This page explains how Canada Scoliosis & Neuro Clinic (“we”, “our”, “the Clinic”) collects, uses, discloses, protects and retains personal information (including personal health information) when you interact with us in person, by phone or email, or via our website and online booking system. It also explains your rights and how to exercise them.

Who we are / contact

Legal name: Canada Scoliosis & Neuro Clinic.
Address: 110 Yonge St., Suite 905, Toronto, ON M5C 1T4.
Information / Privacy Officer: Alishah Merchant — phone (416) 777-9999, email: [email protected]

Scope & legal framework

This policy covers personal information and personal health information (PHI) that we collect and hold in Ontario in accordance with the Personal Health Information Protection Act (PHIPA) and applicable federal privacy laws (e.g., PIPEDA) where relevant. For regulatory detail and statutory rights under PHIPA, see the Ontario statute and IPC guidance.

Information we collect

We collect the following types of information:

Personal identifiers & contact details

Full name, address, phone number, email, emergency contact.

Appointment & billing information

Booking details, treatment dates, invoices, insurance information, and payment transaction identifiers.

Personal Health Information (PHI)

Health history, symptoms, assessment and treatment notes, referrals, medications, diagnostic results, health card number where required, substitute decision-maker details, and other information necessary to provide care. Our description of PHI follows PHIPA’s definitions.

Technical & website data

Cookies, analytics, IP address, device/browser info when you visit our website or use online booking.

How we collect information

We collect information:

  • Directly from you (intake/consent forms, online booking, phone, email, in-clinic forms).
  • From third parties when authorized by you (referring clinicians, insurers).
  • Automatically via website cookies and analytics (see Cookies & tracking below).

If you enter information in our online booking form or patient portal, that information is collected at the time of booking or portal submission.

Why we collect information (uses & disclosures)

We collect, use and disclose personal information only for the purposes necessary to deliver care and run the Clinic, including:

  • Assessment, diagnosis, care planning and treatment.
  • Billing, claims to insurers and payment processing.
  • Appointment reminders and communications related to care.
  • Quality assurance, audits, legal compliance and regulatory obligations (e.g. College inspections).
  • Limited marketing/clinic news where you have opted in (newsletters, events).

We disclose information only as required or permitted by law or with your consent (e.g., to insurers or courts), or to our contracted service providers who act on our behalf. Examples of related/secondary purposes are in our original draft (invoicing, newsletters, audits).

Third-party service providers (who processes your data)

We use trusted third-party service providers to operate the Clinic and website. These providers process information on our behalf under contractual terms requiring confidentiality and security. Currently (inserted as part of this policy) we use:

  • EMR / Online booking: Cliniko — used for appointment booking, charting and secure patient messaging. Cliniko publishes guidance on Canadian privacy/PHIPA compliance.
  • Payment processing: in person.
  • Website analytics: Google Analytics (and Google Tag Manager) — used to measure site usage and improve our website. Users may opt out via Google’s opt-out add-on.
  • Email & marketing: Mailchimp (or similar) — used to send newsletters and marketing emails; all marketing messages include an easy unsubscribe option in compliance with CASL.

International / cross-border processing and safeguards

Some third-party vendors (e.g., payment processors, cloud services, analytics providers) may store or process data outside Canada. Where data is transferred or stored internationally we:

  • Only transfer to processors that provide contractual safeguards (Data Processing Agreements, standard contractual clauses where needed), and security measures such as encryption at rest and in transit.
  • Limit the data exported to what is strictly necessary. If you wish to know the country(ies) where your data is stored for a particular vendor (e.g. Google), contact our Privacy Officer and we’ll provide current hosting locations and safeguards.

Cookies & tracking

Our website uses cookies and analytics to operate the site and improve our service (session/functional cookies, analytics cookies). You can:

  • Manage or block cookies via your browser settings;
  • Use the Google Analytics opt-out add-on to prevent your data being sent to Google Analytics.

If you prefer not to be tracked by analytics, follow browser opt-outs or contact our Privacy Officer for assistance.

Consent

For PHI, PHIPA requires that consent be obtained before collecting, using or disclosing PHI except in limited circumstances. We obtain consent:

  • Express consent when you sign intake forms, when we collect sensitive information, or when disclosures to third parties (e.g., insurers) are needed.
  • Implied consent may apply for routine, low-risk uses such as appointment reminders or basic clinical follow-up where consent can reasonably be inferred.

If you withhold consent for a particular purpose, we will explain how that may affect the delivery of care or administrative processes.

Security measures

We use administrative, technical and physical safeguards to protect personal information, including:

  • Locked storage for paper charts and restricted access to rooms with PHI.
  • Password protection, role-based access controls, and encryption for electronic records where available.
  • Staff training on privacy and confidentiality; confidentiality agreements for external consultants.
  • Contracts with processors that require reasonable security and confidentiality.

While we use reasonable safeguards, no electronic transmission is 100% secure. We will notify you if we become aware of a breach affecting your information (see Breach notification below).

Retention & destruction

We retain records in line with regulatory guidance and clinical needs:

  • Client health records (PHI): minimum 10 years from last entry (or 10 years after age 18 where the client was a minor at last entry). This aligns with the retention described in our original draft and College requirements.
  • Non-clinical contact lists / marketing lists: typically retained for up to 2 years since last engagement unless you opt out sooner.
  • Destruction: Paper files are shredded; electronic files are deleted/promptly removed and hardware sanitized or physically destroyed when retired.

If you would like a copy of your file or request deletion of non-required records, contact our Privacy Officer (see Access & correction below).

Access, correction & how to make a request

You have the right to access and request correction of your personal information that we hold. To make a request:

  1. Send a written request to our Privacy Officer at [email protected] (include full name, date of birth, contact info and the records you are requesting).
  2. We may ask you to confirm your identity.
  3. We aim to respond within 30 days of a properly submitted request; if we require an extension we will notify you with reasons (this timeline follows IPC/PHIPA guidance).
  4. We may charge a nominal fee for reproduction/copying as permitted by law; we will advise you in advance if a fee applies.

If you believe there is an error in your record, we will correct factual errors and notify parties who received the erroneous info where appropriate; if we decline a correction request we will add your brief statement to the file.

Breach notification (what we will do)

If we determine a privacy breach has occurred that creates a real risk of significant harm to an individual, we will:

  • Immediately contain the breach and begin an investigation.
  • Notify affected individuals with details about the breach and steps to mitigate harm.
  • Notify the Information and Privacy Commissioner of Ontario (IPC) where required under PHIPA and cooperate with any investigation.
  • Review and update controls to prevent recurrence.

We take breaches seriously and will act promptly and transparently. The IPC publishes guidance and reporting expectations for health information custodians.

Email, voicemail & insecure communications

Email and standard voicemail are not fully secure. We will not proactively send detailed PHI by unsecured email unless you expressly request it. If you transmit PHI to us via email you accept the risk that email might be intercepted. For secure messaging, use the patient portal/EMR messaging or contact us by phone.

Marketing and newsletters

We send occasional clinic updates and event invitations only where you have opted in. Every marketing email includes an unsubscribe link and we comply with CASL (Canada’s anti-spam law). You may also opt out by contacting [email protected].

Children & substitute decision-makers

When the patient is a minor or incapable, a substitute decision-maker may provide consent in accordance with PHIPA. We treat health card numbers and substitute decision-maker details as PHI and safeguard them accordingly.

Changes to this policy

We may update this policy from time to time. The effective date at the top indicates the latest revision. Material changes will be posted on the site and, where appropriate, notified to patients.

Complaints / regulatory oversight

If you have a privacy concern or wish to make a formal complaint, contact our Privacy Officer (Alishah Merchant) at the address/phone above. We will acknowledge your complaint, investigate and provide a written response. If you are not satisfied with our response you may contact the Information and Privacy Commissioner of Ontario for health privacy matters. IPC contact details and guidance are available at ipc.on.ca.

Practical notes / quick patient summary

  • How to contact us about privacy: [email protected] or (416) 777-9999.
  • How long we keep records: ~10 years for clinical records; ~2 years for marketing lists.
  • Online booking & portal: we use Cliniko for secure booking and messaging; payment processing is handled in-person (we do not store full card numbers).