Information Security Policy

Version 1.1 | Last Updated: January 2026

Introspectus Counselling Ltd. is committed to protecting the privacy and security of your personal health information. This statement focuses specifically on the technical infrastructure, data handling practices, and administrative security measures that protect your information across our digital systems.

For detailed information about clinical confidentiality, therapeutic boundaries, and when information may be shared, please see our separate Privacy Policy & Confidentiality document.

Our practice complies with the Personal Information Protection Act (PIPA) in British Columbia, the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and the professional standards of the Canadian Counselling and Psychotherapy Association (CCPA).

Annual Review Commitment: We review this policy annually and will notify active clients of any material changes affecting their personal information.

🔍 Quick Summary: Your Information Security at a Glance

🛡️ Multi-Layer Protection: Defense-in-depth security with separate systems for clinical records (Jane App, Canadian servers) and administrative communications (Google Workspace).

🔒 Encryption Everywhere: 256-bit encryption for data at rest, TLS encryption in transit, HTTPS on all websites.

🇨🇦 Canadian Clinical Data: All clinical notes and health records stored securely within Canada via Jane App.

📧 Secure Messaging: Use Jane App’s portal for sensitive information; email is for scheduling/billing only.

⏱️ 7-Year Retention: Clinical records kept minimum 7 years (adult clients) or until age 26 (minor clients).

👁️ Your Rights: Access, correct, or request deletion of your information (subject to legal requirements).

🚨 Breach Notification: You’ll be notified immediately if any security incident affects your data.

📑 Table of Contents

⚖️ Important Notice: When Does a Therapeutic Relationship Begin?

Submitting an inquiry through our website contact form or sending an initial email does not establish a therapeutic or counselor-client relationship.

A formal therapeutic relationship begins only when:

You complete intake paperwork through our secure client portal (Jane App),
You agree to our clinical services terms and confidentiality notice, and
You attend your first scheduled counselling session.

Until that time, any information you provide is handled with care but falls under our general website privacy practices rather than the enhanced protections that apply once a therapeutic relationship is established.

🔐 Digital Infrastructure & Security

We utilize a “Defense in Depth” strategy; multiple layers of security protection, by separating clinical records from administrative communications to ensure maximum security.

📋 Website Security (Kinsta)

Our website is hosted on Kinsta, which operates on Google Cloud Platform infrastructure and provides enterprise-level security, including:

Dual-layer hardware firewalls (Google Cloud Platform and Cloudflare)
DDoS protection and unlimited malware removal
256-bit SSL encryption for all website traffic (HTTPS)
Canadian data center options for website hosting, used where feasible

📋 Clinical Records (Jane App)

All clinical notes and sensitive health history are stored exclusively in Jane App, a practice management platform designed for Canadian healthcare compliance.

Key Jane App safeguards include:

SOC 2 Type II certified security controls
PIPEDA-compliant handling of personal health information
256-bit AES encryption at rest and TLS encryption in transit
Data stored on secure servers within Canada
Role-based access controls and detailed audit logging

We do not store clinical notes in email, Google Docs, or on local unencrypted devices.

📋 Administrative Communication (Google Workspace)

We use Google Workspace Business Standard for scheduling, billing correspondence, and general administrative communications (not clinical notes).

Security measures include:

A Business Associate Agreement (BAA) with Google for HIPAA compliance (US healthcare standard)
Configuration to meet PIPEDA and PIPA requirements for Canadian privacy law
Two-factor authentication (2FA) for all staff accounts
Advanced phishing and malware protection
ISO/IEC 27001 and SOC 2 Type II certifications

Data Location Notice: Emails and scheduling data processed via Google Workspace may be stored on secure servers located outside Canada, primarily in the United States. Under PIPEDA, data stored outside Canada may be accessed by foreign governments under their laws. Google provides contractual protections and security standards regardless of data location.

📋 Third-Party Service Vetting

We carefully vet all third-party service providers (Jane App, Google Workspace, Kinsta) to ensure they:

Meet Canadian privacy standards
Provide appropriate security safeguards for your information
Maintain independent security certifications
Are subject to ongoing oversight and review

🌍 Data Residency & Processing

📋 Clinical Data

Your primary health records (clinical notes, assessments, treatment plans, intake forms) are:

Processed and stored securely within Canada via Jane App
Subject to PIPA, PIPEDA, and CCPA standards
Accessible only to your clinician and authorized staff on a need-to-know basis

📋 Administrative Data

Emails, scheduling confirmations, and billing invoices processed via Google Workspace:

May be stored on secure servers outside Canada (primarily the US)
Are protected by international security standards (ISO/IEC 27001, SOC 2)
Are subject to PIPEDA requirements for cross-border data transfers
Never include detailed clinical notes or session content

📋 Website Data

Website hosting and analytics data:

Hosted on Kinsta (Google Cloud Platform)
Canadian data centers are used where possible
Subject to PIPA and PIPEDA requirements

📊 Collection and Use of Personal Information

We collect only the information necessary to provide safe, ethical, and effective psychotherapy services.

📋 Information Collected in Jane App (Clinical Records)

Personal identification: Name, date of birth, contact information, emergency contacts
Clinical history: Mental health history, presenting concerns, symptoms, relevant medical history
Treatment information: Assessment notes, treatment plans, progress notes, therapeutic goals
Intake forms: Health history, consent forms, questionnaires, relevant insurance information (if applicable)
Billing records: Invoices, payment history, limited insurance details (no full card numbers stored in Jane)

📋 Information Collected in Google Workspace (Administrative)

Appointment times, reminders, and schedule changes
Billing and invoice communications
Insurance-related correspondence (if applicable)
Initial contact and general inquiries

📋 Website-Level Collection (Automatic)

Our web server automatically collects certain technical information, such as:

IP addresses (for security and fraud prevention)
Browser type and version
Device type and operating system
Pages visited, time on site, and navigation patterns
Referring websites

📋 Cookies & Google Analytics

We use Google Analytics to understand how visitors interact with our website and to improve usability.

Google Analytics may collect:

Pages visited and actions taken on the site
General location (city/region), based on IP
Device and browser information
Referring URLs

This information is not linked to your clinical record and does not constitute personal health information.

Your Options:

You may opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on.
You can manage or disable cookies in your browser settings.

By using our website, you consent to our use of cookies and analytics as described here.

🎯 Purposes for Collection

We collect your information for the following purposes:

Clinical Purposes

Providing psychotherapy and counselling services
Conducting assessments and formulating treatment plans
Monitoring progress and adjusting treatment as needed
Maintaining accurate clinical documentation as required by CCPA standards

Administrative Purposes

Responding to inquiries from prospective clients
Scheduling and confirming appointments
Processing payments and managing billing
Sending appointment reminders and administrative notices

Legal and Ethical Obligations

Complying with PIPA, PIPEDA, and CCPA Standards of Practice
Fulfilling mandatory reporting obligations (detailed in our Privacy Policy & Confidentiality document)
Responding to valid legal requests (e.g., court orders)
Maintaining records for the required retention period

We do not use your information for marketing unrelated third-party services and will not use your information for any purpose beyond those listed without your explicit consent.

For detailed information about confidentiality limits (child protection, imminent harm, vulnerable adults, legal requirements), please see our Privacy Policy & Confidentiality document.

📋 Consent for Initial Contact & Website Use

By submitting the website contact form or emailing us, you consent to:

The collection of your name, email, phone number, and inquiry details
Our use of this information solely to respond to your inquiry

Contact forms should not be used to submit extensive clinical histories or crisis information.

📋 Informed Consent for Clinical Services

Before starting counselling, you will receive a Clinical Services Agreement and Informed Consent Form through Jane App. This form explains:

How and why your information is collected and used
The limits of confidentiality
Your rights and responsibilities as a client
Fees, cancellation policies, and other clinical terms

You will be asked to review and sign this document, and you may ask questions at any time.

📋 Ongoing and Specific Consent

Consent is an ongoing process and can be revisited.

We will request additional consent for new uses of information (e.g., releasing information to another provider, recording sessions).

📋 Withdrawal of Consent

You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal and contractual limitations.

Process:

Submit a written request (email or letter).
We will respond within 30 days to confirm and explain implications.

Important:

Withdrawing consent may limit or prevent our ability to provide services.
Legal obligations (e.g., mandatory reporting, record retention) continue to apply even if consent is withdrawn.

💻 Electronic Communication

📋 Our Precautions

Preferred methods for sensitive information:

Jane App secure portal for clinical documents, forms, and secure messaging.
Encrypted transmission and integration with your clinical record.

Administrative communications:

Appointment reminders, confirmations, and invoices via email
Limited attachments via Gmail Confidential Mode with passcode, when necessary

We do not send clinical notes or detailed session content via standard email.

📋 Your Responsibility and Risks

By providing your email, you consent to:

Receiving administrative communications via email (scheduling, billing, basic follow-up)
Accepting the inherent risks of email, including possible interception, unauthorized access, and misdelivery.

We strongly discourage using email for:

Sharing detailed clinical disclosures or journal entries
Crisis or emergency communication

📋 Emergencies and Crisis

Email is not monitored 24/7 and is not suitable for emergencies.

If you are in crisis or experiencing a mental health emergency:

Call 911 or go to the nearest emergency room.
Use available crisis services:
- 988 Suicide Crisis Helpline: Call or text 9-8-8 (24/7)
- Vancouver Island Crisis Line: 1-888-494-3888 (24/7)
- Kids Help Phone: 1-800-668-6868 (24/7)

📅 Data Retention and Destruction

📋 Retention Period (CCPA-Aligned)

In accordance with CCPA Standards of Practice and Canadian privacy law:

Clinical Records (Jane App):

Adult clients: Minimum of seven (7) years from the date of last session.
Minor clients: Minimum of seven (7) years after reaching age 19 (i.e., until at least age 26 in BC).

Administrative Records (Google Workspace):

Emails and scheduling data: Retained for seven (7) years (via Google Vault).
Billing records: Retained for seven (7) years from the date of last transaction, or longer if required by tax law.

Website Contact Forms (Prospective Clients):

Retained for up to one (1) year, then deleted or anonymized, unless you become a client.

📋 Rationale

Retention supports:

Continuity of care
Legal and professional obligations
Response to potential complaints or legal claims
Documentation standards set by CCPA

📋 Extended Retention

We may retain records longer than seven years if:

Legal proceedings are underway or reasonably anticipated
A professional complaint or investigation is ongoing
A longer period is required by law

📋 Professional Will & Cessation of Practice

We maintain a Professional Will and client file directive consistent with CCPA guidance. If the therapist is incapacitated, retires, or dies:

A designated professional executor (bound by confidentiality) will manage records.
Clients will be notified of the status and location of their records where contact information is current.
Clients may choose to transfer records, request copies, or have records held for the balance of the retention period.

📋 Secure Destruction

When the retention period expires and no legal or professional reason requires further retention:

Electronic records are securely deleted and unrecoverable.
Paper records (if any) are shredded or destroyed via an accredited destruction service.
Destruction is documented for accountability.

Records are never destroyed once a valid subpoena or court order has been received or while litigation or investigation is reasonably anticipated.

👁️ Your Rights

You have the following rights regarding your personal information:

📋 Right of Access

You may request to view or obtain a copy of your clinical record.

Requests must be made in writing.
We will respond within 30 days, in line with PIPA/PIPEDA.
Access may be limited in narrow circumstances (e.g., if disclosure would likely cause serious harm to you or another person).
Reasonable copying fees may apply; you will be informed in advance.

📋 Right to Correction

You may request correction of factual errors (e.g., contact information, dates).

Submit a written request specifying the corrections.
We will respond within 30 days.
If a correction is not made, a note of your request and our rationale will be added to your file.
Professional opinions and clinical impressions are not changed, but your disagreement can be documented.

📋 Right to Request Deletion (Subject to Law)

You may request deletion of information where appropriate:

We cannot delete clinical records that must be retained for the seven-year minimum or while legal obligations are in effect.
We will explain what can and cannot be deleted when you make a request.

📋 Right to Withdraw Consent

See Consent section for details. You may withdraw consent for certain uses or disclosures, subject to legal and contractual obligations.

📋 Right to Breach Notification

If a privacy breach occurs that poses a real risk of significant harm, we will:

Notify you as soon as reasonably possible;
Explain what happened and what information was involved;
Describe steps taken to mitigate harm and prevent recurrence;
Advise you of steps you can take to protect yourself;
Report the breach to relevant authorities as required.

🔐 Security Safeguards

We protect your information using a combination of technical, administrative, and physical safeguards.

📋 Technical Safeguards

Encryption of data in transit (TLS) and at rest (AES-256 where supported)
HTTPS enforced on our website
Two-factor authentication for staff accounts
Firewalls, malware detection, and intrusion detection
Regular software updates and security patches
Audit logs for access to clinical records

📋 Administrative Safeguards

Confidentiality agreements for all staff and contractors
Privacy and security training, including PIPA/PIPEDA and CCPA standards
Written policies for access control, incident response, and data handling
Principle of least privilege (only necessary access granted)
Immediate revocation of access on staff departure

📋 Physical Safeguards

Locked offices and secure storage for any physical records
Clean-desk practices (no unattended PHI)
Secure disposal of printed materials (shredding)
Secure handling and storage of encrypted devices

📞 Questions, Concerns, and Complaints

📋 Privacy Officer Contact

If you have questions, concerns, or wish to exercise your privacy rights, contact:

Privacy Officer
Introspectus Counselling Ltd.
Email: sean@introspectuscounselling.ca
Phone: 250-556-4623
Mailing Address: 132-328 Wale Rd., Colwood, BC, V9B 2W8

We aim to respond to all privacy-related inquiries within 30 days.

📋 Filing a Complaint

If you believe your privacy rights have been violated:

Contact our Privacy Officer first with your concern in writing.
If unresolved, you may contact:

Office of the Information and Privacy Commissioner for British Columbia
PO Box 9038, Stn. Prov. Govt.
Victoria, BC V8W 9A4
Phone: 250-387-5629 | Toll-free in BC: 1-800-663-7867

For matters under PIPEDA, you may also contact:

Office of the Privacy Commissioner of Canada
Toll-free: 1-800-282-1376

You will not be penalized or retaliated against for making a good-faith privacy complaint.

📝 Changes to This Policy

We may update this Information Security Statement to reflect:

Changes in law or regulation
Updates to our services or technology
Revisions to professional standards (e.g., CCPA updates)

When changes are made:

The “Last Updated” date and version number will be revised.
Material changes affecting how your information is collected, used, or disclosed will be communicated directly to active clients (e.g., by email or during sessions).

📋 Version History

Version 1.0, January 2026 (initial comprehensive policy)
Version 1.1, January 2026 (CCPA alignment and clarifications)

📋 Relationship to Clinical Services Agreement

This Information Security Statement focuses on technical infrastructure and data handling practices.

For clinical matters, please refer to:

Privacy Policy & Confidentiality, Covers clinical confidentiality limits, mandatory reporting obligations, therapeutic boundaries, and when information may be shared for safety reasons
Clinical Services Agreement (provided at intake), Governs the therapeutic relationship, professional boundaries, fees, cancellations, and session logistics

If there is any conflict between documents:

For technical/data security matters: This Information Security Statement governs
For clinical confidentiality matters: The Privacy Policy & Confidentiality document governs
For therapeutic relationship matters: The Clinical Services Agreement governs

🛡️ Final Note

Protecting your privacy and confidentiality is central to our work. This document focuses on the technical and administrative security measures we use. For questions about clinical confidentiality or therapeutic boundaries, please see our Privacy Policy & Confidentiality document.

Introspectus Counselling Ltd.
Sean Lewis, MA, MDiv, CCC
Canadian Certified Counsellor
132-328 Wale Road, Colwood, British Columbia
Phone: 250-556-4623
Email: sean@introspectuscounselling.ca

This Information Security Statement was last updated January 2026.