01 Privacy

Privacy Policy

HyperTherapy is committed to protecting your personal health information in accordance with Ontario's Personal Health Information Protection Act, 2004 (PHIPA) and the standards of the College of Massage Therapists of Ontario (CMTO).

Last updated: March 2026

02 Introduction

Who we are

HyperTherapy is a mobile massage therapy practice operated by Ken Zhou, a Registered Massage Therapist (RMT) in good standing with the College of Massage Therapists of Ontario (CMTO). Ken provides in-home and on-site massage therapy services across Toronto and the Greater Toronto Area.

This Privacy Policy explains how we collect, use, disclose, and protect your personal health information (PHI) when you use our services, visit our website at hypertherapy.ca, or communicate with us by phone, email, or text message.

As a health information custodian under PHIPA, Ken Zhou is personally responsible for the protection of all personal health information in his custody or control.

03 Collection

What personal health information we collect

In the course of providing massage therapy services, we may collect the following types of personal health information:

Health history and intake information

Medical conditions, injuries, medications, allergies, surgical history, and areas of concern disclosed during your initial intake or subsequent visits.

Clinical records (SOAP notes)

Subjective complaints, objective assessment findings, treatment provided, and plan for future care documented at each visit.

Contact information

Full name, phone number, email address, and service address (home or office where treatment is provided).

Payment and billing information

Credit or debit card details processed through Stripe, insurance provider and policy number for receipt issuance, and transaction history.

Intake and consent forms

Signed informed consent for treatment, consent for electronic communication, and any waivers or acknowledgements.

Communication records

Appointment confirmations, reminders sent via SMS or email, and any correspondence related to your care.

04 Purpose

Why we collect your information

We collect personal health information only for purposes that are directly related to providing you with massage therapy services. These purposes include:

  • Providing safe, effective massage therapy treatment tailored to your health needs and goals.
  • Developing and maintaining accurate clinical records as required by the CMTO Standards of Practice.
  • Processing payments and issuing insurance-eligible receipts.
  • Scheduling and managing appointments, including sending confirmation and reminder notifications.
  • Communicating with you about your care, follow-up recommendations, and appointment changes.
  • Complying with legal and regulatory obligations, including CMTO record-keeping requirements.

We will not collect information beyond what is necessary for these purposes. If we need to use your information for a new purpose, we will seek your consent before doing so.

05 Security

How we protect your information

We implement administrative, technical, and physical safeguards to protect your personal health information against unauthorized access, loss, theft, or disclosure.

Encryption in transit and at rest

All data transmitted between your device and our systems is encrypted using TLS 1.2 or higher. Stored data is encrypted at rest using AES-256 encryption.

Canadian data residency

Your clinical and personal data is stored on servers located in Montreal, Canada (Supabase ca-central-1 region), ensuring your information remains within Canadian jurisdiction.

Access controls

Only Ken Zhou, RMT, has access to your personal health information. Access is protected by strong authentication and is limited to what is necessary to provide your care.

Audit logging

All access to clinical records is logged with timestamps, providing a full audit trail as required by PHIPA and CMTO standards.

Secure payment processing

Payment card information is processed by Stripe, a PCI DSS Level 1 certified payment processor. HyperTherapy does not store your full credit card number on its own servers.

Record retention and disposal

Records are retained for the minimum period required by law (see Section 10) and are securely destroyed after the retention period expires, using methods that prevent reconstruction.

06 Your Rights

Your rights under PHIPA

Under Ontario's Personal Health Information Protection Act, you have the following rights regarding your personal health information:

Right to access your records

You may request a copy of your personal health information at any time. We will respond to your request within 30 days. A reasonable fee may apply for copying and preparation.

Right to request corrections

If you believe your records contain an error or omission, you may request a correction in writing. If we agree, the correction will be made and noted. If we disagree, your request and our reasons will be attached to the record.

Right to withdraw consent

You may withdraw your consent for the collection, use, or disclosure of your personal health information at any time, subject to legal restrictions. Withdrawal of consent may affect our ability to continue providing treatment.

Right to be informed of a breach

In the event of a theft, loss, or unauthorized access to your personal health information, we will notify you at the first reasonable opportunity, as required by PHIPA.

Right to file a complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with the Information and Privacy Commissioner of Ontario (IPC).

Information and Privacy Commissioner of Ontario

2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8

Phone: 1-800-387-0073 · Website: ipc.on.ca

07 Disclosure

Sharing and disclosure

We do not sell, rent, or trade your personal health information. We will only share your information in the following circumstances:

  • With your express consent. For example, if you ask us to send your treatment records to another healthcare provider or to submit claims to your insurance company on your behalf.
  • As required or permitted by law. This includes disclosure to the CMTO for regulatory purposes, to comply with a court order or subpoena, or to report information as required by public health or safety legislation.
  • To your insurance provider at your request. When you provide your insurance information and request direct billing or receipt issuance, we share only the minimum information necessary to process your claim (your name, date of service, treatment type, RMT registration number, and amount paid).
  • In a medical emergency. If disclosure is necessary to prevent or reduce a significant risk of serious bodily harm to you or another individual.

08 Website

Cookies and analytics

The HyperTherapy marketing website (hypertherapy.ca) is separate from the clinical record system. Website data does not contain personal health information.

Our website may use the following technologies:

  • Essential cookies. Required for basic site functionality, such as remembering your session state. These cannot be disabled.
  • Google Analytics 4 (GA4). We use GA4 to understand how visitors use our website, including page views, traffic sources, and general engagement patterns. GA4 data is anonymized and does not identify individual users. IP anonymization is enabled.
  • Microsoft Clarity. We use Clarity to understand how visitors interact with our website through heatmaps and session recordings. Clarity does not capture personal health information, keystrokes in form fields, or payment data.

You can control cookies through your browser settings. Disabling analytics cookies will not affect your ability to use the website or book appointments.

09 Third Parties

Third-party service providers

We use the following third-party service providers to operate HyperTherapy. Each provider processes only the minimum data necessary for their specific function and is bound by their own privacy and security commitments.

Supabase (Database hosting)

Hosts clinical records and client data. Data is stored in the ca-central-1 (Montreal) region, keeping all information within Canada. Supabase provides encryption at rest, row-level security, and SOC 2 Type II compliance.

Stripe (Payment processing)

Processes credit and debit card payments. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification. HyperTherapy does not store your full card number.

Twilio (SMS notifications)

Sends appointment confirmations, reminders, and booking-related text messages to your phone number. Message content is limited to scheduling information and does not include clinical details.

Resend (Email communications)

Sends transactional emails including appointment confirmations, insurance receipts, and booking notifications. Email content does not include detailed clinical information.

We review our service providers periodically to ensure they maintain appropriate privacy and security standards. If a provider changes in a way that materially affects the protection of your information, we will update this policy accordingly.

10 Retention

Data retention

Under PHIPA and the CMTO Standards of Practice, we are required to retain your clinical records for a minimum period following your last interaction with HyperTherapy.

Adult clients

Clinical records are retained for a minimum of 10 years after your last visit or the date of your last interaction with HyperTherapy.

Minor clients (under 18)

Clinical records are retained for a minimum of 10 years after the client turns 18 years of age, or 10 years after the last visit, whichever is later.

Billing and payment records

Transaction records are retained for 7 years as required by the Canada Revenue Agency for tax purposes.

Website analytics data

Anonymized analytics data is retained according to the default retention periods of each analytics provider (26 months for GA4).

After the applicable retention period, records are securely destroyed using methods that prevent recovery or reconstruction, including secure digital deletion and physical shredding of any paper records.

11 Contact

Privacy inquiries

If you have questions about this Privacy Policy, wish to exercise your rights under PHIPA, or have concerns about how your personal health information is being handled, please contact:

Ken Zhou, RMT

Privacy Contact · HyperTherapy

Email: info@hypertherapy.ca

Phone: 647-927-9066

Address: E8-333 Sheppard Ave East, Toronto, ON M2N 3B3

We will acknowledge receipt of your inquiry within 2 business days and respond substantively within 30 days.

File a complaint

If you are not satisfied with our response, you may file a complaint with the Information and Privacy Commissioner of Ontario (IPC) at ipc.on.ca or by calling 1-800-387-0073. You may also file a complaint with the CMTO at cmto.com.

12 Updates

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make changes:

  • The "Last updated" date at the top of this page will be revised.
  • For material changes that affect how your personal health information is collected, used, or disclosed, we will notify you by email or at your next appointment.
  • Continued use of our services after a policy update constitutes acceptance of the revised terms, except where PHIPA requires explicit consent for a new purpose.

We encourage you to review this policy periodically. If you have questions about any changes, please contact us using the information above.

Questions about your privacy?

Your trust matters. If you have any questions about how we handle your information, reach out directly.
