Privacy Policy

ALLI ("we," "our," or "us") is committed to protecting the privacy and confidentiality of your personal information and personal health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our online therapy platform and related services (the "Services").

This policy complies with the Personal Health Information Protection Act, 2004 (PHIPA) of Ontario, the Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable Canadian privacy legislation.

1. Definitions

• "Personal Health Information" (PHI) means identifying information about an individual's physical or mental health, including information about therapy sessions, treatment plans, diagnoses, and health history.
• "Personal Information" means information about an identifiable individual that is not PHI, such as name, address, email, and payment information.
• "Health Information Custodian" means our licensed therapists who provide healthcare services through our platform.

2. Information We Collect

2.1 Personal Information

• • Name, date of birth, gender, and contact information
• • Email address and phone number
• • Payment and billing information
• • Emergency contact information
• • Geographic location (province/territory)
• • Account credentials and preferences

2.2 Personal Health Information

• • Mental health history and current concerns
• • Therapy session notes and treatment records
• • Intake forms and assessments
• • Communications with your therapist
• • Medications and treatment history
• • Insurance information (if applicable)

2.3 Technical Information

• • IP address and device information
• • Browser type and operating system
• • Usage data and analytics
• • Cookies and similar tracking technologies

3. How We Use Your Information

3.1 Provision of Healthcare Services

• • To provide mental health therapy services
• • To match you with appropriate therapists
• • To schedule and manage appointments
• • To maintain treatment records as required by law
• • To communicate with you about your care

3.2 Platform Operations

• • To create and manage your account
• • To process payments and insurance claims
• • To provide customer support
• • To improve our Services and develop new features
• • To ensure platform security and prevent fraud

3.3 Legal and Regulatory Compliance

• • To comply with legal obligations under PHIPA and other laws
• • To respond to legal process and government requests
• • To protect rights, safety, and property
• • To maintain professional standards and licensing requirements

4. Consent

4.1 Express Consent

We obtain your express consent for the collection, use, and disclosure of your PHI for the provision of healthcare services. You provide this consent when you:

• • Complete our intake process
• • Begin therapy with one of our therapists
• • Sign consent forms for specific uses or disclosures

4.2 Implied Consent

Your consent may be implied for uses and disclosures of PHI that are:

• • For the purpose of providing healthcare to you
• • Directly related to the original purpose of collection
• • For obtaining payment for healthcare services

4.3 Withdrawal of Consent

You may withdraw or modify your consent at any time, subject to legal restrictions and reasonable notice. Please note that withdrawal of consent may affect our ability to provide Services to you.

5. Disclosure of Your Information

5.1 With Your Consent

We will disclose your PHI with your express consent to:

• • Other healthcare providers involved in your care
• • Family members or persons you designate
• • Insurance companies for claim processing

5.2 Without Consent (As Permitted or Required by Law)

We may disclose your PHI without consent in the following circumstances:

• • To eliminate or reduce a significant risk of serious bodily harm to you or others
• • For a prescribed purpose under PHIPA (e.g., to public health authorities)
• • To comply with a subpoena, warrant, or court order
• • To a regulatory college for quality assurance purposes
• • To report suspected child abuse or neglect as required by law
• • For research purposes, with Research Ethics Board approval

5.3 Service Providers

We may share your information with trusted service providers who assist us in operating our platform, such as:

• • Cloud storage and hosting providers
• • Payment processors
• • Communication services (email, SMS, video conferencing)
• • Analytics and monitoring services

All service providers are contractually required to protect your information and use it only for the purposes we specify.

6. Data Security

6.1 Administrative Safeguards

• • Privacy and security training for all staff
• • Confidentiality agreements with employees and contractors
• • Access controls and role-based permissions
• • Regular security audits and risk assessments

6.2 Physical Safeguards

• • Secure data centers with restricted access
• • Locked filing systems for any physical records
• • Secure disposal of records

6.3 Technical Safeguards

• • End-to-end encryption for all communications
• • Encryption of data at rest and in transit
• • Multi-factor authentication
• • Regular security updates and patches
• • Intrusion detection and prevention systems
• • Regular backups and disaster recovery procedures

7. Retention and Disposal

7.1 Retention Periods

We retain your information in accordance with professional standards and legal requirements:

• • Clinical records: Minimum of 10 years from the date of last service
• • Records for minors: 10 years after the day the individual turns 18
• • Financial records: 7 years as required by tax laws
• • General account information: Duration of account plus 2 years

7.2 Secure Disposal

When retention periods expire, we securely dispose of your information using methods appropriate to the sensitivity of the information, including secure deletion of electronic records and shredding of physical documents.

8. Your Rights

Under PHIPA and applicable privacy laws, you have the right to:

8.1 Access

• • Request access to your PHI and personal information
• • Receive a copy of your records in a readable format
• • Know how your information has been used and disclosed

8.2 Correction

• • Request corrections to inaccurate or incomplete information
• • Have a statement of disagreement attached to your record if we decline to make a correction

8.3 Consent Management

• • Withdraw or modify consent for certain uses and disclosures
• • Restrict access to certain parts of your record
• • Express wishes about who may access your information

8.4 Complaints

You have the right to file a complaint with us or with the Information and Privacy Commissioner of Ontario if you believe your privacy rights have been violated.

9. Information About Minors

Our Services are generally intended for individuals 18 years and older. When we provide services to minors:

• • We assess the minor's capacity to consent to treatment
• • We obtain consent from a parent or guardian when required
• • We follow specific rules about disclosure of a minor's PHI to parents/guardians
• • We maintain confidentiality except where disclosure is required by law

10. Cross-Border Data Transfer

Your information is stored and processed in Canada. We do not transfer PHI outside of Canada without your express consent, except where:

• • Required by law
• • Necessary for the provision of healthcare (e.g., consulting with an out-of-country specialist)
• • You are accessing our Services while outside Canada

If we use service providers located outside Canada for non-PHI processing, we ensure appropriate safeguards are in place.

11. Breach Notification

In the event of a privacy breach involving your PHI, we will:

• • Notify you at the first reasonable opportunity if the breach creates a risk of significant harm
• • Notify the Information and Privacy Commissioner as required
• • Take immediate steps to contain the breach and prevent future occurrences
• • Document the breach and our response

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our platform and updating the "Last Updated" date. For significant changes affecting the handling of PHI, we will seek your consent where required.

13. Contact Information