behalf for the purpose of delivering the Services, as further described in Section 7 below.
“You” or “your” means the natural person interacting with the Services, whether (a) applying on your own behalf, (b) applying on behalf of a dependent, minor, or family member for whom you hold legal authority or express consent, or (c) acting as a supporting family member to whom a credit may be transferred.
“Navigator” means a Benefits2 employee or contractor who assists clients in completing the application process, including by reviewing answers, gathering supporting documentation, and communicating with you, your medical practitioner, or the CRA on your behalf.
3. Accountability
Benefits2 is responsible for all Personal Information under our control, including Personal Information that we transfer to Service Providers for processing on our behalf. We have designated an individual to be accountable for our compliance with this Policy and with PIPEDA.
3.1 Designated Privacy Officer
Our Privacy Officer / Chief Information Security Officer ("Privacy Officer") oversees the implementation of this Policy and is the point of contact for any privacy-related inquiry, request, or complaint. You may contact the Privacy Officer using the contact information provided in Section 14 of this Policy.
3.2 Policies, Procedures and Staff Training
We have implemented internal policies and procedures designed to give effect to the privacy principles set out in this Policy, including procedures to protect Personal Information, to receive and respond to complaints and inquiries, to train and communicate to our staff about our privacy practices, and to make information about our privacy practices readily available.
3.3 Service Provider Accountability
Where Benefits2 transfers Personal Information to a Service Provider for processing, we use contractual or other means to provide a comparable level of protection while the information is being processed by that Service Provider. The use of a Service Provider does not relieve Benefits2 of its responsibility for the Personal Information transferred.
4. Identifying the Purposes for Collection
The purposes for which we collect, use, and disclose Personal Information are:
· To determine your preliminary eligibility for the Disability Tax Credit through our online assessment tool;
· To create and authenticate your secure user account on the Platform;
· To collect, organize, and map the clinical and demographic information necessary to complete any related CRA forms;
· To facilitate secure communication and document exchange between you, Benefits2, your designated medical practitioner, and (where applicable) the CRA;
· To process payment for the Services through our authorized payment processor;
· To provide customer support, respond to inquiries, and manage the ongoing client relationship;
· To comply with applicable legal, regulatory, audit, and tax obligations; and
· For any other purpose to which you expressly consent.
We will not use your Personal Information for any new purpose without first identifying that purpose and obtaining your consent, except where required or permitted by law.
5. Consent
Your knowledge and consent are required for the collection, use, or disclosure of your Personal Information, except where PIPEDA or other applicable law permits us to act without consent. Because Benefits2 routinely collects and processes Personal Health Information, which is considered sensitive under PIPEDA, we rely primarily on express, opt-in consent rather than implied consent.
5.1 How Consent is Obtained
You provide express consent to the practices described in this Policy by:
· Affirmatively checking the consent box presented at the time of account creation;
· Electronically signing requests for the release of medical records by your healthcare provider; and
· Electronically signing any forms prior to transmission to the CRA.
5.2 Withdrawal of Consent
Subject to legal or contractual restrictions and reasonable notice, you may withdraw your consent to our collection, use, or disclosure of your Personal Information at any time by contacting our Privacy Officer using the contact information in Section 14. If you withdraw consent, we will explain the likely consequences of doing so, which may include our inability to continue to provide some or all of the Services to you.
5.3 Consent on Behalf of Third Parties
In many cases, an account holder uses the Platform to apply for the Disability Tax Credit on behalf of another individual; for example, a parent applying on behalf of a minor child, an adult child applying on behalf of an aging parent, or a guardian or attorney applying on behalf of a dependent adult. By submitting the Personal Information or Personal Health Information of any individual other than yourself through the Platform, you represent and warrant to Benefits2 that:
· You are the parent or legal guardian of the individual, or you otherwise hold the legal authority (including under a power of attorney, guardianship order, or substitute decision-maker designation) to disclose that individual’s Personal Information to Benefits2 for the purposes described in this Policy; or
· The individual has provided you with their informed, express consent to disclose their Personal Information to Benefits2 for those purposes; and
· You have made the individual aware of, or where appropriate provided them with a copy of, this Policy and Schedule “A”.
Benefits2 reserves the right, but is not obligated, to request evidence of your authority before processing Personal Information about another individual.
5.4 Consent Involving Minors
Benefits2 does not knowingly collect Personal Information directly from children. Where an application relates to a minor, the account must be created and maintained by a parent or legal guardian of the minor. The consent of the parent or legal guardian will be treated as the consent of the minor for the purposes of this Policy, subject to the minor’s right, at the age of majority, to access and correct their own Personal Information held by Benefits2.
6. Limiting Collection: Information We Collect
Benefits2 limits the collection of Personal Information to that which is necessary for the purposes identified in Section 4. We collect Personal Information by fair and lawful means. The categories of Personal Information we collect are described below.
6.1 Preliminary Assessment Data
Before creating an account, you may complete a preliminary online assessment that asks general questions about impairments in basic activities of daily living, including walking, mental functions, feeding, dressing, hearing, speaking, vision, and elimination. If you abandon the assessment without proceeding to account creation, your responses are not associated with any identifying information and are retained, if at all, only in aggregate or anonymized form for the purpose of improving the assessment tool.
6.2 Account Registration Data
To register for an account, we collect:
· Your first name and last name;
· Your email address; and
· Your mobile telephone number.
Your mobile telephone number is required to enable mandatory Two-Factor Authentication ("2FA") when you log in to the Platform, and to deliver time-limited secure access codes to any medical practitioner you authorize to review your application.
6.3 Demographic Information
During the application process, we collect demographic information, including your postal code, and information about whether you currently have a treating medical practitioner or wish to be referred to a participating practitioner through our network.
6.4 Personal Health Information
To map your circumstances to the requirements of Form T2201, we collect detailed Personal Health Information, including:
· The category or categories of impairment that affect you (for example, walking, mental functions, hearing, dressing, or feeding);
· The severity of the impairment (for example, "moderate," "severe," or "profound");
· The frequency with which the impairment restricts your daily activities (for example, "always," "almost always," or "more than 90% of the time");
· The approximate date of onset of the impairment, which may include retrospective data going back to the date of diagnosis. While the CRA will reassess a maximum of ten (10) years, we commonly receive information dating back to the date of diagnosis, which may be more than ten (10) years;
· Your medical diagnosis or diagnoses associated with the impairment;
· Underlying causes or symptoms contributing to the impairment, such as pain, fatigue, loss of balance, or lack of flexibility;
· Medications you take in connection with the impairment;
· Therapeutic treatments you receive (for example, physiotherapy or occupational therapy); and
· Medical devices, aids, or assistive technologies that you require.
6.5 Information About Supporting or Qualifying Family Members
Where you intend to transfer all or part of the Disability Tax Credit to a supporting family member, we collect the supporting family member’s first name, last name, relationship to the applicant, and a description of the support provided (for example, food, shelter, or clothing). Your authority to disclose this information is governed by Section 5.2.
6.6 Financial Information
We collect billing information necessary to process payment for the Services. Payment card information is collected and processed directly by our third-party payment processor (currently Stripe Inc.). Benefits2 does not collect, view, or store full payment card numbers on our systems. Our payment processor processes card data in accordance with its own privacy policy and applicable PCI-DSS standards.
6.7 Communications and Support Data
We retain records of our communications with you, including emails, telephone calls, text messages, support tickets, and notes added by our team or by navigators, for the purpose of providing ongoing support and maintaining an accurate service record.
6.8 Technical and Website Usage Data
When you visit the Website, we and our analytics providers automatically collect certain technical information, including your Internet Protocol (IP) address, device and browser type, operating system, referring URLs, pages viewed, and the dates and times of your visits. We use this information to administer the Website, to diagnose technical problems, to detect and prevent fraud or abuse, and to improve the Services. See Section 12 (Cookies and Similar Technologies) for further detail.
7. Limiting Use, Disclosure, and Retention
Benefits2 uses and discloses Personal Information only for the purposes identified at or before the time of collection, except with your further consent or as required or permitted by law. We do not sell, rent, lease, or trade your Personal Information.
7.1 Disclosure to Service Providers
We disclose Personal Information to the following Service Providers for the limited purpose of delivering the Services. Each Service Provider is bound by contractual obligations to safeguard the Personal Information they process on our behalf and to use it solely for the purposes for which it was disclosed.
a) Microsoft Azure — Core Platform Hosting (Canada)
All primary Platform data, including account records, application data, and the archived final PDF copies of completed applications, is hosted on Microsoft Azure infrastructure located in the Canada Central or Canada East regions. Azure is the operator of our core production database and application servers.
b) Azure OpenAI Service — AI Narrative Generation (Canada)
To generate the descriptive narrative passages required by Form T2201, Benefits2 transmits a strictly limited subset of your information to the Azure OpenAI Service hosted in a Canadian Azure region. Under Microsoft’s Product Terms and Data Protection Addendum applicable to the Azure OpenAI Service, the prompts and responses generated through Benefits2’s deployment are not used to train, retrain, or improve any Microsoft or OpenAI foundation model. Your express consent to this processing is obtained separately in Schedule "A" to this Policy, which describes the limited use of prompt and response logging for abuse monitoring purposes.
c) Tamboo — Independent Medical Record Storage (Canada)
We instruct clients not to send sensitive medical records to Benefits2 by ordinary email. Instead, we ask that medical records be uploaded to Tamboo, an independent Canadian medical record storage platform based in Kitchener-Waterloo, Ontario, which is built on the MedStack compliance infrastructure and uses BlackBerry-backed security technology. You create and control your own Tamboo account; Tamboo is a separate data controller for the records you store with them, and your relationship with Tamboo is governed by Tamboo’s own terms and privacy policy. You may, at your discretion, share specific records with Benefits2 or with your medical practitioner through Tamboo. Benefits2 has no control over the security configuration of your Tamboo account.
d) SRFax — Secure Digital Fax (Canada)
We use SRFax, a Canadian-hosted digital fax service that markets itself as PIPEDA, PHIPA, and HIPAA-compliant, to transmit medical record requests to physicians’ offices and to deliver signed Form T2201 packages to the CRA. SRFax is operated from British Columbia, Canada.
e) GoHighLevel — Customer Relationship Management
We use GoHighLevel as our customer relationship management ("CRM") system to store client contact information, workflow status, and a chronological log of communications with you. What is stored in the CRM: first name, last name, email address, mobile telephone number, postal code, application status, and a chronological log of communications (including emails and call notes) with Benefits2. Navigator notes recorded in the CRM are kept to operational matters (such as application progress, communications log, and scheduling) and are not intended to record clinical detail. What is not intentionally stored in the CRM: the granular clinical answers to the impairment questionnaire, diagnoses, medication lists, therapeutic treatments, or medical devices. These categories of Personal Health Information are processed only within the Azure-hosted Platform described in Section 7.1(a). Benefits2 trains its navigators to keep clinical information out of the CRM, but in the event that a client volunteers clinical information in the course of a communication that is logged to the CRM, that information may incidentally be stored in the CRM as part of the communication record.
f) SendGrid and Mailgun — Transactional Email Delivery
We use SendGrid (operated by Twilio Inc.) and Mailgun (operated by Sinch Email) to deliver transactional emails, including 2FA codes, account notifications, and the final completed Form T2201 PDF when delivered to you by email. SendGrid and Mailgun are United States-based service providers, and your email address and the metadata associated with email delivery may be processed in the United States.
g) Payment Processing
Our payment processor processes payment card information on our behalf. Our current processor is headquartered in the United States and processes payment information in accordance with its own privacy policy and applicable PCI-DSS requirements. Benefits2 receives only summary transaction information necessary to confirm payment and to reconcile accounts; full payment card numbers are never received or stored by Benefits2.
7.2 Cross-Border Transfers and Foreign Lawful Access
As described in Section 7.1, certain Service Providers process Personal Information in the United States. While we contractually require these Service Providers to maintain a comparable level of protection, you should be aware that Personal Information processed outside Canada may be subject to lawful access requests by foreign courts, law enforcement, or governmental authorities under the laws of that jurisdiction. All Personal Health Information processed by Benefits2 — including all responses to the impairment questionnaire, all clinical detail, the inputs to the AI narrative generation, and the archived completed Form T2201 PDF — remains hosted in Canada.
7.3 Disclosure to Medical Practitioners
Where you instruct us to do so, Benefits2 will share the contents of your draft Form T2201 with a medical practitioner you designate, or with a participating practitioner network such as AbilityDocs, for the purpose of clinical review, completion, and certification of the form. Once a medical practitioner reviews or signs your application, that practitioner becomes the controller of the clinical record they create and is independently subject to their professional college’s record-retention requirements. This retention obligation is independent of Benefits2 and is not controlled by us.
7.4 Disclosure to the CRA
At your direction and with your electronic signature, Benefits2 transmits completed Form T2201 packages to the Canada Revenue Agency by secure digital fax. These packages include the questionnaires and medical records completed by the physicians. Once received by the CRA, your information is governed by the Income Tax Act, the Privacy Act, and other federal legislation applicable to the CRA, and is no longer under the control of Benefits2.
7.5 Disclosure Required by Law
Benefits2 may disclose Personal Information without your consent where required or permitted by law, including in response to a subpoena, warrant, court order, or other legally binding demand from a Canadian court, tribunal, or regulator with jurisdiction over Benefits2. Where lawful, we will notify you of any such demand before disclosing your Personal Information.
7.6 Disclosure in Connection with a Business Transaction
Personal Information may be disclosed to a prospective or actual purchaser, investor, lender, or successor in the context of a financing, merger, acquisition, reorganization, or sale of all or part of the business of Benefits2, provided that the recipient agrees to treat the Personal Information in a manner consistent with this Policy and PIPEDA.
8. Retention and Destruction
We retain Personal Information only for as long as is reasonably necessary to fulfill the purposes for which it was collected, or as required by applicable law.
8.1 Raw Application Data
The raw inputs you provide while completing the impairment questionnaire, including granular responses about severity, frequency, onset dates, symptoms, medications, therapies, and devices, are automatically and permanently deleted from our active Azure database thirty (30) days after the corresponding Form T2201 has been generated. After this date, these granular inputs are no longer accessible to Benefits2 personnel or to you through the Platform.
8.2 Incomplete or Abandoned Applications
Where you create an account and begin an application but do not complete or generate a Form T2201, your in-progress responses remain stored in the Azure database to allow you to resume the application. If no activity is recorded on the application for a period of twelve (12) months, the in-progress responses are automatically and permanently deleted. Your base account profile may remain active in accordance with Section 8.4.
8.3 Archived Form T2201 PDFs
A static PDF copy of each completed Form T2201 is retained by Benefits2 in a secure Azure storage container in Canada. This retention period aligns with the Canada Revenue Agency’s general recommendation that taxpayers retain supporting records for six (6) years from the end of the last tax year to which they relate. Benefits2 retains the archived PDF for a period of seven (7) years from the date of generation, after which it is permanently deleted. You may request the earlier deletion of your archived PDF at any time by contacting the Privacy Officer. We will honour such requests unless we are legally required, or have a legitimate business reason (for example, an active CRA reassessment or a pending dispute), to retain the document.
8.4 Account and CRM Data
Your basic account profile and CRM record (name, contact details, communication history) is retained while your account remains active and for a period of two (2) years following your most recent interaction with Benefits2, after which it is deleted or anonymized. You may request earlier deletion at any time, subject to Section 8.5.
8.5 Limits on Deletion
Where you request the deletion of Personal Information, Benefits2 may retain limited records as necessary to comply with applicable legal, regulatory, audit, or tax obligations, to defend or assert legal claims, to investigate suspected fraud or abuse, or to enforce our contractual rights. Any retained Personal Information will continue to be protected in accordance with this Policy.
8.6 Method of Destruction
When Personal Information is no longer required, we destroy, erase, or anonymize it using methods appropriate to the medium and sensitivity of the information, in accordance with industry standards.
9. Accuracy
Personal Information held by Benefits2 must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Because the Disability Tax Credit application relies on the accuracy of your responses, we encourage you to:
· Review your responses carefully before submitting your application;
· Notify our Privacy Officer or your assigned navigator of any change in your contact details, medical circumstances, or treating practitioner; and
· Use the access and correction process described in Section 11 if you believe your Personal Information is inaccurate.
10. Safeguards
Benefits2 protects Personal Information with security safeguards appropriate to the sensitivity of the information, regardless of the format in which it is held. Our safeguards include the following.
10.1 Technical Safeguards
Our technical safeguards include the following:
Encryption of Personal Information in transit between your device, the Platform, and our Service Providers using current industry-standard transport layer security (TLS);
· Encryption at rest of Personal Information stored within Microsoft Azure databases and storage containers, in accordance with Azure’s default platform-level encryption;
· Mandatory Two-Factor Authentication for all client accounts and for medical practitioners accessing the Platform through our external practitioner portal;
· Access controls that limit employee, contractor, and navigator access to Personal Information to those whose duties reasonably require it;
· Logging of access to, and administrative changes within, the Platform sufficient to support investigation of suspected unauthorized activity;
· Data minimization by design in our AI integration, such that diagnostic information is excluded from the data transmitted to the Azure OpenAI Service (see Schedule “A”); and
· Routine application and operating-system updates and vulnerability monitoring.
10.2 Organizational Safeguards
Written confidentiality and privacy obligations imposed on all employees, contractors, and navigators;
· Privacy and security training for personnel handling Personal Information;
· Data processing agreements with all Service Providers; and
· Periodic internal review of our privacy practices and incident response procedures.
10.3 Physical Safeguards
Personal Information held in physical form, such as printed correspondence or fax records, is stored in secure premises with restricted access and is shredded when no longer required.
10.4 Limitations
No method of electronic transmission or storage is perfectly secure. While Benefits2 takes reasonable steps to protect Personal Information, we cannot guarantee absolute security. You play an important role in safeguarding your own information by maintaining the confidentiality of your password, enabling 2FA, refraining from sending medical records by ordinary email, and notifying us promptly of any suspected unauthorized access to your account.
11. Individual Access and Correction
Subject to the limited exceptions permitted by PIPEDA, you have the right to be informed of the existence, use, and disclosure of your Personal Information held by Benefits2, and to be given access to that information. You also have the right to challenge the accuracy and completeness of the information and have it amended as appropriate.
11.1 Submitting a Request
To submit an access or correction request, contact our Privacy Officer using the information in Section 14. To protect your privacy, we will require you to verify your identity before we respond. We will respond to your request within thirty (30) days of receipt, or notify you within that time if an extension is required.
11.2 Right to Review and Amend the Draft Application
In addition to the formal access right described above, you (and any medical practitioner you authorize) may at any time before submission to the CRA review, download, and request corrections to the draft Form T2201 generated by the Platform.
11.3 Refusing Access
We may refuse access where permitted or required by law; for example, where granting access would reveal Personal Information about another individual, where the information is protected by solicitor-client or litigation privilege, or where disclosure would reveal confidential commercial information. If we refuse access, we will inform you in writing of the reasons and of your right to challenge our decision.
11.4 Fees
Benefits2 does not charge a fee to respond to a routine access request. If responding to your request would require a substantial amount of work, we will advise you of any estimated fee before proceeding, and you may then withdraw or modify your request.
12. Cookies and Similar Technologies
The Website uses cookies and similar tracking technologies to operate the Website, authenticate logged-in sessions, remember user preferences, and analyze how visitors interact with the Website. The categories of cookies we use are strictly necessary cookies that are required for the Website and Platform to function, including session and authentication cookies. These cookies cannot be disabled through the Website. Functional cookies that remember choices you make (such as language or display preferences) to enhance your experience.
Analytics cookies that allow us and our analytics providers to understand how visitors interact with the Website on an aggregated basis. You may control or disable cookies through your browser settings. Disabling strictly necessary cookies may prevent you from logging in to the Platform or completing an application.
13. Privacy Breach Notification
Benefits2 maintains an incident response procedure for identifying, containing, investigating, and responding to suspected privacy breaches. Where a breach of security safeguards involving your Personal Information creates a real risk of significant harm to you, we will:
Notify you of the breach as soon as feasible, in accordance with PIPEDA and the Breach of Security Safeguards Regulations;
· Report the breach to the Office of the Privacy Commissioner of Canada;
· Notify any other organization or government institution that may be in a position to mitigate the risk of harm; and
· Maintain a record of the breach for the period required by PIPEDA.
Our notice will describe the circumstances of the breach, the Personal Information involved, the steps we have taken or will take to mitigate harm, and steps you can take to reduce your risk.
14. Inquiries, Complaints, and Contact Information
We welcome your questions and feedback regarding our privacy practices. If you have a question, would like to access or correct your Personal Information, would like to withdraw consent, or wish to make a complaint, please contact our Privacy Officer:
Privacy Officer
Disabilitiesai Inc.
4521 Spruce Avenue
Burlington ON L7L 1M5
Email: [email protected]
Telephone: 1-877-257-7725
We will acknowledge your inquiry promptly and investigate complaints fairly and confidentially. If we find a complaint to be justified, we will take appropriate measures to resolve it, including, where necessary, amending our policies and practices.
14.1 Escalation to the Privacy Commissioner
If you are not satisfied with our response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca
15. Openness and Changes to This Policy
Benefits2 makes specific information about our policies and practices relating to the management of Personal Information readily available to individuals. This Policy is published on the Website and is also available in alternate format upon request.
We may amend this Policy from time to time to reflect changes in our practices, our Service Providers, applicable law, or industry standards. The "Effective Date" at the top of this Policy indicates when the current version came into force. Where a change is material, we will notify you by email or by a prominent notice on the Website before the change takes effect. Your continued use of the Services following any such notice constitutes your acceptance of the revised Policy.
SCHEDULE "A"
AI Processing Consent Schedule
A.1 Purpose of This Schedule
This Schedule forms part of the Benefits2 Privacy Policy and describes, in additional detail, the artificial intelligence ("AI") processing that Benefits2 uses to generate the descriptive narrative passages required by Form T2201 (Disability Tax Credit Certificate). Because we consider this processing to involve a sensitive technology applied to sensitive information, we obtain your express, opt-in consent separately from your general consent to this Policy.
A.2 What the AI Processing Does
Form T2201 requires that the medical practitioner certify, in narrative form, the manner in which an impairment restricts the applicant’s activities of daily living. To assist with this, Benefits2 transmits a limited, abstracted set of your answers to the Azure OpenAI Service so that the service can generate one or more candidate narrative sentences for inclusion in your draft Form T2201. The candidate text is presented to you and to your medical practitioner for review, amendment, and approval before it is included in the final form. The AI does not make any eligibility decision, does not assess whether you qualify for the Disability Tax Credit, and does not substitute for the clinical judgment of your medical practitioner.
A.3 What Data Is Transmitted to Azure OpenAI
When you instruct the Platform to generate a draft narrative, the following limited data points are transmitted to the Azure OpenAI Service hosted in a Canadian Azure region:
· Your first name;
· The category of impairment to be described (for example, "walking" or "mental functions");
· The severity of the impairment (for example, "moderate" or "severe");
· The frequency of the restriction (for example, "always" or "more than 90% of the time");
· Micro-causes contributing to the impairment, where applicable (for example, "pain," "fatigue," or "loss of balance");
· Therapeutic treatments you receive that are relevant to the narrative; and
· Medical devices or aids that you require that are relevant to the narrative.
What is not transmitted to Azure OpenAI: your last name, your full date of birth, your address, your email address or telephone number, your specific medical diagnosis, your medical record number, or any other direct identifier or detailed clinical information not listed in the section above. The Platform abstracts your inputs so that the AI receives only what is needed to draft a grammatically and stylistically appropriate narrative sentence.
A.4 Where the Processing Occurs
Benefits2 uses the Azure OpenAI Service operated by Microsoft within a Canadian Azure region. Your data does not leave Canada in the course of this processing.
A.5 Microsoft’s Contractual Privacy Commitments
Azure OpenAI processing is governed by Microsoft’s Product Terms and Data Protection Addendum applicable to the Azure OpenAI Service. Under those terms:
· No model training. Microsoft does not use Customer Data, including the data Benefits2 transmits on your behalf, to train, retrain, or improve the foundation models offered through the Azure OpenAI Service or any other Microsoft or third-party product.
· No use for other customers. The data Benefits2 transmits is not made available to any other Microsoft customer.
Confidential abuse monitoring. Microsoft may, by default, log prompts and outputs for up to thirty (30) days for the limited purposes of detecting and mitigating abusive use of the service, and reviewing potential violations of Microsoft’s Code of Conduct. Access to such logs is restricted to authorized Microsoft personnel. Microsoft offers eligible customers the ability to apply for an exemption from this abuse-monitoring logging; Benefits2 will, where eligible and operationally feasible, pursue such an exemption and will update this Schedule accordingly.
Deletion after the abuse-monitoring window. Where abuse monitoring is enabled, logs are deleted on a rolling basis at the end of the thirty (30) day window unless required to be retained longer to address a confirmed violation.
A.6 If You Do Not Consent
Your consent to AI processing is voluntary. If you do not provide consent under this Schedule, or if you withdraw consent that you have previously given, Benefits2 will instead prepare the narrative sections of your Form T2201 manually, with the assistance of a Benefits2 navigator. The manual process may take longer to complete than the AI-assisted process, but it has no other adverse impact on your application or your eligibility for the Disability Tax Credit. No additional fee will be charged for the manual alternative.
A.7 Withdrawing Consent
You may withdraw your consent to AI processing at any time by:
Toggling the AI processing consent setting in your account preferences on the Platform; or
Contacting our Privacy Officer at [email protected]. Withdrawal of consent will not affect any narrative content already generated and approved by you and your medical practitioner before the withdrawal, but it will prevent any further transmission of your data to the Azure OpenAI Service.
A.8 Your Express Consent
By checking the "I consent to AI narrative generation" box presented at the time of application generation, you confirm that:
· You have read and understood this Schedule "A" and the Benefits2 Privacy Policy of which it forms part;
· You understand exactly what data will be transmitted to the Azure OpenAI Service and what data will not;
· You understand that the processing occurs in Canada and that Microsoft does not use your data to train its AI models;
· You understand that Microsoft may retain prompts and outputs for up to thirty (30) days for abuse-monitoring purposes, unless an exemption has been obtained;
· You understand that a manual alternative is available if you do not consent; and
· You expressly consent to the transmission of the specified data to the Azure OpenAI Service for the purpose of generating draft narrative content for your Form T2201.