Privacy Policy

My Privacy Commitment to You

Privacy of personal information is an important principle to Ripple & Flow Physiotherapy (“I”, “me” or “my”). I am committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services I provide. I try to be open and transparent about how I handle personal information. This document describes my privacy policies.

By accessing or using my Website or my services, you agree to accept this Privacy Policy, including the terms and conditions of this Privacy Policy that relate to the ways that I collect, use, and disclose your personal information. You can withdraw your consent at any time by contacting me (in my role as Information Officer) using the contact information that is included below. Please note that if you choose to withdraw your consent, I may not be able to provide you with my services or communications. 

I show my commitment to your privacy by complying with applicable privacy laws in Canada, and specifically the Personal Information Protection and Electronic Documents Act (Canada), and the Personal Health Information Protection Act, 2004 (Ontario). I also abide by the rules and regulations imposed by the College of Physiotherapists of Ontario with respect to the collection, use, and disclosure of your personal health information.

What is Personal Health Information?

Personal health information is information about an identifiable individual. Personal health information includes:

  • contact and identification information, such as your name, email address, telephone number, and home address. For example, you will be asked to provide this information when you create an account with me or book an appointment. When you create an account, you may also choose to add another family member profile to the account. To do so, I ask that you provide the name and email address of the individual you add to the account. 

  • personal health information, including your health card number, patient records, health insurance information (e.g., policy number, policy holder date of birth, policy ID), medical charts, appointment history, and other similar health-related information that is relevant to your use of my services.

  • payment information, including your credit card number and billing address.

  • other personal information that you choose to provide to me when you contact me for support, provide me with feedback, or otherwise communicate with me. The types of personal information that I collect will depend on what personal information you choose to provide to me. 

Please note that I also collect personal information about your child when you request that I provide my services for the benefit of your child. I do not collect a child’s personal information without the consent of a child’s parent or legal guardian. You agree that by providing me with any personal information about another individual (including your child), you represent that you have received their permission to provide the individual’s personal information to me. In the case of a minor, if you are not the parent or legal guardian of the minor, you represent that you have received the minor’s parent or legal guardian’s permission to share the minor’s information with me. You will be asked to complete an intake form where you will be asked to further confirm that you authorize me to collect, use, and disclose your and your child’s personal information in connection with the services that I provide. I do not seek to collect, use, or disclose a child’s personal information without the consent of their parent or legal guardian and I limit the use of a child’s personal information for and in connection with the child’s use of my services.

I work with Jane Software Inc. (“Jane”), a service provider who supplies data storage and clinic management services through its proprietary platform. Jane collects, uses, and stores your personal information on my behalf in connection with the operation of my business. For example, when you make a booking, your booking will be facilitated by Jane and the information that you provide will be stored on Jane’s servers on my behalf. I have taken reasonable steps to ensure that Jane will only collect, use, and disclose your personal information based on my instructions in connection with the operation of my business and in accordance with applicable laws. You can access Jane’s privacy policy here.

In addition, I may receive your or your child’s personal information, including personal health information, from physicians or other healthcare practitioners that I or you deal with in connection with your and your child’s use of my services. These include the healthcare providers that are responsible for requisitioning your use of my services.

I also automatically collect certain device and statistical information to make my Website work better for you. My Website uses cookies and other technologies that are similar to cookies (“Cookies”). A Cookie is a small file of letters and numbers that I may set on your device to store and sometimes track information about you. Cookies and similar technologies I use are designed for “analytics”. This allows me to distinguish you from other users of the Website. This helps me to provide you with a good experience when you use the Website and allows me to improve my Website and my Services.

Why I Collect Personal Health Information

I collect, use and disclose personal information in order to serve my clients. For my clients, the primary purpose for collecting personal health information is to provide Infant Physiotherapy, Pelvic Floor Physiotherapy, and/or Pilates-Focused Physiotherapy assessment and treatment. For example, I collect information about a client’s health history, including their family history, physical condition and function and social situation in order to help me assess what their health needs are, to advise them of their options and then to provide the health care they choose to have. A second primary purpose is to obtain a baseline of health and social information so that in providing ongoing health services I can identify changes that are occurring over time.

I also collect, use and disclose personal health information for purposes related to or secondary to my primary purpose. The most common examples of my related and secondary purposes are as follows:

  • To establish, maintain, and manage my relationship with you, including by assisting you to create an account, communicate with me, and provide you with the services that you request.

  • By using my services, you agree to receive transactional communications about your account, your bookings, and your and your child’s services. For example, when you create an account or reset your password you may receive an email confirming the details of such activity. You may not opt-out of receiving these transactional communications.

  • To obtain payment for services or goods provided. 

  • I may disclose your personal information to third-party healthcare providers in connection with your use of my services, including the physicians that are responsible for requisitioning or monitoring an individual’s rehabilitation or treatment plan. This information may include personal health information. For example, I may share your personal health information with other physiotherapists and physicians as part of the clinical decision-making process that is part of your treatment. I will obtain your consent to sharing your information for this purpose before I do so.

  • I may work with third parties that provide services to me that help me facilitate one or more aspects of the services that I offer to you. I may provide these third parties with your personal information directly or they may collect your personal information from you on my behalf. For example, I may use a third-party payment processor to process payments made on or in connection with my Services. These service providers may also send you communications on my behalf. For example, as described above, I work with Jane who provides me with data storage and clinic management services through its proprietary platform.

  • To conduct quality improvement and risk management activities. I review client files to ensure that I provide high-quality services. External consultants (e.g. auditors, lawyers, practice consultants, voluntary accreditation programs) may conduct audits and quality improvement reviews on my behalf.

  • I may disclose aggregated, non-personal information and related usage information, which does not contain any personal information that can identify you, with third parties, including my customers, clients, partners, advertisers, service providers, vendors, suppliers, and content providers.

  • To promote my business, new services, special events and opportunities that I have available. I will always obtain express consent from you prior to collecting or handling personal health information for this purpose, unless an exception to obtaining your consent applies under applicable laws.

  • To comply with external regulators. I am regulated by the College of Physiotherapists of Ontario (“The College”), who may inspect my records and interview me as a part of its regulatory activities in the public interest. The College has its own strict confidentiality and privacy obligations. In addition, as a professional, I will report serious misconduct, incompetence or incapacity of other practitioners, whether they belong to other organizations or my business. Also, I believe that I should report information suggesting illegal behaviour to the authorities. In addition, I may be required by law to disclose personal health information to various government agencies (e.g. Ministry of Health, children’s aid societies, Canada Customs and Revenue Agency, Information and Privacy Commissioner, etc.).

  • To facilitate the sale of my business. If my business or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of my business’s records to ensure that it is a viable business that has been honestly portrayed. The potential purchaser must first enter into an agreement with me to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, the organization may transfer records to the purchaser, but it will make reasonable efforts to provide notice to the individual before doing so.

Since I may share your personal information with third parties (including my service providers) as described in this Privacy Policy, your personal information may be collected, used, stored, or disclosed outside of your jurisdiction of residence, including in Canada. As such, your personal information may potentially be accessible to law enforcement and national security authorities of another jurisdiction where local laws provide for a different level of protection for personal information. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security agencies in those other countries may be entitled to access your personal information.

If you would like further information about my policies and practices regarding the third parties (including my service providers) to whom I disclose your personal information and how these third parties collect, use, disclose and store personal information, please contact me (in my role as Information Officer) using the contact details below. By providing your personal information to me, you consent to my disclosure of this information to my service providers (and other third parties) as described in this Privacy Policy, including those that may be located outside of your jurisdiction of residence.

Protecting Personal Information

I understand the importance of protecting personal information. For that reason, I have taken the following steps:

  • I try to avoid personal health information on paper, but any paper information is either under supervision or secured in a locked or restricted area. If relevant, paper information is transferred through sealed, addressed envelopes or boxes by reputable companies with strong privacy policies.

  • Electronic hardware is either under supervision or secured in a locked or restricted area at all times. In addition, strong passwords are used on all computers and mobile devices.

  • Personal health information is only stored on mobile devices if necessary. All personal health information stored on mobile devices is protected by strong encryption.

  • When taking personal health information home to work on, I transport, use and store the personal health information securely.

  • Electronic information is either anonymized or encrypted before being transmitted.

  • I collect, use and disclose personal information only as necessary to fulfill my duties and in accordance with my privacy policy.

  • I do not post any personal information about my clients on social media sites and I am trained on the appropriate use of social media sites.

  • External consultants and agencies with access to personal information must enter into privacy agreements with me. 

Retention and Destruction of Personal Information

I do not keep your personal information forever. I will keep your personal information for as long as is reasonably necessary for me to complete my dealings with you, or as may be required by law, whichever is longer. I need to retain personal information for some time to ensure that I can answer any questions you might have about the services provided and for my own accountability to external regulatory bodies. However, in order to protect your privacy, I do not want to keep personal information for too long.

I keep my client files for at least ten years from the date of the last client interaction or from the date the client turns 18.

I destroy paper files containing personal health information by cross-cut shredding. I destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, I ensure that the hardware is physically destroyed or the data is erased or overwritten in a manner that the information cannot be recovered.

You Can Look at Your Records

With only a few exceptions, you have the right to see what personal information I hold about you, by contacting me. I can help you identify what records I might have about you. I will also try to help you understand any information you do not understand (e.g., short forms, technical language, etc.). I will need to confirm your identity before providing you with this access. I reserve the right to charge $30.00 for the first twenty pages of records and 25 cents for each additional page. I may ask you to put your request in writing. I will respond to your request as soon as possible and generally within 30 days, if at all possible. If I cannot give you access, I will tell you the reason, as best I can, as to why. If you believe there is a mistake in the information, you have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions I may have formed. I may ask you to provide documentation that my files are wrong. Where I agree that I made a mistake, I will make the correction. At your request and where it is reasonably possible, I will notify anyone to whom I sent this information (but I may deny your request if it would not reasonably have an effect on the ongoing provision of health care). If I do not agree that I have made a mistake, I will still agree to include in my file a brief statement from you on the point.

If there is a Privacy Breach

While I will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your personal health information I will notify you. Upon learning of a possible or known breach, I will take the following steps:

  • I will contain the breach to the best of my ability, including by taking the following steps if applicable

    • Retrieving hard copies of personal health information that have been disclosed

    • Ensuring no copies have been made

    • Taking steps to prevent unauthorized access to electronic information (e.g., change passwords, restrict access, temporarily shut down system)

  • I will notify affected individuals

    • I will provide my contact information in case the individual has further questions

    • I will provide the Commissioner’s contact information and advise the affected individual of their right to complain to the Commissioner

  • I will investigate and remediate the problem, by:

    • Conducting an internal investigation

    • Determining what steps should be taken to prevent future breaches (e.g. changes to policies, additional safeguards)

Depending on the circumstances of the breach, I may notify and work with the Information and Privacy Commissioner of Ontario or The College of Physiotherapists of Ontario.

Do You Have Questions or Concerns?

I serve as Information Officer, and I can be reached at:

audrey@rippleandflowphysiotherapy.ca 

I will attempt to answer any questions or concerns you might have.

If you wish to make a formal complaint about my privacy practices, you may make it in writing to me. I will acknowledge receipt of your complaint, and ensure that it is investigated promptly and that you are provided with a formal decision and reasons in writing.

You also have the right to complain to the Information and Privacy Commissioner of Ontario if you have concerns about my privacy practices or how your personal health information has been handled, by contacting:

Information and Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Telephone: Toronto Area (416/local 905): (416) 326-3333

Long Distance: 1 (800) 387-0073 (within Ontario)

TDD/TTY: (416) 325-7539

FAX: (416) 325-9195

www.ipc.on.ca

This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3. It is a complex statute and provides some additional exceptions to the privacy principles that are too detailed to set out here.

I may make changes to this Privacy Policy from time to time. These changes may be made as a result of changes to my legal obligations or the ways in which I collect, use, disclose, or otherwise process your personal information. 

I will post an updated version of my Privacy Policy on my website when I make changes and may also notify you of the changes I have made if I am required to do so by applicable law. I encourage you to check this Privacy Policy for updates on a regular basis.

You agree that by continuing to use my products, services, or website after an update to my Privacy Policy, you agree to accept and consent to the collection, use, and disclosure of your personal information as described in the updated version of the Privacy Policy. 

This Privacy Policy was last updated on March 19th, 2026.