Privacy Notice

1. Who are we?

ioēs is an integrative therapeutic practice offering a range of services that combine somatic therapy with philosophical counselling (ABN: 71425042384).


2. What data do we process?

As with all organisations operating in Australia, we are responsible for complying with the Privacy Act of 1988.

By processing payments through our payment service providers, we end up with information relating to orders (your booking and paying for a consult, a workshop or an event). This includes:

  • The customer name (first and last)

  • The customer email

  • The billing address

  • The billing method (e.g. Apple Pay or Mastercard)

  • Information about the order, such as the specific products and the status of the order (e.g. ‘paid’)

We are able to view this from within our Squarespace dashboard (this is the content management system we use for our website). We only use this information for the purpose of processing your payment.

We only store the data for as long as we need to for commercial purposes. In Australia, this period is 5 years, as designated by the Australian Taxation Office (ATO).

When you contact us using one of our contact forms, we end up with access to the following information:

  • Your name

  • The nature of your inquiry

  • Your email address

  • Your phone number

We only use this information to contact you back.

If you book a consult with us and become a client, we will take notes and keep records relating to your therapeutic process. This information is documented, processed, stored and disposed of (we have an obligation to securely store these records for 7 years) in alignment with the Australian Health Practitioner Regulation Agency (AHPRA) guidelines and code of conduct, as well as the National Code of Conduct for Health Care Workers. This information must be kept private and confidential. You also have a right to request a copy of this information. You will always be asked for your explicit consent before we take notes relating to the therapeutic process.

We also have access to Squarespace analytics. This gives us visibility of basic information about how people behave on our site (what pages were viewed, for how long and in what sequence). We do not use any of this information to identify individuals or make decisions about individuals. To limit the risk of us accessing data we don’t need, we have turned off all of the analytical functions we can.

We do not process any other data. We do not use any data shared throughout the purchasing process for any other reason.


3. Why do we process this data?

We only process data to deliver our services to you. We practise the principles of Privacy and Security by Design in order to ensure that your data is respected, protected and within your control.

Principle 1: Proactive Not Reactive; Preventative Not Remedial

Principle 2: Privacy As the Default Setting

Principle 3: Privacy Embedded Into Design

Principle 4: Full Functionality – Positive-sum, Not Zero-sum

Principle 5: End-to-end Security – Lifecycle Protection

Principle 6: Visibility and Transparency – Keep It Open

Principle 7: Respect for User Privacy – Keep It User-centric


4. What is the lawful basis for our data processing?

As per the EU’s General Data Protection Regulation (GDPR), the lawful basis for processing data on the site is contract. That’s because our site exists to:

  1. Communicate our service offering, and

  2. Enable you to book and purchase our services

More generally, the basis for processing data as an alternative health provider (the category our business most directly fits into) is to deliver services to you in alignment with our various privacy, data protection and record keeping obligations.


5. Do we share this data with any other parties?

No. We will never share data with any other parties unless you ask us to. And even in such a case, this will be limited to referring you to another healthcare provider, such as a General Practitioner or Clinical Psychologist.


6. Do we conduct automated profiling or decision-making?

No.


7. How do we mitigate risks (such as the risk of data breaches)?

We’ve designed workflows that actively minimise the data we have the ability to access. This is one of the more effective mitigation tactics. In addition, we use various Identity and Access Management controls (password management, at least two factors of authentication, etc.) to limit unlawful access.

If a breach occurs, or is suspected to have occurred, we execute a process aligned to the OAIC’s Notifiable Data Breach Scheme. We:

  1. Assess the incident

  2. Mitigate the impact

  3. Communicate with relevant stakeholders, and

  4. Ensure any preventable weaknesses are improved as quickly as possible

Putting it simply, if any unintended consequences arise, we work quickly to rectify them and notify you where relevant.


8. What rights do you have?

We respect and protect your data rights.

Want a copy of any data we hold in a machine-readable format?

Want to correct an error in your information?

Contact us and any of the above will be done within 72 hours.

Thank you for reading.