Information Security Policy
Version 1.1 | Last Updated: January 2026
Introspectus Counselling Ltd. is committed to protecting the privacy and security of your personal health information. This statement focuses specifically on the technical infrastructure, data handling practices, and administrative security measures that protect your information across our digital systems.
For detailed information about clinical confidentiality, therapeutic boundaries, and when information may be shared, please see our separate Privacy Policy & Confidentiality document.
Our practice complies with the Personal Information Protection Act (PIPA) in British Columbia, the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and the professional standards of the Canadian Counselling and Psychotherapy Association (CCPA).
Annual Review Commitment: We review this policy annually and will notify active clients of any material changes affecting their personal information.
🔍 Quick Summary: Your Information Security at a Glance
🛡️ Multi-Layer Protection: Defense-in-depth security with separate systems for clinical records (Jane App, Canadian servers) and administrative communications (Google Workspace).
🔒 Encryption Everywhere: 256-bit encryption for data at rest, TLS encryption in transit, HTTPS on all websites.
🇨🇦 Canadian Clinical Data: All clinical notes and health records stored securely within Canada via Jane App.
📧 Secure Messaging: Use Jane App’s portal for sensitive information; email is for scheduling/billing only.
⏱️ 7-Year Retention: Clinical records kept minimum 7 years (adult clients) or until age 26 (minor clients).
👁️ Your Rights: Access, correct, or request deletion of your information (subject to legal requirements).
🚨 Breach Notification: You’ll be notified immediately if any security incident affects your data.
📑 Table of Contents
⚖️ Important Notice: When Does a Therapeutic Relationship Begin?
Submitting an inquiry through our website contact form or sending an initial email does not establish a therapeutic or counselor-client relationship.
A formal therapeutic relationship begins only when:
- You complete intake paperwork through our secure client portal (Jane App),
- You agree to our clinical services terms and confidentiality notice, and
- You attend your first scheduled counselling session.
Until that time, any information you provide is handled with care but falls under our general website privacy practices rather than the enhanced protections that apply once a therapeutic relationship is established.
🔐 Digital Infrastructure & Security
We utilize a “Defense in Depth” strategy; multiple layers of security protection, by separating clinical records from administrative communications to ensure maximum security.
📋 Website Security (Kinsta)
Our website is hosted on Kinsta, which operates on Google Cloud Platform infrastructure and provides enterprise-level security, including:
- Dual-layer hardware firewalls (Google Cloud Platform and Cloudflare)
- DDoS protection and unlimited malware removal
- 256-bit SSL encryption for all website traffic (HTTPS)
- Canadian data center options for website hosting, used where feasible
📋 Clinical Records (Jane App)
All clinical notes and sensitive health history are stored exclusively in Jane App, a practice management platform designed for Canadian healthcare compliance.
Key Jane App safeguards include:
- SOC 2 Type II certified security controls
- PIPEDA-compliant handling of personal health information
- 256-bit AES encryption at rest and TLS encryption in transit
- Data stored on secure servers within Canada
- Role-based access controls and detailed audit logging
We do not store clinical notes in email, Google Docs, or on local unencrypted devices.
📋 Administrative Communication (Google Workspace)
We use Google Workspace Business Standard for scheduling, billing correspondence, and general administrative communications (not clinical notes).
Security measures include:
- A Business Associate Agreement (BAA) with Google for HIPAA compliance (US healthcare standard)
- Configuration to meet PIPEDA and PIPA requirements for Canadian privacy law
- Two-factor authentication (2FA) for all staff accounts
- Advanced phishing and malware protection
- ISO/IEC 27001 and SOC 2 Type II certifications
Data Location Notice: Emails and scheduling data processed via Google Workspace may be stored on secure servers located outside Canada, primarily in the United States. Under PIPEDA, data stored outside Canada may be accessed by foreign governments under their laws. Google provides contractual protections and security standards regardless of data location.
📋 Third-Party Service Vetting
We carefully vet all third-party service providers (Jane App, Google Workspace, Kinsta) to ensure they:
- Meet Canadian privacy standards
- Provide appropriate security safeguards for your information
- Maintain independent security certifications
- Are subject to ongoing oversight and review
🌍 Data Residency & Processing
📋 Clinical Data
Your primary health records (clinical notes, assessments, treatment plans, intake forms) are:
- Processed and stored securely within Canada via Jane App
- Subject to PIPA, PIPEDA, and CCPA standards
- Accessible only to your clinician and authorized staff on a need-to-know basis
📋 Administrative Data
Emails, scheduling confirmations, and billing invoices processed via Google Workspace:
- May be stored on secure servers outside Canada (primarily the US)
- Are protected by international security standards (ISO/IEC 27001, SOC 2)
- Are subject to PIPEDA requirements for cross-border data transfers
- Never include detailed clinical notes or session content
📋 Website Data
Website hosting and analytics data:
- Hosted on Kinsta (Google Cloud Platform)
- Canadian data centers are used where possible
- Subject to PIPA and PIPEDA requirements
📊 Collection and Use of Personal Information
We collect only the information necessary to provide safe, ethical, and effective psychotherapy services.
📋 Information Collected in Jane App (Clinical Records)
- Personal identification: Name, date of birth, contact information, emergency contacts
- Clinical history: Mental health history, presenting concerns, symptoms, relevant medical history
- Treatment information: Assessment notes, treatment plans, progress notes, therapeutic goals
- Intake forms: Health history, consent forms, questionnaires, relevant insurance information (if applicable)
- Billing records: Invoices, payment history, limited insurance details (no full card numbers stored in Jane)
📋 Information Collected in Google Workspace (Administrative)
- Appointment times, reminders, and schedule changes
- Billing and invoice communications
- Insurance-related correspondence (if applicable)
- Initial contact and general inquiries
📋 Website-Level Collection (Automatic)
Our web server automatically collects certain technical information, such as:
- IP addresses (for security and fraud prevention)
- Browser type and version
- Device type and operating system
- Pages visited, time on site, and navigation patterns
- Referring websites
📋 Cookies & Google Analytics
We use Google Analytics to understand how visitors interact with our website and to improve usability.
Google Analytics may collect:
- Pages visited and actions taken on the site
- General location (city/region), based on IP
- Device and browser information
- Referring URLs
This information is not linked to your clinical record and does not constitute personal health information.
Your Options:
- You may opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on.
- You can manage or disable cookies in your browser settings.
By using our website, you consent to our use of cookies and analytics as described here.
🎯 Purposes for Collection
We collect your information for the following purposes:
Clinical Purposes
- Providing psychotherapy and counselling services
- Conducting assessments and formulating treatment plans
- Monitoring progress and adjusting treatment as needed
- Maintaining accurate clinical documentation as required by CCPA standards
Administrative Purposes
- Responding to inquiries from prospective clients
- Scheduling and confirming appointments
- Processing payments and managing billing
- Sending appointment reminders and administrative notices
Legal and Ethical Obligations
- Complying with PIPA, PIPEDA, and CCPA Standards of Practice
- Fulfilling mandatory reporting obligations (detailed in our Privacy Policy & Confidentiality document)
- Responding to valid legal requests (e.g., court orders)
- Maintaining records for the required retention period
We do not use your information for marketing unrelated third-party services and will not use your information for any purpose beyond those listed without your explicit consent.
For detailed information about confidentiality limits (child protection, imminent harm, vulnerable adults, legal requirements), please see our Privacy Policy & Confidentiality document.
✅ Consent
📋 Consent for Initial Contact & Website Use
By submitting the website contact form or emailing us, you consent to:
- The collection of your name, email, phone number, and inquiry details
- Our use of this information solely to respond to your inquiry
Contact forms should not be used to submit extensive clinical histories or crisis information.
📋 Informed Consent for Clinical Services
Before starting counselling, you will receive a Clinical Services Agreement and Informed Consent Form through Jane App. This form explains:
- How and why your information is collected and used
- The limits of confidentiality
- Your rights and responsibilities as a client
- Fees, cancellation policies, and other clinical terms
You will be asked to review and sign this document, and you may ask questions at any time.
📋 Ongoing and Specific Consent
Consent is an ongoing process and can be revisited.
We will request additional consent for new uses of information (e.g., releasing information to another provider, recording sessions).
📋 Withdrawal of Consent
You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal and contractual limitations.
Process:
- Submit a written request (email or letter).
- We will respond within 30 days to confirm and explain implications.
Important:
- Withdrawing consent may limit or prevent our ability to provide services.
- Legal obligations (e.g., mandatory reporting, record retention) continue to apply even if consent is withdrawn.
💻 Electronic Communication
📋 Our Precautions
Preferred methods for sensitive information:
- Jane App secure portal for clinical documents, forms, and secure messaging.
- Encrypted transmission and integration with your clinical record.
Administrative communications:
- Appointment reminders, confirmations, and invoices via email
- Limited attachments via Gmail Confidential Mode with passcode, when necessary
We do not send clinical notes or detailed session content via standard email.
📋 Your Responsibility and Risks
By providing your email, you consent to:
- Receiving administrative communications via email (scheduling, billing, basic follow-up)
- Accepting the inherent risks of email, including possible interception, unauthorized access, and misdelivery.
We strongly discourage using email for:
- Sharing detailed clinical disclosures or journal entries
- Crisis or emergency communication
📋 Emergencies and Crisis
Email is not monitored 24/7 and is not suitable for emergencies.
If you are in crisis or experiencing a mental health emergency:
- Call 911 or go to the nearest emergency room.
- Use available crisis services:
- 988 Suicide Crisis Helpline: Call or text 9-8-8 (24/7)
- Vancouver Island Crisis Line: 1-888-494-3888 (24/7)
- Kids Help Phone: 1-800-668-6868 (24/7)
📅 Data Retention and Destruction
📋 Retention Period (CCPA-Aligned)
In accordance with CCPA Standards of Practice and Canadian privacy law:
Clinical Records (Jane App):
- Adult clients: Minimum of seven (7) years from the date of last session.
- Minor clients: Minimum of seven (7) years after reaching age 19 (i.e., until at least age 26 in BC).
Administrative Records (Google Workspace):
- Emails and scheduling data: Retained for seven (7) years (via Google Vault).
- Billing records: Retained for seven (7) years from the date of last transaction, or longer if required by tax law.
Website Contact Forms (Prospective Clients):
- Retained for up to one (1) year, then deleted or anonymized, unless you become a client.
📋 Rationale
Retention supports:
- Continuity of care
- Legal and professional obligations
- Response to potential complaints or legal claims
- Documentation standards set by CCPA
📋 Extended Retention
We may retain records longer than seven years if:
- Legal proceedings are underway or reasonably anticipated
- A professional complaint or investigation is ongoing
- A longer period is required by law
📋 Professional Will & Cessation of Practice
We maintain a Professional Will and client file directive consistent with CCPA guidance. If the therapist is incapacitated, retires, or dies:
- A designated professional executor (bound by confidentiality) will manage records.
- Clients will be notified of the status and location of their records where contact information is current.
- Clients may choose to transfer records, request copies, or have records held for the balance of the retention period.
📋 Secure Destruction
When the retention period expires and no legal or professional reason requires further retention:
- Electronic records are securely deleted and unrecoverable.
- Paper records (if any) are shredded or destroyed via an accredited destruction service.
- Destruction is documented for accountability.
Records are never destroyed once a valid subpoena or court order has been received or while litigation or investigation is reasonably anticipated.
👁️ Your Rights
You have the following rights regarding your personal information:
📋 Right of Access
You may request to view or obtain a copy of your clinical record.
📋 Right to Correction
You may request correction of factual errors (e.g., contact information, dates).
- Submit a written request specifying the corrections.
- We will respond within 30 days.
- If a correction is not made, a note of your request and our rationale will be added to your file.
- Professional opinions and clinical impressions are not changed, but your disagreement can be documented.
📋 Right to Request Deletion (Subject to Law)
You may request deletion of information where appropriate:
- We cannot delete clinical records that must be retained for the seven-year minimum or while legal obligations are in effect.
- We will explain what can and cannot be deleted when you make a request.
📋 Right to Withdraw Consent
See Consent section for details. You may withdraw consent for certain uses or disclosures, subject to legal and contractual obligations.
📋 Right to Breach Notification
If a privacy breach occurs that poses a real risk of significant harm, we will:
- Notify you as soon as reasonably possible;
- Explain what happened and what information was involved;
- Describe steps taken to mitigate harm and prevent recurrence;
- Advise you of steps you can take to protect yourself;
- Report the breach to relevant authorities as required.
🔐 Security Safeguards
We protect your information using a combination of technical, administrative, and physical safeguards.
📋 Technical Safeguards
📋 Administrative Safeguards
- Confidentiality agreements for all staff and contractors
- Privacy and security training, including PIPA/PIPEDA and CCPA standards
- Written policies for access control, incident response, and data handling
- Principle of least privilege (only necessary access granted)
- Immediate revocation of access on staff departure
📋 Physical Safeguards
- Locked offices and secure storage for any physical records
- Clean-desk practices (no unattended PHI)
- Secure disposal of printed materials (shredding)
- Secure handling and storage of encrypted devices
📞 Questions, Concerns, and Complaints
📋 Privacy Officer Contact
If you have questions, concerns, or wish to exercise your privacy rights, contact:
Privacy Officer
Introspectus Counselling Ltd.
Email: sean@introspectuscounselling.ca
Phone: 250-556-4623
Mailing Address: 132-328 Wale Rd., Colwood, BC, V9B 0J8
We aim to respond to all privacy-related inquiries within 30 days.
📋 Filing a Complaint
If you believe your privacy rights have been violated:
- Contact our Privacy Officer first with your concern in writing.
- If unresolved, you may contact:
Office of the Information and Privacy Commissioner for British Columbia
PO Box 9038, Stn. Prov. Govt.
Victoria, BC V8W 9A4
Phone: 250-387-5629 | Toll-free in BC: 1-800-663-7867
For matters under PIPEDA, you may also contact:
You will not be penalized or retaliated against for making a good-faith privacy complaint.
📝 Changes to This Policy
We may update this Information Security Statement to reflect:
- Changes in law or regulation
- Updates to our services or technology
- Revisions to professional standards (e.g., CCPA updates)
When changes are made:
- The “Last Updated” date and version number will be revised.
- Material changes affecting how your information is collected, used, or disclosed will be communicated directly to active clients (e.g., by email or during sessions).
📋 Version History
- Version 1.0, January 2026 (initial comprehensive policy)
- Version 1.1, January 2026 (CCPA alignment and clarifications)
📋 Relationship to Clinical Services Agreement
This Information Security Statement focuses on technical infrastructure and data handling practices.
For clinical matters, please refer to:
- Privacy Policy & Confidentiality, Covers clinical confidentiality limits, mandatory reporting obligations, therapeutic boundaries, and when information may be shared for safety reasons
- Clinical Services Agreement (provided at intake), Governs the therapeutic relationship, professional boundaries, fees, cancellations, and session logistics
If there is any conflict between documents:
- For technical/data security matters: This Information Security Statement governs
- For clinical confidentiality matters: The Privacy Policy & Confidentiality document governs
- For therapeutic relationship matters: The Clinical Services Agreement governs
🛡️ Final Note
Protecting your privacy and confidentiality is central to our work. This document focuses on the technical and administrative security measures we use. For questions about clinical confidentiality or therapeutic boundaries, please see our Privacy Policy & Confidentiality document.
Introspectus Counselling Ltd.
Sean Lewis, MA, MDiv, CCC
Canadian Certified Counsellor
132-328 Wale Road, Colwood, British Columbia
Phone: 250-556-4623
Email: sean@introspectuscounselling.ca
This Information Security Statement was last updated January 2026.
