COVID Alert privacy notice (Google-Apple Exposure Notification)

On this page

Protecting your privacy

COVID Alert is now retired. While active, COVID Alert had strong privacy protection.

Extensive steps were taken to protect your privacy and data. Personal information was not collected.

Use of the app was voluntary.

App performance and effectiveness metrics

To help us understand how well the app was working, starting the week of February 9, 2021, the app collected the following metrics.

These data were not connected to you or other users. Consult Appendix B: COVID Alert App Metrics in the Privacy Assessment for more details on how the metrics were collected and stored.

What the app collected and stored on your phone

The random codes were used only to notify you and other app users of possible COVID-19 exposures.

COVID Alert had no way of knowing your:

How the data were protected

If you had an Android phone

To use Bluetooth scanning, Android phones using Android 6, 7, 8, 9 or 10 needed the “Location” setting turned on for all apps.

While COVID Alert had no way of knowing where you were, Google may have had access to your location.

Users were informed previously on this webpage that Android phones using Android 6, 7, 8, 9 or 10 could have used the lowest accuracy option for “Location” and could have turned off “Google Location History.”

Android 11 did not need the “Location” setting to be turned on to use COVID Alert.

COVID Alert did not have permission to use location services.

What the app shared

Some data were collected to help us understand how:

This included the:

This data were not linked to you or other users and were not used to identify you. Data were used to assess the effect the COVID Alert was having on the pandemic.

Consult Appendix B: COVID Alert App Metrics in the Privacy Assessment for more details of how metrics were collected and stored.

If you were diagnosed with COVID-19

If another app user was diagnosed with COVID-19

Other information about you

COVID Alert was a Government of Canada app. It was designed so that your health information stayed with your provincial or territorial health care provider. Health care workers had no way of providing your personal information to COVID Alert.

Your identity and health status were not shared with the Government of Canada. COVID Alert did not know who you were and could not access your health information.

If you received an exposure notification, the app suggested next steps. We did not receive any health information about you, whether you were taking those next steps or not.

COVID Alert did not connect with or collect any information from any other app on your phone.

Positive diagnosis and your one-time key

If you tested positive for COVID-19, your health care provider would give you a one-time key. It told COVID Alert that you could upload your random codes. COVID Alert trusted this key. It used this key so it did not have to collect any information that could identify you.

If you entered a one-time key, the app asked for details to help narrow down when you were likely most infectious. This way, the app only notified users who were near you during that time.

It asked if you had any symptoms. Depending on your answer, it asked for either the date your symptoms started or your test date. It gave you the choice  not to enter any of these details. These details were not sent or stored anywhere outside your phone. They just told the app which random codes to share. The app also told the central server if this information was entered, which helped us know if it was a useful feature. The date you entered for your symptoms or test were not shared with the government.

Provincial and territorial identification numbers

To protect the integrity of the one-time keys, your province or territory could have generated a long internal identification number. This told the app the key was requested by a valid source. We were not able to associate these internal identification numbers with you or other app users. They were only used when needed to prevent cybersecurity threats.

Your IP address

As a security measure, the server stored your IP address in system logs when you:

Your IP address was not linked to any other information in the system, such as one-time keys or random codes.

These security measures prevented spammers from flooding the COVID Alert system and your phone with fake exposure notifications.

How IP addresses were used and protected

Deleting your data

All data will be deleted, other than aggregated performance metrics, which cannot be linked to a person.

Provincial and territorial links in the app

The app contained some links to websites that are managed by provincial and territorial governments. They may have asked for or collected information about you. The COVID Alert system could not access any information you gave to those websites.

Privacy assessment

In July 2020, Health Canada, in collaboration with the Canadian Digital Service, completed a privacy assessment of the COVID Alert app. This assessment described the measures taken to protect your privacy in the app.

Contact us

Contact the COVID-19 information line:

Page details

Date modified: