Privacy Policy

How ClinicFlow collects, uses, and protects your information

Effective June 1, 2025  ·  iMentalHealth Counselling

ClinicFlow is built by iMentalHealth Counselling and designed for psychology and counselling clinics. We take privacy seriously and comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). This policy explains what information we collect, why we collect it, and how you can control it. It is written in plain English — no legalese.

1. What Information We Collect

We collect only what is needed to run your payroll and deliver invoices.

Clinic account information
  • Clinic name and admin email address
  • Password (stored as a bcrypt hash — we cannot read it)
  • Billing information processed by Stripe (ClinicFlow never sees or stores your card number)
Session data from your CSV import
  • Session dates, service types, and dollar amounts
  • Payer categories (e.g. Private, Blue Cross, VAC)
  • Patient names are stored as initials only (e.g. "J.S.") — never as full names
Contractor information
  • Contractor names and email addresses
  • GST / HST registration numbers
  • Pay rates and tier thresholds you configure in Settings
Clinic settings
  • Clinic address and GST number
  • Fiscal year and service type mappings
  • Invoice run history (month, date, workbook reference)
2. How We Use Your Information

We use your data for exactly three purposes:

  1. Payroll calculation — ClinicFlow applies your contractor rates, tier thresholds, and splits to your imported session data to compute exactly what each contractor is owed. The math is done by ClinicFlow, not your scheduling platform.
  2. Invoice delivery — generating a PDF invoice for each contractor and emailing it to the address you provided in Settings, along with a one-click approval link.
  3. Billing — processing your subscription payment through Stripe, and sending you receipts and subscription status emails.
We do not use your data for any marketing, profiling, or analytics beyond basic app functionality (e.g. keeping you logged in).
3. What We Do NOT Do

We want to be explicit about what ClinicFlow will never do with your data:

  • We do not sell your data — to anyone, ever, for any reason.
  • We do not store full patient names. Patient identifiers from your imported CSV are reduced to initials before storage.
  • We do not access clinical notes, health records, session content, diagnoses, or any other clinical information.
  • We do not share your data with third parties except Stripe (for payment processing) and the email delivery service used to send contractor invoices.
  • We do not use advertising cookies or cross-site tracking of any kind.
4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway, a managed cloud platform. Railway operates infrastructure in Canada and the United States. By using ClinicFlow you acknowledge that your data may be processed on servers located in either country.

  • All data is transmitted over HTTPS / TLS encryption.
  • Passwords are hashed with bcrypt — we cannot recover your password.
  • Contractor approval tokens are single-use and expire after use.
  • Access to your clinic's data is restricted to authenticated users belonging to your account.
5. Contractor Data

Contractor names and email addresses are entered by clinic administrators in Settings. This information is stored solely to:

  • Match session records from your imported CSV to the correct contractor.
  • Address and deliver PDF invoices by email each payroll period.
  • Display invoice status and approval records in the clinic's portal.

Contractor data is not shared with other clinics or used for any purpose beyond invoice delivery. Contractors can contact us at clinicflow@imentalhealth.ca to request access to or deletion of their information.

6. Your Rights (PIPEDA)

Under PIPEDA, you have the right to:

Access
Request a copy of the personal information we hold about you or your clinic.
Correction
Ask us to correct any inaccurate information we hold about you.
Deletion
Request deletion of your account and associated data. See our retention policy in the Terms of Service.

To exercise any of these rights, email us at clinicflow@imentalhealth.ca. We will respond within 30 days.

7. Cookies

ClinicFlow uses one cookie only: a secure session cookie that keeps you logged in while you use the app. This cookie:

  • Is set only when you log in and expires when you log out or close your browser.
  • Does not track your behaviour across other websites.
  • Is not used for advertising, remarketing, or analytics.
We do not use Google Analytics, Facebook Pixel, or any other third-party tracking scripts.
8. Contact Us

Questions, concerns, or requests about this privacy policy? Reach our privacy officer at:

iMentalHealth Counselling — ClinicFlow Privacy
clinicflow@imentalhealth.ca

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.

Effective date: June 1, 2025  ·  iMentalHealth Counselling  ·  clinicflow@imentalhealth.ca