1. Information We Collect
We collect only the information needed to deliver clinical care, spa services, and a high standard of client experience. This includes:
- Identifying information — name, date of birth, address, phone number, email address.
- Clinical information — medical history, symptoms, conditions, medications, treatment notes, intake forms, and consent records.
- Booking & payment data — appointment history, service preferences, transaction records (processed by our PCI‑compliant payment provider; we do not store full card numbers).
- Website & device data — IP address, browser type, pages viewed, referring URL, and cookies described in §6.
- Communications — messages you send us by email, SMS, or contact form, including any voicemails.
2. How We Use Information
We use personal information to:
- Provide, schedule, and bill for clinical and spa services;
- Maintain accurate health records and continuity of care;
- Communicate with you about appointments, follow‑ups, and updates to services;
- Operate, secure, and improve our website and facility systems;
- Comply with legal, regulatory, professional, and insurance obligations.
We do not sell personal information, and we do not share clinical information for marketing purposes.
3. Legal Basis
Aurum operates in Ontario under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA). Where you provide clinical information, it is treated as personal health information and is subject to the heightened safeguards required by PHIPA, including custodianship by our clinical director.
4. Sharing & Disclosure
We share information only as needed and only with parties bound to confidentiality:
- Service providers — booking platform, payment processor, email and SMS providers, secure hosting and analytics — all under written data‑processing terms.
- Care collaborators — only with your explicit consent, with referring or co‑treating practitioners.
- Legal authorities — when required by a court order or statute, or to prevent imminent harm.
5. Retention
Clinical records are retained for at least ten (10) years from the date of last contact, or longer where required by regulatory bodies. Non‑clinical records (bookings, marketing consents, website logs) are retained only as long as needed for the purposes outlined above. We securely destroy or de‑identify information once retention requirements have been satisfied.
6. Cookies & Analytics
We use a minimal set of cookies for site functionality, security (including CSRF protection), and aggregated analytics. We do not deploy advertising cookies and we do not engage in cross‑site tracking. You can disable cookies in your browser; some features (such as signed‑in account access) require them.
7. Your Rights
You have the right to:
- Request access to the personal information we hold about you;
- Request correction of inaccurate or incomplete information;
- Withdraw consent for non‑essential communications at any time;
- File a complaint with the Office of the Privacy Commissioner of Canada or the Information and Privacy Commissioner of Ontario.
To exercise these rights, contact our Privacy Officer using the details in §10.
8. Security
Personal information is protected through a layered set of administrative, technical, and physical safeguards — encrypted storage, access controls limited to authorized staff, audit logging, locked physical records, and staff training on confidentiality obligations.
9. Children
Where we provide care to minors, we obtain consent from a parent or legal guardian and apply the heightened safeguards required by PHIPA.
10. Contact Our Privacy Officer
Questions, concerns, or requests under this Policy can be directed to:
Privacy Officer, APN Health Collective Inc.
4150 Garden St. — Unit 2, Whitby, Ontario L1R 0S1
privacy@apnhc.com · +1 289‑220‑7039
11. Updates to This Policy
We may revise this Policy from time to time. The “Last updated” date above reflects the most recent change. Material updates will be communicated to active clients by email or in‑facility notice.