Privacy Policy

1. Introduction and Scope of Policy

Flourish TCM Clinic (hereinafter referred to as “the Clinic,” “we,” “us,” or “our”), located at 1058 Mainland St Suite 115, Vancouver, BC V6B 2T4, is fundamentally committed to safeguarding the privacy, confidentiality, and security of your personal and health information. We blend the ancient wisdom of Traditional Chinese Medicine (TCM) with modern therapeutic technologies, providing personalized, effective, and non-invasive treatments for your mind, body, and skin.

This Comprehensive Privacy Policy applies to all operations of the Clinic. This encompasses your physical visits to our premises, your interactions with our primary website (flourishtcm.com), your use of our secure patient portal managed via our website, your submission of specialized intake forms managed via Zoho Forms, and your engagement with our digital communications and marketing initiatives.

This document explicitly outlines our practices regarding the collection, use, disclosure, and retention of personal information, operating in strict adherence to the British Columbia Personal Information Protection Act (PIPA) and, where applicable to trans-border data flows, the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Accountability and the Privacy Officer

The Clinic accepts full accountability for all personal information within our custody and control. This accountability extends to any information we securely transfer to third-party service providers for processing on our behalf. To ensure continuous, rigorous compliance with PIPA and other relevant privacy frameworks, the Clinic has designated a Chief Privacy Officer.

The Privacy Officer is explicitly responsible for developing internal privacy protocols, training our clinical and administrative staff on data security best practices, auditing our third-party software integrations, responding promptly to patient access requests, and thoroughly investigating any complaints regarding our privacy practices.

Privacy Officer Contact Information:

  • Name: Tabi Padidar
  • Organization: Flourish TCM Clinic
  • Address: 1058 Mainland St Suite 115, Vancouver, BC V6B 2T4
  • Phone: 604-423-4161
  • Email: info@flourishtcm.com (Please specify “Attn: Privacy Officer” in the subject heading to ensure immediate routing).

If you have any questions about how we use, process, manage, and protect personal information, you may contact our Privacy Officer for detailed information.

3. Definitions and Categories of Personal Information Collected

Under PIPA legislation, “Personal Information” is broadly defined as any information that is reasonably capable of identifying a particular individual, either alone or when combined with information from other available sources. This definition explicitly excludes standard business contact information.

In the context of providing specialized TCM and advanced skincare services, the Clinic collects specific categories of data:

  • Identity Data: Your legal name, preferred name, date of birth, gender, and government-issued identification numbers (only if applicable for specific insurance billing purposes).
  • Contact Data: Your residential address, email address, personal phone numbers, and designated emergency contact details.
  • Personal Health Information (PHI): Comprehensive medical history, records of current symptoms, pharmaceutical prescriptions, lifestyle factors, detailed dermatological conditions, Qi energy assessments, diagnostic imagery, and specialized treatment notes generated by our Registered TCM Practitioners, Acupuncturists, and Advanced Skin Specialists.
  • Financial Data: Billing information, insurance policy details, and payment history. Please note that raw credit card numbers are processed securely via third-party gateways (Stripe, PayPal) and are not stored on local Clinic servers.
  • Technical and Usage Data: IP addresses, browser types, device identifiers, website interaction metrics, and cookie data generated when you interact with our digital properties or view our online advertisements.

4. Purposes for Data Collection

The Clinic adheres strictly to the principle of limited collection. We establish and document the reasonable purpose for the collection, use, and disclosure of information before or at the exact time the information is gathered. The personal information we collect must not merely be convenient for us; it must be integral to the provision of our professional services.

We collect, use, and process personal information for the following specific, primary purposes:

  • Clinical Care Delivery: To accurately assess, diagnose, and formulate highly personalized treatment plans encompassing TCM, acupuncture, registered massage therapy, and advanced skincare procedures (such as OxyGeneo and Microneedling).
  • Administrative Operations: To schedule and seamlessly manage appointments via our website’s booking system, process payments, issue invoices, and manage ICBC or private insurance billing and claims.
  • Patient Communication: To send necessary appointment reminders, respond to your inquiries, provide essential post-treatment aftercare instructions, and deliver test results.
  • Compliance and Legal Obligations: To maintain accurate medical records in accordance with the strict regulatory and retention standards of the College of Traditional Chinese Medicine Practitioners and Acupuncturists of British Columbia (CTCMA) and the College of Massage Therapists of British Columbia (CMTBC).
  • Digital Experience and Analytics: To analyze website usage, improve the functionality of our digital platforms, and optimize the delivery of information regarding our services, facilitated by our technology partner, NexusWave Technologies Inc.

5. Mechanisms of Consent

The Clinic requires informed, valid consent from patients prior to the collection, use, or disclosure of personal information, except in specific, limited circumstances where privacy legislation dictates that no consent is required (e.g., immediate medical emergencies, lawful law enforcement investigations, or debt collection).

  • Explicit Consent: We obtain your express, written consent for the collection and clinical processing of Personal Health Information (PHI). This includes requiring you to sign explicit consent forms for specialized, non-invasive procedures such as OxyGeneo, Microneedling, and Tripollar treatments. These forms are securely administered and encrypted via Zoho Forms.
  • Implied Consent: For secondary operational purposes—such as collecting technical data via website navigation to ensure site functionality—consent may be implied by your voluntary interaction with the website, provided the purpose is obvious and a reasonable person would consider it highly appropriate in the circumstances.
  • Withdrawal of Consent: Patients maintain the fundamental right to withdraw their consent at any time, subject to legal or contractual restrictions and the provision of reasonable notice. Patients must be fully aware that withdrawing consent for the processing of critical health data may severely impede the Clinic’s ability to provide safe, effective, and continuous care. Requests to withdraw consent must be directed in writing to the Privacy Officer.

6. Limiting Use, Disclosure, and Retention

The Clinic restricts the use of personal information internally to those specific practitioners and administrative staff who require access to carry out their designated professional duties (adhering to the strict “need-to-know” principle). We categorically do not sell, rent, or trade personal or health information to third-party data brokers under any circumstances.

Disclosures to Third-Party Service Providers:

Information is only disclosed to external entities when necessary to fulfill the operational purposes identified above, or when legally mandated. We engage trusted third-party processors who provide essential technological infrastructure. These providers are strictly bound by comprehensive Data Processing Addendums (DPAs) and Business Associate Agreements (BAAs).

  • WordPress Website: Acts as our secure official website and scheduling processor. It only accesses patient data upon explicit instruction from the Clinic’s Account Owner or for critical technical support.
  • Zoho Forms: Processes our encrypted patient intake forms. Fields containing health data are specifically marked as “ePHI” (Electronic Protected Health Information), rendering them encrypted and unintelligible to unauthorized personnel, and preventing transmission to external marketing apps.
  • NexusWave Technologies Inc: Acts as our digital agency, managing our web hosting, website maintenance, and digital marketing analytics infrastructure.
  • Payment Processors: Stripe and PayPal securely process financial transactions.

Continuity of Care and Legal Disclosures:

  • With your explicit consent, records may be shared with your other healthcare providers (e.g., your family physician) to ensure cohesive medical management.
  • Information may be disclosed without consent if explicitly required by a court order, subpoena, or to mitigate an immediate, severe threat to the physical or mental health of the patient or another individual.

Data Retention:

The Clinic destroys, erases, or permanently anonymizes personal information when it is no longer required for the purpose for which it was collected, or for related business or legal reasons. Health records are retained in strict adherence to the minimum retention periods mandated by applicable provincial health regulatory colleges (typically up to 16 years from the date of last entry, or longer for minors).

7. Safeguards and Security Measures

The Clinic employs a rigorous, multi-layered security architecture to protect your personal information against unauthorized access, loss, theft, modification, or disclosure.

  • Administrative Safeguards: All staff undergo comprehensive privacy training upon hiring and are bound by strict, legally enforceable confidentiality agreements. Access to health records is granted strictly on a role-based matrix.
  • Technical Safeguards: All digital data is stored on secure, industry-standard cloud servers. Communications between your devices and our platforms (our website, Zoho Forms) are protected by SSL/HTTPS encryption. Data stored within our EHR and specialized intake forms is encrypted at rest. We utilize two-factor authentication (2FA) and complex password policies for all staff accessing clinical systems. Where applicable within the EHR, protective masking options (Disclosure Directives) are utilized to restrict internal access to highly sensitive health information.
  • Physical Safeguards: The Clinic premises feature monitored security, locked filing systems for any residual physical documents, and restricted access to administrative hardware.

8. Notice of Digital Advertising, Analytics, and Remarketing

To optimize market outreach, educate the public, and communicate our services effectively, the Clinic engages in digital advertising across search engines (Google) and social media networks (Meta). We deeply recognize the profound sensitivity of healthcare data and have structured our marketing analytics to comply fully with the strict 2025/2026 healthcare privacy mandates established by major advertising platforms and privacy laws.

8.1 Google Ads, Analytics, and “Your Data Segments” (Remarketing)

The Clinic utilizes Google Analytics to understand website traffic patterns and Google Ads to deliver relevant promotional content. In strict accordance with Google’s EU User Consent Policy and global healthcare advertising regulations, we make the following mandatory disclosures regarding our use of “your data segments” (formerly known as remarketing) or similar audiences:

  1. Use of Remarketing: We use remarketing technologies to advertise our services online. This allows us to re-engage individuals who have previously visited our website, presenting them with relevant information about our TCM and skin care services.
  2. Third-Party Vendors: Third-party vendors, including Google, display our advertisements on various websites and platforms across the Internet.
  3. Use of Cookies and Identifiers: Third-party vendors, including Google, utilize cookies and/or device identifiers to serve ads based on an individual’s past visits to our website. These cookies track anonymous navigational data but are absolutely not linked to your personal medical files, your patient portal, or your Zoho intake forms.
  4. Opt-Out Mechanisms: Visitors have the unconditional right to opt out of these advertising mechanisms. You can opt out of Google’s use of cookies or device identifiers by visiting Google’s Ads Settings. Alternatively, visitors may opt out of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative (NAI) opt-out page, or control the use of device identifiers through their device’s native privacy settings.

8.2 Meta Platforms (Facebook and Instagram) Compliance

In compliance with Meta’s 2025 Health and Wellness restrictions, the Clinic adheres to rigorous technical standards to ensure no Personal Health Information (PHI) is transmitted to Meta’s ad servers.

  • No Web Activity Tracking on Health Pages: The Meta Pixel tracking code is explicitly disabled and restricted from loading on pages that contain patient portals, appointment confirmations, detailed treatment summaries, or any interface where a user logs in to view clinical data.
  • Data Minimization and Hashing: The Clinic does not transmit custom parameters containing health, financial, or personally sensitive information to Meta. Any URL parameters following our primary domain are hashed and encrypted to prevent the unintended transmission of health-related query strings.
  • Audience Restrictions: The Clinic does not upload patient email lists to Meta for Custom Audience retargeting, nor do we generate Lookalike Audiences derived from health-related website visitation data. We do not collect or transmit data from individuals known to be under the age of 13.
  • Our marketing campaigns strictly utilize upper-funnel engagement strategies based on broad, anonymized demographic data, completely decoupled from the specific medical conditions or treatments sought by our patients.

9. Cookie Policy and Consent

Our website uses cookies and similar tracking technologies to ensure you get the best experience. Cookies are small text files placed on your device. We use strictly necessary cookies to make the site function properly (e.g., maintaining secure sessions). If you consent via our cookie banner, we also set analytics cookies to help us understand site usage, and marketing cookies to make advertising messages more relevant to you. You can withdraw and manage your consent at any time by clicking “Manage cookies” at the bottom of our website pages, or by adjusting your web browser settings to block cookies globally.

10. Individual Access, Correction, and Recourse

Under PIPA, patients and employees possess the fundamental right to access their personal information held in the control of the Clinic, and to request corrections to data they believe to be inaccurate or incomplete.

  • Making an Access Request: Requests for access to personal information must be submitted in writing to the Privacy Officer. The request must provide sufficient detail to allow the Clinic to identify and locate the specific information sought.
  • Timeline and Fees: The Clinic will respond to all access requests within thirty (30) business days of receipt. We may request a written time extension if fulfilling the request demands extensive retrieval efforts. A minimal, reasonable fee may be charged for the administrative costs of copying records; the Clinic will provide a cost estimate prior to proceeding.
  • Exceptions to Disclosure: PIPA dictates specific circumstances where an organization must or may refuse access. The Clinic will refuse access if the information is protected by solicitor-client privilege, if it would reveal personal information about an unconsenting third party, or if it could reasonably be expected to cause immediate or serious harm to the safety, physical, or mental health of the requester or another individual. If a request is refused, we will provide written notice explaining the reasons and outlining available recourse.
  • Corrections: If an individual demonstrates that their personal information is inaccurate or incomplete, the Clinic will make every reasonable effort to correct it. If the Clinic disputes the correction request, we will annotate the file to record that a correction was requested but not made.

11. Questions, Complaints, and Enforcement

The Privacy Officer is the primary point of contact for any concerns regarding this Privacy Policy or the Clinic’s data handling practices. If an individual feels their concerns have not been adequately addressed through internal channels, they maintain the right to escalate the matter.

Complaints regarding the Clinic’s compliance with PIPA may be directed in writing to the Information and Privacy Commissioner of British Columbia:

  • Office of the Information and Privacy Commissioner for British Columbia (OIPC)
  • PO Box 9038, Stn. Prov. Govt., Victoria, BC V8W 9A4
  • Email: info@oipc.bc.ca
  • Telephone: (250) 387-5629 (Toll-free access via Enquiry BC: 1-800-663-7867)