DeNovo Psychotherapy — Privacy Policy (Ontario)
Effective date: 13 September 2025
Scope: Clients, prospective clients, website visitors, and anyone who interacts with DeNovo Psychotherapy (“we,” “our,” “us”).

1) Who we are & the laws that apply
We are a psychotherapy practice in Ontario. We comply with PHIPA (2004) for the collection, use, and disclosure of personal health information (PHI) and adhere to CRPO Professional Practice Standards for confidentiality and record-keeping. You have PHIPA rights of access and correction.
2) Key terms

• “Client,” “you”: any person who visits our website, contacts us, or receives services.

• “Personal information (PI)”: information that identifies you (e.g., name, email, phone, IP address, referral source).

• “Personal health information (PHI)”: health-related information (e.g., presenting concerns, diagnoses, session notes) subject to PHIPA.

• “Website”: pages we operate under our domain(s).

 
Clinical/therapy records are PHI and are governed by PHIPA and CRPO standards. Website/contact data that is not health information is treated as PI under this policy.

3) What we collect
a) You provide it

• Contact & inquiry details (e.g., name, email, phone, what you’re seeking help for).

• Intake & consent: if you start therapy, additional PHI is collected and stored in our Jane electronic health record (EHR).

• Email subscriptions: if you opt in, we store your name/email for newsletters or updates.

b) Collected automatically (non-PHI)

• Usage/technical data: pages viewed, time on site, device/browser type, approximate location, IP address (for security and performance).

• Cookies/pixels: to improve the website and measure marketing effectiveness. (See §9 and §11.)
   

We aim to collect only what is reasonably necessary for care, administration, security, and legal compliance.

4) How we use information

• Respond to your inquiries and book services.

• Match you with a suitable therapist.

• Manage appointments, billing, and clinic operations.

• Communicate about scheduling, service availability, or (if you’ve opted in) clinic updates.

• Improve site performance and user experience (analytics).

• Comply with legal/college obligations and maintain security.
   

We do not sell or rent your information.

5) Our clinical systems & electronic communication
Jane (scheduling, charting, telehealth, messaging)
We use Jane for day-to-day practice. Jane supports encryption and Canadian data residency when the Canadian region is selected. We remain the health information custodian and control user access in Jane.
Email under PHIPA
Email is convenient but not ideal for sensitive content. We use reasonable safeguards and offer more secure options (e.g., Jane client portal, secure links). Please avoid sending detailed clinical information by regular email. Where PHI must be transmitted electronically, we use encryption whenever feasible.

6) Advertising, Meta (Facebook/Instagram), and lead forms
We run occasional ads on Meta platforms.

• Instant Forms (Lead Ads): If you submit a form, we receive the contact details you choose to provide (e.g., name, email, phone) to follow up about services. Please do not include sensitive health details in any ad form. Clinical information is collected only after you review our informed-consent documents inside Jane.

Tracking technologies: We do not place the Meta Pixel on intake/booking or client-portal pages where PHI might be entered, and we do not knowingly send PHI to advertising platforms.
 
When you interact with advertisements or submit information through third-party platforms (e.g., Meta/Facebook/Instagram, Google, Bing, Pinterest), your use of those platforms is governed by their terms and privacy policies as well. These companies may collect, use, store, share, or retain information (including via cookies, pixels, device IDs, and analytics) independently of DeNovo Psychotherapy. We do not control how those platforms process data once you visit or use their services, and we are not responsible for their security practices or compliance.

• We limit what information we request from advertising platforms and do not knowingly transmit PHI through ads, pixels, or forms.

• Any details you provide directly on a third-party site/app (including lead/instant forms) are handled under that platform’s policies.

• You can manage ad preferences or opt-out of interest-based ads using the platform controls and industry tools listed above (e.g., Facebook/Instagram Ad Preferences, Google Ad Settings, Digital Advertising Alliance).

• Third-party platforms may process data on servers outside Canada; we do not control their storage locations.

• Opt-outs for targeted advertising:

  • Facebook/Instagram: https://www.facebook.com/settings/?tab=ads

  • Google: https://www.google.com/settings/ads/anonymous

  • Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

  • Pinterest: https://help.pinterest.com/en/business/article/stop-ads

  • Digital Advertising Alliance: http://optout.aboutads.info/
     

If you submit a Meta Instant Form and later prefer no further contact, tell us and we’ll remove you from marketing follow-ups.

7) Cookies, analytics & embedded content (website)

• Cookies help remember preferences, improve load speed, and support security/analytics. You can restrict cookies in your browser; some features may degrade.

• Analytics (e.g., Google Analytics) helps us understand aggregate usage and improve the website. Analytics reports use de-identified/aggregated data.

• Embedded content (e.g., videos, maps, social posts) behaves as if you visited the third-party site; those services may set cookies or collect usage data under their own policies.
  
  We do not link your site-browsing data to your clinical chart.

8) Disclosures & third parties
We share information only as described here:

• Care delivery & operations: with service providers who support our practice (e.g., Jane, secure email, payment processing, website hosting/analytics). These providers may access information only as needed to perform services for us and must protect it appropriately. Clinical notes and PHI remain in the EHR and are not shared with marketing or general IT vendors.

• With your consent: e.g., letters to third parties. We seek express consent, limit content to what’s relevant, and use secure transmission.

• Required or permitted by law: e.g., serious and foreseeable risk, child protection, court orders, professional/regulatory requirements.

• Business transitions: If we undergo a merger, acquisition, or re-organisation, permitted information may be transferred subject to confidentiality and applicable law.

We may also use or share non-identifying, aggregated data to improve services and understand website trends.
9) Safeguards
We employ administrative, technical, and physical safeguards proportionate to the sensitivity of the data (role-based access, encryption, audit trails, secure storage, least-privilege access, secure disposal). PHIPA requires protection against theft, loss, and unauthorized use/disclosure; we align our practices accordingly.
10) Retention & secure destruction

• Clinical/administrative records: retained at least 10 years from the date of last contact, or 10 years after the 18th birthday for minors—whichever is later—per CRPO and Ontario guidance.

• Website/contact inquiry data: retained for as long as reasonably necessary for the purposes described (e.g., responding to you, security, legal obligations) and then securely deleted or de-identified.

11) Your choices & rights

• Access & copies (PHIPA): You can request access to your record; reasonable fees may apply.

• Corrections: You can request corrections; if we disagree, you may add a statement of disagreement to your record.

• Consent management: You may withdraw or limit consent to disclosures, subject to legal limits and safety exceptions.

• Marketing emails: You can unsubscribe at any time via the link in our messages. Transactional messages (e.g., appointment reminders) may still be sent as necessary.
   

12) Teletherapy
Video sessions are provided through Jane’s telehealth feature. For privacy, we recommend a quiet, private location, secure Wi-Fi, and updated devices/headphones.

13) Children & substitute decision-makers
For minors and clients with substitute decision-makers (SDMs), we obtain consent from the capable client or the appropriate SDM in line with PHIPA and CRPO standards.
14) Privacy incidents (breach response)
If a privacy incident affects your information, we will act promptly to contain and assess the issue, notify you and any required authorities, and implement remedial steps consistent with PHIPA and regulator guidance.

15) Application of this policy
This policy covers website and general contact information and explains how we handle non-PHI and high-level clinic operations data. Therapy services are also governed by separate informed-consent and clinical confidentiality documents that apply to your PHI in our EHR.

16) Changes to this policy
We may update this policy to reflect legal, regulatory, or operational changes. The most current version will carry the effective date above.

17) Contact us (Privacy Officer)
DeNovo Psychotherapy – Privacy Officer
Email: info@denovopsychotherapy.ca

If we cannot resolve your concern, you may contact the Information and Privacy Commissioner of Ontario (IPC) for a health-privacy complaint, and/or the CRPO for concerns regarding a registrant’s conduct.