Privacy Policy
1) Who we are
WellCalmRx (“WellCalmRx”, “we”, “us”) provides a clinical practice supported by digital tools. Our public-facing website provides information about our services and routes you to our booking portal hosted by an approved electronic medical record (EMR) system in Canada.
2) What this Policy covers
This Policy explains how WellCalmRx handles personal information connected with:
- use of our public-facing (informational) website; and
- administrative activities we perform to support your care (e.g., coordinating referrals or prescription transmission, where applicable).
This Policy does not govern how your healthcare provider (e.g., nurse practitioner, physician, or other regulated professional) manages your medical record. Your provider is legally responsible for the clinical chart they create and maintain in the EMR.
3) Key definitions
- Personal Information (PI): Information about an identifiable individual.
- Personal Health Information (PHI): Health/health-care information about an identifiable individual as defined in applicable health privacy laws (e.g., PHIPA in Ontario).
- Authorized Provider: Regulated health professional licensed in a Canadian province/territory who provides care to you.
- EMR: An approved electronic medical record system used to document and manage clinical records.
4) Roles under applicable law (PHIPA/PIPEDA and equivalents)
- Authorized Providers are Health Information Custodians (HICs) (or the provincial equivalent) for the PHI they collect and create in the EMR.
- WellCalmRx acts as an agent/service provider to the HIC for PHI that we handle to support care delivery (e.g., scheduling, coordination, secure transmission). As an agent/service provider, we:
  - handle PHI only as permitted by law and the HIC’s instructions;
  - implement appropriate administrative, technical, and physical safeguards; and
  - promptly report suspected privacy breaches involving PHI to the HIC and cooperate with required notifications.
- For non-PHI PI we handle (e.g., operations email), we act as an “organization” under PIPEDA (or applicable provincial private-sector privacy law).
5) Our website and your data
- Our public-facing website does not collect or store personal information beyond strictly necessary cookies and privacy-preserving analytics (see Section 12).
- When you select Book, you are redirected to a secure booking page hosted by an approved Canadian EMR. Any personal or health information entered there is collected and stored in the EMR, not on our public-facing website.
6) Where your health information is stored
All PHI is stored in Canada in an approved EMR that meets applicable health privacy requirements (e.g., PHIPA in Ontario) and employs industry-standard security controls, including encryption at rest where supported by the EMR.
7) Cross-border access
While PHI is stored in Canada within the EMR, certain limited services (e.g., transactional email/SMS delivery, security monitoring, availability alerts, website analytics) may involve processing or access from outside Canada. Where this occurs, we use written agreements requiring confidentiality, least-privilege access, safeguard equivalency, and timely breach notice. We do not permit service providers to use your information for their own marketing.
8) Consent
By using our website and by receiving services coordinated by WellCalmRx, you consent to our handling of personal information as described here. Authorized Providers obtain the consent required for assessment, treatment, and documentation in the EMR under applicable law (e.g., implied consent under PHIPA for the circle of care, or express consent where required). You may withdraw consent for certain administrative uses by contacting us (Section 16); if you withdraw consent needed for service delivery, some services may no longer be available.
9) How we use information (minimal, non-exhaustive)
- To schedule appointments through the EMR booking system.
- To communicate about logistics (e.g., reminders if enabled).
- To coordinate care at your or your provider’s request (e.g., sending a prescription to a pharmacy, forwarding a referral).
Where feasible, we use de-identified or non-identifying data and collect only what is necessary. We do not make decisions that produce legal or similarly significant effects solely by automated means.
10) Service providers (sub-processors)
We engage service providers to support website hosting, email/SMS delivery, analytics, security, and operations. We use written agreements that require confidentiality, security safeguards, breach notification, deletion/return of data at end of services, and flow-down obligations to any permitted subcontractors. Upon request, we will provide a current list of material service providers who may handle personal information, including their roles and processing locations.
11) Disclosures
We may disclose information:
- to your Authorized Provider to enable or support care you request;
- to third parties with your consent (e.g., insurer/third-party payer);
- as required or permitted by law (e.g., responding to lawful requests, preventing fraud or harm, asserting legal rights); and
- in connection with business transfers (e.g., merger, acquisition, asset sale) subject to appropriate safeguards and any required notifications.
We do not sell personal information and do not permit third parties to use it for their own marketing without your consent.
12) Cookies, analytics, and CASL
- Cookies/analytics: Our public-facing website may use (i) strictly necessary cookies and (ii) privacy-preserving analytics that avoids creating individual profiles (e.g., IP truncation/aggregation). Tool in use: [insert, e.g., Plausible/Matomo self-hosted/none]. You can manage cookies in your browser; disabling some cookies may affect functionality.
- Commercial electronic messages (CASL): We send marketing emails/SMS only with consent or as otherwise permitted by law. You can unsubscribe at any time via the link in the message or by contacting us (Section 16). Service and transactional messages (e.g., appointment confirmations) may still be sent.
13) Privacy incidents and breach notification
We maintain an incident response program. If we become aware of an incident involving personal information under our control, we will contain and investigate the incident, take appropriate remediation steps, and provide notifications required by law, including notifying the relevant Authorized Provider/HIC where PHI is involved and cooperating with any regulator notifications (e.g., IPC-ON).
14) Security
We apply administrative, technical, and physical safeguards designed to protect information under our control, including encryption in transit, encryption at rest where supported, role-based access controls, least-privilege permissions, and multi-factor authentication where available. We conduct periodic risk assessments and vendor due diligence. No system is perfectly secure; electronic transmission and storage carry inherent risks that we work to minimize.
15) Third-party links
Our website may link to third-party sites. Their privacy policies apply to those sites; we are not responsible for their practices.
16) Changes and versioning
We may update this Policy from time to time. The “Last updated” date shows the most recent version. We can provide prior versions upon request. Continued use of our website or services after changes indicates acceptance of the updated Policy.
17) Contact us: WellCalmRx - Privacy Officer
Email: infowellcalmrx@gmail.com
Mailing address:
Suite# 343
6-1500 Upper Middle Rd. W
Oakville, Ontario L6M 0C2
Last updated: October 16, 2025
