Canadian Privacy and Hivemanager.io
What Canadian privacy law means for your clinic, how we handle personal health information, and what each party is responsible for.
This page covers Canadian federal and provincial privacy legislation as it applies to massage therapy clinics. US-based clinics subject to HIPAA should refer to our HIPAA overview.
Which privacy laws apply to your clinic?
Unlike HIPAA in the US — which applies only to specific "covered entities" — Canadian privacy law applies broadly to any private sector organization that collects, uses, or discloses personal information in the course of commercial activity. For a massage clinic, that means you.
PIPEDA (Personal Information Protection and Electronic Documents Act)
Federal law governing private sector handling of personal information across Canada. Applies to massage clinics in provinces without substantially similar private sector legislation, including Ontario, New Brunswick, Nova Scotia, and others. Sets baseline requirements for consent, purpose limitation, safeguards, and breach notification.
PIPA (Alberta and British Columbia)
Alberta and British Columbia each have their own Personal Information Protection Act, which has been declared substantially similar to PIPEDA and applies in its place for organizations in those provinces. Clinics in these provinces comply with their provincial PIPA rather than PIPEDA; the requirements are similar in practice, though Alberta's PIPA also carries its own mandatory breach reporting to the provincial commissioner where a breach creates a real risk of significant harm.
Quebec Law 25
Quebec's modernized private sector privacy law, phased in between September 2022 and September 2024 with most obligations in force since September 2023, applies to businesses operating in Quebec. It is the strictest provincial regime, with requirements similar to GDPR: mandatory designation of a person in charge of the protection of personal information (a privacy officer), privacy impact assessments before acquiring, developing or overhauling any information system that handles personal information and before communicating personal information outside Quebec, prompt notification of confidentiality incidents that present a risk of serious injury (to the Commission d'accès à l'information and to the affected individuals, with a register of all incidents kept), and strengthened individual rights, including data portability (in force since September 2024) and de-indexing.
Provincial health information legislation
Several provinces have separate legislation governing personal health information specifically. Alberta's Health Information Act (HIA) and Ontario's Personal Health Information Protection Act (PHIPA) impose additional requirements on "custodians" of health information. In Ontario, a registered massage therapist providing health care is a health information custodian under PHIPA; in other provinces it depends on whether your profession is regulated and designated under the relevant act. If you bill provincial health plans or work within an integrated healthcare setting, these laws very likely apply to you.
The applicable law for your clinic depends on your province, whether you handle health information in a regulated capacity, and how you interact with other healthcare providers or insurers. Consult a privacy lawyer if you're unsure which framework governs your practice.
What counts as personal health information?
Under Canadian law, personal information is any information about an identifiable individual. A subset, personal health information, is subject to heightened protection and includes any information relating to a person's physical or mental health condition, healthcare history, or the provision of healthcare services to them.
Personal health information (heightened protection):
- Client health history from intake forms — conditions, medications, contraindications
- SOAP notes and session documentation
- Treatment plans and presenting complaints
- Injury and surgical history disclosed by the client
- Name or contact information linked to health records
- Insurance and billing information connected to health services
General personal information (regulated, but not health information):
- Name, email, and contact details (no health context)
- Appointment times and booking history
- Payment records (not linked to a health condition)
- Marketing preferences and communications
- Website visit data collected via analytics tools
Even general personal information is regulated under PIPEDA and its provincial equivalents. You need consent to collect it, must limit use to the stated purpose, and must protect it with appropriate safeguards.
Hivemanager.io as your service provider
Under Canadian privacy law, your clinic is the organization responsible for the personal information you collect from clients. Hivemanager.io is a service provider — we process personal information on your behalf, under your direction, to deliver the software you've subscribed to.
This distinction matters. As the collecting organization, your clinic determines the purposes for which client information is gathered and bears primary accountability to your clients. Hivemanager.io's role is to handle that information securely and in accordance with your instructions and applicable law.
Clinics that require a formal Data Processing Agreement (DPA) — particularly those operating under Quebec Law 25 or working within regulated healthcare settings — can request one from us. Submit a request through our support form and select "DPA request" as the topic.
What a service provider relationship means for your clinic
- You remain accountable to your clients for how their personal information is handled — including by Hivemanager.io
- You should disclose in your privacy policy that you use practice management software and that client data is processed by a third-party service provider
- You should ensure your clients understand that their health information will be stored digitally and processed by your software platform
- Hivemanager.io does not use client personal information for any purpose other than delivering services to your clinic
- Hivemanager.io does not sell, rent, or share client personal information with third parties for their own purposes
Google services we use — and where
Understanding our Google service usage requires distinguishing between two environments: our public marketing website (hivemanager.io) and the Hivemanager application (app.hivemanager.io) where clinic and client data lives.
| Service | Used where | DPA / data agreement | Personal data exposure |
|---|---|---|---|
| Google Analytics 4 (GA4) | Marketing site only | Google's standard DPA | Pseudonymous site traffic data (cookie-based client identifiers); no client health records |
| Google Tag Manager (GTM) | Marketing site only | Google's standard DPA | Tag delivery only — no client health records |
| Google Search Console | Marketing site only | N/A | Search performance data — no personal information |
| Google Cloud | Application infrastructure | Google Cloud DPA (GDPR-aligned) | Client records stored here — subject to DPA |
| Google Workspace | Internal operations | Google Workspace DPA | Isolated from client health records |
Data residency
Hivemanager.io runs on Google Cloud infrastructure. Google Cloud operates data centres in Canada (Montreal, northamerica-northeast1, and Toronto, northamerica-northeast2) and the United States. We use Canadian regions where available for primary data storage. However, some Google Cloud services and operational functions may involve data processing outside Canada.
Under PIPEDA and most provincial privacy laws, cross-border transfers of personal information are permitted where equivalent protection is in place. By subscribing to Hivemanager.io, your clinic acknowledges that client data may be processed in jurisdictions outside Canada, including the United States, where Google Cloud infrastructure operates. Google's Cloud Data Processing Addendum governs these transfers and incorporates standard contractual clauses.
If your clinic is subject to provincial health information legislation (such as Alberta's HIA or Ontario's PHIPA) that restricts cross-border health data transfers, consult your privacy officer or legal counsel about whether additional safeguards are required. Clinics in Quebec should note that Law 25 requires a privacy impact assessment before personal information is communicated outside Quebec, which includes storage or processing in another province or country.
Responsibilities of each party
Privacy compliance under Canadian law is shared between your clinic and its service providers. Hivemanager.io handles the platform — your clinic handles the relationship with your clients and the obligations that come with collecting their health information.
Your clinic (Collecting Organization)
- Identify the purposes for collecting client personal information and obtain meaningful consent before or at the time of collection
- Provide clients with a clear, accessible privacy policy that explains what information you collect, why, and who you share it with (including your software provider)
- Limit collection to information that is necessary for the stated purpose — don't collect health data you don't need
- Designate a privacy officer responsible for your clinic's compliance (required under Quebec Law 25; best practice elsewhere)
- Respond to client access requests — individuals have the right to know what personal information you hold about them
- Report breaches to the applicable Privacy Commissioner and affected individuals when required (PIPEDA: report to the OPC as soon as feasible where the breach creates a "real risk of significant harm", and keep a record of every breach for 24 months; Quebec Law 25: notify the Commission d'accès à l'information and affected individuals promptly where the incident presents a risk of serious injury, and keep a register of all confidentiality incidents)
- Retain personal information only as long as necessary for the purpose it was collected
- Review your privacy practices if your clinic operates in Quebec — Law 25 requirements are more prescriptive and include mandatory privacy impact assessments for certain activities
Hivemanager.io (Service Provider)
- Process personal information only to provide the contracted services — no secondary use, no selling data
- Implement and maintain appropriate technical and organizational safeguards to protect personal information
- Encrypt personal health records at rest and in transit
- Notify your clinic of any security breach involving your clients' personal information without unreasonable delay
- Provide Data Processing Agreements to clinics that require them for compliance purposes
- Ensure sub-processors (including Google Cloud) are bound by equivalent data protection obligations
- Support your clinic's ability to respond to client access requests — you can export client data from your account at any time
- Delete your clinic's data upon account termination, subject to any legally required retention periods
Google (Infrastructure / Sub-processor)
- Google Cloud: provides infrastructure with SOC 2, ISO 27001, and ISO 27018 certifications; signs a Cloud Data Processing Addendum that incorporates standard contractual clauses for international transfers
- Google Workspace: business accounts are covered by Google's Workspace Data Processing Amendment; we use Workspace for internal operations only and do not store client health records in it
- Google Analytics and Google Tag Manager: governed by Google's standard advertising and measurement DPA; used only on the Hivemanager.io marketing website where no personal health records are processed
- Google does not use customer data processed through Google Cloud to serve ads or for Google's own commercial purposes
Email communications and CASL
Canada's Anti-Spam Legislation (CASL) governs commercial electronic messages — including appointment reminders, promotional emails, and newsletters — sent to Canadian recipients. CASL requires express or implied consent before sending a commercial electronic message, and every message must include a working unsubscribe mechanism.
- Appointment reminders and confirmations are considered transactional messages and are generally exempt from CASL consent requirements when sent in connection with an existing business relationship
- Promotional or re-engagement emails — including campaigns you send through your client list — require consent. An existing client relationship typically provides implied consent for up to two years from the client's last transaction
- New client communications initiated outside of a booking transaction require express consent before any commercial messages are sent; a client's own inquiry provides implied consent for six months, after which express consent is needed
Hivemanager.io provides the tools to send automated communications to your clients. Your clinic is responsible for ensuring the communications you configure comply with CASL, including that recipients have appropriate consent. Consult a CASL compliance resource or legal counsel if you're building new email sequences or marketing campaigns.
Technical safeguards in Hivemanager.io
Encryption in transit
All data transmitted between your browser and Hivemanager.io is encrypted using TLS 1.2 or higher. Connections are enforced over HTTPS.
Encryption at rest
Client health records, intake forms, and SOAP notes are encrypted at rest in our database infrastructure.
Access controls
Role-based permissions limit which staff members can view, edit, or export client health records within your clinic account.
Audit logging
Access to client records is logged. Clinic owners can review who accessed what and when. Review the log on a regular schedule rather than only after an incident; a staff member opening records of clients they have no appointment with is the pattern most worth watching for.
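A concrete way to run that review, as an added example rather than code from Hivemanager.io: the script below takes an access-log export and flags bulk exports, after-hours access, and access to a client the staff member has no appointment with in the surrounding week. The CSV column layout, the sample rows, the appointment list, and the business hours are all constructed assumptions for this example; the real export format is not documented on this page, so adapt the column names to what your account actually exports.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an access-log export. The column layout below is an
# assumption made for this example; it is not Hivemanager.io's documented
# export format.
AUDIT_CSV = """timestamp,staff,action,client_id
2026-05-04T09:12:00,rmt_alice,view,C1001
2026-05-04T09:40:00,rmt_alice,edit,C1001
2026-05-04T13:05:00,rmt_bob,view,C2002
2026-05-04T23:47:00,rmt_bob,view,C1001
2026-05-05T10:15:00,reception,export,ALL
2026-05-05T10:20:00,rmt_alice,view,C3003
2026-05-06T11:00:00,rmt_bob,view,C3003
"""

# Constructed appointment schedule (staff, client, date). A therapist is
# expected to open only the records of clients they treat around that date.
APPOINTMENTS = [
    ("rmt_alice", "C1001", "2026-05-04"),
    ("rmt_bob", "C2002", "2026-05-04"),
    ("rmt_alice", "C3003", "2026-05-06"),
]

BUSINESS_HOURS = (7, 21)           # 07:00 to 21:00 local; set to the clinic's hours
ACCESS_WINDOW = timedelta(days=7)  # access further than this from an appointment is flagged


def has_appointment(staff, client_id, when, appointments, window=ACCESS_WINDOW):
    """True if `staff` has an appointment with `client_id` within `window` of `when`."""
    day = when.replace(hour=0, minute=0, second=0, microsecond=0)
    for appt_staff, appt_client, appt_date in appointments:
        if appt_staff == staff and appt_client == client_id:
            if abs(datetime.fromisoformat(appt_date) - day) <= window:
                return True
    return False


def review_access_log(csv_text, appointments=APPOINTMENTS, business_hours=BUSINESS_HOURS):
    """Return (timestamp, staff, client_id, reason) tuples for events worth a look.

    Three signals are checked: bulk exports, access outside business hours,
    and access to a client the staff member has no nearby appointment with.
    A single row can produce more than one finding.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        staff, action, client = row["staff"], row["action"], row["client_id"]
        if action == "export":
            # Exports are always reviewed; they are the fastest way to lose a whole client list.
            findings.append((row["timestamp"], staff, client, "bulk export of client records"))
            continue
        start, end = business_hours
        if not start <= when.hour < end:
            findings.append((row["timestamp"], staff, client, "access outside business hours"))
        if not has_appointment(staff, client, when, appointments):
            findings.append((row["timestamp"], staff, client, "no appointment with this client within 7 days"))
    return findings


if __name__ == "__main__":
    for ts, staff, client, reason in review_access_log(AUDIT_CSV):
        print(f"{ts}  {staff:<10} {client:<6} {reason}")
```

The script flags rather than blocks: every finding still needs a human to confirm against the schedule (a therapist covering for a colleague, or reception preparing an insurance claim, are legitimate reasons that the appointment list alone will not show). Keep the reviewed output with your other privacy records; under PHIPA a custodian should be able to say who has accessed a given client's record when asked.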
Authentication
Account access requires email and password authentication. Multi-factor authentication is available and recommended for all staff accounts.
Infrastructure
Hivemanager.io runs on Google Cloud infrastructure certified to SOC 2, ISO 27001, and ISO 27018 (cloud privacy) standards.
Questions about privacy compliance?
If you have questions about our data practices, need to execute a Data Processing Agreement, or want to understand how Hivemanager.io handles specific types of personal health information, contact us directly.
Disclaimer: This page provides general information about Canadian privacy legislation and how Hivemanager.io approaches compliance. It is not legal advice. The applicable laws and specific obligations for your clinic depend on your province, practice type, and how you handle personal health information. Consult a licensed privacy lawyer or your provincial privacy commissioner's guidance for advice specific to your situation. This page was last reviewed in May 2026.