Privacy Policy

Effective Date: June 4, 2026

LUNA Occupational Therapy (“we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and security of personal information and personal health information entrusted to us. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information in the course of providing occupational therapy services and operating our practice in Ontario, including our website. This Privacy Policy also serves as our Statement of Information Practices regarding personal health information.

This Policy reflects our obligations under the Personal Health Information and Protection Act, 2004 (“PHIPA”) with respect to personal health information in Ontario, and under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) where applicable, including in relation to personal information handled in the course of commercial activities.

1. Who We Are and Accountability


LUNA Occupational Therapy is an occupational therapy practice located in Clarence-Rockland, Ontario. In relation to personal health information in our custody or control, we act as a health information custodian for the purposes of PHIPA, where applicable.

We are responsible for personal information and personal health information under our custody or control. We have designated a Privacy Officer to oversee compliance with this Policy, respond to questions and complaints, and handle access or correction requests.

We maintain policies, procedures, and safeguards designed to protect information, limit access on a need-to-know basis, and ensure that employees, contractors, and service providers understand their privacy and confidentiality obligations.

We do not sell or give out personal information or personal health information.

2. The Information We Collect


We collect only the information that is reasonably necessary for the purposes identified in this Policy and permitted by law. Depending on the circumstances, this may include:

  • Contact and identifying information, such as your name, address, telephone number, email address, date of birth, and emergency contact information;
  • Personal health information, such as health history, medical information relevant to services, assessment results, treatment plans, reports, clinical notes, and records of care;
  • Information received from physicians, other health-care professionals, caregivers, schools, employers, insurers, or family members where you have consented or where otherwise permitted or required by law;
  • Billing, payment and insurance or benefit information;
  • Appointment, communication, and service records; and
  • Technical information collected through our website or online services, such as device, browser, IP address, and usage data.

3. How We Collect Information


We generally collect information directly from you. With your consent, or as otherwise permitted or required by law, we may also collect information from third parties, including persons acting on your behalf, referring professionals, insurers, family members, schools, employers, or other service providers involved in your care or payment arrangements. Some information may also be collected through third-party service providers such as a clinic management platform.

As a health custodian, we will not collect personal health information if other information will serve the purpose. In addition, we will not collect more personal health information than is reasonably necessary to meet the purpose.

4. Purposes For Collection, Use, and Disclosure


We collect, use, and disclose information for purposes such as:

  • Providing occupational therapy assessments, treatment, consultation, follow-up care, and related services;
  • Maintaining clinical and business records;
  • Scheduling appointments and communicating with clients and authorized representatives;
  • Preparing reports, recommendations, invoices, and other service-related documents;
  • Coordinating care with other health-care providers and authorized persons;
  • Processing payments and submitting insurance or benefit claims where authorized;
  • Operating, evaluating, and improving our services, systems, and risk management practices;
  • Meeting legal, regulatory, professional, insurance, and recordkeeping obligations; and
  • Any other purpose permitted or required by law or identified to you at or before collection.

We limit our collection, use, and disclosure to what is reasonably necessary for these purposes, unless otherwise permitted or required by law.

5. Consent


We obtain consent to collect, use, and disclose personal information and personal health information except where otherwise permitted or required by law. By seeking services from us, providing information, or authorizing others to provide information on your behalf, you consent to our handling of your information for the purposes described in this Policy, subject to applicable law.

You may withhold or withdraw consent in certain circumstances by contacting our Privacy Officer. However, doing so may limit our ability to provide services or carry out requested activities where the information is necessary for those purposes.

We do not use or disclose your personal information and personal health information for new purposes without additional consent unless permitted or required by law. In cases where we will collect, use or disclose your personal health information without your consent, we will do so only where we have clear authority under PHIPA.

6. Disclosure of Information


We may disclose information, where authorized, permitted, or required, to:

  • Other health-care providers involved in your care;
  • Insurers, benefit providers, or third-party payors where you have authorized the disclosure;
  • Guardians, substitute decision-makers, legal representatives, or other persons legally authorized to act on your behalf;
  • Service providers who assist us with practice management, record storage, information technology, scheduling, virtual care, billing, payment processing, or similar services;
  • Professional regulators, auditors, insurers, legal counsel, or other advisors where necessary; and
  • Courts, law enforcement, regulators, or other parties where disclosure is required or authorized by law.

We require service providers and other third parties handling information on our behalf to protect it with appropriate safeguards and to use it only for authorized purposes.

We may also use or disclose de-identified, anonymized, or aggregated information where it no longer identifies an individual and where permitted by law.

7. Website, Cookies, and Online Services


You may visit portions of our website without providing personal information. Our website and online services may use cookies and similar technologies to improve functionality, understand usage, enhance user experience, and support security and administration.

We may use third-party website analytics or service tools that collect technical information such as IP address, browser type, pages visited, date and time of access, and similar usage information. Most browsers allow you to manage cookies through your settings, although disabling cookies may affect website performance.

Our website may contain links to third-party websites or platforms. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.

8. Service Providers and Cross-Border Processing


We may use third-party service providers, including without limitation Jane APP for record storage, cloud services, information technology, scheduling, communication, payment processing, virtual care, or other administrative and operational functions. In some cases, information may be stored, processed, or accessed outside Ontario or outside Canada and may be subject to the laws of those jurisdictions.

When we use service providers, we take reasonable steps to ensure they provide a comparable level of protection through contractual, technical, and organizational measures appropriate to the sensitivity of the information.

9. Safeguards


We use administrative, physical, and technological safeguards appropriate to the sensitivity of the information to protect against theft, loss, and unauthorized access, use, disclosure, copying, modification, or disposal.

These safeguards may include role-based access controls, passwords and authentication measures, encryption where appropriate, secure storage, audit and monitoring practices, staff training, confidentiality obligations, and secure destruction procedures. Although no system can be completely secure, we take reasonable steps to protect the information in our custody or control.

10. Retention and Destruction


We retain personal information and personal health information only for as long as necessary to fulfill the purposes for which it was collected and to meet applicable legal, regulatory, professional, insurance, and recordkeeping requirements.

When information is no longer required, it is securely destroyed, deleted, anonymized, or otherwise disposed of in accordance with our retention practices and applicable law.

11. Access and Correction


Subject to applicable law and limited exceptions, you may request access to the personal information or personal health information we hold about you and request correction of inaccurate or incomplete information. We may ask you to verify your identity before responding.

Requests should be directed to our Privacy Officer in writing. We will respond in accordance with applicable legal requirements. Access may be limited where permitted or required by law.

12. Accuracy


We take reasonable steps to ensure that personal information and personal health information is as accurate, complete, and up to date as necessary for the purposes for which it is used.

13. Privacy Incidents and Breach


If personal information or personal health information is lost, stolen, accessed, used, or disclosed without authorization, we will investigate, take reasonable steps to contain and reduce the risk of harm, and provide any notifications, reporting, or recordkeeping required by applicable law.

Specifically, we will report breaches of personal information posing a real risk of significant harm to the Office of the Privacy Commissioner of Canada and notify the affected individuals. Similarly, we will report breaches of personal health information to the Information and Privacy Commissioner of Ontario at the first reasonable opportunity if required and in all cases notify the affected individuals. Records of all breaches will be maintained.

14. Questions, Concerns, and Complaints


Questions, concerns, access requests, correction requests, or complaints about our privacy practices may be directed to our Privacy Officer using the contact information below. We will respond in accordance with applicable legal requirements.

If you are not satisfied with our response regarding personal health information, you may file a complain to the Information and Privacy Commissioner of Ontario (“IPC”) using the contact information below.

15. Changes To This Policy


We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. The current version will be made available on request and, where applicable, on our website.

16. Contact Information


For more information about our privacy policy and information practices, please contact the Privacy Officer:

Privacy Officer
Jezlyn Lang
LUNA Occupational Therapy
Email: info@lunaot.com

You may also contact the IPC regarding concerns about personal health information:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Telephone: 416-326-3333 or Toll-free: 1-800-387-0073
TTY: 416-325-7539
Fax: 416-325-9195
Email: info@ipc.on.ca

Scroll to Top