Privacy Policy

1. Introduction

Hayat Embodied Therapy (“we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard information through our Website, hayatembodiedtherapy.com (the “Website”).

We handle personal information in accordance with the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA“), the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”), and the professional standards of the College of Registered Psychotherapists of Ontario (CRPO).

Important — two different categories of information:

• Website information — what you provide or what is collected when you browse this Website, submit a form, or contact us. This Privacy Policy covers that information.
• Personal Health Information (PHI) — clinical information collected during intake, sessions, and the therapeutic relationship. PHI is governed by PHIPA and is addressed separately in your Informed Consent and Service Agreement, which is reviewed and signed before therapy begins.

By using this Website, you consent to the practices described in this Privacy Policy.

2. Information We Collect

We collect only the information that we reasonably need to operate the Website, respond to your enquiries, and arrange services.

a. Information You Provide

When you contact us, fill in a form, request a free consultation, or correspond with us by email or phone, we may collect:

• Your first and last name
• Email address
• Phone number
• The service you are interested in
• Any message or information you choose to share with us
• Any other information you voluntarily provide

Please do not include detailed sensitive clinical information (such as detailed mental health history, trauma details, or medication information) in initial contact forms or emails. These channels are not designed for the secure exchange of clinical information. Please share clinical details only after intake, through the secure channels we set up at that point.

b. Information Collected Automatically

When you visit the Website, certain information is collected automatically through standard internet technology, including:

• Your IP address and approximate location (e.g., city or region)
• Browser type and version, operating system, and device type
• Pages you view, time spent on each page, and referring URL
• Date and time of access

This information is used to operate the Website, monitor performance, prevent abuse, and improve user experience. It is generally not used to personally identify you.

c. Information from Third-Party Platforms

If you contact us or interact with us through a third-party platform (for example, a social media page or a professional directory such as Psychology Today), we may receive limited information from that platform in accordance with its own privacy practices and your settings on that platform.

3. Cookies and Similar Technologies

The Website uses cookies and similar technologies to function properly and to understand how visitors interact with our pages. Cookies are small text files placed on your device by a website you visit.

We may use:

• Strictly necessary cookies — required for core functions such as page navigation and form submission;
• Performance and analytics cookies — for example, through Google Tag Manager and analytics tools, to help us understand which pages are visited and how the Website is performing;
• Functionality cookies — to remember choices you make (such as accepting cookie notices).

You can control cookies through your browser settings, including blocking or deleting them. Disabling some cookies may affect how the Website functions for you.

If our website displays a cookie banner, your choices in that banner will apply to your visit.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To respond to your enquiries, calls, emails, and form submissions;
• To schedule and confirm a free initial consultation;
• To assess whether our services are an appropriate fit for your needs.
• To provide, operate, maintain, and improve the Website;
• To monitor Website performance, security, and prevent fraud or misuse;
• To comply with our legal, regulatory, and professional obligations;
• To communicate important changes to our services, practice, or policies.

We use information only for the purposes for which it was collected, or for purposes that a reasonable person would consider compatible. We do not sell, rent, or trade your personal information.

5. Legal Basis and Consent

Under PIPEDA, we collect, use, and disclose your personal information based on your consent, which may be express (for example, when you fill in a form) or implied (for example, when you browse the Website). You may withdraw your consent at any time, subject to legal or contractual restrictions, by contacting us at the details in Section 13. Withdrawing consent may affect our ability to provide certain services to you.

For health information collected in the course of therapy, consent is handled in accordance with PHIPA and is documented in your Informed Consent and Service Agreement.

6. How and With Whom We Share Information

We do not sell or rent your personal information. We share information only in limited circumstances, including:

• Service providers that help us operate the Website or our practice — for example, hosting providers, email providers, analytics tools, scheduling or practice management software, and payment processors. These providers are permitted to access only the information needed to perform their functions and are required to keep it confidential.
• Clinical supervision — as a CRPO requirement for Registered Psychotherapists in the Qualifying category, our practitioner consults with a clinical supervisor. Identifying details are limited to what is reasonably necessary for supervision, and supervisors are bound by their own professional confidentiality obligations.
• Legal and regulatory disclosures — where required by law, court order, subpoena, or by the rules of the CRPO or another regulatory body. This includes mandatory reporting in situations such as a reasonable belief that a child or vulnerable person is at risk of harm, or a serious risk of imminent harm to an identifiable person.
• Professional advisors — such as legal counsel or auditors, where reasonably necessary, under appropriate confidentiality protections.

We do not disclose personal information to third parties for their own marketing purposes.

7. Storage, Security, and Retention

We take reasonable administrative, technical, and physical safeguards to protect personal information against unauthorised access, use, disclosure, alteration, or loss. These safeguards include access controls, password protection, secure storage of devices, and use of reputable service providers.

However, no method of transmission over the internet or method of electronic storage is completely secure. Email, SMS, and unencrypted web forms have inherent risks. We cannot guarantee absolute security, and you share information through these channels at your own risk.

We retain personal information only for as long as it is needed for the purpose for which it was collected, or as required by law and our professional obligations:

• General Website enquiries that do not lead to services are retained for a reasonable period, after which they are securely deleted or de-identified.
• Personal Health Information collected during therapy is retained in accordance with PHIPA and the CRPO’s record-keeping standards (currently, clinical records of an adult client must generally be retained for at least 10 years after the last interaction, with separate rules for minors).

8. Cross-Border Data Transfers

Some of the third-party service providers we use (for example, certain analytics, hosting, or email tools) may store or process information outside Canada, including in the United States or other jurisdictions. When information is processed outside Canada, it may be subject to the laws of that country, including lawful access by foreign authorities.

We take reasonable steps to ensure that service providers handling personal information offer a comparable level of protection, but we cannot guarantee the privacy laws of other jurisdictions are equivalent to Canadian law. By using the Website, you acknowledge this possibility.

9. Your Privacy Rights

Under PIPEDA (and PHIPA, where applicable), you generally have the right to:

• Access the personal information we hold about you;
• Request correction of information that is inaccurate or incomplete;
• Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions;
• Ask questions about our privacy practices and how your information has been handled.

To exercise any of these rights, please contact us using the details in Section 13. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law. Some requests may be subject to limited exceptions where the law allows or requires us to retain information.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) regarding PIPEDA matters or the Information and Privacy Commissioner of Ontario (ipc.on.ca) regarding PHIPA matters.

10. Email Communications and Anti-Spam (CASL)

If you provide your email address through a form, by contacting us, or as part of our services, we may send you communications relating to your enquiry, your consultation, or your care. These are operational and transactional messages necessary to respond to or serve you.

We comply with Canada’s Anti-Spam Legislation (CASL) for any commercial electronic messages. If we ever send commercial messages, you will have the ability to unsubscribe at any time, and we will honour unsubscribe requests promptly.

11. Children’s Privacy

This Website and our services are not directed at children. We do not knowingly collect personal information from children under the age of 13 through the Website. Therapy services for adolescents are arranged through a parent or legal guardian as part of intake. If you believe a child has provided personal information through the Website, please contact us so we can remove it.

12. Third-Party Links

The Website may contain links to third-party websites, social media platforms, or professional directories. Those sites have their own privacy policies, which we do not control. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policy of any site you visit through a link from our website.

13. Contact Us — Privacy Enquiries

If you have questions, concerns, or requests regarding this Privacy Policy or how your personal information is handled, please contact us:

• Hayat Embodied Therapy Oshawa, Ontario, Canada, L1K
• Phone: +1 (365) 607-6424
• Email: consult@hayatembodiedtherapy.com

We will do our best to address any concerns directly. If we are not able to resolve your concern, you may contact:

• Office of the Privacy Commissioner of Canada — priv.gc.ca (for PIPEDA-related concerns)
• Information and Privacy Commissioner of Ontario — ipc.on.ca (for PHIPA-related concerns and matters involving health information custodians in Ontario)

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The “Last Updated” date at the top of this page will reflect the most recent version. We encourage you to review this Privacy Policy periodically. If we make material changes, we will take reasonable steps to bring them to your attention. Continued use of the Website after changes are posted means you accept the updated Privacy Policy.

This Privacy Policy applies to information collected through the Website. Personal Health Information collected during therapy is handled separately under PHIPA and is addressed in your Informed Consent and Service Agreement.