Privacy + Cookies
1. About this policy
Curate Health is a health and wellness clinic located at 989 Eglinton Avenue West, Suite 2, Toronto, Ontario, M6C 2C6. We are committed to protecting the privacy of our patients, website visitors, staff, and other individuals whose personal information we handle. This policy explains what information we collect, why we collect it, how we use and protect it, how long we keep it, and the rights you have over your information.
We comply with the Personal Health Information Protection Act, 2004 (PHIPA), the Regulated Health Professions Act, 1991, the Personal Information Protection and Electronic Documents Act (PIPEDA) where applicable, and the Payment Card Industry Data Security Standard (PCI DSS) for payment handling. Where regulated health college standards apply to our practitioners, those standards are honoured as well.
2. Who we are as a Health Information Custodian
Under PHIPA, Curate Health is a Health Information Custodian. Dr. Frank Nhan, DC, Founder and President, is the designated Health Information Custodian and Privacy Officer. Questions, access requests, corrections, and privacy complaints can be directed to the Privacy Officer using the contact details in Section 16.
3. What personal information we collect
We collect the minimum information needed to provide our services. Depending on how you interact with us, this may include:
- Identification and contact details, such as your name, date of birth, address, phone number, and email.
- Personal health information, such as health history, current concerns, medications, allergies, clinical notes, assessment results, treatment plans, practitioner correspondence, and insurance details, where you choose to submit it.
- Emergency contact and substitute decision maker information, if you provide it.
- Appointment and booking information captured through Jane, our practice management system.
- Payment information captured through our Clover point of sale system, including our Clover Virtual Terminal, and our Ingenico payment terminal. With your authorization, we may store your payment card information on file within the Clover Virtual Terminal for future appointment payments, recurring services, pre authorized billing, late cancellation fees, and no show fees. Card on file storage may include the cardholder name, card number, expiry date, billing details, and other personal information needed to process the payment. Cardholder data held on file is stored within Clover's PCI DSS compliant environment, not on local clinic devices. We do not store CVV codes or PINs. Transaction records, tokenized card references, the last four digits of the card, and receipts are retained for the purposes of reconciliation, refunds, accounting, and insurance submission.
- Email engagement information collected through our newsletter platform, such as whether you opened a message or clicked a link, where you have subscribed.
- Communications with us, including emails, voicemails, intake form submissions, and survey responses.
- Website usage information, such as pages visited, approximate location derived from anonymized IP address, device and browser type, and referral source. See Section 12 for details on cookies.
4. How we collect it
We collect information in the following ways:
- Directly from you, when you complete intake forms, attend appointments, speak with our team, complete surveys, or send us a message.
- From a substitute decision maker or family member where authorized by PHIPA.
- From other health care providers in your circle of care, with your consent.
- Through Jane, when you book or manage appointments online.
- Through our Clover point of sale system, the Clover Virtual Terminal, and the Ingenico payment terminal, when you make a payment or authorize a card to be kept on file.
- Through our newsletter platform, when you subscribe to updates.
- Through the website and cookies, when you browse curatehealth.ca.
5. Why we collect and use your information
We use personal information only for the purposes identified at or before collection. These purposes include:
- Providing assessment, treatment, and follow up care.
- Coordinating your care within your circle of care, including other practitioners at Curate Health and, with your consent, practitioners outside the clinic.
- Scheduling appointments and sending reminders.
- Processing payments, holding cards on file where authorized, charging late cancellation or no show fees in accordance with our clinic policies, and issuing receipts for submission to insurers.
- Sending newsletters and information about Curate Health events, programs, and content that may be of interest to you, where you have opted in. You can unsubscribe at any time.
- Quality improvement, training, and internal audit.
- Meeting our obligations to regulatory colleges, public health authorities, funders, and other bodies where the law requires disclosure.
- Responding to your questions, feedback, complaints, and survey invitations.
- Understanding how the website is used, so we can improve it.
6. Legal basis and consent
Under PHIPA, we rely on express consent for the collection, use, and disclosure of personal health information, except where the law permits or requires otherwise. Once you are an active patient, we are entitled to assume your implied consent for the exchange of information within your circle of care at Curate Health for the purposes of providing care, unless you have expressly withheld or withdrawn that consent.
Storing a payment card on file in the Clover Virtual Terminal is always optional. We will only retain a card on file with your express authorization, captured at the time the card is provided. You may withdraw that authorization at any time by contacting the clinic, and we will remove the card from file. Removal of a stored card does not affect transactions that have already been processed.
You may withdraw consent for specific uses or disclosures at any time, subject to legal and professional record keeping requirements. If you place a consent directive on certain information, we will honour that directive and will tell you if the restriction materially affects our ability to provide care.
7. Who we share your information with
We share personal information only where you have consented or where the law permits or requires. Recipients may include:
- Practitioners and team members at Curate Health who are part of your circle of care.
- Other health care providers you ask us to communicate with, such as family physicians, specialists, or diagnostic imaging services.
- Regulatory colleges, if required during an investigation or audit.
- Insurers and benefit providers, where you have authorized direct billing or reimbursement.
- Law enforcement, public health authorities, child protection services, or the courts, where the law requires disclosure.
- Service providers that support our operations, listed in Section 8.
We do not sell your personal information. We do not rent it. We do not share it for marketing purposes with third parties.
8. Service providers we use
We rely on the following service providers to operate the clinic. Each has been evaluated against our privacy and security expectations and is contractually required to protect your information and to use it only for the purposes we have authorized.
- Jane (Jane Software Inc.). Canadian practice management and booking system. Stores patient records, appointments, billing, and communications on Canadian servers. Used for online booking, intake, clinical documentation, and payment coordination.
- Clover (Clover Network, LLC, a Fiserv company). Point of sale system and Virtual Terminal used in the clinic. Processes card payments and, with patient authorization, stores cardholder data on file within Clover's PCI DSS compliant Virtual Terminal vault. Stored data may include cardholder name, card number, expiry date, billing details, and associated personal information used to process future and recurring transactions. Clover also retains transaction records, tokenized card references, and receipts. Operates within PCI DSS scope.
- Ingenico. Standalone payment terminal used for in person card payments. Processes card data through PCI DSS compliant infrastructure. Operates within PCI DSS scope.
- Systeme.io. Email marketing and newsletter platform used to send subscribed email communications. Stores email address, subscription status, and engagement information such as opens and clicks.
- Google Analytics (Google LLC). Web analytics service used to understand aggregate website usage. Configured to anonymize IP addresses.
- PostHog. Product and web analytics platform used to understand how visitors interact with curatehealth.ca and to improve the visitor experience.
- Website hosting and email service providers, used for the delivery of curatehealth.ca and for correspondence.
Curate Health staff follow the internal Information Security and Cardholder Data Protection SOP when handling payment terminals, the Clover Virtual Terminal, and cardholder data.
9. Where your information is stored
Personal health information held in Jane is stored on servers located in Canada. Payment transactions and stored cardholder data processed through Clover and the Clover Virtual Terminal are handled within PCI DSS compliant infrastructure operated by Clover and its parent company Fiserv. Some Clover data, including cardholder data held on file and associated personal information, is processed and stored on servers located in the United States. Payments processed through the Ingenico terminal are handled within PCI DSS compliant infrastructure provided by the acquiring processor. Newsletter data held in Systeme.io, web analytics data held in Google Analytics and PostHog, and limited information held by some email and hosting providers may be processed on servers located outside of Canada.
When information is transferred outside of Canada, we require appropriate safeguards and rely on service providers that comply with recognized international privacy and security standards. Information stored outside of Canada may be subject to the laws of the country where it is held, including lawful access requests by foreign authorities. If a new service provider is added that transfers personal health information outside of Canada, this policy will be updated before the transfer begins and, where appropriate, we will seek your express consent.
10. How long we keep your information
We keep personal information only as long as necessary for the purpose it was collected, or as required by law:
- Clinical records for adult patients: ten years from the date of the last entry in the record.
- Clinical records for patients under 18: ten years from the patient's 18th birthday.
- Financial and billing records, including transaction records and receipts: at least six years, in accordance with Canada Revenue Agency requirements.
- Cardholder data stored on file in the Clover Virtual Terminal: retained only while your authorization is in effect. Removed promptly when you withdraw authorization, when the card on file is no longer needed for an active billing arrangement, or when your patient relationship with the clinic ends.
- Newsletter subscriber records: kept for as long as you remain subscribed, and removed promptly on unsubscribe, subject to a reasonable suppression list to honour your opt out.
- Website analytics and cookies: retained for the periods described in Section 12, typically 14 months or less.
- Job applications and related records: up to two years after the decision, unless the applicant consents to longer retention for future opportunities.
When retention periods end, records are securely destroyed. Paper records are shredded. Electronic records are permanently deleted from our systems and from any backups at the next backup rotation. Cardholder data is removed from the Clover Virtual Terminal in accordance with Clover's data deletion processes.
11. How we protect your information
We use layered administrative, physical, and technical safeguards, including:
- A designated Privacy Officer who oversees the privacy program.
- Written privacy and security policies, including the Information Security and Cardholder Data Protection SOP and the Privacy Breach Response Protocol SOP.
- Staff training on privacy, security, and PHIPA on hire and annually thereafter. Staff sign a Confidentiality Agreement and a training acknowledgement form.
- Role based access to Jane, Clover, the Clover Virtual Terminal, and other systems, so only authorized team members see the information they need.
- Strong passwords, regular password changes, and a policy of no shared accounts. Access to the Clover Virtual Terminal is restricted to named clinic accounts, and login credentials are protected against sharing or reuse.
- Screen locking when workstations are unattended.
- Encryption for information in transit through Jane, Clover, email providers, and the website.
- PCI DSS aligned practices for payment handling. Cardholder data held on file is stored only within Clover's PCI DSS compliant Virtual Terminal vault and not on local clinic devices, paper records, email, or messaging. We do not store CVV codes or PINs in any system. We do not transmit card details by email or messaging.
- Password protection of sensitive internal folders using Encrypto.
- Physical controls at the clinic, including locked storage for paper records and supervised access for visitors.
- Routine review of access logs and annual review of privacy and security policies.
12. Cookies and website tracking
12.1 What cookies are
Cookies are small text files that a website places on your device to remember information about your visit. Some cookies are essential for the site to work. Others help us understand how visitors use the site so we can improve it.
12.2 Cookies we use
- Strictly necessary cookies. Required for core functionality such as navigation and loading of the site. These cannot be turned off without breaking the site. They do not store personal information.
- Analytics cookies. Set by Google Analytics and by PostHog to help us understand aggregate website usage, such as the pages people visit, the order they visit them, and how long they stay. Google Analytics is configured to anonymize IP addresses. Retention is set to 14 months in Google Analytics and to the PostHog default for session data.
- Preference cookies. Remember your language and display preferences during a session, where applicable.
12.3 Cookies we do not use
We do not use advertising cookies. We do not use cross site tracking cookies. We do not sell cookie data to third parties.
12.4 How you can manage cookies
Most browsers allow you to view, manage, block, or delete cookies. The instructions for each major browser are available at the respective browser support websites. Blocking strictly necessary cookies may prevent parts of curatehealth.ca from functioning.
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout. You can opt out of PostHog tracking through your browser's privacy settings or by using a privacy focused browser extension that blocks analytics.
Curate Health respects the Do Not Track signal. When a browser sends a Do Not Track request, we do not set analytics cookies for that visit.
13. Your rights under PHIPA
You have the right to:
- Request access to the personal health information we hold about you. We will respond within 30 days where possible, as required by PHIPA, and will explain any fees before they are charged.
- Request correction of information you believe is inaccurate or incomplete.
- Withdraw consent for the use or disclosure of your personal health information, subject to legal and professional record keeping obligations.
- Withdraw your authorization to keep a payment card on file at any time. We will remove the card from file promptly upon request.
- Place a consent directive on some or all of your information, which we will honour within the limits of PHIPA.
- Ask for a list of disclosures we have made about you outside your circle of care.
- Unsubscribe from our newsletter at any time, using the unsubscribe link in any newsletter or by contacting us.
- Receive a response to complaints and, if you are not satisfied, escalate to the Information and Privacy Commissioner of Ontario.
To exercise any of these rights, contact the Privacy Officer using the details in Section 16.
14. Minors and children
For patients under 16, we obtain consent from a parent or legal guardian, unless the minor is capable of providing consent under PHIPA and the relevant college guidelines. Capable minors may make their own privacy decisions. We do not knowingly collect personal information from children through the website.
15. Breach notification
If we experience a privacy breach involving your personal health information or a security incident involving cardholder data held on file, we will contain the breach, investigate, and notify you at the first reasonable opportunity, in accordance with PHIPA and the Privacy Breach Response Protocol. Where required, we will also notify the Information and Privacy Commissioner of Ontario, the relevant payment card brands or acquirer, and any applicable regulatory college.
16. How to contact us
Privacy Officer: Dr. Frank Nhan, DC, Founder and President
Curate Health
989 Eglinton Avenue West, Suite 2
Toronto, Ontario, M6C 2C6
Email: admin@curatehealth.ca
Phone: 416-900-3311
Fax: 416-900-3311
If you are not satisfied with our response, you may contact the Information and Privacy Commissioner of Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, M4W 1A8
Phone: 1-800-387-0073
Website: ipc.on.ca
17. Changes to this policy
We review this policy regularly and update it when our practices or applicable laws change. Material changes will be communicated through curatehealth.ca and, where appropriate, directly to patients.