12 Dupont St W, Waterloo, ON N2L 2X6
Privacy Policy
Wellsession Psychotherapy (“we,” “us,” “our”) is a sole‑proprietor psychotherapy practice based in Waterloo, Ontario, owned and operated by Taran Ranu. This Privacy Policy explains how we collect, use, disclose, and protect personal information and personal health information when you visit our website at www.wellsession.ca, use our online booking and forms, or receive psychotherapy and related services from us.
This Policy is intended to meet our obligations under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which set rules for the collection, use, disclosure, and safeguarding of personal information and personal health information in private practice. For some clients located in the United States, U.S. law such as HIPAA may also apply; we use features offered by our service providers to support compliance, but this Policy is focused on Canadian privacy obligations.
By using our website, booking an appointment, or receiving services from us, you consent to the practices described in this Policy, subject to your rights to withdraw or modify consent as set out below.
1. Who we are and contact information
Wellsession Psychotherapy is a sole‑proprietor psychotherapy practice based in Waterloo, Ontario, providing psychotherapy services to adults (and any other groups your client serves) in Ontario and, where clinically appropriate and permitted, some clients located in the United States.
For questions about this Policy or your privacy rights, you can contact:
Wellsession Psychotherapy – Privacy Officer
Email: info@wellsession.ca
Mailing address: Waterloo, Ontario, Canada (full mailing address available on request or on the website contact page).
As required under PHIPA and PIPEDA, we designate the practice owner (or their delegate) to act as our “Privacy Officer,” accountable for our information practices and compliance with applicable privacy laws.
2. Scope and legal framework
This Policy applies to:
- The public website at www.wellsession.ca and any related pages hosted on the Wix platform.
- Online booking, consent and intake forms, client portal, and communication tools offered through Wix or other integrated services.
- Our in‑person and virtual psychotherapy services and clinical record‑keeping.
We treat personal information (any information about an identifiable individual) and personal health information (identifying information about physical or mental health, health history, care provided, payments, etc.) in accordance with PHIPA and PIPEDA.
Where there is any inconsistency between this Policy and applicable law, the law prevails.
3. Information we collect
3.1 Information you provide through the website
Through our Wix website, consent and intake forms, and booking tools, we may collect:
- Identification and contact details: name, email, phone number, mailing address, preferred pronouns.
- Demographic information: date of birth, emergency contact details, and other information requested in our Consent & Intake Form (for example, relationship status or general background, if included).
- Appointment information: requested services, preferred appointment times, time zone, and other scheduling details.
- Written information you choose to share: brief description of your concerns, goals for therapy, or other messages you submit through forms or secure messaging.
These details are collected so we can set up your file, contact you, determine whether our services are appropriate, schedule appointments, and provide care.
3.2 Information collected during psychotherapy and in your clinical record
As part of providing psychotherapy, we create and maintain a clinical record that may include:
- Personal identifiers (name, contact details, date of birth, and other basic demographic information).
- Referral information and relevant background.
- Session notes and progress notes about your mental health, functioning, and treatment.
- Clinical assessments, diagnoses (where applicable), treatment plans, safety or crisis plans, and recommendations.
- Information about your consent, preferences, and instructions regarding use and disclosure of your information.
- Copies or summaries of communications relevant to your care (for example, important emails, letters, or portal messages).
Under PHIPA, we are considered a health information custodian for this personal health information and must collect, use, and disclose it only as permitted or required by law and as reasonably necessary to provide or support your care.
3.3 Payment information
We use Wix Booking and Point of Sale (POS) tools, which integrate with third‑party payment processors to accept credit and debit cards and digital wallet payments such as Apple Pay. These processors are designed to meet payment card industry (PCI) security standards, and card information is handled directly by them rather than being stored on our website.
We typically receive limited payment information such as:
- Confirmation that payment was approved or declined.
- Amount paid, date, and transaction ID.
- Basic billing information (e.g., name and contact details associated with the payment).
We do not store full credit card numbers or CVV codes in our systems. If any manual or paper card details are ever recorded (for example, in an exceptional situation), they are kept securely and destroyed as soon as no longer needed.
3.4 Cookies, analytics, and online tracking
Our Wix website uses cookies and similar technologies for basic site functionality, security, and performance. Wix provides a cookie consent banner and consent log, supported by Usercentrics, to help manage GDPR/CCPA‑style consent and record‑keeping for cookies and similar tracking technologies.
We also use Google Analytics and related analytics tools to understand how visitors use our website (for example, pages visited, time spent on the site, browser type, device information, and general location such as city or region). Google Analytics collects this information in a de‑identified or pseudonymized way, but it may still be considered personal information in some circumstances.
You can control cookies and analytics through:
- The cookie banner on our site, where available.
- Your browser settings (e.g., blocking or deleting cookies).
- Google’s own opt‑out tools for analytics.
4. How we use your information
We use personal information and personal health information for purposes such as:
- Determining whether our services are appropriate for you and, if so, establishing and maintaining a professional therapeutic relationship.
- Providing psychotherapy and related services, including assessment, diagnosis (where applicable), treatment planning, and monitoring of progress.
- Scheduling appointments, sending confirmations and reminders, and managing your client portal and bookings.
- Communicating with you about your care, scheduling, billing, and other administrative matters.
- Processing payments, issuing receipts, and managing accounts.
- Maintaining accurate and up‑to‑date clinical records, as required by professional and legal standards.
- Managing our business operations, such as quality improvement, supervision/consultation (using de‑identified information where possible), risk management, or regulatory compliance.
- Operating and improving our website, ensuring security, and generating aggregated statistics about site usage.
We limit collection, use, and disclosure of your information to what is reasonably necessary for these purposes, consistent with the “limiting collection” and “limiting use, disclosure and retention” principles in PIPEDA and the collection/use/disclosure rules in PHIPA.
5. Consent
5.1 Obtaining consent
We seek your consent for the collection, use, and disclosure of personal information and personal health information, except where the law allows or requires us to act without consent (for example, in emergencies or when required by a court order).
Consent may be:
- Express, for example when you sign our Consent & Intake form, check a box, or provide a verbal agreement to a specific use or disclosure.
- Implied, for example when you provide information and continue to receive psychotherapy services after being given information about our practices and your rights.
For more sensitive uses or disclosures, we will usually seek express consent.
5.2 Withdrawing or modifying consent
You may withdraw or modify your consent, subject to legal and contractual restrictions and reasonable notice. For example, you may:
- Ask us not to use your email for appointment reminders.
- Ask us not to share information with a particular health provider or family member.
Withdrawing consent may affect our ability to provide services or communicate with you. Under PHIPA, you also have the right to provide instructions (sometimes called a “lock‑box” request) limiting how your health information is used or disclosed for health care purposes, subject to certain exceptions.
6. How we share and disclose information
We do not sell your personal information or personal health information.
We may disclose information in the following circumstances, in accordance with PHIPA and PIPEDA:
6.1 For your care and at your request
- To other health care providers involved in your care (e.g., family physician, psychiatrist, other therapists), with your consent or as permitted/required by law.
- To third parties such as insurers, employee assistance programs, lawyers, or others, when you request this and provide appropriate consent.
6.2 Service providers and technology partners
We use third‑party service providers who may have access to limited personal information in order to provide their services to us, such as:
- Wix.com Ltd. – website hosting, booking, forms, portal, email communications, and compliance tools (cookie banner, consent logs, data request tools). Wix hosts data using a multi‑cloud infrastructure with servers in North America and Europe, working with AWS and Google Cloud.
- Payment processors integrated via Wix – processing online POS, card, and digital wallet payments, operating under PCI security standards.
- Google LLC – Google Analytics and related tools for website analytics.
These service providers are required by contract and/or law to use appropriate safeguards and to process personal information only for the purposes of providing services to us. Some of these providers are located outside Ontario and Canada, so your information may be transferred to and processed in other jurisdictions (for example, the United States or the European Union), where it may be accessible to foreign courts and authorities under applicable laws.
6.3 Legal and safety‑related disclosures
We may disclose personal information or personal health information without consent where required or authorized by law, for example:
- If we believe a child or other person is at risk of serious harm, in accordance with mandatory reporting or duty‑to‑warn obligations.
- To comply with a court order, subpoena, or warrant.
- To respond to a lawful request from a regulatory college or privacy commissioner.
- To prevent, investigate, or address serious misconduct, fraud, or security issues.
These situations are carefully assessed and limited to what the law requires or permits.
7. International clients and HIPAA‑related features
Our practice is based in Ontario and governed primarily by Canadian laws such as PHIPA and PIPEDA. HIPAA is a U.S. law that does not generally apply to Canadian‑based health care providers unless specific conditions are met, but it may become relevant when we work with clients located in the United States.
To support work with U.S. clients, we use Wix’s HIPAA‑oriented offering, which includes features such as PHI activation, HIPAA‑designed communication workflows, and a Business Associate Agreement (BAA) between Wix and the practice for covered uses of protected health information. Even with these features, no online system is perfectly secure, and we cannot guarantee absolute security or HIPAA compliance in all circumstances. We therefore encourage all clients, including those in the U.S., to avoid including unnecessary detailed health information in unencrypted communications and to use secure channels provided (such as the client portal) whenever possible.
8. Security safeguards
We take reasonable administrative, technical, and physical measures to protect personal information and personal health information against loss, theft, unauthorized access, disclosure, copying, use, or modification, appropriate to the sensitivity of the information.
These measures include, for example:
- Using secure, password‑protected systems and limiting access to those who need it for their work.
- Using reputable service providers (such as Wix and integrated payment processors) that implement strong security, encryption, and compliance frameworks, and that undergo regular security audits.
- Protecting our devices with encryption, strong passwords, and, where available, multi‑factor authentication.
- Maintaining secure Wi‑Fi and network practices.
- Limiting or avoiding storage of clinical information on local devices where not necessary.
- Securely storing any paper records (if used) in locked cabinets in restricted areas.
- Training and awareness about privacy and security obligations.
Despite these safeguards, no system can be guaranteed 100% secure. We will promptly assess and respond to any suspected or actual privacy or security incident, and notify affected individuals and/or regulators as required by law.
9. Retention and destruction of records
We retain clinical and billing records for the time reasonably necessary to fulfill the purposes for which they were collected and to comply with legal, regulatory, and insurer requirements.
In line with common regulatory standards for Ontario health professionals, this typically means keeping adult clinical records for at least 10 years after the client’s last contact, and in the case of minors, for at least 10 years after the date the client turns 18, unless a longer period is required by law or by professional regulation. Financial and administrative records may be kept for a period consistent with tax and accounting requirements.
When records are no longer needed, they are securely destroyed or anonymized so that they can no longer reasonably identify an individual (for example, by secure shredding of paper files and secure deletion of electronic files).
10. Your rights
Under PHIPA and PIPEDA, you have important rights regarding your personal health information and personal information, including the right to:
- Be informed about the purposes for which your information is collected, used, and disclosed.
- Request access to your clinical record and other personal information we hold about you, subject to limited exceptions.
- Request correction of incomplete or inaccurate information in your record.
- Withdraw or modify your consent to certain uses or disclosures, subject to legal and contractual limits.
- Ask for a record of disclosures, where applicable and reasonably available.
- Complain if you are unhappy with how we handle your information.
10.1 How to request access or correction
To request access to your clinical record or other personal information, or to request a correction, please contact us in writing using the contact details above. We will respond within a reasonable time and in accordance with PHIPA and PIPEDA. In some cases, we may need to verify your identity, and we may charge a reasonable fee for copies in accordance with applicable law.
If we decline a request (for example, where providing access would pose a serious risk of harm, disclose information about another person, or is otherwise limited by law), we will provide an explanation, subject to legal restrictions, and inform you of your options to challenge the decision.
11. Electronic communication
Email and standard text messaging are convenient but are not inherently secure. If you choose to communicate with us by email or similar channels, you do so with the understanding that there are security and confidentiality risks (for example, messages could be intercepted, misdirected, or accessed on a shared device).
We recommend:
- Using secure portals or messaging tools provided through our booking or EMR system for clinical or sensitive matters whenever possible.
- Keeping email and text content limited (e.g., scheduling, rescheduling, or high‑level questions) rather than sharing detailed health information.
- Protecting access to your own email accounts and devices.
We will not use email or similar channels for highly sensitive content without your informed consent, except where it is necessary and proportionate to an emergency or other legal obligation.
12. Virtual care (online sessions)
Where we offer telepsychotherapy or virtual sessions, we use video platforms and tools that are reasonably designed for health‑related services and that provide encryption and other safeguards intended to support PHIPA‑compliant care. We do not record sessions without your explicit consent and a clear clinical or legal rationale.
We ask clients receiving virtual care to:
- Use a private, quiet space where you cannot be overheard.
- Use personal (not shared) devices where possible, with password protection.
- Avoid recording sessions unless this has been explicitly discussed and agreed upon.
13. Website links and third‑party content
Our website may include links to external websites (for example, professional directories, resources, or social media pages). We are not responsible for the privacy practices of those third‑party sites. We encourage you to review the privacy policies of any site you visit before providing personal information.
If we embed third‑party content (for example, videos or maps), those providers may collect certain technical information about your device and usage directly through their content. Any such collection is governed by their own privacy policies.
14. Children, youth, and substitute decision‑makers
If we work with minors or individuals who lack capacity to make their own health decisions, consent may be obtained from a parent, guardian, or other legally authorized substitute decision‑maker, in accordance with Ontario law. In many cases, mature minors may be able to consent to their own care and control access to their health information, depending on capacity and the circumstances.
We balance the privacy rights of the child or youth with the involvement of parents/guardians, consistent with PHIPA, professional standards, and the best interests of the client.
15. Supervision, consultation, and de‑identified information
To support high‑quality care, we may, from time to time, discuss cases in clinical supervision or consultation. Wherever possible, we use de‑identified or anonymized information, removing names and other direct identifiers. If there is a need to share more detailed information that could reasonably identify you, we will seek your consent or rely only on disclosures that are clearly permitted by law as necessary for your care or for professional obligations.
We may also use aggregated, de‑identified information to improve our services or for basic practice statistics. De‑identified information is not considered personal information if it cannot reasonably be re‑identified.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of the Policy and, where appropriate, provide additional notice (for example, posting a notice on our website).
Your continued use of our services or website after an update signifies your acceptance of the revised Policy, subject to your rights under applicable law.
17. Questions, concerns, and complaints
If you have any questions or concerns about this Privacy Policy or how we handle your information, please contact:
Privacy Officer – Wellsession Psychotherapy
Email: info@wellsession.ca
We will do our best to address your concern. If you feel that we have not resolved your privacy issue, you have the right to make a complaint to the appropriate regulator. In Ontario, you may contact:
Information and Privacy Commissioner of Ontario (IPC)
Website: https://www.ipc.on.ca
If you are located elsewhere in Canada or the United States, you may also have the right to complain to your local privacy or data protection authority.
