Privacy Policy
Private Wellness (“we,” “us”) respects your privacy. This Policy explains what information we collect, why we collect it, and how you can exercise your rights. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law.
1. What we collect
When you book a session we collect:
- Identifiers: your name, email, and phone number;
- Booking data: the slot you selected, your membership tier (if any), and your booking history;
- Waiver responses: your answers to contraindication questions, your typed signature, the IP address and browser you used to sign, and the time of signing;
- Payment data: handled directly by Stripe. We never see or store full card numbers. We retain only the Stripe customer, subscription, and payment identifiers needed for reconciliation.
2. Why we collect it
We use your information to:
- provide the service you booked (confirmations, PIN delivery by SMS, follow-up emails);
- verify that our contraindication policy is followed and maintain liability records;
- process payments and subscriptions;
- investigate security incidents and prevent abuse; and
- comply with our legal obligations.
3. Who we share it with
We share the minimum necessary information with trusted service providers:
- Stripe (Canada and United States) — payment processing and subscription billing.
- Twilio (United States) — SMS confirmation and PIN delivery.
- Resend (United States) — transactional email delivery.
- Seam.so (United States) — creation and revocation of time-bound door PINs.
- Cloudflare (Canada and United States) — website hosting, DNS, and database.
Some of these providers store data in the United States. By using our service you consent to your information being transferred to and processed in those jurisdictions. U.S. law-enforcement authorities may be able to access information held in the United States.
We do not sell your personal information to anyone. We do not use your information for third-party advertising.
4. How long we keep it
- Waivers and booking history: seven (7) years, consistent with Canadian limitation periods for personal-injury claims.
- Payment records: retained by Stripe per its terms and by us for a minimum of six years, to satisfy CRA record-keeping rules.
- Marketing emails: retained until you unsubscribe.
- Aggregated, de-identified analytics: retained indefinitely.
5. Security
All traffic to our site is encrypted via HTTPS. Our database is hosted on Cloudflare D1 with access restricted to our application code. Secrets (API keys, webhook signing keys) are stored as encrypted Cloudflare Pages secrets and are never logged. Door PINs are short-lived (valid for the session window plus a small grace period) and are revoked automatically when a session ends.
6. Your rights under PIPEDA
You have the right to:
- access the personal information we hold about you;
- correct information that is inaccurate or out of date;
- withdraw consent at any time, subject to legal or contractual restrictions;
- delete your account and associated personal information, except where we are required to retain it by law (e.g. tax and liability records); and
- complain to the Office of the Privacy Commissioner of Canada if you believe we have mishandled your data.
To exercise these rights, email support@privatewellness.ca.
7. Children
Our service is not intended for anyone under 18. We do not knowingly collect personal information from minors.
8. Cookies and analytics
The Site uses strictly necessary cookies to maintain your booking session. We do not use third-party behavioural-tracking cookies. If we add analytics in the future, we will update this Policy and request consent where required.
9. Changes
If we materially change how we handle your data, we will update this page and, where possible, notify you by email.
10. Contact
Privacy inquiries: support@privatewellness.ca