Privacy Policy
Privacy Policy
Last Updated: April 27, 2026
At HerHealth Pharmacy ("we", "us", "our"), we are committed to protecting your personal health information (PHI). As a Health Information Custodian (HIC) under Ontario's Personal Health Information Protection Act, 2004 (PHIPA), we are legally obligated to safeguard your information. This policy explains how we collect, use, disclose, and protect your information.
1. Information We Collect
In the course of providing pharmacy and healthcare services, we may collect the following types of personal health information:
- Identity information: name, date of birth, gender, address, phone number, email address
- Health card information: Ontario Health Insurance Plan (OHIP) number and version code, collected only where required for claims adjudication or as authorized by Ontario law
- Substitute decision-maker information: name and contact details of any person legally authorized to consent on your behalf
- Medical history: current medications, allergies, medical conditions, treatment history
- Prescription data: prescription details, dosages, refill history, prescriber information
- Consultation records: telehealth consultation notes, booking records, appointment history
- Consent records: signed consent forms, withdrawal records, timestamps, IP addresses
- Uploaded documents: prescription images, identification documents
2. How We Use Your Information
We use your personal health information for the following purposes:
- Dispensing and managing your prescriptions
- Providing telehealth consultations and follow-up care
- Sending appointment reminders and refill notifications
- Managing your consent for treatments and services
- Processing orders and managing your subscription services
- Quality improvement and patient safety initiatives
- Complying with legal and regulatory requirements
We practice data minimization — we collect only the information necessary for the stated purposes.
3. Circle of Care
Access to your personal health information is strictly limited to:
- Licensed pharmacists — for dispensing, consultation, and clinical review
- Nurse practitioners — for prescribing and clinical assessments
- Authorized staff — administrative staff with role-based access controls, limited to information necessary for their duties
Within your circle of care (your prescribing physician, nurse practitioner, and other healthcare providers directly involved in your treatment), PHIPA permits information sharing on the basis of implied consent. You may withdraw this implied consent at any time by contacting us.
4. Sharing Outside the Circle of Care
We do not sell your personal health information. Disclosure to any party outside your circle of care requires your express consent (see Third-Party Disclosure Consent in your account). Such third parties may include:
- Insurance companies and third-party drug plan administrators (for claims adjudication)
- Non-treating healthcare providers
- Designated family members or workplace health programs
Only the minimum necessary information is disclosed in each case. Certain disclosures may be required by law (e.g., mandatory reporting obligations, court orders, public health reporting) and do not require your consent.
5. Canadian Data Residency
All personal and health information is stored exclusively on servers located in Canada. Your data will never be transferred, processed, or stored outside of Canada.
6. How We Protect Your Information
We employ administrative, physical, and technical safeguards appropriate to the sensitivity of personal health information:
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using industry-standard transport encryption
- Encryption at rest: sensitive data is encrypted using industry-standard encryption
- Access controls: role-based access ensures staff can only view information relevant to their duties
- Audit logging: all access to patient records is recorded in a tamper-evident audit log
- Session security: automatic session timeout after 30 minutes of inactivity
- Malware protection: all uploaded files are scanned for malware before storage
- Intrusion prevention: we monitor for and block automated attacks against authentication endpoints
- Browser-side defences: we implement standard protections against cross-site scripting and related attacks
7. Cookies and Website Analytics
We use essential cookies to operate our website (session management, shopping cart, security). We use analytics cookies to understand and improve how the site is used. You may disable non-essential cookies through your browser settings or our cookie preferences. Essential cookies cannot be disabled because they are necessary for core website functionality.
8. Telehealth
Telehealth services (video, secure messaging, and telephone consultations) are delivered through a PHIPA-compliant platform with encryption in transit. Sessions are not recorded without your separate written consent. Telehealth is not appropriate for emergencies — if you are experiencing a medical emergency, call 911 or go to your nearest emergency department. A separate Telehealth Consent is required before your first virtual consultation.
9. Marketing Communications
Marketing and promotional emails or text messages are sent only with your express opt-in consent under Canada's Anti-Spam Legislation (CASL). You may withdraw this consent at any time by using the unsubscribe link in any marketing message, replying STOP to a marketing SMS, updating your account preferences, or contacting info@herhealthphar.com. Withdrawal is processed within 10 business days as required by CASL and never affects transactional messages such as prescription notifications, refill reminders, appointment confirmations, or order updates.
10. Retention Periods
We retain your information for the minimum periods required by Ontario pharmacy regulations:
| Data Type | Retention Period | Authority |
|---|---|---|
| Consent signatures | 10 years minimum | OCP Guidelines |
| Audit logs | 10 years minimum | OCP / PHIPA |
| Medical intake records | 10 years from last service | OCP |
| Appointment records | 10 years from last service | OCP |
| Prescription records | 10 years from last service | OCP |
| Marketing consent (CASL) | 3 years after the relationship ends | CASL |
11. Children
Our services are intended for individuals 18 years of age or older. We do not knowingly collect information from minors without the consent of a parent or legal guardian. If you believe we have collected information from a minor without appropriate consent, contact us at info@herhealthphar.com.
12. Your Rights
Under PHIPA, you have the right to:
- Access your personal health information held by us, including submitted forms, consents, and order history
- Request corrections to inaccurate information
- Withdraw consent for future collection, use, or disclosure of your information at any time, subject to retention obligations under Ontario pharmacy regulations and PHIPA. Withdrawal does not affect information already collected, used, or disclosed prior to the withdrawal, and may limit our ability to provide certain services.
- Exercise these rights through a substitute decision-maker where authorized by law
- File a complaint with the Information and Privacy Commissioner of Ontario if you believe your rights have been violated
13. Consent Withdrawal Process
You may withdraw your consent at any time by:
- Logging into your account and visiting the "My Consents" section
- Contacting us at (647) 000-0000 or info@herhealthphar.com
We will explain any consequences before processing your withdrawal. Withdrawal of consent does not affect the legality of any use or disclosure of your information that occurred prior to the withdrawal.
14. Breach Notification
If a breach of your personal health information occurs that creates a real risk of significant harm, we will notify you and the Information and Privacy Commissioner of Ontario at the first reasonable opportunity, in accordance with PHIPA and Ontario Regulation 224/17. You will receive a plain-language explanation of what happened, what information was involved, and steps you can take to protect yourself.
15. Changes to This Policy
We may update this privacy policy from time to time. Material changes — particularly any change to how we collect, use, or disclose your personal health information — will be communicated to you in advance by email or through a notice on our website, and may require renewed consent. Non-material updates take effect upon posting.
16. Contact Information
HerHealth Pharmacy
95 Morley Street, Hamilton, ON
Phone: (647) 000-0000
Email: info@herhealthphar.com
Designated Manager: Monica Nassralla, RPh
Privacy Officer
Monica Nassralla, RPh
Email: info@herhealthphar.com
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: 1-800-387-0073
Website: www.ipc.on.ca