Privacy Policy.

Effective February 2026 · Last updated February 2026

Template document

This document is a starting point grounded in Canadian law. Before going live, please have it reviewed by a healthcare lawyer in Ontario familiar with PHIPA and consumer protection statutes. Items marked [confirm with counsel] require your specific input or legal review.

Revelle Med Spa is committed to safeguarding the privacy of every person who walks through our doors or visits this site. This policy explains, in plain language, what information we collect, why we collect it, and the choices you have.

01

Who we are

Revelle Med Spa (referred to in this policy as “we,” “us,” and “our”) is a medical aesthetics practice in Vaughan, Ontario [confirm legal business name and full address with counsel].

Treatments are delivered by Annoshia Siva, working under a written medical directive issued by an Ontario-licensed physician.

For the purposes of Ontario’s Personal Health Information Protection Act, 2004 (PHIPA), Revelle Med Spa is a Health Information Custodian. We collect and hold personal health information about the people we treat, and we are accountable to you and to the Information and Privacy Commissioner of Ontario for how that information is handled.

For everything that is not personal health information, such as a general enquiry through this website, we comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

02

Information we collect

We collect only what we need to provide safe, effective care and to comply with our legal obligations.

Personal information

  • Name, date of birth, address, phone, email
  • Emergency contact (if you choose to provide one)
  • How you found us
  • Marketing preferences (opt-in only)

Personal health information

  • Medical history, allergies, current medications, prior treatments
  • Skin assessment, contraindication screening, treatment plan
  • Detailed treatment records (product, batch number, lot, dose, site, technique)
  • Clinical photographs (only with separate, written consent; see Section 5)
  • Follow-up notes and outcomes

Payment information

  • Payment is processed by our payment provider [name the processor: Stripe, Square, Moneris, etc.]. We do not store full credit card details on our systems. We retain the transaction record, the last four digits of the card, and the processor’s reference number.

Website usage information

  • IP address, browser type, pages visited, referring site, approximate location (country / region)
  • See Section 9 for details on cookies and analytics.

03

How we use your information

We use the information we collect to:

  • Provide medical aesthetic treatment and follow-up care
  • Confirm and remind you of appointments
  • Maintain accurate and complete clinical records
  • Process payments for treatments and deposits
  • Communicate with you about your care and (only if you opt in) news or promotions
  • Comply with our legal and professional obligations, including those of the College of Nurses of Ontario
  • Detect and prevent fraud or misuse of our services

We do not sell or trade your personal information. We do not use your information for any purpose materially different from those listed above without your separate consent.

04

How we share your information

We share information only when it is necessary to deliver care or run the practice, and only with parties who are bound by confidentiality and applicable Canadian privacy law.

  • Our medical director. The Ontario-licensed physician who issues our medical directive has access to relevant clinical records as required by their professional obligations.
  • Other healthcare providers. Only with your express written consent, or where required by law (for example, to manage an adverse event).
  • Service providers. Our payment processor, our hosting and email providers, and our booking software, each under a written agreement that limits their use of your data to providing the service.
  • When required by law. Where we are legally obligated to disclose, for example by court order or a request from a regulatory body acting within its authority.

Some of our service providers may store data outside of Canada (commonly in the United States). When this happens, your information may be subject to the laws of that jurisdiction. We choose providers with strong contractual privacy commitments and recognized security certifications. [list the specific providers and locations]

05

Photography and marketing

We may take clinical photographs before, during, and after treatment to track results and inform your care plan. Clinical photography is part of providing safe treatment, and is held with the rest of your clinical record.

We will never publish your image on our website, social media, or printed materials without your separate, specific, written consent. That consent is entirely voluntary, can be limited to specific uses, and can be withdrawn at any time by writing to us at the address in Section 12. Where consent is withdrawn, we will remove the image from any channel we control going forward; copies that have already been shared by others may not be retrievable.

If you opt in to our email or SMS list, you can unsubscribe at any time using the link in any message, or by replying STOP to SMS. Even after you unsubscribe, we will continue to send transactional messages such as appointment reminders.

06

Data retention

We keep your personal health information for at least ten (10) years after the date of your most recent visit, in keeping with the record retention guidance of the College of Nurses of Ontario and the standards of practice for medical aesthetics in Ontario.

Records for clients who were minors at the time of treatment are kept until at least ten years after the client’s eighteenth birthday.

Non-health information, such as transactional data for a treatment payment, is kept for as long as needed to meet our tax, accounting, and legal obligations (generally six to seven years under Canadian law), then destroyed.

When information is destroyed, it is destroyed securely. Paper records are cross-cut shredded and digital records are permanently deleted from primary and backup systems.

07

Security

We take reasonable steps to protect personal information against loss, theft, unauthorized access, copying, modification, or disclosure.

  • Clinical records are stored in encrypted, access-controlled systems
  • Paper records are kept in a locked cabinet in a secure area of the suite
  • Access is limited to people who need it to do their work
  • Our website is served over HTTPS
  • We carry professional liability insurance that includes coverage for privacy breaches

No system is perfectly secure. In the unlikely event of a material privacy breach that is reasonably expected to create a real risk of significant harm, we will notify affected individuals and the Information and Privacy Commissioner of Ontario as required by PHIPA.

08

Your rights under PHIPA

You have the right to:

  • Access the personal health information we hold about you, and to receive a copy in a portable format
  • Request a correction to information you believe is inaccurate or incomplete. Where we disagree, we will note your statement of disagreement on the record.
  • Withdraw consent to the collection, use, or disclosure of your information, subject to our legal and professional obligations
  • Receive an account of certain disclosures we have made of your personal health information
  • Make a complaint to the Information and Privacy Commissioner of Ontario at any time, without first contacting us

We will respond to a written request within thirty (30) days. A reasonable fee may apply where permitted by PHIPA; we will tell you in advance.

09

Cookies and analytics

This website uses a small number of cookies to make the site work properly and to understand how visitors use it. We do not use third-party advertising or behavioural tracking cookies.

[update once an analytics provider is added: Plausible, Fathom, GA4, or none]

You can disable cookies in your browser settings. The site will continue to work, though some features may not persist between visits.

10

Children's information

Revelle Med Spa does not provide treatment to individuals under eighteen (18) years of age, and does not knowingly collect personal information from children. If you believe a child has submitted information to us, please contact us and we will promptly delete it.

11

Changes to this policy

We may update this policy from time to time to reflect changes in our practice, our services, or the law. The “Last updated” date at the top reflects the most recent revision.

For material changes, we will provide notice to active clients by email and post a prominent notice on this site for at least thirty (30) days before the change takes effect.

12

Contact and complaints

Privacy questions, access requests, and consent changes should be directed to our Information Practices Officer:

Annoshia Siva
Information Practices Officer
Revelle Med Spa

Vaughan, Ontario

privacy@revellemedspa.com

If you are not satisfied with our response, you may file a complaint with the Information and Privacy Commissioner of Ontario:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON  M4W 1A8
www.ipc.on.ca · 1-800-387-0073