Pilot testing in progress. This site is under active development and data may be reset without notice. Please don't submit real care requests yet.

Health data handling procedures

Last updated: April 3, 2026

Building in public. This document is part of a technology demonstration. It has not been reviewed or approved by legal counsel and does not constitute legal advice, a binding agreement, or a final policy. Polymorphism is an Alberta home-care marketplace prototype built to showcase platform architecture — not a live service accepting clients or caregivers at this time.

What we may store

Care coordination records can include intake narratives, high-level ADL needs, scheduling metadata, visit verification (EVV) timestamps, billing artifacts, and uploaded compliance documents — limited to what is necessary for marketplace operations.

Access controls

Supabase Row Level Security restricts rows to the owning client or caregiver account; platform automations use a dedicated service role with audit logging recommended in production.

Encryption & residency

Data in transit uses TLS. At-rest encryption follows the database provider's defaults. Choose Canadian or contractually approved regions when provisioning Supabase for regulated workloads.

Breach notification

Material privacy incidents should be escalated to the Privacy Officer and, where required, reported to the Alberta Information and Privacy Commissioner within statutory timelines.

Retention

Health-adjacent records often require multi-year retention (commonly up to seven years for business records — confirm with counsel and clinical governance).