Privacy by default
Maximum confidentiality settings out of the box. Quebec Law 25 medspa deployments ship with consent defaults at the strictest interpretation; clinics relax, not tighten.
Canada · Quebec Law 25 medspa
For Quebec-based aesthetic clinics that need Law 25 covered out of the box, including automated-decision disclosures, 72-hour breach notification, and bilingual consent capture. Quebec Law 25 medspa software that's Phase 1, 2, and 3 ready today.
Section 01 · What Law 25 requires
Quebec Law 25, also known as Bill 64 and P-39.1, is Quebec's private-sector privacy law. It's the strictest Canadian privacy standard, and because the strictest rule wins across jurisdictions, Quebec Law 25 medspa software effectively sets the national bar. Delam is built to that bar.
Source: Commission d'accès à l'information du Québec, Loi 25, 2024.
Consent is obtained before collection, purpose-specific, documented, and revocable. Separate consents for care, photos, marketing, and AI assistance.
Any system that makes or helps make a decision about a person must disclose automation, main factors, and the right to request a human review.
Confidentiality incidents with real risk of serious harm must be reported to the CAI and to affected individuals inside a tight window.
Each enterprise must name a privacy officer, publish their contact, and route data-subject requests and complaints through them.
Before any personal information leaves Quebec, a documented privacy impact assessment evaluates the foreign legal regime and the protections in place.
Section 02 · How Delam handles Law 25
Automation
The Quebec Law 25 medspa automation engine surfaces a disclosure before every AI step. The AI front desk opens every call with the disclosure. No-show risk scoring writes an audit entry when it influences a booking decision. The branded app shows patients which factors fed the automation.
Voice
Law 25 disclosure scripts ship bilingual. The AI front desk detects the caller's language on the first utterance and reads the fr-CA disclosure in Quebec French, not EU French. The script is reviewed by Canadian clinical staff for natural phrasing and by a legal reviewer for CAI alignment.
Incident
A confidentiality incident triggers a 72-hour internal clock, prewritten CAI and patient notices in en-CA and fr-CA, a breach register retained two years, and a remediation-tracking checklist. The designated privacy officer receives the incident immediately, with an escalation path to Delam's security team.
Flow
Cross-border privacy impact assessments run before any data leaves Quebec. Delam ships PIA templates, a data-flow inventory, and a registry of cross-border transfers with legal-regime evaluations and standard contractual clauses. Every transfer is disclosed in the clinic privacy notice.
Consent
Every consent template in Delam's Quebec Law 25 medspa stack is maintained in parallel en-CA and fr-CA versions, reviewed by Canadian clinical and legal reviewers. The signed record stores both the language the patient read and the template version, so a clinic can reproduce the exact wording a patient signed on a given date. Revocation is one tap with downstream automations halting in under 60 seconds.
Section 03 · Minor-data handling
Law 25 sets the strictest Canadian rule for minors. For patients under 14, Quebec Law 25 medspa software never collects personal information directly from the minor unless parental or guardian consent exists, or the collection is clearly in the minor's best interest and cannot be done otherwise.
Delam stores guardian contact separately, links it to the minor's record, requires age verification before processing, and applies tighter retention defaults. Marketing automations never fire to a minor's contact point. The audit trail captures every read, write, and export on a minor's record with the guardian consent version on file.
For patients 14 and over, consent flows default to the individual, with guardian notice preserved where clinically appropriate.
Section 04 · Automated-decision transparency
Law 25 Section 12.1 requires that any person whose information feeds an automated decision must be told about the automation, the main factors and logic, and their right to request a human review. Quebec Law 25 medspa software cannot meet that bar with a privacy-policy mention; it has to happen at the moment of interaction.
What the AI front desk surfaces
When a caller requests a human, Delam routes to on-shift staff with the calls.receive permission and a current ShiftPunch. If no staff are punched in, the AI offers to page on-call staff or schedule a callback. Every human-review request is retained in the audit trail.
< 72 h · Breach notification response · Prewritten patient and CAI notice templates
100% · AI calls with disclosure logged · Law 25 automated-decision transparency
en + fr · Bilingual templates · en-CA and fr-CA, maintained in parallel
Section 05 · FAQ
The questions Quebec clinic owners ask us when they're comparing Quebec Law 25 medspa software vendors.
Federal privacy law, 10 principles, Canadian data residency, audit trails.
en-CA and fr-CA across every surface, patient app to AI front desk.
24/7 call handling with Law 25 automated-decision disclosure on the opening line.
PIPEDA, Law 25, PHIPA, R-22.1, bilingual, Interac, CAD payouts.
Ready when you are
P-39.1 Phase 1, 2, and 3 covered. Automated-decision disclosures, 72-hour breach notification, bilingual consent, and cross-border PIA, all first-class primitives. Preview your branded app in 24 hours.