Aches Away Toronto Massage Therapy

    Privacy Policy

    Last Updated: July 20, 2025

    Aches Away Toronto Massage Therapy ("Aches Away Toronto," "we," "us," or "our") is deeply committed to protecting the privacy and confidentiality of the personal information and personal health information of our clients, website visitors, and all individuals who interact with our services. This Privacy Policy outlines our practices for the collection, use, disclosure, and protection of your information, in strict adherence to applicable Canadian and Ontario privacy legislation, including:

    • The Personal Information Protection and Electronic Documents Act (PIPEDA): Canada's federal private sector privacy law.
    • The Personal Health Information Protection Act, 2004 (PHIPA): Ontario's provincial health-specific privacy law, governing personal health information.
    • The Regulated Health Professions Act, 1991 (RHPA): Ontario's legislation governing the practice of regulated health professions.
    • The standards of respective regulatory colleges: Including the College of Massage Therapists of Ontario (CMTO), College of Osteopaths of Ontario (COOO), College of Naturopaths of Ontario (CONO), and College of Traditional Chinese Medicine Practitioners and Acupuncturists of Ontario (CTCMPAO).

    1. Accountability and Our Role as Health Information Custodian

    Aches Away Toronto takes full accountability for the personal information and personal health information (PHI) under our control. Our director serves as the designated Health Information Custodian (HIC) under PHIPA with respect to the personal health information we collect, use, and disclose in the course of providing healthcare services at our clinic. This means we are primarily responsible for safeguarding your PHI and ensuring compliance with PHIPA.

    In instances where individual practitioners may operate as independent contractors, they are also recognized as Health Information Custodians regarding the PHI they collect and manage. In such cases, Aches Away Toronto may also act as their Agent under a contractual agreement, facilitating administrative and operational functions under strict adherence to PHIPA.

    We have a designated Privacy Officer (details in Section 12) who is responsible for overseeing our compliance with this policy and applicable privacy legislation.

    2. Collection of Personal Information and Personal Health Information (PHI)

    We collect personal information and PHI that is necessary for the purposes identified in this policy. This information may be collected through various means:

    • Directly from you: When you book an appointment (online or by phone), complete intake forms, consent forms, client history forms, communicate with us via email, phone, or in person, sign up for our newsletter, or participate in surveys.
    • Through our website: Via cookies and other tracking technologies (see Section 6).
    • From third-party service providers: Such as our online booking system (Jane App) or secure payment processors, who securely transmit necessary information to us to facilitate services.

    The types of personal information and PHI we may collect include:

    • Contact Information: Name, home address, telephone number, email address.
    • Demographic Information: Date of birth, gender (optional), emergency contact information.
    • Personal Health Information (PHI - as defined by PHIPA): This is a critical category for our services. It includes your medical history, current health conditions, symptoms, allergies, medications, treatment notes (including SOAP notes), assessment findings, treatment plans, progress updates, referrals, and any other health-related details relevant to your care. This information is collected solely for the purpose of providing safe, effective, and tailored healthcare services.
    • Billing & Payment Information: Credit card details (processed securely by third-party payment processors; we do not store full credit card numbers on our local systems), insurance policy details required for direct billing or issuing receipts for reimbursement.
    • Communication Preferences: How you prefer to receive communications from us.
    • Website Usage Data: IP address, browser type, operating system, pages visited, time spent on site, and referral sources (collected via cookies and analytics). This data is typically aggregated and anonymized.

    2.1. Children's Information Handling

    For clients under 16 years of age, we require explicit parental or legal guardian consent to collect, use, and disclose their personal health information, in accordance with PHIPA s.23(1). Parents or legal guardians will be asked to complete and sign specific consent forms for minors.

    3. Purposes for Collecting Personal Information and PHI

    We collect and use your personal information and PHI strictly for the following purposes, as permitted by PIPEDA, PHIPA, RHPA, and professional regulations:

    • To Provide Healthcare Services (Primary Purpose): To assess your health, establish a comprehensive understanding of your needs, develop and deliver appropriate treatment plans (massage therapy, osteopathy, acupuncture, naturopathy), provide effective and safe care, and accurately track your progress and outcomes. This includes maintaining accurate and complete clinical records as required by our professional colleges.
    • To Manage Appointments and Client Relationships: To schedule, confirm, and send reminders for appointments; to manage your client account; and to provide you with a smooth and efficient service experience.
    • For Communication: To respond to your inquiries, provide information about our services, or send essential updates and instructions directly related to your healthcare (e.g., pre/post-treatment advice).
    • For Billing, Payments, and Insurance: To process payments for services, manage direct billing to your insurance provider (with your consent), and issue official receipts required for your personal insurance reimbursement.
    • For Internal Clinic Operations: For quality assurance, professional development, anonymized statistical analysis, record-keeping as required by law and professional colleges, and staff training under strict confidentiality protocols.
    • For Marketing and Client Engagement (with Explicit Consent): To send newsletters, promotional offers, or information about new services, but only if you have provided explicit, informed consent for such communications. You have the right to withdraw this consent at any time.
    • For Legal, Regulatory, and Professional Compliance: To meet our obligations as regulated health professionals under PHIPA, PIPEDA, the RHPA, the standards of our respective professional colleges (e.g., CMTO, COOO, CTCMPAO, CONO), tax laws, and other applicable federal and provincial legislation.
    • To Improve Our Services: To understand client needs, analyze general website usage patterns (using aggregated, non-identifiable data), and continuously enhance our service offerings and website experience.

    4. Consent to Collection, Use, and Disclosure

    Your informed consent is fundamental to our handling of your personal information and especially your PHI.

    • Express Consent: For the collection, use, and disclosure of your PHI for treatment purposes, and for any marketing communications, we will seek your clear, explicit, and informed consent, typically obtained in writing (e.g., through our detailed intake and consent forms) or verbally where appropriate. You will be informed of the purposes for which your information is being collected, used, and disclosed.
    • Implied Consent: In certain limited circumstances, consent may be implied from your actions. For example, when you voluntarily book an appointment and provide contact details, it is implied that you consent to us using that information to manage your booking.
    • Withdrawal of Consent: You have the right to withdraw your consent for the collection, use, or disclosure of your personal information or PHI at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect our ability to provide you with certain services. For health records, withdrawal of consent for treatment purposes may require further discussion with your practitioner regarding the implications for your ongoing care. Please contact us to discuss or withdraw consent.

    5. Disclosure of Personal Information and PHI

    We will not disclose your personal information or PHI to third parties without your express consent, except as required or explicitly permitted by PIPEDA, PHIPA, and other applicable laws. Circumstances where disclosure may occur, often with your explicit consent, include:

    • Within Our Healthcare Team: Relevant PHI may be shared among our practitioners (RMTs, Osteopaths, Acupuncturists, Naturopaths) involved in your direct care to ensure integrated, coordinated, and holistic treatment, but only with your consent and when clinically relevant.
    • Third-Party Service Providers (including Cross-Border Data Flow): We engage reputable third-party service providers to facilitate our operations (e.g., secure online booking platforms like Jane App, secure payment processors, cloud-based record systems, IT support). These providers are contractually obligated to protect your information, adhere to strict privacy and security standards (including PHIPA compliance where applicable), and use it solely for the purposes for which we provide it to them.
      Please be aware that some of these third-party service providers, notably Jane App, may store or process personal information and PHI outside of Ontario or Canada (e.g., in the United States). In such cases, your information may be subject to the laws of that foreign jurisdiction, including access by law enforcement or national security authorities in that country. By receiving services from us, you are notified of and consent to this possibility.
    • Insurance Companies: For direct billing purposes or to provide necessary documentation for your personal reimbursement, always with your specific consent.
    • Referrals: When referring you to other healthcare professionals (e.g., physiotherapists, doctors), with your express consent.
    • Legal and Regulatory Requirements: When required by law (e.g., a court order, subpoena), or by our professional regulatory colleges for oversight or disciplinary purposes.
    • Emergency Situations: In situations where it is necessary to protect the life, health, or safety of an individual, and obtaining consent is not feasible.
    • De-identified or Aggregated Data: We may use and disclose de-identified or aggregated data for research, analysis, or public health purposes, provided that individual identities cannot be determined.

    We do not sell, rent, or trade your personal information or PHI to third parties for any marketing or commercial purposes.

    6. Cookies and Website Usage Data

    Our website utilizes cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and understand how you interact with our content.

    • Cookies: Small text files stored on your device that help our website remember your preferences and provide a more personalized experience. These are generally not linked to your PHI.
    • Analytics: We use tools like Google Analytics to collect non-identifiable information about website usage, such as pages visited, time spent on site, and referral sources. This data is collected in an aggregated and anonymized form and is used to improve our website's functionality and content.
    • IP Addresses: We may collect IP addresses, which can be considered personal information. These are used for security, analytics, and to manage website traffic.

    Cookie Consent: Our website aims to provide appropriate control over non-essential cookies. You can manage your cookie preferences through your browser settings. For certain non-essential cookies, we may also employ a cookie consent banner or pop-up to obtain your explicit consent before placing them on your device. Please note that disabling cookies may affect the functionality of some parts of our website.

    7. Security of Personal Information and PHI

    We implement robust administrative, technical, and physical safeguards to protect your personal information and PHI against unauthorized access, use, disclosure, alteration, or destruction, in compliance with PIPEDA, PHIPA, and industry best practices. These measures include:

    • Confidentiality Obligations: All staff, contractors, and agents are legally and contractually bound to maintain the confidentiality of your information.
    • Secure Electronic Records: Use of secure, password-protected, and encrypted electronic health record systems (e.g., Jane App).
    • Physical Security: Securing physical client records (if any) in locked filing cabinets within a secure clinical environment.
    • Access Controls: Restricting access to personal information and PHI to authorized personnel on a "need-to-know" basis.
    • Data Encryption: Implementing encryption technologies for data at rest and in transit where appropriate, especially for sensitive PHI.
    • Regular Security Audits and Training: Periodically reviewing our security practices and providing ongoing privacy and security training to our staff to ensure compliance and vigilance.
    • Privacy Impact Assessments (PIAs): We regularly conduct Privacy Impact Assessments for key systems and processes (such as our use of Jane App for EHR and booking) to proactively identify and mitigate privacy risks, aligning with best practices encouraged under PHIPA.

    While we are dedicated to protecting your information, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security.

    7.1. Breach Reporting Protocol

    In the event of a material breach of personal health information, we have a strict protocol in place. We will promptly notify the Information and Privacy Commissioner of Ontario (IPC) and all affected individuals, consistent with our obligations under PHIPA regulations (O. Reg. 329/04 s. 6.3.1 to 6.3.10). For other types of personal information, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as required by PIPEDA.

    8. Retention of Personal Information and PHI

    We retain your personal information and PHI for as long as necessary to fulfill the purposes for which it was collected, to provide ongoing services, and to comply with legal and professional obligations. Specifically for PHI, we adhere to the retention periods mandated by our respective professional colleges and PHIPA (e.g., typically 10 years from the last date of service for adults, or 10 years after the client would have turned 18 for minors). Once your personal information or PHI is no longer required, we securely dispose of it in a manner that prevents unauthorized access or reconstruction.

    9. Your Rights Under PIPEDA and PHIPA

    As an individual in Ontario, you have significant rights regarding your personal information and PHI:

    • Right to Access: You have the right to request access to your personal information and PHI held by us. We will provide you with access within the timeframes specified by PHIPA (typically 30 days) and may charge a reasonable fee for providing copies of records, as permitted by law.
    • Right to Correction: You have the right to request correction of any inaccurate or incomplete personal information or PHI we hold about you. We will make the correction or, if we do not agree to the correction, we will append a statement of disagreement to the record.
    • Right to Data Portability: You have the right to request a secure transfer of your personal health information to another healthcare provider, as a component of your right of access under PHIPA.
    • Right to be Informed: You have the right to be informed about our privacy practices, including the purposes for which your information is collected, used, and disclosed.
    • Right to Withdraw Consent: As outlined in Section 4, you can withdraw your consent at any time, subject to legal or contractual restrictions.
    • Right to Complain: If you believe your privacy rights under PHIPA or PIPEDA have been violated by our practices, you have the right to:
      • Contact us directly to discuss and resolve the issue with our Privacy Officer.
      • If your concern relates to Personal Health Information (PHI) under PHIPA, you may file a complaint with the Information and Privacy Commissioner of Ontario (IPC).
      • If your concern relates to other personal information not covered by PHIPA (e.g., website data, marketing preferences), you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

    To exercise any of these rights, please contact our Privacy Officer (details below).

    10. Third-Party Websites and Services

    Our website may contain links to third-party websites and services (e.g., Jane App for booking, social media platforms). This Privacy Policy applies solely to Aches Away Toronto's practices. We encourage you to review the privacy policies and terms of service of any third-party sites or services you interact with, as we are not responsible for their privacy practices.

    11. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements (including amendments to PIPEDA or PHIPA), or service offerings. The "Last Updated" date at the top of this page will indicate when the policy was last revised. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

    12. Contact Information / Privacy Officer

    For any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, or to exercise your rights, please contact our designated Privacy Officer:

    Privacy Officer: Aches Away Toronto Massage Therapy

    Email: info@achesawaytoronto.ca

    Phone: 647-424-4528

    Address: 2 Carlton St. #707, Toronto, ON, M5B 1J3