Heal House Privacy Policy
Legal Agreement
Heal House of Canada Ltd.
Website Privacy Policy
Effective Date: January 1, 2025
1. Introduction
Heal House of Canada Ltd. (“Heal House,” “we,” “us,” “our”) is committed to safeguarding the privacy, confidentiality, and security of your personal information and personal health information (“PHI”). We process personal data in accordance with:
• the Personal Health Information Protection Act, 2004 (“PHIPA”);
• the Personal Information Protection and Electronic Documents Act (“PIPEDA”); and
• the forthcoming Consumer Privacy Protection Act (“CPPA”) and Artificial Intelligence and Data Act (“AIDA”), which will apply upon coming into force.
2. Definitions
“Personal Information” (PI) means information about an identifiable individual that is not PHI.
“Personal Health Information” (PHI) means identifying information about an individual’s physical or mental health, healthcare history, or payments for healthcare.
“Automated Decision System” (ADS) means technology that assists or replaces human judgment to make recommendations or decisions about an individual.
“Data Mobility” refers to the right—once CPPA is in force—to have PI transferred to another organization in a structured, commonly used format.
3. Accountability and Contact Information
Heal House is responsible for all PI and PHI under its control and maintains a comprehensive Privacy Management Program. A designated Privacy Officer oversees compliance, conducts Privacy Impact Assessments, and monitors service providers.
Email: privacy@healhouse.ca
Mail: Privacy Officer, 26 Doctors Lane, King City, Ontario L7B 1G2
Phone: 905‑833‑4325
4. Information We Collect
Personal Information: Name, address, date of birth, contact details, payment information, and other identifiers.
Personal Health Information: Medical history, diagnoses, treatments, test results, referral information, health‑card number, and data you provide in person or through our digital services.
Technical and Usage Data: IP address, device and browser details, log files, cookies, and analytics data.
Children’s Data: We do not knowingly collect data from individuals under eighteen (18) years of age without verified parental or guardian consent (see section 15).
5. Purposes for Collection, Use, and Disclosure
We collect, use, and disclose PI and PHI only as necessary to:
• deliver, coordinate, and manage healthcare and related services;
• communicate with you regarding appointments, services, or health matters;
• verify identity and eligibility for services;
• process payments, insurance, and billing;
• fulfil legal, regulatory, college, or professional obligations;
• improve our services, technology, and user experience;
• conduct quality‑assurance, risk‑management, and approved research;
• respond to inquiries, requests, or complaints; and
• generate health‑related insights using Automated Decision Systems. When ADS are used, we provide meaningful information about the logic involved, the significance and potential impact of the decision, and offer a means to request human review.
If we intend to use or disclose your information for a new purpose, we will obtain your consent unless otherwise permitted or required by law.
6. Consent
We obtain knowledgeable consent—express or implied depending on context and sensitivity—for the collection, use, and disclosure of PI and PHI, except where the law provides otherwise. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice; withdrawal may affect our ability to provide services.
7. Limiting Collection, Use, Retention, and Destruction
Minimum Collection: We collect only what is necessary for the purposes listed above.
Retention: PHI is retained for at least ten (10) years after the last entry in the record, or ten (10) years after an individual turns eighteen (18), whichever is later, unless a longer period is required by law or professional‑college regulation.
Secure Destruction: After the retention period, records are irreversibly destroyed or de‑identified using National Institute of Standards and Technology (NIST) approved methods, and certificates of destruction are maintained for audit purposes.
Record of Processing: We maintain an internal inventory of data flows, sub-processors, and retention triggers.
8. No Sale or Monetary Sharing of Personal Information
Heal House does not sell, rent, license, or otherwise monetize your PI or PHI. Transfers to service providers are strictly for delivering our services under written agreements that prohibit secondary use.
9. Disclosure of Information
We disclose PI and PHI only to the extent necessary for the purposes stated in section 5, including healthcare professionals involved in your care; third‑party service providers under confidentiality and security obligations; insurers or payers for billing and claims; regulators, colleges, government bodies, or law enforcement where required or permitted by law; family members or other third parties with your express consent; and quality‑of‑care committees operating under Ontario’s Quality of Care Information Protection Act (QCIPA), whose records are sequestered and disclosed only as that Act permits.
10. Cross‑Border Transfers
Some service providers are located outside Canada (for example, in the United States) and are subject to foreign laws such as the U.S. CLOUD Act. While they are contractually bound to meet or exceed Canadian privacy standards, foreign authorities may lawfully access your data. By using our services, you acknowledge and consent to such cross‑border transfers.
11. Safeguards, Security, and Business Continuity
We employ administrative, technical, and physical safeguards appropriate to the sensitivity of the information. Administrative measures include role‑based access controls, annual privacy and security training, Privacy Impact Assessments for new systems, and alignment with ISO 27001 and SOC 2 Type II standards. Technical measures include AES‑256 encryption in transit and at rest, multifactor authentication, network segmentation, quarterly review of electronic audit logs in anticipation of PHIPA section 10.1, and annual third‑party penetration testing with remediation tracking. Physical measures include restricted access to facilities, CCTV monitoring, locked storage for paper files, and secure shredding with documented chain‑of‑custody. Business continuity and disaster recovery measures include off‑site encrypted backups, redundant Canadian data centres, and an annually tested disaster‑recovery plan.
12. Cookies and Tracking Technologies
Our website uses Essential Cookies necessary for site security and basic functionality, Analytics Cookies that remain disabled until you opt in, and Preference Cookies that also remain disabled until you opt in. You can change or withdraw your consent at any time through the “Cookie Settings” banner on our website.
13. Accuracy, Access, Data Mobility, and Disposal Rights
We take reasonable steps to ensure information is accurate, complete, and up to date. Written access requests are acknowledged within thirty (30) days and fulfilled within sixty (60) days, subject to lawful exceptions. You may request corrections, and we will annotate or correct records as required by law. Once the CPPA is in force, you will have the right to obtain and direct the secure transfer of your PI to another organization, and you may request deletion of your PI, subject to legal or medical record‑keeping obligations. Direct all requests to the Privacy Officer using the contact details in section 3.
14. Breach Notification
If a privacy breach involving your PI or PHI occurs, we will notify you at the first reasonable opportunity – and no later than seventy‑two (72) hours after confirming a reportable breach – and will report to the Information and Privacy Commissioner of Ontario and any other authorities as required. We will take immediate steps to contain, investigate, and prevent future occurrences.
15. Children’s Privacy
We do not knowingly collect PI or PHI from children under eighteen (18) years of age without verified parental or guardian consent. If such information is inadvertently collected, we will delete it promptly.
16. Complaints and Inquiries
If you have questions, concerns, or complaints about our privacy practices, please contact our Privacy Officer. If you are not satisfied with our response, you may contact the Office of the Information and Privacy Commissioner of Ontario, 2 Bloor Street East, Suite 1400, Toronto ON M4W 1A8, Telephone 1‑800‑387‑0073, Website www.ipc.on.ca.
17. Updates to This Policy
We may amend this Privacy Policy to reflect changes in law, technology, or our practices. Updated versions will be posted on our website with a new “Last Reviewed” date. Your continued use of our services after an update constitutes acceptance of the revised Policy.
Need Assistance? Email privacy@healhouse.ca | Call 905‑833‑4325