Privacy Policy

(Updated January, 2023)

My Viva Plan and Your Privacy

My Viva Plan (“MVP”) is an online lifestyle program/tool designed to address wellness at the individual level that is administered by My Viva Inc. My Viva Inc. is an industry leader in up-to-date, evidence-based nutritional, physical and emotional wellness coaching. Through this coaching, we help motivate and empower people in achieving their goals to live with energy, vitality and health. This program provides you with support and expertise/advice and guidance to assist you with weight management, prediabetes, diabetes, high blood pressure, high cholesterol, fitness nutrition, prenatal and postnatal care, anxiety, depression, dietary restrictions, allergies and intestinal health.

The program provides you with health and fitness tools to help you visualize how your actions and behaviors impact your personal and professional journey. Participating in the program starts by completing your online customer profile at MVP.
In order for you to participate in the program and for MVP to support the program services, we need to collect and use certain information about you – your Personal Information. MVP is committed to protecting your privacy and the confidentiality and security of your Personal Information.

This Privacy Policy explains:

  • how and why we collect, use, and sometimes disclose your Personal Information;
  • how you can access your Personal Information that we hold; and
  • who to contact if you have questions or concerns about your privacy.

It applies only to your Personal Information collected through the MVP online tool or through our mobile application.

Definitions:
As used in this Privacy Policy, the capitalized words below have the following meanings:
Aggregate Information means data that has been compiled from record-level data to a level of aggregation that ensures that the identity of the individuals to which the data relates cannot be determined by reasonably foreseeable methods.

Applicable Privacy Laws means any and all applicable laws relating to privacy and the collection, use and disclosure of Personal Information in all applicable jurisdictions, that are in existence as of the last update of this Privacy Policy or subsequently come into existence, as they may be amended, re-enacted, consolidated and/or replaced, from time to time, and any successor to the foregoing.

Artificial Intelligence (AI) means the capability of a machine to imitate intelligent human behavior. When personal information is provided to AI tools, the solutions can generate responses to questions and assist in problem-solving. Currently, only the My Viva product YARO uses AI in its solution.

De-Identified Data means data that has Personal Information removed or obscured, such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information could be used either alone, or in combination with other information, to identify an individual.

Personal Information means information about an identifiable individual, including, but not limited to, your name, birthdate, physical or mental health, health history, diagnostic, treatment and care information. It does not include the name, title or business address or telephone number of an employee of an organization.

What type of information does MVP collect?

Personal Information You Provide

MVP collects your Personal Information that is necessary to support the delivery of our programs to you. When you register for the program, you must complete your online customer profile by providing us with your contact information: your full name, email address, telephone number, unique username and password, city, province, and country of residence. We only collect Personal Information that we need to develop a specialized program for you as described below. This information includes your age, sex at birth, gender, height, weight, waist circumference, lifestyle habits, as well as your short and long-term goals. Should you choose to supply it, this information will also include your current and historical medical information, such as past diagnosis or current medications, blood pressure, blood sugar levels, and cholesterol.

Information Obtained by Connected Devices

If you choose to connect MVP with third-party health and fitness devices, Personal Information from these devices will be shared with MVP. This information will include heart rate, blood pressure, blood sugar levels, and other vitals as collected depending on the device and your settings.

Information Obtained Automatically – Cookies

“Cookies” are an example of “digital markers”: a small file placed on your computer by a website that you visit. They are stored there so that the web server can remember certain pieces of information about you and make your visit easier – you do not have to re-enter the same information every time. This information is used by the web server during the same or another visit to the website. A cookie captures the Internet Protocol (“IP”) address of the device you use to access our website. The IP address on its own may not identify you but can do so when combined with other data automatically collected when you visit our web page, such as the name of the page you visited and the date and time of your visit. MVP collects your IP address which will be used should we require it to investigate any unusual access by our users.

In addition, MVP uses cookies if you select “remember me” for automatic sign-in so that Personal Information you have previously provided to us is automatically included for your convenience. We do not use this computer identification to further identify individual users.

You can set your Internet browser to send you an alert before a cookie is placed on your device. You may adjust your browser settings to reject digital markers, including cookies. Disabling cookies when you visit our website will have no discernible impact on your browsing experience for MVP. However, you will need to turn them on should you select “remember me” for automatic sign in. Please consult your browser’s Help Menu for instructions.

Two-factor authentication

In addition, MVP uses two-factor authentication (2FA), which is a security process whereby you provide two different authentication factors (security questions or a code sent to your email address) to verify yourself. Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts.

How Does MVP Use My Personal Information?

Your Personal Information will only be used by authorized MVP staff and coaches for the purpose for which it was originally collected as set out below, or if you provide us with your consent to use it for another purpose.

The purpose of the Personal Information you provide regarding your health history, current health issues, eating and exercise habits is to develop individual plans to assist you with weight management, prediabetes, diabetes, high blood pressure, high cholesterol, fitness nutrition, prenatal and postnatal care, anxiety, depression, dietary restrictions, allergies and intestinal health.
My Viva uses device information, including IP addresses, for security purposes. Device information is logged when your account is accessed. If we suspect your account has been compromised, we will use your contact information to notify you. My Viva may also use your contact information to inform you of other security or maintenance issues. These include anticipated downtime, potential changes to your account level, or future changes to our corporate status.

On occasion, My Viva works with researchers for studies to improve healthcare quality. My Viva always asks for consent prior to your participation or use of your information in such studies.

Use of Aggregate Information

If you have joined My Viva on a corporate plan, we will assist your corporate entity to promote the long-term health of its employees by providing it with Aggregate Information related to the number of employees using the service, stress assessments, categories for blood pressure results, and percentages of employees completing their daily reflections.

My Viva also uses Aggregate Information to improve its website and online products. Using cookies, My Viva compiles reports of Aggregate Information of site visitors. This information is used to improve our services, website layout and product design.

How Does MVP Share My Personal Information?

MVP does not sell, share or disclose your Personal Information to others for any type of mailing list. In addition to these measures, we will not disclose or transfer your Personal Information to third parties without your permission, except as specified in this Privacy Policy.

MVP may disclose your Personal Information

  • for the purpose of the program for which it was collected (see “How does MVP Use my Personal Information” for more details);
  • to meet or comply with any applicable laws, regulation, legal process, audit or enforceable request from a government agency or regulatory body;
  • in specific circumstances, with your prior consent;
  • in connection with a bankruptcy proceeding or the sale, merger or change of control of MVP; and
  • if MVP is acquired or merged with another company, we may transfer information about you to the extent the Personal Information is necessary to carry on the business or activity that was the object of the transaction. In this instance, we will give notice to affected individuals before their Personal Information is transferred or MVP becomes subject to a different privacy policy.

From time to time, MVP may retain other companies and contractors to provide services on our behalf (“Service Providers”). These Service Providers may have limited access to Personal Information in order to provide their services. MVP uses contractual means to require these Service Providers to maintain the confidentiality and security of the information to the same degree as does MVP. Contracts prohibit them from using or disclosing the information about our members for any purpose other than to provide the services.

We store your Personal Information in Canada. However, some of MVP’s Service Providers (as described above) may operate outside of Canada. These Service Providers are contractually required to meet MVP’s privacy standards. By using MVP, you consent to the access of your Personal Information from outside Canada.

You understand that if your information is accessed from, or stored in a foreign country, it may be subject to foreign laws and accessible to law enforcement and national security authorities with that jurisdiction.

Except as set forth in this Privacy Policy and any updates and/or changes thereto, we will not collect, use or disclose your Personal Information for any other purposes without your consent.

What Safeguards are in Place to Protect my Personal Information?

MVP has implemented reasonable security safeguards to protect your Personal Information against such risks as unauthorized access, collection, use, disclosure or disposal. Security measures have been integrated into the design and day-to-day operating practices as part of MVP’s commitment to the protection of the Personal Information it holds.

MVP uses technical, administrative (organizational) and physical safeguards to protect your Personal Information:

Technical Safeguards include but are not limited to:

  • Firewalls
  • Secure servers
  • Use of Encryption when data is in transit and at rest
  • Strong password standards
  • Limited user access based on need-to-know principles
  • Maintaining logs of access to your Personal Information and auditing these logs to confirm only authorized users have accessed information.

Administrative (Organizational) Safeguards

  • We have put in place privacy and security policies and procedures, as well as entered into confidentiality agreements with our staff/coaches to ensure a proper level of protection of your Personal Information.
  • Our staff/coaches are trained on our policies and procedures so that they understand their privacy and security responsibilities.
  • My Viva enters into contracts with all third-party suppliers that need access to your Personal Information to provide their services, which contracts require that they will enact their own safeguards that, at minimum, protect the Personal Information to the same degree as My Viva, and only use Personal Information for the purpose of providing services.

Physical Safeguards include but are not limited to:

  • Use of Microsoft Azure secure cloud. Microsoft Azure is certified as compliant with ISO Standard 27018 Code of Practice for personal identifiable information (PII) protection in public clouds acting as PII processors. In addition to the independent certification process under ISO27018, the Standard also includes the right to audit Microsoft for compliance.
  • Secure Office Buildings
  • Secure and limited physical file storage

Accuracy and Correction of my Personal Information

As an MVP member you are entitled to access all of your Personal Information (as described above) that we have in our custody and under our control. You may access your Personal Information via your secure online account. If you would like to request our staff to access your information for this purpose, please contact us per our contact information below and provide us with your username. Once we verify your identity and confirm the request, we will generate a copy of your information for you.

Once we receive your request, we may contact you further for more information. We will respond to all requests for information within 7 days or sooner if possible. Prior to information release, My Viva reserves the right to verify the identity of the requestor and refuse access requests on grounds of suspicious activity.

You may correct and update your Personal Information at any time by accessing your account through the website or our mobile applications.

We rely on you to ensure that the Personal Information you provide to us is accurate and up to date. It is very important that you maintain the accuracy and currency of your information so that we can tailor your program to your ongoing and/or changing needs.

How May I Close my Account?

If you have a personal account, you may close your account at any time by accessing your account and payment history and selecting the “cancel” option. Your account will be cancelled immediately, but you will have access to it until the end of the current billing cycle. If your MVP account is provided to you and paid for by a third party such as your employer or your insurance company, please contact that third party directly in order to close your account.

When you cancel your membership and close your account, My Viva Inc. retains your Personal Information only if required by law or regulations. In the event My Viva is required to hold any Personal Information, your account is deactivated, and your information will be retained but will no longer be processed. If My Viva is not required to retain your Personal Information by law, the information will be destroyed by secure means.

How Will I Know if MVP Makes Changes to This Privacy Policy?

MVP may update and/or make changes to this Privacy Policy at any time. When we make changes, the “last updated” date at the top of the Policy will be revised. Every time that a change to this Policy is made, users will be notified.
Privacy Policy updates will be reflected on this page so that visitors to the site and users of the Service are always aware of what information we collect, how we use it, and under what circumstances we disclose it. When you access MVP, you should check to ensure that you are familiar with the latest version of this Privacy Policy.
By registering to use our services (whether through the MVP website, or our mobile applications), you consent to the collection, use and disclosure of your Personal Information as described in this Privacy Policy. Your continued use of MVP after having been notified of any updates and/or changes to the Privacy Policy constitutes your agreement and continued consent.

Compliance with Applicable Privacy Laws

MVP complies with the Applicable Privacy Laws of the relevant jurisdiction in which MVP operates at any given time. MVP regularly reviews the Applicable Privacy Laws to reflect any changes in its policies and practices.

You-AR-Ok (YARO)

My Viva Inc. also manages and is responsible for the You-AR-Ok (YARO) Avatar application. YARO is an augmented reality (AR) buddy (online chat bot) to promote resilience at a time of stress: using AI programmed through the use of Pinecone Systems and OpenAI, you can talk to YARO and it can talk back, offering assurances and self-care recommendations.

When operating, YARO utilizes the speech to text function from the mobile device that you are using to communicate with YARO. You are responsible for establishing your own device privacy settings, such as limiting how long text to speech stays on your device. With the exception of the information below as it specifically relates to YARO, all other provisions of this Privacy Policy apply. YARO is not available as a desktop product at this time.

What type of information does YARO collect?

When talking to the application, YARO asks for your name, and collects any Personal Information you choose to provide during your discussion about self-care and health goals. YARO also connects to your My Viva ID when you log in. As you talk to YARO, your device transforms the conversation into a transcript which allows the data to be processed.

How is this information processed and used?

During the call, your conversation becomes a transcript through the operation of the speech to text function on your device. YARO takes the transcript and processes the information into “pieces” of data, which allow it to offer support during your conversation and future conversations. For example, if you talk to YARO about how tired you feel, YARO takes the phrase “I’m very tired” as a piece of data and can then offer a simple suggestion to get more sleep.

After your discussion, YARO saves the pieces of your conversation, such as “I’m very tired”, still connected with your My Viva ID, for future conversations you may have with YARO. This means if you tell YARO you want to “eat more fruit” during one talk, YARO can ask you “how is your goal to eat more fruit progressing?” in future conversations.

At the end of your conversation, you are also given a choice to permit My Viva to use your full transcript as data for training YARO. If you choose to provide consent, your MVP ID and name are removed so the transcript is no longer connected with your account before it is uploaded into a separate database My Viva uses for training data. Coaches and YARO developers then review transcripts for common problems and actual user struggles addressed in conversations, to train YARO into offering better responses.

If you do not choose to provide consent, YARO does not save the transcript of your conversation.

Is my information shared outside of YARO?

In order to operate, YARO relies on the AI tools OpenAI and Pinecone. When the transcript is broken down into pieces by YARO, these pieces are then sent to Pinecone and OpenAI who provide some of the system’s back-end application programming interface (API). YARO does not share your My Viva ID or other account information with OpenAI or Pinecone: as long as you have not included identifiable information in the chat, pieces are de-identified (see below). Pinecone and OpenAI review the de-identified ‘pieces’ of data from your conversation against data used to train the AI, to determine how YARO should respond. Under their Terms of Use, these tools process data on My Viva’s behalf.

As stated in its Privacy Policy, OpenAI also uses the de-identified “pieces” of information for quality assurance and AI development. By using YARO, you agree to OpenAI’s continued processing of these pieces. See Pinecone’s Privacy Policy and OpenAI’s Privacy Policy for more information.

What do you mean by “de-identified pieces of data”? Does this mean that YARO de-identifies all the information I provide?

As a safeguard, when the transcript of your call is broken down into pieces by YARO, the data becomes de-identified if this information is not connected to your My Viva ID. The phrase “I’m struggling to lose weight” for example, if not connected to data that personally identifies the speaker, could come from anyone.

However, data processed by YARO is only de-identified if you do not include identifiable information in your call. If you tell YARO “I live at 25 Oak Street in Calgary with my partner and our three children” YARO’s AI may retain “I live at 25 Oak Street in Calgary” making the data identifiable. Similarly, if you inform YARO “I’m seeing Dr. Smith in Toronto for a heart problem” the AI may save “Dr. Smith in Toronto for a heart problem” which could identify you. For this reason, avoid sharing sensitive information with YARO, and NEVER share critical IDs, such as your Social Insurance Number, Medical Number or payment cards.

YARO’s Advisory
Please be aware that YARO’s recommendations are based on the information you provide through your discussion with the application, and the data YARO’s AI has been trained on.

YARO is not intended to replace a healthcare professional, or for discussion of sensitive health topics, and cannot give a medical diagnosis. YARO is intended only as a tool to help users with self-care and personal health goals. Never use YARO as an official health diagnosis tool or in place of recommendations by a healthcare professional.

How can I access my YARO data?
To review a copy of your YARO data, email our Privacy Officer at the address below.

How Do I Contact MVP to Answer My Questions About this Privacy Policy or Make a Privacy-Related Complaint?

MVP has appointed a knowledgeable individual within its organization to be responsible for privacy compliance. It is the Privacy Officer’s responsibility to monitor and enforce this Policy.

If you have any questions about this Privacy Policy, or wish to make a complaint about how MVP manages your Personal Information, please contact our Privacy Officer at:

3728-91 Street NW
Edmonton, Alberta T6E 5M3
Telephone: 780-450-2027
Email: privacy@myvivaplan.com

If, having shared your concerns with us, you are still not satisfied, you may file a complaint with the privacy regulator:

Office of the Information and Privacy Commissioner

#410, 9925 – 109 Street NW
Edmonton, AB T5K 2J8
Phone: 780-422-6860
Toll-Free: 1-888-878-4044
Email: generalinfo@oipc.ab.ca